Bug 367630 (Closed)
Opened 18 years ago
Closed 18 years ago
Crash with use of sharp variable in function [@ js_PCToLineNumber]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
People: Reporter: jruderman, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments (2 files)
Attachment 252230: patch "Easy fix" (980 bytes); brendan: review+; dveditz: approval1.8.1.4+; dveditz: approval1.8.0.12+
Attachment: text/plain (2.54 KB)
js> uneval(#1={a:#1#}); (function() { return #1# })();
Segmentation fault
js> w = {a:#1=function(){return #1#}}; w.a()
Segmentation fault
In the first example, the #1# is clearly illegal due to being out of scope, right? Why does the function even compile? Is the second example also illegal?
Here's the top of a stack trace from the js shell:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xdadadada
Thread 0 Crashed:
0 js_PCToLineNumber + 68 (jsscript.c:1519)
1 js_ReportErrorNumberVA + 236 (jscntxt.c:1141)
2 JS_ReportErrorNumber + 96 (jsapi.c:4672)
3 js_Interpret + 90244 (jsinterp.c:5336)
4 js_Execute + 904 (jsinterp.c:1607)
5 JS_ExecuteScript + 64 (jsapi.c:4212)
...
Comment 1 • 18 years ago (Reporter)
I found this while messing around in the js shell, but I plan to add sharps to a fuzzer soon ;)
Whiteboard: [sg:critical?]
Comment 2 • 18 years ago (Assignee)
Attachment #252230 -
Flags: review?(brendan)
Updated • 18 years ago
Assignee: general → mrbkap
Comment 3 • 18 years ago
Comment on attachment 252230 (Easy fix):
r=me (pls. cc: me on bugs like this; wish r? cc'd me automatically).
/be
Attachment #252230 -
Flags: review?(brendan) → review+
Comment 4 • 18 years ago (Assignee)
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated • 18 years ago (Assignee)
Attachment #252230 -
Flags: approval1.8.1.3?
Attachment #252230 -
Flags: approval1.8.0.11?
Comment 5 • 18 years ago
Reliably crashes 1.8.1 but does not crash 1.8.0.
Updated • 18 years ago
Flags: in-testsuite+
Comment 6 • 18 years ago
verified fixed 1.9.0 20070226 windows/mac*/linux
Status: RESOLVED → VERIFIED
Updated • 18 years ago
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Updated • 18 years ago
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment 7 • 18 years ago
Comment on attachment 252230 (Easy fix):
approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #252230 -
Flags: approval1.8.1.4?
Attachment #252230 -
Flags: approval1.8.1.4+
Attachment #252230 -
Flags: approval1.8.0.12?
Attachment #252230 -
Flags: approval1.8.0.12+
Updated • 18 years ago
Group: security
Comment 10 • 18 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367630.js,v <-- regress-367630.js
initial revision: 1.1
Updated • 14 years ago
Crash Signature: [@ js_PCToLineNumber]