Crash with use of sharp variable in function [@ js_PCToLineNumber]

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 11 years ago
Modified: 6 years ago
Reporter: Jesse Ruderman
Assigned: mrbkap
Version: Trunk
Hardware: PowerPC / Mac OS X
Keywords: crash, testcase, verified1.8.0.12, verified1.8.1.4
Points: ---
Bug Flags: blocking1.8.1.4 +, blocking1.8.0.12 +, in-testsuite +
Firefox Tracking Flags: (Not tracked)
Whiteboard: [sg:critical?]
Attachments: 2

Description (Reporter), 11 years ago

js> uneval(#1={a:#1#}); (function() { return #1# })();
Segmentation fault

js> w = {a:#1=function(){return #1#}}; w.a()
Segmentation fault

In the first example, the #1# is clearly illegal due to being out of scope, right?  Why does the function even compile?  Is the second example also illegal?

Here's the top of a stack trace from the js shell:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xdadadada

Thread 0 Crashed:
0   js_PCToLineNumber + 68 (jsscript.c:1519)
1   js_ReportErrorNumberVA + 236 (jscntxt.c:1141)
2   JS_ReportErrorNumber + 96 (jsapi.c:4672)
3   js_Interpret + 90244 (jsinterp.c:5336)
4   js_Execute + 904 (jsinterp.c:1607)
5   JS_ExecuteScript + 64 (jsapi.c:4212)
...
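The fault address in the trace, 0xdadadada, is a word made entirely of the byte 0xDA, which is the fill value SpiderMonkey's debug builds wrote over released memory (JS_FREE_PATTERN). That makes the trace read as a dangling read: the error reporter walked a pc-to-line table whose storage had already been released and poisoned. The following C program is an added illustration written for this page, not code from SpiderMonkey or from the patch in this bug; the arena, the linetab_t layout and the function names are hypothetical, and it only shows the shape of the failure (compile-time storage released before a later lookup) and the triage check a reader applies to such an address, not this bug's exact code path.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte written over released memory. 0xDA was SpiderMonkey's debug-build
 * JS_FREE_PATTERN; a 32-bit word of it reads back as 0xdadadada. */
#define FREE_PATTERN 0xDA

/* Hypothetical minimal bump arena standing in for a compiler temp pool.
 * The backing buffer outlives arena_release(), so reading through a stale
 * pointer here is defined and shows what the poison looks like. */
typedef struct { unsigned char *base; size_t size, used; } arena_t;

static int arena_init(arena_t *a, size_t size) {
    a->base = (unsigned char *)malloc(size);
    a->size = size;
    a->used = 0;
    return a->base != NULL;
}

static void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 7) & ~(size_t)7;                 /* keep 8-byte alignment */
    if (a->used + n > a->size) return NULL;
    void *p = a->base + a->used;
    a->used += n;
    return p;
}

/* Release everything and poison it, as a debug allocator does. */
static void arena_release(arena_t *a) {
    memset(a->base, FREE_PATTERN, a->used);
    a->used = 0;
}

static void arena_destroy(arena_t *a) { free(a->base); a->base = NULL; }

/* Stand-in for a per-script pc -> line table (hypothetical layout). */
typedef struct { uint32_t *lines; size_t count; } linetab_t;

/* Triage helper: is every byte of this value the free pattern? A fault
 * address that passes this check points at released, poisoned memory. */
static int is_poison_word(uintptr_t v) {
    for (size_t i = 0; i < sizeof v; i++) {
        if (((v >> (8 * i)) & 0xFF) != FREE_PATTERN) return 0;
    }
    return 1;
}

/* Build the table in the pool, release the pool the way a compiler does when
 * compilation finishes, then look up a line the way an error reporter would.
 * keep_alive == 0: the lookup reads stale pool memory (the bug shape).
 * keep_alive == 1: the table is copied to storage that outlives the pool
 * before release, which is the fix shape. */
static uint32_t line_for_pc(size_t pc, int keep_alive) {
    arena_t pool;
    if (!arena_init(&pool, 256)) return 0;

    linetab_t *tab = (linetab_t *)arena_alloc(&pool, sizeof *tab);
    tab->count = 4;
    tab->lines = (uint32_t *)arena_alloc(&pool, tab->count * sizeof(uint32_t));
    for (size_t i = 0; i < tab->count; i++) tab->lines[i] = 10 + (uint32_t)i;

    size_t count = tab->count;            /* captured before release */
    uint32_t *table = tab->lines;         /* pointer the reporter holds onto */
    uint32_t owned[4];
    if (keep_alive) {
        memcpy(owned, table, sizeof owned);
        table = owned;
    }

    arena_release(&pool);                 /* compile-time storage goes away */
    uint32_t line = (pc < count) ? table[pc] : 0;
    arena_destroy(&pool);
    return line;
}

/* What the stale pointer field itself reads as after release: dereferencing
 * such a value is how an all-0xDA fault address ends up in a crash report. */
static uintptr_t stale_pointer_value(void) {
    arena_t pool;
    if (!arena_init(&pool, 64)) return 0;
    linetab_t *tab = (linetab_t *)arena_alloc(&pool, sizeof *tab);
    tab->lines = (uint32_t *)arena_alloc(&pool, 16);
    arena_release(&pool);
    uintptr_t v;
    memcpy(&v, &tab->lines, sizeof v);    /* copy the bytes, do not deref */
    arena_destroy(&pool);
    return v;
}

int main(void) {
    printf("stale lookup:   0x%08x\n", line_for_pc(2, 0));
    printf("kept-alive:     %u\n", line_for_pc(2, 1));
    printf("stale pointer:  0x%lx poison=%d\n",
           (unsigned long)stale_pointer_value(),
           is_poison_word(stale_pointer_value()));
    return 0;
}
```

The stale lookup returns 0xdadadada rather than a line number, and the stale pointer field is all 0xDA bytes; a reporter that dereferenced it would fault at exactly the kind of address shown in the trace. Poison fills are valuable precisely because they turn a silent read of stale data into a deterministic crash at a recognisable address, which is what let a tiny testcase expose this bug.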
Comment 1 (Reporter), 11 years ago

I found this while messing around in the js shell, but I plan to add sharps to a fuzzer soon ;)

Whiteboard: [sg:critical?]
Comment 2 (Assignee), 11 years ago

Created attachment 252230 [details] [diff] [review]
Easy fix

Attachment #252230 - Flags: review?(brendan)
Assignee: general → mrbkap

Comment 3

Comment on attachment 252230 [details] [diff] [review]
Easy fix

r=me (pls. cc: me on bugs like this; wish r? cc'd me automatically).

/be

Attachment #252230 - Flags: review?(brendan) → review+
Comment 4 (Assignee), 11 years ago

Fixed on trunk.

Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Updated (Assignee), 11 years ago

Attachment #252230 - Flags: approval1.8.1.3?
Attachment #252230 - Flags: approval1.8.0.11?

Comment 5, 11 years ago

Created attachment 256373 [details]
js1_5/extensions/regress-367630.js

reliably crashes 1.8.1 but does not crash 1.8.0

Updated, 11 years ago

Flags: in-testsuite+

Comment 6, 11 years ago

verified fixed 1.9.0 20070226 windows/mac*/linux

Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?

Comment 7

Comment on attachment 252230 [details] [diff] [review]
Easy fix

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers

Flags: blocking1.8.1.4? → blocking1.8.1.4+
Flags: blocking1.8.0.12? → blocking1.8.0.12+
Attachment #252230 - Flags: approval1.8.1.4? → approval1.8.1.4+
Attachment #252230 - Flags: approval1.8.0.12? → approval1.8.0.12+
Comment 8 (Assignee), 10 years ago

Fixed on the 1.8 branches.

Keywords: fixed1.8.0.12, fixed1.8.1.4

Comment 9, 10 years ago

verified fixed linux, windows, mac* 1.8.0, 1.8.1 shell 20070406

Keywords: fixed1.8.0.12, fixed1.8.1.4 → verified1.8.0.12, verified1.8.1.4
Group: security

Comment 10, 10 years ago

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367630.js,v  <--  regress-367630.js
initial revision: 1.1

Crash Signature: [@ js_PCToLineNumber]