Closed Bug 427191 Opened 16 years ago Closed 16 years ago

Crash [@ js_ExpandErrorArguments]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: gkw, Assigned: igor)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

I found this bug using jsfunfuzz.js, and Jesse Ruderman helped to reduce it as much as possible. It triggers a crash @ js_ExpandErrorArguments dereferencing a random memory address.


let (numDummies = 13100) {
  for (let i = 0; i < numDummies; ++i)
    this["z" + (i + 10000)] = 5;
}

let (p = []) {
  p.__iterator__ = this;
  try { for(let y in p); } catch(e) { eeee = e; }
  try { for(let y in p); } catch(e) { eeee = e; }
  try { for(let y in p); } catch(e) { eeee = e; }
  try { for(let y in p); } catch(e) { eeee = e; }
}
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Assignee: general → igor
We need to fix this, and there are other fuzzer bugs in line to be fixed in the next dot release.  Wouldn't hold back 1.9 for this.

wanted1.9.0.x+
Flags: wanted1.9.0.x+
Flags: blocking1.9?
Flags: blocking1.9-
Attached patch: proposed fix
js_ValueToPrintable* is another dangerous API (sorry). Igor, can you get this landed if good, or fix it better and r? me? Thanks,

/be
Attachment #314447 - Flags: review?(igor)
Comment on attachment 314447
proposed fix

Even if js_ValueToPrintableSource had a less hazard-friendly signature, js_ReportIsNotFunction would still need an extra root to hold its result. So tvr is inevitable here.
Attachment #314447 - Flags: review?(igor) → review+
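The rooting hazard Igor describes, as a constructed toy model added here (not SpiderMonkey code and not the patch): a collector that runs on every allocation, a temp-root stack standing in for the tvr, and stand-in functions named after the ones in the comment. Without the root, the string returned by the js_ValueToPrintableSource stand-in is collected by the allocation inside the js_ExpandErrorArguments stand-in before it is read.

```c
/* Constructed toy model, not SpiderMonkey code: a collector that runs on every
 * allocation (stress mode), a temp-root stack standing in for JSTempValueRooter,
 * and stand-ins for js_ValueToPrintableSource / js_ExpandErrorArguments / js_ReportIsNotFunction. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SLOTS 8
typedef struct { bool live, marked; char text[48]; } Cell;
static Cell heap[HEAP_SLOTS];
static int next_slot;

/* Temp-root stack: anything pushed here survives a collection. */
static Cell *roots[8];
static int nroots;

static void gc(void) {
    for (int i = 0; i < HEAP_SLOTS; i++) heap[i].marked = false;
    for (int i = 0; i < nroots; i++) roots[i]->marked = true;
    for (int i = 0; i < HEAP_SLOTS; i++)   /* sweep: overwrite instead of real UB so the bug is visible */
        if (heap[i].live && !heap[i].marked) { heap[i].live = false; strcpy(heap[i].text, "<freed>"); }
}

/* Allocate a cell, collecting first as an allocation-triggered GC would. */
static Cell *alloc(const char *text) {
    gc();
    for (int k = 0; k < HEAP_SLOTS; k++) {
        int i = (next_slot + k) % HEAP_SLOTS;   /* round-robin so a freed slot is not reused at once */
        if (!heap[i].live) {
            heap[i].live = true;
            snprintf(heap[i].text, sizeof heap[i].text, "%s", text);
            next_slot = i + 1;
            return &heap[i];
        }
    }
    return NULL;
}

/* Returns a fresh, unrooted string: the caller must root it before allocating again. */
static Cell *value_to_printable_source(const char *v) { return alloc(v); }

/* Allocates the message, which collects `arg` unless something roots it. */
static Cell *expand_error_arguments(Cell *arg) {
    Cell *msg = alloc("");
    snprintf(msg->text, sizeof msg->text, "%s is not a function", arg->text);
    return msg;
}

/* `rooted` selects whether the temp-value rooter (tvr) is pushed around the call. */
const char *report_is_not_function(const char *v, bool rooted) {
    Cell *src = value_to_printable_source(v);
    if (rooted) roots[nroots++] = src;   /* JS_PUSH_TEMP_ROOT equivalent */
    Cell *msg = expand_error_arguments(src);
    if (rooted) nroots--;                /* JS_POP_TEMP_ROOT */
    return msg->text;
}
```

With the root pushed the message reads "this is not a function"; without it the source string has already been swept when the message is built.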
Attachment #314447 - Flags: approval1.9?
Comment on attachment 314447
proposed fix

a1.9=beltzner
Attachment #314447 - Flags: approval1.9? → approval1.9+
Fixed:

js/src/jsfun.c 3.276

/be
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified, no longer crashes in latest trunk opt js shell.
Status: RESOLVED → VERIFIED
I can't reproduce the original crash with this testcase. Can someone who could, please check and see if this testcase also reproduces the original crash?
Nominating for 1.8.1 blocking as the bug may exist there and requires at least an investigation.
Flags: blocking1.8.1.15?
Gary, can you help Bob out here?
I don't believe I have any builds of js shells anymore prior to 4th April 2008.
It is hard for 1.8.1.15 triage to approve this if it cannot be reproduced in Branch.
Oh, you mean for 1.8.1.15, ok I'll get to it soon...
The first set of commands doesn't work for 1.8.1.15, but works fine for the trunk js shell:

===

gary-kwongs-mac-mini:lithium gk$ ./js-intelmac
js> let (numDummies = 13100) {
  for (let i = 0; i < numDummies; ++i)
    this["z" + (i + 10000)] = 5;
}
5
js> 

gary-kwongs-mac-mini:lithium gk$ ./js-moz18branch-intelmac
js> let (numDummies = 13100) {
typein:1: SyntaxError: missing ; before statement:
typein:1: let (numDummies = 13100) {
typein:1: .........................^
js>   for (let i = 0; i < numDummies; ++i)
typein:2: SyntaxError: missing ; after for-loop initializer:
typein:2:   for (let i = 0; i < numDummies; ++i)
typein:2: ...........^
js>     this["z" + (i + 10000)] = 5;
typein:3: ReferenceError: i is not defined
js> }
typein:4: SyntaxError: syntax error:
typein:4: }
typein:4: ^
js> 

gary-kwongs-mac-mini:lithium gk$

===

Igor, is there any tweak I should make for 1.8.1.15 in order for the error not to show up?
To test this on branch, you need to run

./js -v 170

or type "version(170);" into the prompt before pasting the script.  This is because branch defaults to treating |let| as an identifier rather than a keyword.
The commands work as expected and do not crash on the latest branch js shell. (Thanks Jesse for the hint)
Flags: blocking1.8.1.15?
Flags: in-testsuite+
Flags: in-litmus-
Can we open this bug up then? Fixed on the 1.8 branch somehow?
Flags: wanted1.9.0.x+
(In reply to comment #16)
> Can we open this bug up then? Fixed on the 1.8 branch somehow?

I just re-confirmed that the bug has somehow been fixed on the 1.8 branch. With "-v 170" on the commandline, the 1.8.1.x shell doesn't crash with the testcase anymore, and works as expected.
When this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Crash Signature: [@ js_ExpandErrorArguments]
Group: core-security