Closed
Bug 457580
Opened 16 years ago
Closed 16 years ago
TM: Crash [@ js_ValueToStringId] with /x/[-4]
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b1
People
(Reporter: jruderman, Assigned: gal)
References
Details
(Keywords: crash, testcase, verified1.9.1, Whiteboard: [sg:critical?])
Crash Data
Attachments
(1 file)
$ cat a.js for (let i=0;i<3;++i) /x/[-4]; $ ~/tracemonkey/js/src/Darwin_DBG.OBJ/js -j a.js Crash [@ js_ValueToStringId] Crashes with -4, -8, -12, etc. but not with other numbers I tried. Crashes dereferencing 0xfffffff8, so filing as security-sensitive.
Flags: blocking1.9.1?
|
Reporter | |
Comment 1•16 years ago
|
||
With some trial-and-error wrapping, I got it to crash in the interactive shell:
$ ~/tracemonkey/js/src/Darwin_DBG.OBJ/js -j
js> eval("(function(){for (let i=0;i<3;++i) /x/[-4];})()")
Crash [@ js_ValueToStringId]
|
||
Comment 2•16 years ago
|
||
This is a regression from bug 455748. In particular, that caused us to call js_IndexToId on a jsval that isn't actually an index. Further confusing things is the fact that we store the bogo-index back into the interpreter stack, causing us to crash in the interpreter and not on trace.
Blocks: 455748
|
Assignee | |
Comment 3•16 years ago
|
||
Assignee: general → gal
Attachment #340836 -
Flags: review?
|
|
Assignee | |
Updated•16 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b1
|
|
Assignee | |
Updated•16 years ago
|
Attachment #340836 -
Flags: review?(mrbkap)
Attachment #340836 -
Flags: review?(brendan)
Attachment #340836 -
Flags: review?
|
|
Assignee | |
Comment 4•16 years ago
|
||
Comment on attachment 340836 [details] [diff] [review] Catch negative indexes at recording time. At runtime the builtins already check for us. Also guard for shape and setters/getters for non-dense integer index setelem case. Whoever gets to it first please review.
|
|
||
Comment 5•16 years ago
|
||
Comment on attachment 340836 [details] [diff] [review] Catch negative indexes at recording time. At runtime the builtins already check for us. Also guard for shape and setters/getters for non-dense integer index setelem case. Looks good.
Attachment #340836 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 6•16 years ago
|
||
Not user reported so closing bug directly. http://hg.mozilla.org/tracemonkey/rev/358a6b0a757c
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 7•16 years ago
|
||
Comment on attachment 340836 [details] [diff] [review] Catch negative indexes at recording time. At runtime the builtins already check for us. Also guard for shape and setters/getters for non-dense integer index setelem case. I should have caught this -- I was looking for guardElemOp but thought one was there, saw net-0 change to count of calls to that method, gave up the chase too soon. Sorry, /be
Attachment #340836 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 8•16 years ago
|
||
Follow-up fix (was breaking jquery). http://hg.mozilla.org/tracemonkey/rev/82841707d495
|
|
Reporter | |
Updated•16 years ago
|
Whiteboard: [sg:critical?]
|
||
Comment 9•16 years ago
|
||
test also included in js1_8_1/trace/trace-test.js
Flags: in-testsuite+
Flags: in-litmus-
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
|
||
Updated•15 years ago
|
Group: core-security
Flags: wanted1.9.0.x-
|
||
Updated•13 years ago
|
Crash Signature: [@ js_ValueToStringId]
You need to log in
before you can comment on or make changes to this bug.
Description
•