Closed Bug 509354 Opened 16 years ago Closed 16 years ago

Crash [@ DecompileDestructuringLHS] with destructuring and "arguments"

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta5-fixed
status1.9.1 --- unaffected

People

(Reporter: jruderman, Assigned: jorendorff)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey)

Crash Data

Attachments

(3 files)

crash stack trace
1.93 KB, text/plain
Details
valgrind's theory
1.70 KB, text/plain
Details
v1
4.16 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
print(function([arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments,arguments]){}) Crash [@ DecompileDestructuringLHS] touching some wrong memory. Related to bug 496985?
Attached file crash stack trace
Attached file valgrind's theory
Doesn't crash under valgrind, but does have an "Invalid read of size 1".
autoBisect shows this might be related to bug 496908 : The first bad revision is: changeset: 30693:6fc1700090b2 user: Boris Zbarsky date: Mon Jul 27 16:14:12 2009 -0400 summary: Bug 496908. Make JSVAL_IS_* functions, not macros. r=brendan,jwalden
Blocks: 496908
Flags: blocking1.9.2?
Keywords: regression
Whiteboard: [sg:critical?]
Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000001e101b Crashed Thread: 0 Thread 0 Crashed: 0 libSystem.B.dylib 0xffff07fc __memcpy + 92 (cpu_capabilities.h:246) 1 js-opt-tm-darwin 0x0008734d DecompileDestructuringLHS(SprintStack*, unsigned char*, unsigned char*, int*) + 1213 2 js-opt-tm-darwin 0x00087d60 DecompileDestructuring(SprintStack*, unsigned char*, unsigned char*) + 1072 3 js-opt-tm-darwin 0x000883bd js_DecompileFunction + 381 4 js-opt-tm-darwin 0x0000cdd3 JS_DecompileFunction + 67 5 js-opt-tm-darwin 0x00043d39 fun_toStringHelper(JSContext*, unsigned int, unsigned int, long*) + 313 6 js-opt-tm-darwin 0x0005d1c7 js_Invoke + 2407 7 js-opt-tm-darwin 0x0005d6bb js_InternalInvoke + 139 8 js-opt-tm-darwin 0x0006dd84 js_TryMethod + 212 9 js-opt-tm-darwin 0x0006df76 js_DefaultValue + 374 10 js-opt-tm-darwin 0x000c4e33 js_ValueToString + 131 11 js-opt-tm-darwin 0x00002375 Print(JSContext*, unsigned int, long*) + 69 12 js-opt-tm-darwin 0x00057016 js_Interpret + 42182 13 js-opt-tm-darwin 0x0005c5f2 js_Execute + 370 14 js-opt-tm-darwin 0x0000e1ac JS_ExecuteScript + 60 15 js-opt-tm-darwin 0x0000432a Process(JSContext*, JSObject*, char*, int) + 1338 16 js-opt-tm-darwin 0x000075bf main + 879 17 js-opt-tm-darwin 0x00001b3b _start + 209 18 js-opt-tm-darwin 0x00001a69 start + 41
Whiteboard: [sg:critical?] → [ccbr][sg:critical?]
Two observations: (function([developers,developers,developers,developers]){}); ==> SyntaxError: duplicate argument is mixed with destructuring pattern ...so the correct behavior here is to throw; script->nfixed is 0, so the decompiler isn't recognizing the `setlocalpop 0` instructions in the destructuring-assignment cliche as assigning to an argument that has a name.
When BindDestructuringVar calls BindLocalVariable, it assumes that a successful return means there's a new local variable. But when atom is `arguments` this is not the case; BindLocalVariable just smiles and nods. This is all kind of silly. Brendan, is it OK if we just reject functions with destructuring arguments named `argument` as a SyntaxError?
(In reply to comment #6) > When BindDestructuringVar calls BindLocalVariable, it assumes that a successful > return means there's a new local variable. But when atom is `arguments` this is > not the case; BindLocalVariable just smiles and nods. Bug there -- notice without destructuring how you can bind a local var named arguments: js> function f(x) { var arguments = x; return arguments } js> dis(f) flags: HEAVYWEIGHT 00000: defvar "arguments" main: 00003: bindname "arguments" 00006: getarg 0 00009: setname "arguments" 00012: pop 00013: arguments 00014: return 00015: stop Source notes: 0: 2 [ 2] xdelta 1: 9 [ 7] decl offset 0 js> f() js> f(42) 42 /be
Blocking 1.9.2+ P2.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Assigning to blake.
Assignee: general → mrbkap
I'm not going to get this before the freeze. Throwing back into the pool for someone else to catch.
Assignee: mrbkap → general
catching
Assignee: general → jorendorff
Progress, Jason?
Attached patch v1Splinter Review
Attachment #413627 - Flags: review?(mrbkap)
Comment on attachment 413627 [details] [diff] [review] v1 Please add a test that 'function([arguments])' results in a function that can actually use its parameter. r=mrbkap with that.
Attachment #413627 - Flags: review?(mrbkap) → review+
http://hg.mozilla.org/tracemonkey/rev/2cd3b54918b0
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
jorendorff: js1_8_1/regress/regress-509354.js needs to be listed in the appropriate jstests.list manifest.
http://hg.mozilla.org/mozilla-central/rev/2cd3b54918b0
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
(In reply to comment #16) > jorendorff: js1_8_1/regress/regress-509354.js needs to be listed in the > appropriate jstests.list manifest. Did this ever happen?
Hi, Jason. It seems like js/src/tests/js1_8_1/regress/regress-509354.js still needs to be added to jstests.list.
$ python jstests.py -c Test files not contained in any manifest: js1_8_1/regress/regress-509354.js
jorendorff, still need to list this test in the manifest.
Group: core-security
Crash Signature: [@ DecompileDestructuringLHS]
A testcase for this bug was automatically identified at js/src/tests/js1_8_1/regress/regress-509354.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: