Closed Bug 522123 Opened 15 years ago Closed 15 years ago

Indirect eval befuddles scopeChain

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
normal


RESOLVED FIXED

People

(Reporter: jimb, Assigned: jimb)

Details

(Keywords: testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

obj_eval doesn't succeed in using the global object for indirect eval calls:

    $ obj~/js
    js> evil=eval
    function eval() {[native code]}
    js> let (x=1) { print (evil("x")); }
    1
    js>

The underlying problem is that, while the 'if indirectCall' code does swap out the frame's scopeChain, if there are lexical blocks on caller->blockChain, the subsequent call to js_GetScopeChain re-clones them, uses them for the compile and execute, and then drops them when it restores the frame's original scopeChain. These double clones never get their variables copied out of their stack frames when the frames are popped, so you can get functions that have closed over blocks pointing to popped frames:

    $ cat ~/mc/b/strict/eval-scope-2.js
    evil=eval;
    var f, g;
    let (x=1) {
      evil("f=function () { return x; };");
      x++;
    };
    print(f());
    $ obj~/js ~/mc/b/strict/eval-scope-2.js
    function print() { [native code] }
    $

I think I have a patch for this.
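The invariant the report above describes is that an indirect call to eval evaluates its argument in the global scope, so it must not see, or close over, block-scoped bindings of the calling frame. The following is an added example, not code from the bug report or from SpiderMonkey; it uses standard ES block scoping (`let` inside a function body rather than the old `let (x=1) {...}` block form in the testcase) and runs in any current engine, showing the expected behaviour that the buggy engine violated. The names `indirectEval`, `probe`, `closureViaIndirectEval` and the global `x`/`f` are the example's own.

```javascript
// Added example (not from bug 522123): expected scoping of direct vs indirect eval.
// Calling eval through an alias makes it an indirect eval, which per ES5+ runs its
// argument in the global scope, ignoring the caller's lexical environment.
const indirectEval = eval;

// Global binding that indirect eval is supposed to resolve 'x' to.
globalThis.x = "global";

// Direct eval sees the block-scoped shadow; indirect eval must see only the global.
function probe() {
  let x = "block"; // shadows globalThis.x inside this frame only
  return {
    direct: eval("x"),           // "block": caller's lexical scope is visible
    indirect: indirectEval("x"), // "global": caller's lexical scope is not visible
  };
}

// Mirrors the reporter's eval-scope-2.js testcase: a function created by indirect
// eval closes over the global x, not the block's x. In the buggy engine it closed
// over a cloned block belonging to an already-popped frame instead.
function closureViaIndirectEval() {
  let x = 1;
  indirectEval("globalThis.f = function () { return x; };");
  x++;                // mutating the block binding must not affect f
  return globalThis.f(); // "global": f resolved x in the global scope
}
```

Running `probe()` and `closureViaIndirectEval()` in a correct engine gives `{ direct: "block", indirect: "global" }` and `"global"` respectively; any result that reflects the block's `x` (or garbage) means the engine leaked the caller's lexical blocks into the indirect eval, which is exactly the scopeChain confusion this bug reports.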
(In reply to comment #0)
> caller->blockChain

fp->blockChain, that should be.
Flags: wanted1.9.2?
I may not have made it clear from the description, but you can end up with references to freed memory using this bug, or pointers into the stack.
Group: core-security
Attachment #406488 - Flags: review?(mrbkap)
Comment on attachment 406301 [details] [diff] [review]
Don't reify lazy scope chain blocks twice in 'eval'.

Thanks for catching this.
Attachment #406301 - Flags: review?(mrbkap) → review+
Attachment #406488 - Flags: review?(mrbkap) → review+
Whiteboard: fixed-in-tracemonkey
(In reply to comment #6)
> http://hg.mozilla.org/tracemonkey/rev/64094cb2f8b2

This seems to have fixed the assertions in bug 521163 and bug 521279. There are testcases in these 2 bugs.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: wanted1.9.2?
Group: core-security