Closed Bug 531746 Opened 15 years ago Closed 15 years ago

Crash [@ strlen]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: igor)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos null-deref][ccbr])

Crash Data

for (let a = 0; a < 1; a++) {
  x = a
};
(function() {
  {
    (d++).o(d = x)
    let d = 0
  }
})()


Crashes js opt and debug shell without -j on TM tip at strlen at null.

Manual bisect shows this is probably related to bug 424558.

===

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib             	0x93dc1a90 strlen + 16
1   js-opt-32-tm-darwin           	0x000a14c7 cvt_s(SprintfStateStr*, char const*, int, int, int) + 55
2   js-opt-32-tm-darwin           	0x000a2478 dosprintf(SprintfStateStr*, char const*, char*) + 3608
3   js-opt-32-tm-darwin           	0x000a2844 JS_vsmprintf + 68
4   js-opt-32-tm-darwin           	0x00079b47 Sprint(Sprinter*, char const*, ...) + 39
5   js-opt-32-tm-darwin           	0x0007e865 Decompile(SprintStack*, unsigned char*, int, JSOp) + 15285
6   js-opt-32-tm-darwin           	0x00089797 DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) + 759
7   js-opt-32-tm-darwin           	0x0008994b DecompileExpression(JSContext*, JSScript*, JSFunction*, unsigned char*) + 411
8   js-opt-32-tm-darwin           	0x00089de9 js_DecompileValueGenerator + 745
9   js-opt-32-tm-darwin           	0x00020225 js_ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, long, JSString*, char const*, char const*) + 53
10  js-opt-32-tm-darwin           	0x00046b93 js_ReportIsNotFunction + 243
11  js-opt-32-tm-darwin           	0x0005f0ec js_Invoke + 1228
12  js-opt-32-tm-darwin           	0x0004f4b1 js_Interpret + 2673
13  js-opt-32-tm-darwin           	0x0005e90c js_Execute + 444
14  js-opt-32-tm-darwin           	0x0000df1c JS_ExecuteScript + 60
15  js-opt-32-tm-darwin           	0x00004c48 Process(JSContext*, JSObject*, char*, int) + 1336
16  js-opt-32-tm-darwin           	0x00008cc6 main + 1734
17  js-opt-32-tm-darwin           	0x00002bed _start + 208
18  js-opt-32-tm-darwin           	0x00002b1c start + 40
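The frames above show the null dereference sitting in the engine's own sprintf: js_ReportIsNotFunction asks the decompiler for a printable name, the %s conversion (cvt_s) calls strlen on whatever it gets, and a NULL argument faults at address 0. The C below is an added illustration, not code from the Mozilla tree: decompile_name, format_name_unsafe, format_name_safe and report_is_not_function are assumed names, and the "(null)" placeholder is an assumed choice. It reproduces the shape of the failure and shows the guard that turns the crash into a harmless message.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not Mozilla code). All names below are assumed. */

/* Stand-in for a decompiler that can fail: returns NULL instead of a
 * string when it has nothing to print (here, for any empty input). */
static const char *decompile_name(const char *expr)
{
    if (expr == NULL || expr[0] == '\0')
        return NULL;            /* failure path: the caller must cope with NULL */
    return expr;
}

/* Unsafe shape, matching the trace: the %s conversion measures the string
 * with strlen() and never checks for NULL. strlen(NULL) dereferences
 * address 0, which is the KERN_PROTECTION_FAILURE at 0x0 reported above. */
static int format_name_unsafe(char *out, size_t cap, const char *name)
{
    size_t n = strlen(name);    /* faults when name == NULL */
    return snprintf(out, cap, "%.*s is not a function", (int)n, name);
}

/* Hardened shape: substitute a placeholder before any length computation,
 * so a decompiler failure degrades to a slightly uglier message. */
static int format_name_safe(char *out, size_t cap, const char *name)
{
    if (name == NULL)
        name = "(null)";        /* assumed placeholder text */
    return snprintf(out, cap, "%s is not a function", name);
}

/* Builds the error text for an expression via the hardened path.
 * Returns the message length, or -1 if it did not fit in cap bytes. */
static int report_is_not_function(char *out, size_t cap, const char *expr)
{
    int n = format_name_safe(out, cap, decompile_name(expr));
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char buf[64];

    /* The unsafe formatter is fine as long as the decompiler succeeds. */
    format_name_unsafe(buf, sizeof buf, "(d++).o");
    puts(buf);

    /* The hardened path survives the decompiler returning NULL. */
    report_is_not_function(buf, sizeof buf, "(d++).o");
    puts(buf);
    report_is_not_function(buf, sizeof buf, "");
    puts(buf);
    return 0;
}
```

The defensive point is where the check lives: a NULL coming out of a helper that usually returns a string should be caught at the formatting boundary, not relied upon to be handled by every %s consumer downstream.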
Security-sensitive because possibly-related bug 424558 is locked too.
Group: core-security
Assignee: general → igor
A reduced test case for the bug is:

{
    let d = 0;
    (d++).o();
}
Igor backed out:

http://hg.mozilla.org/tracemonkey/rev/e101dddbc432

/be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [ccbr] → [sg:dos null-deref][ccbr]
Group: core-security
Crash Signature: [@ strlen]