Closed Bug 568466 Opened 14 years ago Closed 14 years ago

TM: fix too-late NULL check in NewXMLQName()

Categories: Core :: JavaScript Engine, defect
Platform: x86, macOS
Priority: Not set
Severity: critical
Status: RESOLVED FIXED

People: Reporter: gkw, Assigned: n.nethercote

Keywords: crash, regression, testcase; Whiteboard: fixed-in-tracemonkey

Attachments (2 files)

Attached file testcase
The attached testcase crashes 64-bit js debug shell on Mac 10.6.3 on TM tip with -j at JSObject::getClass.

Seems to be a null dereference, locking s-s just-in-case.

Console output:
======

/x/
2interesting/w4313-cj-in.js:21: out of memory

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000008
0x000000010007c950 in JSObject::getClass ()
(gdb) bt
#0  0x000000010007c950 in JSObject::getClass ()
#1  0x000000010016c4c9 in JSObject::isQName ()
#2  0x0000000100158953 in NewXMLQName ()
#3  0x00000001001652f3 in DeepCopyInLRS ()
#4  0x000000010016511c in DeepCopySetInLRS ()
#5  0x000000010016536f in DeepCopyInLRS ()
#6  0x000000010016511c in DeepCopySetInLRS ()
#7  0x000000010016536f in DeepCopyInLRS ()
#8  0x000000010016511c in DeepCopySetInLRS ()
#9  0x000000010016536f in DeepCopyInLRS ()
#10 0x000000010016511c in DeepCopySetInLRS ()
#11 0x000000010016536f in DeepCopyInLRS ()
#12 0x000000010016511c in DeepCopySetInLRS ()
#13 0x000000010016536f in DeepCopyInLRS ()
#14 0x000000010016511c in DeepCopySetInLRS ()
#15 0x000000010016536f in DeepCopyInLRS ()
#16 0x000000010016511c in DeepCopySetInLRS ()
#17 0x000000010016536f in DeepCopyInLRS ()
#18 0x000000010016511c in DeepCopySetInLRS ()
#19 0x000000010016536f in DeepCopyInLRS ()
#20 0x000000010016511c in DeepCopySetInLRS ()
#21 0x000000010016536f in DeepCopyInLRS ()
#22 0x000000010016511c in DeepCopySetInLRS ()
#23 0x000000010016536f in DeepCopyInLRS ()
#24 0x000000010016a8b8 in PutProperty ()
#25 0x000000010016b6dc in xml_setProperty ()
#26 0x000000010002497a in JSObject::setProperty ()
#27 0x0000000100099012 in js_Interpret ()
#28 0x00000001000ad80a in js_Execute ()
#29 0x0000000100011b33 in JS_ExecuteScript ()
#30 0x00000001000098e4 in Process ()
#31 0x000000010000a529 in ProcessArgs ()
#32 0x000000010000a6a4 in main ()
(gdb) x/i $rip
0x10007c950 <_ZNK8JSObject8getClassEv+12>:      mov    0x8(%rax),%rax
(gdb) x/b $rax
0x0:    Cannot access memory at address 0x0
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   41884:744611b4f3d9
user:        Nicholas Nethercote
date:        Wed May 12 18:57:36 2010 -0700
summary:     Bug 560167 - encapsulate XML-related JSSLOT_* values within JSObject (attempt 2;  attempt 1 was backed out due to conflicts).  r=brendan.
Blocks: 560167
blocking2.0: --- → ?
blocking2.0: ? → final+
Attached patch: patch
I can't reproduce, but the attached bug is very likely to fix the problem -- it moves the NULL check earlier.  Gary, can you check?

The crash is happening in an assertion so I don't think it counts as s-s because it cannot manifest in a release build.
Assignee: general → nnethercote
Status: NEW → ASSIGNED
Attachment #450269 - Flags: review?(gal)
Attachment #450269 - Flags: review?(gal) → review+
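The ordering bug described in the comment above (a debug-build check that dereferences an object before the allocation failure is tested for) is easy to reproduce in miniature. The following is an added example and is not SpiderMonkey's code: `Obj`, `new_obj`, `is_qname`, `DEBUG_CHECK` and the `g_simulate_oom` switch are all hypothetical stand-ins. It shows the late-check and early-check orderings side by side and uses a forked child to confirm that only the late-check version dies when the allocator returns NULL.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical object type; a stand-in for the real engine object, not JSObject. */
typedef struct Obj {
    int is_qname;
    const char *name;
} Obj;

/* Constructed OOM switch: when set, the "allocator" fails exactly like a real one
 * under memory pressure, returning NULL instead of an object. */
static volatile int g_simulate_oom = 0;

static Obj *new_obj(const char *name) {
    if (g_simulate_oom)
        return NULL;
    Obj *o = calloc(1, sizeof *o);
    if (o) {
        o->is_qname = 1;
        o->name = name;
    }
    return o;
}

/* Stand-in for a debug-build assertion (always compiled in here so the example
 * behaves the same regardless of NDEBUG). */
#define DEBUG_CHECK(cond) do { if (!(cond)) abort(); } while (0)

/* Accessor that reads through the pointer unconditionally, like the
 * getClass()/isQName() pair in the backtrace. Kept out of line so the load
 * is not optimised away. */
#ifdef __GNUC__
__attribute__((noinline))
#endif
static int is_qname(const Obj *o) {
    return o->is_qname;
}

/* Buggy ordering: the check runs before the NULL test, so an OOM result is
 * dereferenced before the function ever gets to return NULL. */
static Obj *new_qname_late_check(const char *name) {
    Obj *o = new_obj(name);
    DEBUG_CHECK(is_qname(o));   /* dereferences o even when o == NULL */
    if (!o)
        return NULL;            /* too late to matter */
    return o;
}

/* Fixed ordering: allocation failure is a normal outcome and is handled
 * before any use of the pointer; the debug check only sees live objects. */
static Obj *new_qname_early_check(const char *name) {
    Obj *o = new_obj(name);
    if (!o)
        return NULL;
    DEBUG_CHECK(is_qname(o));
    return o;
}

/* Run fn under simulated OOM in a forked child so a crash cannot take the
 * parent down. Returns 1 if the child died or exited non-zero, 0 if it
 * survived, -1 on harness failure. */
static int child_failed(Obj *(*fn)(const char *)) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        g_simulate_oom = 1;
        Obj *o = fn("q");
        free(o);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 1;
    return WEXITSTATUS(status) != 0;
}
```

Under a normal allocation both orderings return the same object; the difference only shows up on the failure path, which is why a fuzzer that drives the shell to "out of memory" (as the console output above does) is what surfaces it. In a release build with the assertion compiled out, the late-check version also happens to behave correctly, matching the observation in the comment that the crash does not manifest there.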
Nice catch, Nick. Dropping the ss flags. We don't have to block on this.
Group: core-security
blocking2.0: final+ → ---
Whiteboard: [ccbr][sg:dos]
Summary: TM: (64-bit) Crash [@ JSObject::getClass] → TM: avoid premature NULL check in NewXMLQName()
http://hg.mozilla.org/tracemonkey/rev/aafbaa9daac4
Whiteboard: fixed-in-tracemonkey
Summary: TM: avoid premature NULL check in NewXMLQName() → TM: fix too-late NULL check in NewXMLQName()
http://hg.mozilla.org/mozilla-central/rev/aafbaa9daac4
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
