Closed Bug 577155 Opened 14 years ago Closed 14 years ago

FV: Crash [@ IteratorMore] or [@ js::Interpret] with evalcx

Categories: (Core :: JavaScript Engine, defect)
Platform: x86, macOS
Type: defect
Priority: Not set
Severity: critical

Tracking: () RESOLVED FIXED

People: (Reporter: gkw, Unassigned)

Details: (Keywords: crash, regression, testcase, Whiteboard: [ccbr])


for (b in evalcx('')) {
  w
}

crashes js debug and opt shells on fatval tip without -j at IteratorMore and js::Interpret respectively.

(Seems to be a null crash)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000008
0x0008a1ff in IteratorMore (cx=0x809400, iterobj=0x601d58, cond=0xbfffebd7, rval=0x1000108) at ../jsinterp.cpp:2015
2015            *cond = (ni->props_cursor < ni->props_end);
(gdb) bt
#0  0x0008a1ff in IteratorMore (cx=0x809400, iterobj=0x601d58, cond=0xbfffebd7, rval=0x1000108) at ../jsinterp.cpp:2015
#1  0x00090abc in js::Interpret (cx=0x809400) at ../jsinterp.cpp:2896
#2  0x000b3baf in js::Execute (cx=0x809400, chain=0x601000, script=0x40d4e0, down=0x0, flags=0, result=0xbffff580) at jsinterp.cpp:882
#3  0x00017035 in JS_ExecuteScript (cx=0x809400, obj=0x601000, script=0x40d4e0, rval=0xbffff580) at ../jsapi.cpp:4638
#4  0x0000bf12 in Process (cx=0x809400, obj=0x601000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:532
#5  0x0000c8e9 in ProcessArgs (cx=0x809400, obj=0x601000, argv=0xbffff750, argc=0) at ../../shell/js.cpp:853
#6  0x0000ca02 in shell (cx=0x809400, argc=0, argv=0xbffff750, envp=0xbffff754) at ../../shell/js.cpp:5029
#7  0x0000cb26 in main (argc=0, argv=0xbffff750, envp=0xbffff754) at ../../shell/js.cpp:5116
(gdb) x/i $eip
0x8a1ff <_ZL12IteratorMoreP9JSContextP8JSObjectPbPN2js5ValueE+69>:      mov    0x8(%eax),%edx
(gdb) x/b $eax
0x0:    Cannot access memory at address 0x0
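
A triage check over the gdb lines in the report above, as an added example that is not part of the original bug or of the SpiderMonkey code: it recovers the base register value from the fault address and the faulting instruction's displacement, which is how the "null crash" reading can be confirmed mechanically. The `triage` function, the `NULL_PAGE` threshold and the assumption that the first page is unmapped are assumptions of this example.

```python
import re

# gdb lines copied from the report above (fault reason, faulting instruction, $eax dump).
GDB_SESSION = """\
Reason: KERN_PROTECTION_FAILURE at address: 0x00000008
0x8a1ff <_ZL12IteratorMoreP9JSContextP8JSObjectPbPN2js5ValueE+69>:      mov    0x8(%eax),%edx
(gdb) x/b $eax
0x0:    Cannot access memory at address 0x0
"""

NULL_PAGE = 0x1000  # assumption: nothing is mapped in the first page

MEM_OPERAND = re.compile(r"^(-?0x[0-9a-fA-F]+)?\(%(\w+)\)$")  # disp(%base) only


def triage(session):
    """Classify a gdb crash excerpt: which access faulted, and was the base NULL?"""
    fault = re.search(r"at address: (0x[0-9a-fA-F]+)", session)
    insn = re.search(r">:\s+(\w+)\s+(\S+),(\S+)", session)
    if not fault or not insn:
        raise ValueError("fault address or faulting instruction not found")
    fault_addr = int(fault.group(1), 16)
    _, src, dst = insn.groups()
    # AT&T syntax: a memory operand on the left is read, on the right is written.
    src_mem, dst_mem = MEM_OPERAND.match(src), MEM_OPERAND.match(dst)
    mem = src_mem or dst_mem
    if mem is None:
        raise ValueError("no simple disp(%base) memory operand")
    offset = int(mem.group(1) or "0", 16)
    base_reg = mem.group(2)
    base_val = fault_addr - offset  # base + offset must equal the fault address
    # Cross-check against a register dump, if the session has one for this register.
    dump = re.search(r"x/b \$(\w+)\n(0x[0-9a-fA-F]+):", session)
    confirmed = bool(dump and dump.group(1) == base_reg
                     and int(dump.group(2), 16) == base_val)
    return {
        "access": "read" if src_mem else "write",
        "base_reg": base_reg,
        "base_val": base_val,
        "offset": offset,
        "near_null": base_val == 0 and 0 <= fault_addr < NULL_PAGE,
        "confirmed": confirmed,
    }


if __name__ == "__main__":
    print(triage(GDB_SESSION))
```

For this report the result is a read at offset 8 from a NULL `%eax`, which matches the `x/b $eax` output in the session.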
Awesome reduced test case, thanks!
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ IteratorMore] [@ js::Interpret]