Closed Bug 583615 Opened 14 years ago Closed 14 years ago

Crash [@ JSString::length] or [@ ParseXMLSource] with e4x

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- wanted
status1.9.1 --- wanted

People

(Reporter: gkw, Assigned: dmandelin)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr], [sg:dos][critsmash:investigating], [fixed-in-tracemonkey])

Crash Data

Attachments

(1 file)

try {
    x = <x><y/></x>
    x += /x /
} catch (e) {}
for each(a in [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) {
    x += x;
}
default xml namespace = x;
<x></x>


crashes js opt shell on TM tip without -j at ParseXMLSource and crashes js debug shell on TM tip without -j at JSString::length.

Testcase has to be passed in as a CLI argument.

s-s because while this seems to be a null dereference, it's best to be safe.

===

Debug js console output:

Program received signal SIGSEGV, Segmentation fault.
0x08055b5c in JSString::length (this=0x0) at ../../jsstr.h:235
235	        return mLengthAndFlags >> FLAGS_LENGTH_SHIFT;
(gdb) bt
#0  0x08055b5c in JSString::length (this=0x0) at ../../jsstr.h:235
#1  0x0818deb5 in ParseXMLSource (cx=0x82d5c10, src=0xf7504c20) at ../jsxml.cpp:1687
#2  0x0818e6dd in ToXML (cx=0x82d5c10, v=...) at ../jsxml.cpp:1839
#3  0x0819f892 in js_ValueToXMLObject (cx=0x82d5c10, v=...) at ../jsxml.cpp:7726
#4  0x082358a4 in js::Interpret (cx=0x82d5c10) at ../jsinterp.cpp:6570
#5  0x080d8f30 in js::Execute (cx=0x82d5c10, chain=0xf7502000, script=0x82dcf28, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:907
#6  0x0806f764 in JS_ExecuteScript (cx=0x82d5c10, obj=0xf7502000, script=0x82dcf28, rval=0x0) at ../jsapi.cpp:4736
#7  0x0804beb5 in Process (cx=0x82d5c10, obj=0xf7502000, filename=0xffffd5c1 "../crashParseXMLSource.js", forceTTY=0) at ../../shell/js.cpp:440
#8  0x0804cd71 in ProcessArgs (cx=0x82d5c10, obj=0xf7502000, argv=0xffffd3f8, argc=1) at ../../shell/js.cpp:854
#9  0x08055304 in shell (cx=0x82d5c10, argc=1, argv=0xffffd3f8, envp=0xffffd400) at ../../shell/js.cpp:4957
#10 0x08055420 in main (argc=1, argv=0xffffd3f8, envp=0xffffd400) at ../../shell/js.cpp:5044
(gdb) x/i $eip
=> 0x8055b5c <_ZNK8JSString6lengthEv+6>:	mov    (%eax),%eax
(gdb) x/b $eax
0x0:	Cannot access memory at address 0x0
blocking2.0: --- → ?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   27222:9e0f6160ef35
user:        David Mandelin
date:        Thu Apr 16 15:00:13 2009 -0700
summary:     Bug 487546: call expensive JSString finalizers only if needed, r=brendan
Blocks: 487546
Assignee: general → dmandelin
blocking2.0: ? → final+
Whiteboard: [ccbr] → [ccbr], [sg:critical]
Whiteboard: [ccbr], [sg:critical] → [ccbr], [sg:critical][critsmash:investigating]
Attached patch PatchSplinter Review
Not sure why this is sg:crit, given that it's just an OOM-caused NPE. But at least it is easy to fix.
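The failure mode comment 2 describes, an OOM-caused null dereference, is easy to reproduce in miniature. The following C is an added illustration, not code from this bug, its patch, or SpiderMonkey: `jsstr_t`, the 64 MiB allocation cap, and every function name here are assumptions of the example, and the real JSString layout and ParseXMLSource are not reproduced. It mirrors the testcase's shape (start from `<x><y/></x>`, double the string once per loop iteration) with an allocator that returns NULL once a string outgrows a constructed cap, then shows the unchecked read of `length` that matches `JSString::length (this=0x0)` in the backtrace beside the checked form that reports the failure instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for JSString (not SpiderMonkey's real layout):
 * a length and a heap buffer of chars. */
typedef struct {
    size_t length;
    char  *chars;
} jsstr_t;

/* Constructed allocation cap so the "OOM" is reproducible offline: any
 * single string larger than this fails to allocate, as real OOM would. */
static const size_t g_alloc_cap = (size_t)64 << 20;   /* 64 MiB */

/* Returns NULL on allocation failure; every caller must check for that. */
static jsstr_t *jsstr_alloc(size_t len)
{
    if (len > g_alloc_cap) return NULL;                /* simulated OOM */
    jsstr_t *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->chars = malloc(len ? len : 1);
    if (!s->chars) { free(s); return NULL; }
    s->length = len;
    return s;
}

static jsstr_t *jsstr_from_cstr(const char *z)
{
    size_t n = strlen(z);
    jsstr_t *s = jsstr_alloc(n);
    if (s) memcpy(s->chars, z, n);
    return s;
}

static void jsstr_free(jsstr_t *s)
{
    if (!s) return;
    free(s->chars);
    free(s);
}

/* a + b, or NULL on length overflow or OOM. */
static jsstr_t *jsstr_concat(const jsstr_t *a, const jsstr_t *b)
{
    if (a->length > SIZE_MAX - b->length) return NULL;
    jsstr_t *r = jsstr_alloc(a->length + b->length);
    if (!r) return NULL;
    memcpy(r->chars, a->chars, a->length);
    memcpy(r->chars + a->length, b->chars, b->length);
    return r;
}

/* Mirrors the testcase's loop: start from "<x><y/></x>" (11 chars) and run
 * `x += x` `rounds` times. Length is 11 * 2^rounds, so it exceeds the cap
 * from round 23 on and the concat returns NULL. */
static jsstr_t *grow_like_testcase(unsigned rounds)
{
    jsstr_t *x = jsstr_from_cstr("<x><y/></x>");
    for (unsigned i = 0; x && i < rounds; i++) {
        jsstr_t *next = jsstr_concat(x, x);   /* NULL once the cap is hit */
        jsstr_free(x);
        x = next;
    }
    return x;   /* NULL means the last allocation failed */
}

/* Buggy shape: reads src->length without checking src, the same kind of
 * dereference as JSString::length(this=0x0) in the backtrace. With a NULL
 * src this segfaults like the reported crash. */
static size_t parse_xml_source_unchecked(const jsstr_t *src)
{
    return src->length;
}

/* Fixed shape: a NULL string means allocation already failed, so return an
 * error (the engine would report OOM on the context) instead of reading it. */
static int parse_xml_source_checked(const jsstr_t *src, size_t *out_len)
{
    if (!src) return -1;
    *out_len = src->length;
    return 0;
}

/* Whole path: grow the string, then "parse" it.
 * Returns the parsed length, or -1 when the conversion hit OOM. */
static long long to_xml_length(unsigned rounds)
{
    jsstr_t *x = grow_like_testcase(rounds);
    size_t n = 0;
    int rc = parse_xml_source_checked(x, &n);
    jsstr_free(x);
    return rc == 0 ? (long long)n : -1;
}

int main(void)
{
    jsstr_t *small = jsstr_from_cstr("<x/>");
    if (small) printf("unchecked read on a live string: %zu\n",
                      parse_xml_source_unchecked(small));
    jsstr_free(small);
    for (unsigned rounds = 20; rounds <= 23; rounds++)
        printf("rounds=%u -> %lld\n", rounds, to_xml_length(rounds));
    return 0;
}
```

Under the example's cap, 22 doublings still succeed (11 * 2^22 = 46137344 bytes) and the 23rd fails; `to_xml_length(23)` returns -1 rather than crashing, which is the whole content of the fix: the allocation failure already exists, the bug is only that the consumer of the string assumed it could not.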
Attachment #462616 - Flags: review?(jwalden+bmo)
Attachment #462616 - Flags: review?(jwalden+bmo) → review+
http://hg.mozilla.org/tracemonkey/rev/4bea4e06aa3f
Whiteboard: [ccbr], [sg:critical][critsmash:investigating] → [ccbr], [sg:critical][critsmash:investigating], [fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/4bea4e06aa3f pushed at the auspicious looking Fri Aug 13 13:13:33.  Also downgrading to sg:dos per dmandelin's comment 2.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [ccbr], [sg:critical][critsmash:investigating], [fixed-in-tracemonkey] → [ccbr], [sg:dos][critsmash:investigating], [fixed-in-tracemonkey]
Affects the 1.9.1/1.9.2 branches if we want to take this patch.
Group: core-security
Crash Signature: [@ JSString::length] [@ ParseXMLSource]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug583615.js.
Flags: in-testsuite+
Setting in-testsuite- because this test is in the testsuite but marked as slow test (which means it won't run automatically). I verified manually that the tests pass, so marking this VERIFIED.
Status: RESOLVED → VERIFIED
Crash Signature: [@ JSString::length] [@ ParseXMLSource] → [@ JSString::length] [@ ParseXMLSource]
Flags: in-testsuite+ → in-testsuite-
