Closed Bug 590083 Opened 15 years ago Closed 15 years ago

JM: Crash [@ js_DeflateString]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file, 1 obsolete file)

L = ""
for (a = 0; a < 7; a++) {
  (eval("\
  (function() {\
    for each(var x in this) {\
      function x(){}\
      print(x)\
    }\
  })\
  "))()
}

crashes js opt shell on JM changeset e42b505b43f3 with -m but without -j at js_DeflateString

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0027d000
0x000f2bcf in js_DeflateString ()
(gdb) bt
#0  0x000f2bcf in js_DeflateString ()
#1  0x0000f1bf in JS_EncodeString ()
#2  0x00004c6f in Print ()
#3  0x001d5a07 in js::mjit::stubs::SlowCall ()
#4  0x002d7868 in ?? ()
#5  0x00189152 in js::mjit::JaegerShot ()
#6  0x0006fdb1 in js::Execute ()
#7  0x00014bb8 in JS_ExecuteScript ()
#8  0x0000564c in Process ()
#9  0x000093c7 in shell ()
#10 0x000098f8 in main ()
(gdb) x/i $eip
0xf2bcf <_Z16js_DeflateStringP9JSContextPKtm+591>:	movzwl (%ecx,%edx,2),%eax
(gdb) x/b $ecx
0x233860 <js_FunctionClass>:	0x56
(gdb) x/b $edx
0x24bd0 <_ZNK9JSContext12generatorForEP12JSStackFrame+80>:	0x8b
(gdb) x/b $eax
0x0:	Cannot access memory at address 0x0
eval("\
(function(){\
  for(var w in [0]) {\
    function w(){}\
    print(w)\
  }\
})\
")()

crashes both debug and opt shells on Ubuntu 10.04 at js_DeflateString.

Program received signal SIGSEGV, Segmentation fault.
0x0816e56b in js_DeflateString (cx=0x8397bc8, chars=0x8336400, nchars=8624839) at ../jsstr.cpp:3704
3704	../jsstr.cpp: No such file or directory.
	in ../jsstr.cpp
(gdb) bt
#0  0x0816e56b in js_DeflateString (cx=0x8397bc8, chars=0x8336400, nchars=8624839) at ../jsstr.cpp:3704
#1  0x08071e1f in JS_EncodeString (cx=0x8397bc8, str=0xf7502540) at ../jsapi.cpp:5241
#2  0x0804d805 in Print (cx=0x8397bc8, argc=1, vp=0xf77ac178) at ../../shell/js.cpp:1090
#3  0x08262936 in js::mjit::stubs::SlowCall (f=..., argc=1) at ../methodjit/InvokeHelpers.cpp:394
#4  0xf76a46f9 in ?? ()
#5  0x0821aaa4 in EnterMethodJIT (cx=0x8397bc8, fp=0xf77ac0a8, code=0xf76a405c, safePoint=0x0) at ../methodjit/MethodJIT.cpp:757
#6  0x0821ac0a in js::mjit::JaegerShot (cx=0x8397bc8) at ../methodjit/MethodJIT.cpp:785
#7  0x080dddff in js::RunScript (cx=0x8397bc8, script=0x839d2f8, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:465
#8  0x080ded75 in js::Execute (cx=0x8397bc8, chain=0xf7502000, script=0x839d2f8, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:945
#9  0x08070f46 in JS_ExecuteScript (cx=0x8397bc8, obj=0xf7502000, script=0x839d2f8, rval=0xffffd200) at ../jsapi.cpp:4762
#10 0x0804c42b in Process (cx=0x8397bc8, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:535
#11 0x0804cfbd in ProcessArgs (cx=0x8397bc8, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:862
#12 0x08055c2d in shell (cx=0x8397bc8, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5151
#13 0x08055d49 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5247
(gdb) x/i $eip
=> 0x816e56b <_Z16js_DeflateStringP9JSContextPKtj+316>:	movzwl (%eax),%eax
(gdb) x/b $eax
0x83bc000:	Cannot access memory at address 0x83bc000
This is related to, but not a duplicate of, bug 584603. The compiler doesn't know the DEFFUN aliases a local slot, and thus the variable is not tracked properly.
This will be security sensitive by the time JM lands, so we should fix. Three possibilities, I'm leaning toward #2 or #3 as a fast fallback.

1) Parser: Fix both bugs at once, by introducing the planned new binding for function statements.
2) Compiler: Spot-fix by peeking at the name in DEFFUN, and checking for intervening names on the scope chain.
3) Parser: Rewrite the DEFFUN to LAMBDA+SETLOCAL if we detect that it aliases a local variable in the parser.
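Added example, not code from this bug, its attached patch, or the SpiderMonkey tree: a regression-style check for the hazard the comments above describe, a block-level function statement that shares its name with a for-in loop variable (the DEFFUN aliasing a local slot). The reporter's first testcase uses the SpiderMonkey-only `for each` form, which no current engine accepts, so only the for-in shape is exercised. The function names, the `iterations` parameter and the `out` collector that stands in for `print()` are this example's own. Under current ECMAScript semantics the `w` read inside the block is the block-scoped function binding, so every iteration must observe `"function"`; an engine whose compiler loses track of the aliased local would hand something else (or, as in this bug, garbage) to the consumer.

```javascript
// Added example (not from bug 590083 or SpiderMonkey). Sloppy mode on purpose:
// that is what the reporter's testcases run in.

// One pass over the aliasing pattern. `w` inside the block must resolve to the
// block-level function binding on every iteration, so the expected result is
// ["function", "function", "function"]. In the buggy method JIT the read could
// come from an untracked local slot, which is what fed garbage to print().
function aliasedFunctionStatement() {
  var results = [];
  for (var w in [0, 1, 2]) {
    function w() {}          // same name as the loop variable `w`
    results.push(typeof w);  // expected: "function" on every iteration
  }
  return results;
}

// The shape the reporter used in the second testcase: the body goes through
// eval. `out` replaces print() so the observed values can be checked instead
// of printed. Expected result: ["function"].
function aliasedViaEval() {
  var out = [];
  var f = eval("(function(){ for (var w in [0]) { function w(){} out.push(typeof w) } })");
  f();
  return out;
}

// Run both shapes enough times for an engine to compile them in its JIT tiers
// and report whether `w` resolved to a function on every iteration. `iterations`
// is a parameter of this example, not anything from the bug.
function stressAliasedLookup(iterations) {
  var expected = JSON.stringify(["function", "function", "function"]);
  for (var i = 0; i < iterations; i++) {
    if (JSON.stringify(aliasedFunctionStatement()) !== expected) return false;
    if (JSON.stringify(aliasedViaEval()) !== '["function"]') return false;
  }
  return true;
}

console.log(stressAliasedLookup(5000)
  ? "ok: w resolved to a function on every iteration"
  : "FAIL: inconsistent resolution of w");
```

The iteration count only matters for engines that tier up hot code; the assertion itself is the same on the first pass as on the thousandth, which is what makes the pattern usable as a jit-test alongside the one this bug landed.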
Attached patch fix (obsolete) — Splinter Review
This needs a quick fix, so I'm taking approach #2
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #472671 - Flags: review?(dmandelin)
Attached patch fix (Splinter Review)
Attachment #472671 - Attachment is obsolete: true
Attachment #472677 - Flags: review?(dmandelin)
Attachment #472671 - Flags: review?(dmandelin)
Attachment #472677 - Flags: review?(dmandelin) → review+
Hrm, it's hard to tell from that, but it might.
Depends on: 595336
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_DeflateString]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug590083.js.
Flags: in-testsuite+