Closed Bug 619064 Opened 15 years ago Closed 15 years ago

Crash/Nullptr dereference: js::DefaultValue

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED INVALID

People

(Reporter: decoder, Unassigned)

Details

The following code crashes on tracemonkey trunk due to a null pointer dereference:

test();
function test() {
  ( function() {
    parent( "" + parent(function(){}) );
  } )();
  eval("foo");
}

Trace shows:

#0 0x0000000000000000 in ?? ()
#1 0x00000000004ea0bb in js::DefaultValue (cx=0xa881b0, obj=0x7ffff690d058, hint=JSTYPE_VOID, vp=0x7ffff6abf188) at jsobj.cpp:5822
#2 0x00000000006b991e in js::Interpret (cx=0xa881b0, entryFrame=0x7ffff6abf048, inlineCallCount=2, interpMode=JSINTERP_NORMAL) at jsinterp.cpp:3623
#3 0x00000000004c1a47 in js::RunScript (cx=0xa881b0, script=0xaa80e0, fp=0x7ffff6abf048) at jsinterp.cpp:657
#4 0x00000000004c2dc3 in js::Execute (cx=0xa881b0, chain=0x7ffff6903048, script=0xaa80e0, prev=0x0, flags=0, result=0x0) at jsinterp.cpp:1005
#5 0x000000000042cff5 in JS_ExecuteScript (cx=0xa881b0, obj=0x7ffff6903048, script=0xaa80e0, rval=0x0) at jsapi.cpp:4893
#6 0x0000000000405293 in Process (cx=0xa881b0, obj=0x7ffff6903048, filename=0x7fffffffdc1b "min.js", forceTTY=0) at js.cpp:453
#7 0x000000000040606c in ProcessArgs (cx=0xa881b0, obj=0x7ffff6903048, argv=0x7fffffffd8d0, argc=2) at js.cpp:870
#8 0x000000000040f458 in Shell (cx=0xa881b0, argc=2, argv=0x7fffffffd8d0, envp=0x7fffffffd8e8) at js.cpp:5377
#9 0x000000000040f61e in main (argc=2, argv=0x7fffffffd8d0, envp=0x7fffffffd8e8) at js.cpp:5485

I've seen quite a few bug reports related to crashes in this function, but none of them carried a trace or sample code. If this is related to any of them, maybe the sample here will help to find the problem.
The crash comes from calling the 'convert' member of js_CallClass, which is null. An engine invariant is that call objects don't escape into the wild (and thus have DefaultValue called on them). It seems that's happening here via the parent() shell-only function. So, my first guess is that this is invalid. I'm not sure if we want to make parent() "safe" by censoring call object parents or if it's unsafe for exactly the purpose of writing unit tests. Jason?
Yet another new shell function that I didn't see/know :) If it's not meant to be safely callable then I agree that it's invalid.
I don't remember why parent() is there, but yes, it's known to be very unsafe.
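The mechanism described in the comments above, as an added illustration that is not SpiderMonkey code: a class struct carries an optional 'convert' hook, an engine-internal class (like js_CallClass) leaves it null, and an unchecked dispatch through that hook jumps to address 0, which is exactly what frame #0 of the trace shows. The struct and function names here are constructed for the example; the checked variant shows the defensive form that turns a missing hook into a failed conversion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed miniature of a JSClass-style vtable with an optional hook. */
typedef enum { TYPE_VOID, TYPE_STRING, TYPE_NUMBER } ValueType;

typedef struct Object Object;
typedef bool (*ConvertOp)(Object *obj, ValueType hint, int *out);

typedef struct {
    const char *name;
    ConvertOp   convert;   /* may be NULL for engine-internal classes */
} Class;

struct Object {
    const Class *clasp;
    int          payload;
};

/* Ordinary objects supply a convert hook. */
static bool ordinary_convert(Object *obj, ValueType hint, int *out) {
    (void)hint;
    *out = obj->payload;
    return true;
}

static const Class ordinary_class = { "Object", ordinary_convert };
/* Call objects are never meant to reach DefaultValue, so no hook: like js_CallClass. */
static const Class call_class     = { "Call",   NULL };

/* Unchecked dispatch: with call_class this calls through a null pointer (PC = 0x0). */
static bool default_value_unchecked(Object *obj, ValueType hint, int *out) {
    return obj->clasp->convert(obj, hint, out);
}

/* Checked dispatch: a missing hook becomes a reported failure instead of a crash. */
static bool default_value_checked(Object *obj, ValueType hint, int *out) {
    if (obj->clasp->convert == NULL) {
        fprintf(stderr, "DefaultValue: class %s has no convert hook\n", obj->clasp->name);
        return false;
    }
    return obj->clasp->convert(obj, hint, out);
}

/* Probes over constructed objects: an ordinary object converts, a call object is refused. */
int probe_ordinary(void) {
    Object o = { &ordinary_class, 7 }; int v = -1;
    return default_value_unchecked(&o, TYPE_VOID, &v) && default_value_checked(&o, TYPE_VOID, &v) ? v : -1;
}
bool probe_call_object(void) {
    Object c = { &call_class, 0 }; int v = 0;
    return default_value_checked(&c, TYPE_VOID, &v);   /* false, no crash */
}
```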
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID