Bug 427191 (Closed) - Crash [@ js_ExpandErrorArguments]
Opened 17 years ago
Closed 17 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
People: Reporter: gkw, Assigned: igor
Keywords: crash, testcase
Whiteboard: [sg:critical?]
Attachments (2 files)
patch (deleted) | igor: review+ | beltzner: approval1.9+
text/plain (deleted)
I found this bug using jsfunfuzz.js, and Jesse Ruderman helped to reduce it as much as possible. It triggers a crash @ js_ExpandErrorArguments de-referencing a random memory address.
let (numDummies = 13100) {
for (let i = 0; i < numDummies; ++i)
this["z" + (i + 10000)] = 5;
}
let (p = []) {
p.__iterator__ = this;
try { for(let y in p); } catch(e) { eeee = e; }
try { for(let y in p); } catch(e) { eeee = e; }
try { for(let y in p); } catch(e) { eeee = e; }
try { for(let y in p); } catch(e) { eeee = e; }
}
Flags: blocking1.9?
Updated • 17 years ago
Whiteboard: [sg:critical?]
Updated (Assignee) • 17 years ago
Assignee: general → igor
Comment 1 • 17 years ago
We need to fix this, and there are other fuzzer bugs in line to be fixed in the next dot release. Wouldn't hold back 1.9 for this.
wanted1.9.0.x+
Flags: wanted1.9.0.x+
Flags: blocking1.9?
Flags: blocking1.9-
Comment 2 • 17 years ago
js_ValueToPrintable* is another dangerous API (sorry). Igor, can you get this landed if good, or fix it better and r? me? Thanks,
/be
Attachment #314447 - Flags: review?(igor)
Comment 3 (Assignee) • 17 years ago
Comment on attachment 314447 (proposed fix)
Even if js_ValueToPrintableSource would have less hazard-friendly signature, js_ReportIsNotFunction still would need an extra root to hold its result. So tvr is inevitable here.
Attachment #314447 - Flags: review?(igor) → review+
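The rooting hazard that comments 2 and 3 discuss, as an added example: this is not SpiderMonkey code and not the patch attached to this bug, but a toy mark-and-sweep heap with an explicit root stack that models the pattern the comments describe. js_ValueToPrintable* hands back a freshly allocated string that nothing roots, and an error formatter in the style of js_ExpandErrorArguments allocates while building the message, so a collection can run before the string is read. The names here (toy_alloc, push_root, pop_root, value_to_printable, expand_error_message, the GC_TRIGGER threshold) are this example's own assumptions; push_root/pop_root stand in for the temporary rooter ("tvr") that the fix adds around the call.

```c
/* Added example, not SpiderMonkey code: a toy precise GC with an explicit root stack,
 * used to show why an unrooted temporary must not be held across an allocating call. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SLOTS 16
#define MAX_ROOTS 8
#define GC_TRIGGER 4            /* assumption: collect once this many allocations happened since the last GC */

typedef struct Obj {
    int live;                   /* 1 while allocated, 0 once swept */
    int marked;
    char text[32];
} Obj;

static Obj heap[HEAP_SLOTS];
static int next_slot;           /* bump allocator: swept slots are not reused, so stale pointers stay visible */
static Obj *roots[MAX_ROOTS];   /* the explicit root stack (the role a temp rooter plays in the engine) */
static int nroots;
static int allocs_since_gc;

static void reset_heap(void) {
    memset(heap, 0, sizeof heap);
    next_slot = 0;
    nroots = 0;
    allocs_since_gc = 0;
}

/* Mark everything on the root stack, sweep and poison everything else. */
static void gc(void) {
    for (int i = 0; i < next_slot; i++) heap[i].marked = 0;
    for (int i = 0; i < nroots; i++) roots[i]->marked = 1;
    for (int i = 0; i < next_slot; i++) {
        if (heap[i].live && !heap[i].marked) {
            heap[i].live = 0;
            memset(heap[i].text, 'X', sizeof heap[i].text - 1);   /* poison so a stale read is obvious */
            heap[i].text[sizeof heap[i].text - 1] = '\0';
        }
    }
    allocs_since_gc = 0;
}

static Obj *toy_alloc(const char *s) {
    if (allocs_since_gc >= GC_TRIGGER) gc();
    assert(next_slot < HEAP_SLOTS);
    Obj *o = &heap[next_slot++];
    o->live = 1;
    o->marked = 0;
    snprintf(o->text, sizeof o->text, "%s", s);
    allocs_since_gc++;
    return o;
}

static void push_root(Obj *o) { assert(nroots < MAX_ROOTS); roots[nroots++] = o; }
static void pop_root(void)    { assert(nroots > 0); nroots--; }

/* Stand-in for js_ValueToPrintable*: returns a freshly allocated, unrooted string. */
static Obj *value_to_printable(const char *value_src) { return toy_alloc(value_src); }

/* Stand-in for an error formatter like js_ExpandErrorArguments: it allocates while
 * building the message, and those allocations can trigger a collection. */
static Obj *expand_error_message(Obj *printable) {
    char buf[64];
    for (int i = 0; i < GC_TRIGGER; i++) toy_alloc("scratch");   /* enough allocation to force a GC */
    snprintf(buf, sizeof buf, "%s is not a function", printable->text);
    return toy_alloc(buf);
}

/* Hazardous pattern: the unrooted string lives only in a C local across the allocating call.
 * Returns printable->live, i.e. 0 when the string was swept while still in use. */
static int report_not_function_unrooted(const char *value_src, char *out, size_t outlen) {
    reset_heap();
    Obj *printable = value_to_printable(value_src);
    Obj *msg = expand_error_message(printable);
    snprintf(out, outlen, "%s", msg->text);
    return printable->live;
}

/* Fixed pattern: root the temporary for the duration of the allocating call. */
static int report_not_function_rooted(const char *value_src, char *out, size_t outlen) {
    reset_heap();
    Obj *printable = value_to_printable(value_src);
    push_root(printable);
    Obj *msg = expand_error_message(printable);
    pop_root();
    snprintf(out, outlen, "%s", msg->text);
    return printable->live;
}

int main(void) {
    char out[64];
    int live = report_not_function_unrooted("obj", out, sizeof out);
    printf("unrooted: live=%d message=\"%s\"\n", live, out);
    live = report_not_function_rooted("obj", out, sizeof out);
    printf("rooted:   live=%d message=\"%s\"\n", live, out);
    return 0;
}
```

The unrooted path formats the poisoned cell into the message, which is the benign version of the random-address dereference in the crash signature; the rooted path is the shape of the fix. The point Igor makes in comment 3 is visible here too: changing value_to_printable's signature would not help, because the caller still has to keep the result alive across expand_error_message.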
Updated • 17 years ago
Attachment #314447 - Flags: approval1.9?
Comment 4 • 17 years ago
Comment on attachment 314447 (proposed fix)
a1.9=beltzner
Attachment #314447 - Flags: approval1.9? → approval1.9+
Comment 5 • 17 years ago
Fixed:
js/src/jsfun.c 3.276
/be
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 6 (Reporter) • 17 years ago
Verified, no longer crashes in latest trunk opt js shell.
Status: RESOLVED → VERIFIED
Comment 7 • 17 years ago
I can't reproduce the original crash with this testcase. Can someone who could, please check and see if this testcase also reproduces the original crash?
Comment 8 (Assignee) • 17 years ago
Nominating for 1.8.1 blocking as the bug may exist there and requires at least an investigation.
Flags: blocking1.8.1.15?
Comment 9 • 17 years ago
Gary, can you help Bob out here?
Comment 10 (Reporter) • 17 years ago
I don't believe I have any builds of js shells anymore prior to 4th April 2008.
Comment 11 • 17 years ago
It is hard for 1.8.1.15 triage to approve this if it cannot be reproduced in Branch.
Comment 12 (Reporter) • 17 years ago
Oh, you mean for 1.8.1.15, ok I'll get to it soon...
Comment 13 (Reporter) • 17 years ago
The first set of commands doesn't work for 1.8.1.15, but works fine for the trunk js shell:
===
gary-kwongs-mac-mini:lithium gk$ ./js-intelmac
js> let (numDummies = 13100) {
for (let i = 0; i < numDummies; ++i)
this["z" + (i + 10000)] = 5;
}
5
js>
gary-kwongs-mac-mini:lithium gk$ ./js-moz18branch-intelmac
js> let (numDummies = 13100) {
typein:1: SyntaxError: missing ; before statement:
typein:1: let (numDummies = 13100) {
typein:1: .........................^
js> for (let i = 0; i < numDummies; ++i)
typein:2: SyntaxError: missing ; after for-loop initializer:
typein:2: for (let i = 0; i < numDummies; ++i)
typein:2: ...........^
js> this["z" + (i + 10000)] = 5;
typein:3: ReferenceError: i is not defined
js> }
typein:4: SyntaxError: syntax error:
typein:4: }
typein:4: ^
js>
gary-kwongs-mac-mini:lithium gk$
===
Igor, is there any tweak I should make for 1.8.1.15 in order for the error not to show up?
Comment 14 • 17 years ago
To test this on branch, you need to run
./js -v 170
or type "version(170);" into the prompt before pasting the script. This is because branch defaults to treating |let| as an identifier rather than a keyword.
Comment 15 (Reporter) • 17 years ago
The commands work as expected and do not crash on the latest branch js shell. (Thanks Jesse for the hint)
Updated (Reporter) • 17 years ago
Flags: blocking1.8.1.15?
Updated • 16 years ago
Flags: in-testsuite+
Flags: in-litmus-
Comment 16 • 16 years ago
Can we open this bug up then? Fixed on the 1.8 branch somehow?
Flags: wanted1.9.0.x+
Comment 17 (Reporter) • 16 years ago
(In reply to comment #16)
> Can we open this bug up then? Fixed on the 1.8 branch somehow?
I just re-confirmed that the bug has somehow been fixed on the 1.8 branch. With "-v 170" on the commandline, the 1.8.1.x shell doesn't crash with the testcase anymore, and works as expected.
Comment 18 • 15 years ago
When this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Updated • 14 years ago
Crash Signature: [@ js_ExpandErrorArguments]
Updated • 10 years ago
Group: core-security