Bug 311512 - Null pointer dereference
Summary: Null pointer dereference
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: kjs (show other bugs)
Version: 4.9.80
Platform: Debian unstable Linux
: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords: testcase
Depends on:
Blocks:
 
Reported: 2012-12-11 13:10 UTC by Tim Brown
Modified: 2013-04-27 18:36 UTC (History)
0 users

See Also:
Latest Commit: http://commits.kde.org/kdelibs/137c4d58664657bc9e11068dc1a0ff739f06b121
Version Fixed In: 4.11
Sentry Crash Report:

Attachments
Test case (276 bytes, text/html)
2012-12-15 11:35 UTC, Tommi Tervo 		Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Brown 2012-12-11 13:10:40 UTC 
Konqueror suffers a SIGSEGV due to a null pointer dereference:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe2f33c6f in KJS::ExecState::lexicalInterpreter() const () from /usr/lib/libkjs.so.4
(gdb) x/1i $pc
=> 0x7fffe2f33c6f <_ZNK3KJS9ExecState18lexicalInterpreterEv+63>:        mov    0x28(%rax),%rax
(gdb) i r rax
rax            0x0      0

This occurs when attempting to process each of the following JavaScript expressions:

{with({}) { import window.x; } M:do {with(NaN = y)NaN = 1.3; } while(0); }
try { with({}) /*TODE2*/if(window) { if (V) {continue ;; }} else import set.x; } finally { x.__proto__ = x; }
try { with({}) { import x.*; }  } finally { return (x); }

Full stack trace follows:

#0  0x00007fffe2f33c6f in KJS::ExecState::lexicalInterpreter() const () from /usr/lib/libkjs.so.4
#1  0x00007fffe2f44e46 in KJS::Error::create(KJS::ExecState*, KJS::ErrorType, KJS::UString const&, int, int, KJS::UString const&) () from /usr/lib/libkjs.so.4
#2  0x00007fffe2f45846 in KJS::throwError(KJS::ExecState*, KJS::ErrorType, KJS::UString const&, int, int, KJS::UString const&) () from /usr/lib/libkjs.so.4
#3  0x00007fffe2f5764a in ?? () from /usr/lib/libkjs.so.4
#4  0x00007fffe2f1b724 in ?? () from /usr/lib/libkjs.so.4
#5  0x00007fffe2f47d58 in KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) () from /usr/lib/libkjs.so.4
#6  0x00007fffe2f47ee4 in KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UString const&, KJS::JSValue*) () from /usr/lib/libkjs.so.4
#7  0x00007fffe3ad39ea in ?? () from /usr/lib/libkhtml.so.5
#8  0x00007fffe387ded0 in KHTMLPart::executeScript(QString const&, int, DOM::Node const&, QString const&) () from /usr/lib/libkhtml.so.5
#9  0x00007fffe393b73f in ?? () from /usr/lib/libkhtml.so.5
#10 0x00007fffe393edfc in ?? () from /usr/lib/libkhtml.so.5
#11 0x00007fffe39407cf in ?? () from /usr/lib/libkhtml.so.5
#12 0x00007fffe3943766 in ?? () from /usr/lib/libkhtml.so.5
#13 0x00007fffe3943f2e in ?? () from /usr/lib/libkhtml.so.5
#14 0x00007fffe38796ce in KHTMLPart::write(char const*, int) () from /usr/lib/libkhtml.so.5
#15 0x00007fffe3875eb6 in KHTMLPart::slotData(KIO::Job*, QByteArray const&) () from /usr/lib/libkhtml.so.5
#16 0x00007fffe389eeef in ?? () from /usr/lib/libkhtml.so.5
#17 0x00007ffff530a54f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#18 0x00007ffff64e9b14 in KIO::TransferJob::data(KIO::Job*, QByteArray const&) () from /usr/lib/libkio.so.5
#19 0x00007ffff64e9b73 in KIO::TransferJob::slotData(QByteArray const&) () from /usr/lib/libkio.so.5
#20 0x00007ffff530a54f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#21 0x00007ffff6587572 in KIO::SlaveInterface::data(QByteArray const&) () from /usr/lib/libkio.so.5
#22 0x00007ffff658a080 in KIO::SlaveInterface::dispatch(int, QByteArray const&) () from /usr/lib/libkio.so.5
#23 0x00007ffff6586eca in KIO::SlaveInterface::dispatch() () from /usr/lib/libkio.so.5
#24 0x00007ffff657b32e in KIO::Slave::gotInput() () from /usr/lib/libkio.so.5
#25 0x00007ffff530a54f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#26 0x00007ffff64bd4f2 in ?? () from /usr/lib/libkio.so.5
#27 0x00007ffff5309a2e in QObject::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#28 0x00007ffff442170c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#29 0x00007ffff4425b8a in QApplication::notify(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#30 0x00007ffff5d80886 in KApplication::notify(QObject*, QEvent*) () from /usr/lib/libkdeui.so.5
#31 0x00007ffff52f4b5e in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#32 0x00007ffff52f89e1 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#33 0x00007ffff53230e3 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#34 0x00007ffff0651355 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#35 0x00007ffff0651688 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#36 0x00007ffff0651744 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007ffff5323276 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#38 0x00007ffff44c283e in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#39 0x00007ffff52f38af in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#40 0x00007ffff52f3b38 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#41 0x00007ffff52f8cf8 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#42 0x00007ffff7bad062 in kdemain () from /usr/lib/kde4/libkdeinit/libkdeinit4_konqueror.so
#43 0x00007ffff778fead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd98)
    at libc-start.c:228
#44 0x0000000000400771 in _start ()

Reproducible: Always

Steps to Reproduce:
To reproduce, pick any one of the 3 and wrap it in <html><script></script></html> and load it into Konqueror.
Actual Results:  
SIGSEGV

Expected Results:  
No SIGSEGV
Comment 1 Tommi Tervo 2012-12-15 11:35:33 UTC 
Created attachment 75844 [details]
Test case
Comment 2 Tim Brown 2012-12-15 19:48:48 UTC 
Note the attached test case actually has all 3 test cases in it.  They all trigger the same bug AFAIK.
Comment 3 Bernd Buschinski 2013-04-18 13:09:54 UTC 
Git commit 137c4d58664657bc9e11068dc1a0ff739f06b121 by Bernd Buschinski.
Committed on 18/04/2013 at 14:31.
Pushed by buschinski into branch 'master'.

kjs: Don't crash in PopScope if PushScope already had an Exception and didn't Push anything

As PushScope does not Push anything on Exception case, we can not Pop.
NOTE: the Exception checking on Push/Pop-Scope is not optimal.
Such a Situation, where PushScope already has a Exception can only
occour if import is used inside the the "with"-statement. As import is
executed at the beginning of the code (as val decl) and can leave a exception.
As "import" is not (yet) part of ECMA-262 the correct behavior is unknown
when this changes we can rework the bahavior, but for now just fix the crash.

NOTE2: Using import can cause problems for other statements too, but should not lead to a crash

REVIEW:110027
Related: bug 311513

M  +10   -0    kjs/bytecode/codes.def

http://commits.kde.org/kdelibs/137c4d58664657bc9e11068dc1a0ff739f06b121