Bug 291213 - crash in args_resolve enumerating |arguments|
Status: VERIFIED FIXED (Closed)
Opened 20 years ago; Closed 20 years ago
Categories: Core :: JavaScript Engine, defect, P2
Target Milestone: mozilla1.8beta2
People: Reporter: dbaron, Assigned: brendan
Keywords: js1.5; Whiteboard: [sg:fix]
Attachments (3 files)
- 773 bytes, text/html; charset=UTF-8 (testcase)
- 3.69 KB, patch; flags: shaver: review+, brendan: approval1.8b2+
- 3.57 KB, patch
I'm marking this security-sensitive since the testcase is a slight variant of a
testcase for a security bug (bug 290908), and I want to get it filed and don't
have a chance to simplify the testcase to something that doesn't show or point
to security problems (the latter might be hard; I'm not sure). This bug should
be opened whenever bug 290908 is opened.
The crash is here:
434 value = fp->argv ? fp->argv[-2]
435 : OBJECT_TO_JSVAL(fp->fun->object);
(gdb) p fp->argv
$4 = (jsval *) 0x0
(gdb) p fp->fun
$5 = (JSFunction *) 0x0
with the stack:
#0  0xb7c14e99 in args_resolve (cx=0x85cd628, obj=0x86a46a8, id=135412592, flags=4, objp=0xbfffcf48) at /builds/trunk/mozilla/js/src/jsfun.c:434
#1  0xb7c38e7e in js_LookupPropertyWithFlags (cx=0x85cd628, obj=0x86a46a8, id=135412592, flags=4, objp=0xbfffcfd4, propp=0xbfffcfd8) at /builds/trunk/mozilla/js/src/jsobj.c:2521
#2  0xb7c393ac in js_LookupProperty (cx=0x85cd628, obj=0x86a46a8, id=135412592, objp=0xbfffcfd4, propp=0xbfffcfd8) at /builds/trunk/mozilla/js/src/jsobj.c:2426
#3  0xb7c14f4c in args_enumerate (cx=0x85cd628, obj=0x86a46a8) at /builds/trunk/mozilla/js/src/jsfun.c:487
#4  0xb7c3c7d7 in js_Enumerate (cx=0x85cd628, obj=0x86a46a8, enum_op=JSENUMERATE_INIT, statep=0xbfffd268, idp=0x0) at /builds/trunk/mozilla/js/src/jsobj.c:3275
#5  0xb7c29764 in js_Interpret (cx=0x85cd628, pc=0x86cebaa "h", result=0xbfffd350) at /builds/trunk/mozilla/js/src/jsinterp.c:2399
#6  0xb7c2e7dd in js_Execute (cx=0x85cd628, chain=0x85b13a8, script=0x86ceb68, down=0xbfffd7d0, flags=0, result=0x0) at /builds/trunk/mozilla/js/src/jsinterp.c:1550
#7  0xb7c59ec0 in script_exec (cx=0x85cd628, obj=0x86a4168, argc=0, argv=0xbfffd7d0, rval=0xbfffd480) at /builds/trunk/mozilla/js/src/jsscript.c:308
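The crash site quoted above reads fp->argv[-2] when the frame has an argument vector and otherwise falls through to fp->fun->object; the gdb output shows both pointers NULL, so the second branch dereferences NULL. The following C is an added example, not code from this bug or from the SpiderMonkey tree: it models that expression with simplified stand-in types, adds a side-effect-free predicate for the crashing condition, and shows a checked variant that refuses to resolve a callee for a frame with neither an argv vector nor a function. The type definitions, the modelled argv[-2] callee slot layout, and the checked variant's return convention are assumptions made for illustration; this is not the patch that fixed the bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the SpiderMonkey types in the backtrace. These are
 * models written for this example, not the engine's definitions (assumption). */
typedef uintptr_t jsval;
typedef struct JSObject   { const char *name; } JSObject;
typedef struct JSFunction { JSObject *object; } JSFunction;
typedef struct JSStackFrame {
    jsval      *argv; /* NULL when the frame has no argument vector */
    JSFunction *fun;  /* NULL for a non-function (top-level script) frame */
} JSStackFrame;

#define OBJECT_TO_JSVAL(obj) ((jsval)(uintptr_t)(obj))
#define JSVAL_NULL ((jsval)0)

/* The expression from the crash site (jsfun.c:434 in the report). With argv
 * NULL it falls through to fp->fun->object; with fun NULL as well that is a
 * NULL-pointer dereference. Never call this on such a frame. */
static jsval callee_unchecked(const JSStackFrame *fp)
{
    return fp->argv ? fp->argv[-2] : OBJECT_TO_JSVAL(fp->fun->object);
}

/* Side-effect-free predicate: would callee_unchecked() dereference NULL? */
static int unchecked_would_deref_null(const JSStackFrame *fp)
{
    return fp->argv == NULL && fp->fun == NULL;
}

/* Checked variant (a design assumed for this example, not the bug's patch):
 * resolve the callee only when the frame can supply one. Returns 1 and stores
 * the callee in *vp on success; returns 0 and stores JSVAL_NULL otherwise. */
static int callee_checked(const JSStackFrame *fp, jsval *vp)
{
    if (fp->argv) {
        *vp = fp->argv[-2];            /* callee slot in the modelled layout */
        return 1;
    }
    if (fp->fun && fp->fun->object) {
        *vp = OBJECT_TO_JSVAL(fp->fun->object);
        return 1;
    }
    *vp = JSVAL_NULL;
    return 0;
}

/* Build a function frame whose argv points past two leading slots so that
 * argv[-2] holds the callee and argv[-1] holds |this| (modelled layout). */
static JSStackFrame make_function_frame(jsval *slots, JSFunction *fun)
{
    JSStackFrame fp;
    slots[0] = OBJECT_TO_JSVAL(fun->object); /* callee */
    slots[1] = JSVAL_NULL;                   /* this   */
    fp.argv = &slots[2];
    fp.fun = fun;
    return fp;
}

int main(void)
{
    JSObject     fobj = { "f" };
    JSFunction   fn   = { &fobj };
    jsval        slots[4] = { 0, 0, 0, 0 };
    JSStackFrame ffp = make_function_frame(slots, &fn);
    JSStackFrame gfp = { NULL, NULL }; /* constructed to match the gdb output */
    jsval        v;
    int          ok;

    ok = callee_checked(&ffp, &v);
    printf("function frame: checked=%d, matches unchecked=%d\n",
           ok, v == callee_unchecked(&ffp));
    printf("global frame: unchecked would crash=%d\n",
           unchecked_would_deref_null(&gfp));
    ok = callee_checked(&gfp, &v);
    printf("global frame: checked=%d (no callee resolved)\n", ok);
    return 0;
}
```

Running it stand-alone prints that the function frame resolves the same callee on both paths, while the argv=NULL, fun=NULL frame is reported as a would-crash case by the predicate and refused by the checked variant instead of being dereferenced.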
Comment 1•20 years ago (Reporter)

Updated•20 years ago
Whiteboard: [sg:fix] keep confidential until 290908 opened
Updated•20 years ago (Assignee)
Status: NEW → ASSIGNED
Flags: blocking1.8b2+
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta2

Comment 2•20 years ago (Assignee)
This fixes this bug, and bug 293839.
/be
Attachment #183337 - Flags: review?(shaver)
Attachment #183337 - Flags: approval1.8b2+
Comment 3•20 years ago (Assignee)

Comment 4•20 years ago (Assignee)
*** Bug 293839 has been marked as a duplicate of this bug. ***
Comment 5•20 years ago
Comment on attachment 183337 [details] [diff] [review]
trunk patch to fix this bug
r=shaver
Attachment #183337 - Flags: review?(shaver) → review+
Comment 6•20 years ago (Assignee)
Fixed on trunk.
/be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•20 years ago
Group: security

Updated•20 years ago
Flags: testcase?
Whiteboard: [sg:fix] keep confidential until 290908 opened → [sg:fix]

Comment 7•20 years ago
Checking in regress-291213.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-291213.js,v <-- regress-291213.js
initial revision: 1.1
Flags: testcase? → testcase+