Closed
Bug 361360
Opened 18 years ago
Closed 18 years ago
"Assertion failure: !caller || caller->pc" in obj_eval involving setter and watch
Categories
(Core :: JavaScript Engine, defect, P3)
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: crash, testcase, verified1.8.1.1)
Attachments (1 file)
2.76 KB, patch (mrbkap: review+, jay: approval1.8.1.1+)
js> this.__defineSetter__('x', eval); this.watch('x', function(){}); x = 3;
Assertion failure: !caller || caller->pc, at jsobj.c:1220

Security-sensitive because other bugs involving setter and watch are security-sensitive.
Comment 1•18 years ago
This is bug 355341's cousin. I wonder if we should make the pseudo frame's pc be the end of its script or something... I think this is a simple null deref. crash (which manifests itself as an assertion in debug builds).
Comment 2•18 years ago (Assignee)
Please don't over-use the s-s setting. /be
Comment 3•18 years ago (Assignee)
Like this? Want to point at a real bytecode, not past end of vector, of course. /be
Comment 4•18 years ago (Assignee)
Pure null deref or assertbotch. /be
Group: security
Flags: blocking1.8.1.1?
OS: Mac OS X 10.4 → All
Priority: -- → P3
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment 5•18 years ago
Comment on attachment 246184 (fix)
Yeah, this is what I had in mind.
Attachment #246184 - Flags: review?(mrbkap) → review+
Comment 6•18 years ago (Assignee)
Fixed on trunk:
Checking in jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.74; previous revision: 3.73
done
/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 7•18 years ago (Assignee)
Comment on attachment 246184 (fix)
Essentially a one-line fix to avoid a null deref crash. /be
Attachment #246184 - Flags: approval1.8.1.1?
Comment 8•18 years ago
RCS file: /cvsroot/mozilla/js/tests/js1_5/Regress/regress-361360.js,v
done
Checking in regress-361360.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-361360.js,v  <--  regress-361360.js
initial revision: 1.1
done
Flags: in-testsuite+
Updated•18 years ago
Flags: blocking1.8.1.1? → blocking1.8.1.1-
Comment 9•18 years ago
Comment on attachment 246184 (fix)
Approved for 1.8.1 branch, a=jay for drivers. Please land asap, thanks!
Attachment #246184 - Flags: approval1.8.1.1? → approval1.8.1.1+
Comment 10•18 years ago (Assignee)
Want patch for bug 361467 along with this bug's patch. /be
Blocks: 361467
Comment 12•18 years ago (Assignee)
revision 3.56.2.6
date: 2006/11/23 19:36:24;  author: brendan%mozilla.org;  state: Exp;  lines: +12 -3
Fix 361360 and 361467, a=jay.
/be
Keywords: fixed1.8.1.1
Comment 13•18 years ago
verified fixed 20061125 1.8.1.1, windows/linux/mac*, 1.9 windows/linux, note test passes in 1.8.0.9.
Keywords: fixed1.8.1.1 → verified1.8.1.1