Closed Bug 361360 Opened 18 years ago Closed 18 years ago

"Assertion failure: !caller || caller->pc" in obj_eval involving setter and watch

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(Keywords: crash, testcase, verified1.8.1.1)

Attachments

(1 file)

fix
2.76 KB, patch
mrbkap
: review+
jay
: approval1.8.1.1+
Details | Diff | Splinter Review 
js> this.__defineSetter__('x', eval); this.watch('x', function(){}); x = 3;
Assertion failure: !caller || caller->pc, at jsobj.c:1220

Security-sensitive because other bugs involving setter and watch are security-sensitive.
This is bug 355341's cousin. I wonder if we should make the pseudo frame's pc be the end of its script or something...

I think this is a simple null deref. crash (which manifests itself as an assertion in debug builds).
Please don't over-use the s-s setting.

/be
Attached patch fixSplinter Review 
Like this?  Want to point at a real bytecode, not past end of vector, of course.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #246184 - Flags: review?(mrbkap)
Pure null deref or assertbotch.

/be
Group: security
Flags: blocking1.8.1.1?
OS: Mac OS X 10.4 → All
Priority: -- → P3
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 246184 [details] [diff] [review]
fix

Yeah, this is what I had in mind.
Attachment #246184 - Flags: review?(mrbkap) → review+
Fixed on trunk:

Checking in jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.74; previous revision: 3.73
done

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 246184 [details] [diff] [review]
fix

Essentially a one-line fix to avoid a null deref crash.

/be
Attachment #246184 - Flags: approval1.8.1.1?
RCS file: /cvsroot/mozilla/js/tests/js1_5/Regress/regress-361360.js,v
done
Checking in regress-361360.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-361360.js,v  <--  regress-361360.js
initial revision: 1.1
done
Flags: in-testsuite+
Flags: blocking1.8.1.1? → blocking1.8.1.1-
Comment on attachment 246184 [details] [diff] [review]
fix

Approved for 1.8.1 branch, a=jay for drivers.  Please land asap, thanks!
Attachment #246184 - Flags: approval1.8.1.1? → approval1.8.1.1+
Want patch for bug 361467 along with this bug's patch.

/be
Blocks: 361467
verified fixed 20061122 1.9 windows/linux
Status: RESOLVED → VERIFIED
revision 3.56.2.6
date: 2006/11/23 19:36:24;  author: brendan%mozilla.org;  state: Exp;  lines: +12 -3
Fix 361360 and 361467, a=jay.

/be
Keywords: fixed1.8.1.1
verified fixed 20061125 1.8.1.1, windows/linux/mac*, 1.9 windows/linux, note test passes in 1.8.0.9.
Keywords: fixed1.8.1.1verified1.8.1.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: