Closed Bug 370101 Opened 17 years ago Closed 17 years ago

getfunns does not call SAVE_SP_AND_PC

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

RESOLVED FIXED

People

(Reporter: igor, Assigned: igor)

Details

(Keywords: fixed1.8.0.12, fixed1.8.1.4, Whiteboard: [sg:critical?])

Attachments

(3 files)

JSOP_GETFUNNS does not call SAVE_SP_AND_PC before calling js_GetFunctionNamespace. The latter, on the first initialization of the function:: namespace, can call JS_InitClass for the namespace and qname classes, which uses the stack for the constructor call. In that case the unsaved portion of the stack will be nuked. I was hit by that while developing fixes for bug 370016, bug 370048 and bug 369740.

But without fixes for those bugs I have not been able so far to come up with a test case that shows the bug. With code like:
  with(Math)
    print(function::sin)
the function::sin triggers a function-not-found exception. That in turn throws away the damaged portion of the stack. But the bug should be visible in the js debugger.
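A small C model of the hazard described in this report, added here as an illustration (it is not code from the patch or from the SpiderMonkey sources): the interpreter loop keeps the operand stack pointer in a local `sp` and only writes it back to the frame with SAVE_SP_AND_PC; a callee that re-enters the engine trusts `fp->sp` as the top of the live operands, so a stale `fp->sp` lets the nested constructor call land on live slots. The frame layout, the stand-in for js_GetFunctionNamespace and the pushed values are constructed for the example.

```c
/* Model of the JSOP_GETFUNNS hazard: a cached `sp` that is not written back
 * to the frame before a reentrant call (the fix is the `save_sp` branch). */
#include <stdint.h>

typedef intptr_t jsval;

typedef struct JSStackFrame {
    jsval *sp;   /* stack pointer as seen by callees; only valid after SAVE_SP */
} JSStackFrame;

/* Stand-in for js_GetFunctionNamespace on first use of function:: (constructed
 * for this example): it ends up in JS_InitClass, which runs a constructor
 * through the operand stack starting at fp->sp. */
static void fake_get_function_namespace(JSStackFrame *fp)
{
    jsval *argv = fp->sp;              /* nested call's argument slots */
    for (int i = 0; i < 2; i++)        /* constructor call writes here */
        argv[i] = (jsval)0xdead;
}

/* Simulates the JSOP_GETFUNNS handler. save_sp == 0 models the reported bug,
 * save_sp != 0 models calling SAVE_SP_AND_PC first. Returns 1 when the
 * operands pushed by earlier ops survive the call, 0 when they were nuked. */
static int getfunns_preserves_operands(int save_sp)
{
    jsval stack[8] = {0};
    JSStackFrame frame = { stack };
    jsval *sp = frame.sp;              /* cached in the interpreter loop */

    /* Constructed stand-ins for the callee and |this| that
     * `print(function::sin)` pushes before JSOP_GETFUNNS runs. */
    *sp++ = (jsval)0x7072696e74;       /* "print" */
    *sp++ = (jsval)0x74686973;         /* "this" */

    if (save_sp)
        frame.sp = sp;                 /* SAVE_SP_AND_PC(fp): publish the real top */

    fake_get_function_namespace(&frame);

    /* Without the save, the nested call wrote over stack[0] and stack[1]. */
    return stack[0] == (jsval)0x7072696e74 && stack[1] == (jsval)0x74686973;
}
```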
Attached patch: Fix v1
Attachment #254759 - Flags: review?(brendan)
Comment on attachment 254759 [details] [diff] [review]
Fix v1

r=me, d'oh.

/be
Attachment #254759 - Flags: review?(brendan) → review+
I committed the patch from comment 1 to the trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.328; previous revision: 3.327
done
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Nominating this very safe fix for branches.
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
Flags: blocking1.8.1.3?
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.11?
Flags: blocking1.8.0.10?
Attachment #254960 - Flags: approval1.8.1.3?
Attachment #254961 - Flags: approval1.8.0.11?
Attachment #254961 - Attachment is patch: true
Attachment #254961 - Attachment mime type: application/octet-stream → text/plain
Flags: in-testsuite-
Summary: getfuns does not call SAVE_SP_AND_PC → getfunns does not call SAVE_SP_AND_PC
Whiteboard: [sg:critical?]
Flags: blocking1.8.1.3?
Flags: blocking1.8.1.3?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Attachment #254961 - Flags: approval1.8.0.12? → approval1.8.0.12+
Comment on attachment 254960 [details] [diff] [review]
1.8.1 version of fix v

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #254960 - Flags: approval1.8.1.4? → approval1.8.1.4+
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
I committed the patch from comment 5 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.85; previous revision: 3.181.2.84
done
Keywords: fixed1.8.1.4
I committed the patch from comment 6 to MOZILLA_1_8_0_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.17.2.30; previous revision: 3.181.2.17.2.29
done
Keywords: fixed1.8.0.12
Group: security