Closed Bug 407720 Opened 17 years ago Closed 17 years ago

js_FindClassObject causes crashes with getter/setter

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: igor)

Details

(Keywords: crash, fixed1.8.0.15, verified1.8.1.12, Whiteboard: [sg:critical?])

Attachments

(3 files)

testcase (crashes Firefox when loaded)
387 bytes, text/html
Details
fix
1.98 KB, patch
brendan
: review+
dveditz
: approval1.8.1.12+
brendan
: approval1.9+
asac
: approval1.8.0.next-
Details | Diff | Splinter Review
real 1.8.0
1.76 KB, patch
igor
: review+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review 
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jsobj.c&rev=3.403&mark=2780-2781,2790-2792#2780

A found property can be a getter/setter, in which case sprop->slot is
0xffffffff.
With this testcase, on trunk:
*vp = pobj->dslots[-7]

on 1.8/1.8.0 branches:
*vp = pobj->slots[-1] = 8
Flags: blocking1.9?
Flags: blocking1.8.1.12?
Keywords: crash
Attached patch fixSplinter Review 
This is a targeted fix to make sure that the slot for constructor is accessed only when it exists and the return from the function is either non-primitive or void.
Assignee: general → igor
Status: NEW → ASSIGNED
Attachment #292398 - Flags: review?(brendan)
Attachment #292398 - Flags: review?(brendan)
Attachment #292398 - Flags: review+
Attachment #292398 - Flags: approval1.9+
Flags: blocking1.9? → blocking1.9+
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
Whiteboard: [sg:critical?]
I accidentally committed the patch from comment 1 when I committed the patch for bug 397215, see bug 397215 comment 81.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Igor, is this patch applicable on the 1.8 branch or do we need a new one? If this one works please ask for approval1.8.1.12 on it, or else please create the branch version of this patch.
Whiteboard: [sg:critical?] → [sg:critical?] need 1.8 patch
Comment on attachment 292398 [details] [diff] [review]
fix

The patch applies to 1.8.1 branch as-is.
Attachment #292398 - Flags: approval1.8.1.12?
Comment on attachment 292398 [details] [diff] [review]
fix

approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #292398 - Flags: approval1.8.1.12? → approval1.8.1.12+
I checked in the patch from comment 2 to MOZILLA_1_8_BRANCH:

Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.56; previous revision: 3.208.2.55
done
Keywords: fixed1.8.1.12
Whiteboard: [sg:critical?] need 1.8 patch → [sg:critical?]
Verified in branch with https://bugzilla.mozilla.org/attachment.cgi?id=292388. No crash with testcase (though it crashes nicely in 2.0.0.11).
Keywords: fixed1.8.1.12verified1.8.1.12
Group: security
distro patches block 1.8.0.15
Flags: blocking1.8.0.15+
Comment on attachment 292398 [details] [diff] [review]
fix

we ship an unmodified patch in distros. caillon, please sign off.
Attachment #292398 - Flags: approval1.8.0.15?
Comment on attachment 292398 [details] [diff] [review]
fix

a=caillon for 1.8.0
Attachment #292398 - Flags: approval1.8.0.15? → approval1.8.0.15+
(In reply to comment #10)
> (From update of attachment 292398 [details] [diff] [review])
> we ship an unmodified patch in distros. caillon, please sign off.

You do? Not sure how, considering there isn't a js_FindClassObject() in js/src/jsobj.c on MOZILLA_1_8_0_BRANCH! ;)

igor, is this patch needed on 1.8.0? If so, do we need some other patch first?
Attached patch real 1.8.0Splinter Review 
indeed, thanks for catching this.
Attachment #311136 - Flags: review?(igor)
Attachment #292398 - Flags: approval1.8.0.15+ → approval1.8.0.15-
Attachment #311136 - Flags: review?(igor) → review+
Attachment #311136 - Flags: approval1.8.0.15?
Comment on attachment 311136 [details] [diff] [review]
real 1.8.0

a=asac for 1.8.0.15
Attachment #311136 - Flags: approval1.8.0.15? → approval1.8.0.15+
MOZILLA_1_8_0_BRANCH:

Checking in js/src/jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.12.2.29; previous revision: 3.208.2.12.2.28
done
Keywords: fixed1.8.0.15
verified linux|mac|windows

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-407720.js,v  <--  regress-407720.js
initial revision: 1.1
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Flags: in-litmus-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: