Closed
Bug 407720
Opened 17 years ago
Closed 17 years ago
js_FindClassObject causes crashes with getter/setter
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: igor)
Details
(Keywords: crash, fixed1.8.0.15, verified1.8.1.12, Whiteboard: [sg:critical?])
Attachments
(3 files)
387 bytes,
text/html
|
Details | |
1.98 KB,
patch
|
brendan
:
review+
dveditz
:
approval1.8.1.12+
brendan
:
approval1.9+
asac
:
approval1.8.0.next-
|
Details | Diff | Splinter Review |
1.76 KB,
patch
|
igor
:
review+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jsobj.c&rev=3.403&mark=2780-2781,2790-2792#2780 A found property can be a getter/setter, in which case sprop->slot is 0xffffffff.
Reporter | ||
Comment 1•17 years ago
|
||
With this testcase, on trunk: *vp = pobj->dslots[-7] on 1.8/1.8.0 branches: *vp = pobj->slots[-1] = 8
Updated•17 years ago
|
Assignee | ||
Comment 2•17 years ago
|
||
This is a targeted fix to make sure that the slot for constructor is accessed only when it exists and the return from the function is either non-primitive or void.
Updated•17 years ago
|
Attachment #292398 -
Flags: review?(brendan)
Attachment #292398 -
Flags: review+
Attachment #292398 -
Flags: approval1.9+
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
Whiteboard: [sg:critical?]
Assignee | ||
Comment 3•17 years ago
|
||
I accidentally committed the patch from comment 1 when I committed the patch for bug 397215, see bug 397215 comment 81.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 4•17 years ago
|
||
Igor, is this patch applicable on the 1.8 branch or do we need a new one? If this one works please ask for approval1.8.1.12 on it, or else please create the branch version of this patch.
Whiteboard: [sg:critical?] → [sg:critical?] need 1.8 patch
Assignee | ||
Comment 5•17 years ago
|
||
Comment on attachment 292398 [details] [diff] [review] fix The patch applies to 1.8.1 branch as-is.
Attachment #292398 -
Flags: approval1.8.1.12?
Comment 6•17 years ago
|
||
Comment on attachment 292398 [details] [diff] [review] fix approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #292398 -
Flags: approval1.8.1.12? → approval1.8.1.12+
Assignee | ||
Comment 7•17 years ago
|
||
I checked in the patch from comment 2 to MOZILLA_1_8_BRANCH: Checking in jsobj.c; /cvsroot/mozilla/js/src/jsobj.c,v <-- jsobj.c new revision: 3.208.2.56; previous revision: 3.208.2.55 done
Keywords: fixed1.8.1.12
Whiteboard: [sg:critical?] need 1.8 patch → [sg:critical?]
Comment 8•17 years ago
|
||
Verified in branch with https://bugzilla.mozilla.org/attachment.cgi?id=292388. No crash with testcase (though it crashes nicely in 2.0.0.11).
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated•16 years ago
|
Group: security
Comment 10•16 years ago
|
||
Comment on attachment 292398 [details] [diff] [review] fix we ship an unmodified patch in distros. caillon, please sign off.
Attachment #292398 -
Flags: approval1.8.0.15?
Comment 11•16 years ago
|
||
Comment on attachment 292398 [details] [diff] [review] fix a=caillon for 1.8.0
Attachment #292398 -
Flags: approval1.8.0.15? → approval1.8.0.15+
Comment 12•16 years ago
|
||
(In reply to comment #10) > (From update of attachment 292398 [details] [diff] [review]) > we ship an unmodified patch in distros. caillon, please sign off. You do? Not sure how, considering there isn't a js_FindClassObject() in js/src/jsobj.c on MOZILLA_1_8_0_BRANCH! ;) igor, is this patch needed on 1.8.0? If so, do we need some other patch first?
Comment 13•16 years ago
|
||
indeed, thanks for catching this.
Attachment #311136 -
Flags: review?(igor)
Updated•16 years ago
|
Attachment #292398 -
Flags: approval1.8.0.15+ → approval1.8.0.15-
Assignee | ||
Updated•16 years ago
|
Attachment #311136 -
Flags: review?(igor) → review+
Updated•16 years ago
|
Attachment #311136 -
Flags: approval1.8.0.15?
Comment 14•16 years ago
|
||
Comment on attachment 311136 [details] [diff] [review] real 1.8.0 a=asac for 1.8.0.15
Attachment #311136 -
Flags: approval1.8.0.15? → approval1.8.0.15+
Comment 15•16 years ago
|
||
MOZILLA_1_8_0_BRANCH: Checking in js/src/jsobj.c; /cvsroot/mozilla/js/src/jsobj.c,v <-- jsobj.c new revision: 3.208.2.12.2.29; previous revision: 3.208.2.12.2.28 done
Keywords: fixed1.8.0.15
Comment 16•16 years ago
|
||
verified linux|mac|windows /cvsroot/mozilla/js/tests/js1_5/extensions/regress-407720.js,v <-- regress-407720.js initial revision: 1.1
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•