Closed Bug 901380 Opened 11 years ago Closed 11 years ago

Assertion failure: obj->isNative(), at js/src/json.cpp:728

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal


RESOLVED DUPLICATE of bug 901351

People

(Reporter: anba, Unassigned)

Details

(Whiteboard: [sg:dupe 901351])

The following test case asserts with: obj->isNative(), at js/src/json.cpp:728


JSON.parse('{"a":0, "b":1}', function(n, v) {
  if (n == "a") {
    // While reviving "a", swap the sibling property "b" on the holder (this)
    // for a typed array, i.e. a non-native object in SpiderMonkey terms.
    Object.defineProperty(this, "b", {value: new Int8Array(new ArrayBuffer(4))});
  }
  return v;
});

Simplified test case with arrays as mentioned in bug 901351 comment 1:

JSON.parse('[0, 1]', function(n, v) {
  if (n == "0") {
    // While reviving element 0, replace element 1 of the holder array with a typed array.
    this[1] = new Int8Array(1);
  }
  return v;
});
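As an added example, not code from this bug or from SpiderMonkey: a spec-style JavaScript re-implementation of the JSON.parse reviver walk (InternalizeJSONProperty), run over the two test cases above. It makes the mechanism behind the assertion visible: the reviver runs with the holder as `this`, so by the time the walk reaches a later key that key may hold an object of a different kind (here a typed array) than the one the parser created, and the walker has to re-read the property and treat the value as an arbitrary object. Function names are mine; the only deviation from the array test case is a guard noted in a comment.

```javascript
// Reference walk, written to mirror the spec's InternalizeJSONProperty.
// It is an illustration of the semantics the engine must honour, not the
// engine's own code.
function internalize(holder, name, reviver) {
  // Re-read on every visit: a reviver call for an earlier key may have replaced this one.
  const val = holder[name];
  if (val !== null && typeof val === "object") {
    const keys = Array.isArray(val)
      ? Array.from({ length: val.length }, (_, i) => String(i))
      : Object.keys(val); // for a typed array this yields its index keys
    for (const key of keys) {
      applyResult(val, key, internalize(val, key, reviver));
    }
  }
  return reviver.call(holder, name, val);
}

// CreateDataProperty / Delete: a false result is ignored, never thrown.
function applyResult(holder, key, newElement) {
  if (newElement === undefined) return Reflect.deleteProperty(holder, key);
  return Reflect.defineProperty(holder, key,
    { value: newElement, writable: true, enumerable: true, configurable: true });
}

function parseWithReviver(text, reviver) {
  // The root is wrapped in a holder with the empty-string key, as the spec does.
  return internalize({ "": JSON.parse(text) }, "", reviver);
}

// The object test case from this bug, run through the reference walk.
function revivedObjectCase() {
  return parseWithReviver('{"a":0, "b":1}', function (n, v) {
    if (n == "a") {
      Object.defineProperty(this, "b", { value: new Int8Array(new ArrayBuffer(4)) });
    }
    return v;
  });
}

// The array test case. The Array.isArray guard is added here so the swap runs only
// on the outer array and not again when the walk descends into the typed array.
function revivedArrayCase() {
  return parseWithReviver('[0, 1]', function (n, v) {
    if (n == "0" && Array.isArray(this)) this[1] = new Int8Array(1);
    return v;
  });
}
```

In both cases the walk descends into a typed array that never existed in the JSON text, which is the situation the native walker in json.cpp did not anticipate.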

Uh...DefineNativeProperty on a non-native object, without looking super-closely into things, sounds bad enough to give me the heebie-jeebies.  Closing, taking.
Group: core-security
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
I hid the comment in bug 901351 that mentions this possibility, just to be safe.  All but certainly both bugs will be fixed at once, but I think only this part of it is the worrisome part.
Eh, this is close enough to the other bug in effect, once you consider that release builds will ignore all these assertion failures and just merrily continue along executing into conceptually-bogus code.  Fun fun fun!
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security
Whiteboard: [sg:dupe 901351]
Group: core-security, javascript-core-security