Closed
Bug 1355200
Opened 8 years ago
Closed 8 years ago
Assertion failure: IsConstructor(args.CallArgs::newTarget()) (provided new.target value must be a constructor)
Categories: (Core :: JavaScript Engine, defect)
Tracking: RESOLVED FIXED, mozilla56
People: (Reporter: anba, Assigned: till)
Details: (Keywords: assertion, testcase)
test case:
---
var g = newGlobal();
var w = g.eval("Array");
var v = g.eval("() => {}");
var o = Reflect.construct(w, [], v);
---
Assertion failure:
---
Assertion failure: IsConstructor(args.CallArgs::newTarget()) (provided new.target value must be a constructor), at /home/andre/git/mozilla-central/js/src/vm/Interpreter.cpp:537
---
I'm now wondering if bug 1355016 is more severe than I thought, therefore I'm hiding this bug for the time being.
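As an added example (not part of the bug report or of the SpiderMonkey tree): a regression-style check of the behaviour ECMAScript specifies for this shape of call, where `Reflect.construct` must throw a `TypeError` when `newTarget` is not a constructor. It goes beyond the single arrow-function case in the test case and assumes Node.js, with `node:vm` contexts standing in for the shell's `newGlobal()`; `classify`, `checkNonConstructors` and `checkValidNewTarget` are names introduced here.

```javascript
// Added example: cross-realm checks of Reflect.construct's newTarget validation.
// Assumption: node:vm contexts stand in for the SpiderMonkey shell's newGlobal().
const vm = typeof require === 'function'
  ? require('node:vm')                    // CommonJS
  : process.getBuiltinModule('node:vm');  // ES module (Node 22.3+)

// Fresh realm with its own Array, Function and Math intrinsics.
const g = vm.createContext({});
const fromG = (src) => vm.runInContext(src, g);

// Callable values from the other realm that are not constructors
// (sample set constructed for this example).
const NON_CONSTRUCTORS = {
  arrow: '(() => {})',
  method: '({ m() {} }).m',
  asyncFunction: '(async function () {})',
  generator: '(function* () {})',
  boundArrow: '(() => {}).bind(null)',
  builtin: 'Math.max',
};

// Returns 'TypeError' when the engine rejects newTarget, 'constructed' when it
// wrongly proceeds, or the name of any other error that was thrown.
function classify(target, newTarget) {
  try {
    Reflect.construct(target, [], newTarget);
    return 'constructed';
  } catch (e) {
    return e.name;
  }
}

// Same shape as the test case: target is Array from g, newTarget also comes from g.
function checkNonConstructors() {
  const target = fromG('Array');
  const results = {};
  for (const [label, src] of Object.entries(NON_CONSTRUCTORS)) {
    results[label] = classify(target, fromG(src));
  }
  return results;
}

// Positive control: a real constructor from g is accepted as newTarget, and the
// new object's prototype comes from newTarget rather than from target.
function checkValidNewTarget() {
  const NT = fromG('(function NT() {})');
  const o = Reflect.construct(Array, [], NT);
  return Object.getPrototypeOf(o) === NT.prototype && Array.isArray(o);
}
```

Any label that maps to `'constructed'` in the result of `checkNonConstructors()` marks a value the engine accepted as `new.target` although it has no construct behaviour.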
Updated•8 years ago
Group: core-security → javascript-core-security
Comment 1•8 years ago
Till: Is this assertion a potential security problem or simply a correctness issue?
Comment 3•8 years ago
Till landed bug 1355016 which should fix this one as well. Till, should we backport this?
Flags: needinfo?(jdemooij)
Comment 4 (Assignee)•8 years ago
(In reply to Jan de Mooij [:jandem] from comment #3)
> Till landed bug 1355016 which should fix this one as well. Till, should we
> backport this?
Maybe. I don't see how it could be a security problem, but it's also a very non-risky patch. I'll request uplift once the patch in bug 1355016 has gone to Nightly.
Updated•8 years ago
status-firefox56: --- → fixed
Updated•8 years ago
Assignee: nobody → till
Target Milestone: --- → mozilla56
Updated•8 years ago
Group: javascript-core-security → core-security-release