Bug 291213: crash in args_resolve enumerating |arguments|
Status: Closed (VERIFIED FIXED)
Opened 19 years ago; closed 19 years ago
Categories: Core :: JavaScript Engine, defect, P2
Target Milestone: mozilla1.8beta2
People: Reporter: dbaron; Assigned: brendan
Keywords: js1.5; Whiteboard: [sg:fix]
Attachments (3 files):
  - 773 bytes, text/html; charset=UTF-8
  - 3.69 KB, patch (shaver: review+; brendan: approval1.8b2+)
  - 3.57 KB, patch
Description (Reporter, 19 years ago):

I'm marking this security-sensitive since the testcase is a slight variant of a testcase for a security bug (bug 290908), and I want to get it filed and don't have a chance to simplify the testcase to something that doesn't show or point to security problems (the latter might be hard; I'm not sure). This bug should be opened whenever bug 290908 is opened.

The crash is here:

434     value = fp->argv ? fp->argv[-2]
435                      : OBJECT_TO_JSVAL(fp->fun->object);

(gdb) p fp->argv
$4 = (jsval *) 0x0
(gdb) p fp->fun
$5 = (JSFunction *) 0x0

with the stack:

#0  0xb7c14e99 in args_resolve (cx=0x85cd628, obj=0x86a46a8, id=135412592, flags=4, objp=0xbfffcf48) at /builds/trunk/mozilla/js/src/jsfun.c:434
#1  0xb7c38e7e in js_LookupPropertyWithFlags (cx=0x85cd628, obj=0x86a46a8, id=135412592, flags=4, objp=0xbfffcfd4, propp=0xbfffcfd8) at /builds/trunk/mozilla/js/src/jsobj.c:2521
#2  0xb7c393ac in js_LookupProperty (cx=0x85cd628, obj=0x86a46a8, id=135412592, objp=0xbfffcfd4, propp=0xbfffcfd8) at /builds/trunk/mozilla/js/src/jsobj.c:2426
#3  0xb7c14f4c in args_enumerate (cx=0x85cd628, obj=0x86a46a8) at /builds/trunk/mozilla/js/src/jsfun.c:487
#4  0xb7c3c7d7 in js_Enumerate (cx=0x85cd628, obj=0x86a46a8, enum_op=JSENUMERATE_INIT, statep=0xbfffd268, idp=0x0) at /builds/trunk/mozilla/js/src/jsobj.c:3275
#5  0xb7c29764 in js_Interpret (cx=0x85cd628, pc=0x86cebaa "h", result=0xbfffd350) at /builds/trunk/mozilla/js/src/jsinterp.c:2399
#6  0xb7c2e7dd in js_Execute (cx=0x85cd628, chain=0x85b13a8, script=0x86ceb68, down=0xbfffd7d0, flags=0, result=0x0) at /builds/trunk/mozilla/js/src/jsinterp.c:1550
#7  0xb7c59ec0 in script_exec (cx=0x85cd628, obj=0x86a4168, argc=0, argv=0xbfffd7d0, rval=0xbfffd480) at /builds/trunk/mozilla/js/src/jsscript.c:308
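The failure mode in the description, as an added illustration in C that is not SpiderMonkey's code or the patch attached to this bug: the types are simplified stand-ins, and callee_checked is a hypothetical guarded form of the crashing expression, not the fix that landed.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for SpiderMonkey's jsval, JSObject, JSFunction and
 * JSStackFrame, constructed for this illustration; not the engine's types. */
typedef uintptr_t jsval;
typedef struct JSObject { int slot; } JSObject;
typedef struct JSFunction { JSObject *object; } JSFunction;
typedef struct JSStackFrame {
    jsval *argv;      /* NULL when the frame has no argument vector */
    JSFunction *fun;  /* NULL for a frame that is not a function call */
} JSStackFrame;
#define OBJECT_TO_JSVAL(obj) ((jsval)(obj))

/* The pattern at the crash site: argv[-2] holds the callee, and the fallback
 * assumes fp->fun is non-NULL. With argv == NULL and fun == NULL, as in the
 * gdb output above, the fallback dereferences a NULL JSFunction pointer. */
static jsval callee_unchecked(JSStackFrame *fp) {
    return fp->argv ? fp->argv[-2] : OBJECT_TO_JSVAL(fp->fun->object);
}

/* Guarded form: every pointer on the path is checked, and a frame with
 * neither argv nor fun is reported as a lookup failure (returns 0). */
static int callee_checked(JSStackFrame *fp, jsval *out) {
    if (fp->argv) { *out = fp->argv[-2]; return 1; }
    if (fp->fun && fp->fun->object) { *out = OBJECT_TO_JSVAL(fp->fun->object); return 1; }
    return 0;
}

/* Constructed call frame: argv points two slots past the callee, so argv[-2]
 * is the callee object. Returns 1 when both lookups agree on it. */
static int demo_normal_frame(void) {
    static JSObject callee;
    jsval slots[3];
    slots[0] = OBJECT_TO_JSVAL(&callee); slots[1] = 0; slots[2] = 0;
    JSStackFrame fp = { slots + 2, NULL };
    jsval got = 0;
    return callee_checked(&fp, &got) == 1 && got == OBJECT_TO_JSVAL(&callee)
        && callee_unchecked(&fp) == got;
}

/* Constructed frame matching the report (argv == NULL, fun == NULL):
 * callee_unchecked would crash here; callee_checked returns 0 instead. */
static int demo_broken_frame(void) {
    JSStackFrame fp = { NULL, NULL };
    jsval got = 0;
    return callee_checked(&fp, &got);
}

int main(void) {
    printf("normal frame ok: %d, broken frame rejected: %d\n",
           demo_normal_frame(), demo_broken_frame() == 0);
    return 0;
}
```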
Comment 1 (Reporter, 19 years ago)

Updated, 19 years ago:
Whiteboard: [sg:fix] keep confidential until 290908 opened
Updated (Assignee, 19 years ago):
Status: NEW → ASSIGNED
Flags: blocking1.8b2+
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta2
Comment 2 (Assignee, 19 years ago):
This fixes this bug, and bug 293839. /be
Attachment #183337 - Flags: review?(shaver)
Attachment #183337 - Flags: approval1.8b2+
Comment 3 (Assignee, 19 years ago)

Comment 4 (Assignee, 19 years ago):
*** Bug 293839 has been marked as a duplicate of this bug. ***

Comment on attachment 183337 [details] [diff] [review] trunk patch to fix this bug:
r=shaver
Attachment #183337 - Flags: review?(shaver) → review+
Comment 6 (Assignee, 19 years ago):
Fixed on trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

Updated, 19 years ago:
Group: security

Updated, 19 years ago:
Flags: testcase?
Whiteboard: [sg:fix] keep confidential until 290908 opened → [sg:fix]
Comment 7 (19 years ago):
Checking in regress-291213.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-291213.js,v <-- regress-291213.js
initial revision: 1.1
Flags: testcase? → testcase+