Bug 313080 - <xml/>.__proto__() causes crash [@ obj_getSlot]
Status: RESOLVED FIXED
Keywords: fixed1.8, js1.6
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: P1 critical
Target Milestone: mozilla1.8rc1
Assigned To: Brendan Eich [:brendan]
Reported: 2005-10-19 20:18 PDT by nanto_vi (TOYAMA Nao)
Modified: 2005-10-21 01:16 PDT
Flags: brendan: blocking1.8rc1+
Flags: bob: in-testsuite+

Attachments
when deriving from native object-ops, mix and match with care! (1.72 KB, patch)
2005-10-20 00:19 PDT, Brendan Eich [:brendan]
mrbkap: review+
shaver: superreview+
asa: approval1.8rc1+

Description nanto_vi (TOYAMA Nao) 2005-10-19 20:18:09 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051019 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051019 Firefox/1.5

These scripts cause Firefox crash:
<element/>.__proto__();
<element/>.__parent__();
<element/>.function::__proto__();

Reproducible: Always

Talkback Incident IDs:
TB10279899 (The comment for this incident is wrong.)
TB10875233Y
Comment 1 Brendan Eich [:brendan] 2005-10-20 00:19:28 PDT
Created attachment 200177
when deriving from native object-ops, mix and match with care!

This one is easy.

/be
Comment 2 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-10-20 12:19:06 PDT
Comment on attachment 200177
when deriving from native object-ops, mix and match with care!

sr=shaver, requesting approval
Comment 3 Blake Kaplan (:mrbkap) 2005-10-20 12:35:34 PDT
Comment on attachment 200177
when deriving from native object-ops, mix and match with care!

r=mrbkap
Comment 4 Brendan Eich [:brendan] 2005-10-20 12:47:48 PDT
Comment on attachment 200177
when deriving from native object-ops, mix and match with care!

Reduction in code size, and it fixes a trivial, non-exploitable crash bug. This
is not a release stopper, OTOH we are and have been taking lots of fixes for
non-stoppers, some of which are big.

At this stage of 1.8, having taken big patches, we should take little patches
if they spot-fix well. We can determine that in this case by code review and
testing. So I think this should go into the 1.8 tomorrow based on expected
results of testing today. The reviews are done.

/be
Comment 5 Brendan Eich [:brendan] 2005-10-20 12:51:25 PDT
(In reply to comment #4)
> (From update of attachment 200177)
> Reduction in code size, and it fixes a trivial, non-exploitable crash bug. This
> is not a release stopper, OTOH we are and have been taking lots of fixes for
> non-stoppers, some of which are big.

To amplify on this, I mean we have recently taken non-stopper, bigger patches
(recently == in the last month).  Followup fixes that are small and targeted
should go in.  This bug's patch fixes an E4X bug that went in months ago, but
was not found till now.  Better late than never.

The risk of regression is that normal access checking for native objects would
break some E4X object access.  But any such E4X access would be a security bug,
or a logic bug in existing access checking code.  We want to prevent the first,
and find the second.  Testing shows no sign of the second.

/be
Comment 6 Brendan Eich [:brendan] 2005-10-20 17:07:49 PDT
Fixed on branch and trunk.

/be
Comment 7 Bob Clary [:bc:] 2005-10-21 01:16:22 PDT
Checking in regress-313080.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-313080.js,v  <--  regress-313080.js
initial revision: 1.1
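Comment 7 checks in a regression test for this bug. The block below is an added example written for this page; it is not regress-313080.js and not code from the mozilla tree. It shows the shape such a crash-regression check takes: each reproducer from the bug description is compiled from a string so that an engine without E4X reports "unsupported syntax" instead of aborting the whole file, and the expected outcome on a fixed engine is a clean TypeError (calling a non-function) rather than a crash in obj_getSlot. The names CASES, classify, runAll and allSafe, the two plain-object analogues, and the assumption that the post-fix engine raises TypeError are all mine, not from the bug.

```javascript
// Added example, not the project's own test. Constructed inputs: the three E4X
// reproducers quoted from the bug report, plus two plain-object analogues that
// exercise the same "call a non-callable special property" path on an ordinary
// native object (these two run in any modern engine).
const CASES = [
  "<element/>.__proto__()",
  "<element/>.__parent__()",
  "<element/>.function::__proto__()",
  "({}).__proto__()",
  "({}).__parent__()",
];

// Classify what evaluating one expression does. Returns one of:
//   "unsupported syntax" - the engine cannot parse it (no E4X support): a skip
//   "threw TypeError"    - the engine rejected the call cleanly (assumed post-fix outcome)
//   "threw <Name>"       - some other exception
//   "returned value"     - the call succeeded, which none of these cases should do
function classify(expression) {
  let fn;
  try {
    // Compile separately so a parse failure is distinguishable from a runtime failure.
    fn = new Function("return (" + expression + ");");
  } catch (e) {
    if (e instanceof SyntaxError) return "unsupported syntax";
    throw e;
  }
  try {
    fn();
    return "returned value";
  } catch (e) {
    return "threw " + (e && e.name ? e.name : String(e));
  }
}

// Evaluate every case and collect the outcomes. A native crash would never return
// from this loop, so simply getting a result object back is part of the check.
function runAll(cases = CASES) {
  const results = {};
  for (const expr of cases) results[expr] = classify(expr);
  return results;
}

// Pass when no case silently returned a value; unsupported syntax counts as a skip.
function allSafe(results) {
  return Object.values(results).every((r) => r !== "returned value");
}

// Stand-alone run under Node: print one line per case and an overall verdict.
if (typeof require !== "undefined" && require.main === module) {
  const results = runAll();
  for (const [expr, outcome] of Object.entries(results)) {
    console.log(outcome.padEnd(20), expr);
  }
  console.log(allSafe(results) ? "PASS" : "FAIL");
}
```

Under a non-E4X engine the three XML cases are reported as skipped and the two plain-object cases throw TypeError; a SpiderMonkey build of the era with the patch applied is the only place the E4X lines would actually exercise the fixed access path.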
