Bug 313080 - <xml/>.__proto__() causes crash [@ obj_getSlot]
Status: RESOLVED FIXED (Closed)
Opened 19 years ago; Closed 19 years ago
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla1.8rc1
People: Reporter: nanto; Assigned: brendan
Keywords: fixed1.8, js1.6
Attachments (1 file): patch, 1.72 KB; mrbkap: review+; shaver: superreview+; asa: approval1.8rc1+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051019 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051019 Firefox/1.5
These scripts cause a Firefox crash:
<element/>.__proto__();
<element/>.__parent__();
<element/>.function::__proto__();
Reproducible: Always
Steps to Reproduce:
Talkback Incident IDs:
TB10279899 (The comment for this incident is wrong.)
TB10875233Y
Updated • 19 years ago
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1 • 19 years ago (assignee)
This one is easy.
/be
Attachment #200177 - Flags: superreview?
Attachment #200177 - Flags: review?(mrbkap)
Updated • 19 years ago
Status: NEW → ASSIGNED
Flags: blocking1.8rc1+
OS: Windows 2000 → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8rc1
Updated • 19 years ago
Attachment #200177 - Flags: superreview? → superreview?(shaver)
Comment 2 • 19 years ago
Comment on attachment 200177
when deriving from native object-ops, mix and match with care!
sr=shaver, requesting approval
Attachment #200177 - Flags: superreview?(shaver)
Attachment #200177 - Flags: superreview+
Attachment #200177 - Flags: approval1.8rc1?
Comment 3 • 19 years ago
Comment on attachment 200177
when deriving from native object-ops, mix and match with care!
r=mrbkap
Attachment #200177 - Flags: review?(mrbkap) → review+
Comment 4 • 19 years ago (assignee)
Comment on attachment 200177
when deriving from native object-ops, mix and match with care!
Reduction in code size, and it fixes a trivial, non-exploitable crash bug. This
is not a release stopper, OTOH we are and have been taking lots of fixes for
non-stoppers, some of which are big.
At this stage of 1.8, having taken big patches, we should take little patches
if they spot-fix well. We can determine that in this case by code review and
testing. So I think this should go into the 1.8 tomorrow based on expected
results of testing today. The reviews are done.
/be
Comment 5 • 19 years ago (assignee)
(In reply to comment #4)
> (From update of attachment 200177)
> Reduction in code size, and it fixes a trivial, non-exploitable crash bug. This
> is not a release stopper, OTOH we are and have been taking lots of fixes for
> non-stoppers, some of which are big.
To amplify on this, I mean we have recently taken non-stopper, bigger patches
(recently == in the last month). Followup fixes that are small and targeted
should go in. This bug's patch fixes an E4X bug that went in months ago, but
was not found till now. Better late than never.
The risk of regression is that normal access checking for native objects would
break some E4X object access. But any such E4X access would be a security bug,
or a logic bug in existing access checking code. We want to prevent the first,
and find the second. Testing shows no sign of the second.
/be
Updated • 19 years ago
Attachment #200177 - Flags: approval1.8rc1? → approval1.8rc1+
Comment 6 • 19 years ago (assignee)
Fixed on branch and trunk.
/be
Comment 7 • 19 years ago
Checking in regress-313080.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-313080.js,v <-- regress-313080.js
initial revision: 1.1
Flags: testcase+