<xml/>.__proto__() causes crash [@ obj_getSlot]

RESOLVED FIXED in mozilla1.8rc1

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: P1
Severity: critical
Reported: 12 years ago
Modified: 12 years ago

People: Reporter: nanto_vi (TOYAMA Nao); Assigned: brendan

Tracking: fixed1.8, js1.6
Version: Trunk
Target Milestone: mozilla1.8rc1
Keywords: fixed1.8, js1.6
Points: ---
Bug Flags: blocking1.8rc1 +, in-testsuite +
Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment

Description (Reporter, 12 years ago)
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051019 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051019 Firefox/1.5

These scripts cause Firefox to crash:
<element/>.__proto__();
<element/>.__parent__();
<element/>.function::__proto__();

Reproducible: Always

Steps to Reproduce:
Talkback Incident IDs:
TB10279899 (The comment for this incident is wrong.)
TB10875233Y
Updated (Assignee, 12 years ago)
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1 (Assignee, 12 years ago)
Created attachment 200177 [details] [diff] [review]
when deriving from native object-ops, mix and match with care!

This one is easy.

/be
Attachment #200177 - Flags: superreview?
Attachment #200177 - Flags: review?(mrbkap)
Updated (Assignee, 12 years ago)
Status: NEW → ASSIGNED
Flags: blocking1.8rc1+
OS: Windows 2000 → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8rc1
Updated (Assignee, 12 years ago)
Attachment #200177 - Flags: superreview? → superreview?(shaver)

Comment on attachment 200177 [details] [diff] [review]
when deriving from native object-ops, mix and match with care!

sr=shaver, requesting approval
Attachment #200177 - Flags: superreview?(shaver)
Attachment #200177 - Flags: superreview+
Attachment #200177 - Flags: approval1.8rc1?

Comment on attachment 200177 [details] [diff] [review]
when deriving from native object-ops, mix and match with care!

r=mrbkap
Attachment #200177 - Flags: review?(mrbkap) → review+
Comment 4 (Assignee, 12 years ago)
Comment on attachment 200177 [details] [diff] [review]
when deriving from native object-ops, mix and match with care!

Reduction in code size, and it fixes a trivial, non-exploitable crash bug. This
is not a release stopper, OTOH we are and have been taking lots of fixes for
non-stoppers, some of which are big.

At this stage of 1.8, having taken big patches, we should take little patches
if they spot-fix well. We can determine that in this case by code review and
testing. So I think this should go into the 1.8 tomorrow based on expected
results of testing today. The reviews are done.

/be
Comment 5 (Assignee, 12 years ago)
(In reply to comment #4)
> (From update of attachment 200177 [details] [diff] [review])
> Reduction in code size, and it fixes a trivial, non-exploitable crash bug. This
> is not a release stopper, OTOH we are and have been taking lots of fixes for
> non-stoppers, some of which are big.

To amplify on this, I mean we have recently taken non-stopper, bigger patches
(recently == in the last month). Followup fixes that are small and targeted
should go in. This bug's patch fixes an E4X bug that went in months ago, but
was not found till now. Better late than never.

The risk of regression is that normal access checking for native objects would
break some E4X object access. But any such E4X access would be a security bug,
or a logic bug in existing access checking code. We want to prevent the first,
and find the second. Testing shows no sign of the second.

/be

Updated (12 years ago)
Attachment #200177 - Flags: approval1.8rc1? → approval1.8rc1+
Comment 6 (Assignee, 12 years ago)
Fixed on branch and trunk.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8, js1.6
Resolution: --- → FIXED

Comment 7 (12 years ago)
Checking in regress-313080.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-313080.js,v  <--  regress-313080.js
initial revision: 1.1
Flags: testcase+