"Assertion failure: !caller || caller->pc" in obj_eval involving setter and watch

VERIFIED FIXED in mozilla1.9alpha1

Status

Product: Core
Component: JavaScript Engine
Priority: P3
Severity: critical
Status: VERIFIED FIXED
Reported: 12 years ago
Last modified: 11 years ago

People

(Reporter: Jesse Ruderman, Assigned: brendan)

Tracking

Version: Trunk
Target Milestone: mozilla1.9alpha1
Keywords: crash, testcase, verified1.8.1.1
Blocks: 1 bug
Bug Flags: blocking1.8.1.1 -, in-testsuite +

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
js> this.__defineSetter__('x', eval); this.watch('x', function(){}); x = 3;
Assertion failure: !caller || caller->pc, at jsobj.c:1220

Security-sensitive because other bugs involving setter and watch are security-sensitive.
This is bug 355341's cousin. I wonder if we should make the pseudo frame's pc be the end of its script or something...

I think this is a simple null deref crash (which manifests itself as an assertion in debug builds).
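The reproduction above, wrapped as a regression-style check. This is an added example modelled on the kind of crash test the bug was later given (in-testsuite+), not regress-361360.js from the Mozilla tree; the function names and the "skipped" status are this example's own conventions. It separates the setter-only path (legacy `__defineSetter__`, still supported by current engines) from the watchpoint path (non-standard `Object.prototype.watch`, absent from current engines), because a crash test that never reaches the crash site must report that it was skipped rather than silently pass.

```javascript
// Added regression-style harness for the reproduction in the bug description.
// Not the Mozilla tree's regress-361360.js; case names and the 'skipped'
// status are this example's own conventions.

// Baseline: a native function (eval) installed as a setter and invoked by a
// plain assignment. This exercises the setter call path without a watchpoint
// and is expected to succeed in any engine: an indirect eval of a non-string
// argument just returns that argument, and a setter's return value is dropped.
function setterEvalBaseline() {
  const target = {};
  target.__defineSetter__('x', eval);
  try {
    target.x = 3;
    return 'ok';
  } catch (e) {
    return 'threw: ' + e.message;
  }
}

// The bug's reproduction: the same setter, but with a watchpoint on the
// property, so the setter is entered from the watchpoint's pseudo frame.
// Object.prototype.watch is non-standard and missing from current engines;
// when it is absent the case is reported as 'skipped', never as 'ok'.
function setterEvalWithWatch() {
  const target = {};
  if (typeof target.watch !== 'function') {
    return 'skipped';
  }
  target.__defineSetter__('x', eval);
  target.watch('x', function () {});
  try {
    target.x = 3; // before the fix: assertion failure / null deref in obj_eval
    return 'ok';
  } catch (e) {
    return 'threw: ' + e.message;
  }
}

// Run both cases and return their statuses so a harness can assert on them.
function runRegression() {
  return {
    baseline: setterEvalBaseline(),
    withWatch: setterEvalWithWatch(),
  };
}

console.log(JSON.stringify(runRegression()));
```

On an engine without `watch` the output is `{"baseline":"ok","withWatch":"skipped"}`; only a build that still implements watchpoints can turn the second case into a real pass or a crash.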
(Assignee)

Comment 2

12 years ago
Please don't over-use the s-s setting.

/be
(Assignee)

Comment 3

12 years ago
Created attachment 246184 [details] [diff] [review]
fix

Like this?  Want to point at a real bytecode, not past end of vector, of course.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #246184 - Flags: review?(mrbkap)
(Assignee)

Comment 4

12 years ago
Pure null deref or assertbotch.

/be
Group: security
Flags: blocking1.8.1.1?
OS: Mac OS X 10.4 → All
Priority: -- → P3
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 246184 [details] [diff] [review]
fix

Yeah, this is what I had in mind.
Attachment #246184 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 6

12 years ago
Fixed on trunk:

Checking in jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.74; previous revision: 3.73
done

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 7

12 years ago
Comment on attachment 246184 [details] [diff] [review]
fix

Essentially a one-line fix to avoid a null deref crash.

/be
Attachment #246184 - Flags: approval1.8.1.1?

Comment 8

12 years ago
RCS file: /cvsroot/mozilla/js/tests/js1_5/Regress/regress-361360.js,v
done
Checking in regress-361360.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-361360.js,v  <--  regress-361360.js
initial revision: 1.1
done
Flags: in-testsuite+

Updated

12 years ago
Flags: blocking1.8.1.1? → blocking1.8.1.1-

Comment 9

12 years ago
Comment on attachment 246184 [details] [diff] [review]
fix

Approved for 1.8.1 branch, a=jay for drivers.  Please land asap, thanks!
Attachment #246184 - Flags: approval1.8.1.1? → approval1.8.1.1+
(Assignee)

Comment 10

12 years ago
Want patch for bug 361467 along with this bug's patch.

/be
Blocks: 361467

Comment 11

12 years ago
verified fixed 20061122 1.9 windows/linux
Status: RESOLVED → VERIFIED
(Assignee)

Comment 12

12 years ago
revision 3.56.2.6
date: 2006/11/23 19:36:24;  author: brendan%mozilla.org;  state: Exp;  lines: +12 -3
Fix 361360 and 361467, a=jay.

/be
Keywords: fixed1.8.1.1

Comment 13

12 years ago
verified fixed 20061125 1.8.1.1, windows/linux/mac*, 1.9 windows/linux, note test passes in 1.8.0.9.
Keywords: fixed1.8.1.1 → verified1.8.1.1
(Reporter)

Updated

11 years ago
No longer blocks: 349611
(Reporter)

Updated

11 years ago
Blocks: 349611