Closed
Bug 369404
Opened 18 years ago
Closed 18 years ago
Assertion failure: !SPROP_HAS_STUB_SETTER(sprop) || (sprop->attrs & JSPROP_GETTER)
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: brendan)
References
Details
(4 keywords)
Attachments
(3 files)
191 bytes,
text/html
|
Details | |
1.19 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
1.28 KB,
patch
|
brendan
:
review+
dveditz
:
approval1.8.1.4+
dveditz
:
approval1.8.0.12+
|
Details | Diff | Splinter Review |
Debug:
Assertion failure: !SPROP_HAS_STUB_SETTER(sprop) || (sprop->attrs & JSPROP_GETTER), at /Users/jruderman/trunk/mozilla/js/src/jsobj.c:3663
Opt:
Crash with 0 on top --> security-sensitive
This reminds me of bug 367589.
Reporter | ||
Comment 1•18 years ago
|
||
Reporter | ||
Updated•18 years ago
|
Whiteboard: [sg:critical?]
Assignee | ||
Comment 2•18 years ago
|
||
Just missed this case in the js_Native{Get,Set} fixing the other month.
Jesse, why is a null dereference security-sensitive? IIRC that requires either structured exception handling on Windows (which we don't use) or some broken version of Linux (which we should not ship on).
/be
Assignee | ||
Comment 3•18 years ago
|
||
I don't believe this is exploitable.
/be
OS: Mac OS X → All
Hardware: PC → All
Updated•18 years ago
|
Attachment #256280 -
Flags: review?(mrbkap) → review+
Reporter | ||
Comment 4•18 years ago
|
||
I filed it as security-sensitive because I saw 0 as the top item in the stack (as the instruction pointer). Most bugs that can cause 0 to be the top item in the stack can also cause other numbers to be the top item in the stack.
Assignee | ||
Comment 5•18 years ago
|
||
It's a guaranteed null pointer dereference -- the assertion is botching due to the null "stub setter" pointer.
Fixed on trunk: js/src/jsobj.c 3.329
/be
Group: security
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Resolution: --- → FIXED
Whiteboard: [sg:critical?]
Assignee | ||
Comment 6•18 years ago
|
||
Comment on attachment 256280 [details] [diff] [review]
fix
Patch applies cleanly with hunk skew.
/be
Attachment #256280 -
Flags: approval1.8.1.3?
Attachment #256280 -
Flags: approval1.8.0.11?
Comment 7•18 years ago
|
||
I think this might have caused bug 371724, is that possible?
Comment 8•18 years ago
|
||
So yeah, I backed out this patch on current trunk, and that made the testcase on bug 371724 succeed. Marking deps and all that.
Comment 9•18 years ago
|
||
Er, I backed out locally, that is. Should this bug be reopened?
Really marking deps.
Blocks: 371724
Assignee | ||
Comment 10•18 years ago
|
||
I took bug 371724 and have a patch in it -- please test it with this bug's patch restored, and update that bug with good news. I will put an all-in-one 1.8* branch patch here when the followup patch for bug 371724 has landed. Thanks,
/be
Assignee | ||
Updated•18 years ago
|
Attachment #256280 -
Flags: approval1.8.1.3?
Attachment #256280 -
Flags: approval1.8.0.11?
Assignee | ||
Comment 11•18 years ago
|
||
Attachment #256476 -
Flags: review+
Attachment #256476 -
Flags: approval1.8.1.3?
Attachment #256476 -
Flags: approval1.8.0.11?
Comment 12•18 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-369404.js,v <-- regress-369404.js
initial revision: 1.1
Flags: in-testsuite+
Comment 14•18 years ago
|
||
regressions are usually marked as depends on, not blocking.
Comment 15•18 years ago
|
||
Comment on attachment 256476 [details] [diff] [review]
1.8* branch patch, including fix for 371724
approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #256476 -
Flags: approval1.8.1.4?
Attachment #256476 -
Flags: approval1.8.1.4+
Attachment #256476 -
Flags: approval1.8.0.12?
Attachment #256476 -
Flags: approval1.8.0.12+
Assignee | ||
Comment 16•18 years ago
|
||
Fixed on the
1.8 branch: js/src/jsobj.c 3.208.2.50
1.8.0 branch: js/src/jsobj.c 3.208.2.12.2.24
/be
Keywords: fixed1.8.0.12,
fixed1.8.1.4
Comment 18•17 years ago
|
||
Browser based tests which rely on the delayed ending of the test must call reportCompare before jsTestDriverEnd in order for the test results to be recorded prior to their dumping to stdout.
Checking in regress-369404.js;
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-369404.js,v <-- regress-369404.js
new revision: 1.4; previous revision: 1.3
You need to log in
before you can comment on or make changes to this bug.
Description
•