Closed Bug 369404 Opened 18 years ago Closed 18 years ago

Assertion failure: !SPROP_HAS_STUB_SETTER(sprop) || (sprop->attrs & JSPROP_GETTER)

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(4 keywords)

Attachments

(3 files)

Debug: Assertion failure: !SPROP_HAS_STUB_SETTER(sprop) || (sprop->attrs & JSPROP_GETTER), at /Users/jruderman/trunk/mozilla/js/src/jsobj.c:3663 Opt: Crash with 0 on top --> security-sensitive This reminds me of bug 367589.
Attached file testcase
Whiteboard: [sg:critical?]
Attached patch fixSplinter Review
Just missed this case in the js_Native{Get,Set} fixing the other month. Jesse, why is a null dereference security-sensitive? IIRC that requires either structured exception handling on Windows (which we don't use) or some broken version of Linux (which we should not ship on). /be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #256280 - Flags: review?(mrbkap)
I don't believe this is exploitable. /be
OS: Mac OS X → All
Hardware: PC → All
Attachment #256280 - Flags: review?(mrbkap) → review+
I filed it as security-sensitive because I saw 0 as the top item in the stack (as the instruction pointer). Most bugs that can cause 0 to be the top item in the stack can also cause other numbers to be the top item in the stack.
It's a guaranteed null pointer dereference -- the assertion is botching due to the null "stub setter" pointer. Fixed on trunk: js/src/jsobj.c 3.329 /be
Group: security
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Resolution: --- → FIXED
Whiteboard: [sg:critical?]
Comment on attachment 256280 [details] [diff] [review] fix Patch applies cleanly with hunk skew. /be
Attachment #256280 - Flags: approval1.8.1.3?
Attachment #256280 - Flags: approval1.8.0.11?
Blocks: js1.7src
I think this might have caused bug 371724, is that possible?
So yeah, I backed out this patch on current trunk, and that made the testcase on bug 371724 succeed. Marking deps and all that.
Er, I backed out locally, that is. Should this bug be reopened? Really marking deps.
Blocks: 371724
I took bug 371724 and have a patch in it -- please test it with this bug's patch restored, and update that bug with good news. I will put an all-in-one 1.8* branch patch here when the followup patch for bug 371724 has landed. Thanks, /be
Attachment #256280 - Flags: approval1.8.1.3?
Attachment #256280 - Flags: approval1.8.0.11?
Attachment #256476 - Flags: review+
Attachment #256476 - Flags: approval1.8.1.3?
Attachment #256476 - Flags: approval1.8.0.11?
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-369404.js,v <-- regress-369404.js initial revision: 1.1
Flags: in-testsuite+
verified fixed 1.9.0 20070320 win/mac*/linux
Status: RESOLVED → VERIFIED
regressions are usually marked as depends on, not blocking.
No longer blocks: 371724
Depends on: 371724
Comment on attachment 256476 [details] [diff] [review] 1.8* branch patch, including fix for 371724 approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #256476 - Flags: approval1.8.1.4?
Attachment #256476 - Flags: approval1.8.1.4+
Attachment #256476 - Flags: approval1.8.0.12?
Attachment #256476 - Flags: approval1.8.0.12+
Fixed on the 1.8 branch: js/src/jsobj.c 3.208.2.50 1.8.0 branch: js/src/jsobj.c 3.208.2.12.2.24 /be
verified fixed linux, windows, mac* 1.8.0, 1.8.1 shell 20070406
Browser based tests which rely on the delayed ending of the test must call reportCompare before jsTestDriverEnd in order for the test results to be recorded prior to their dumping to stdout. Checking in regress-369404.js; /cvsroot/mozilla/js/tests/js1_5/extensions/regress-369404.js,v <-- regress-369404.js new revision: 1.4; previous revision: 1.3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: