getfunns does not call SAVE_SP_AND_PC

RESOLVED FIXED

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 11 years ago
Modified: 10 years ago

People

(Reporter: Igor Bukanov, Assigned: Igor Bukanov)

Tracking

Keywords: fixed1.8.0.12, fixed1.8.1.4
Version: Trunk
Points:
---
Bug Flags:
blocking1.8.1.4 +
wanted1.8.1.x +
blocking1.8.0.12 +
wanted1.8.0.x +
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(3 attachments)

(Assignee)

Description

11 years ago
JSOP_GETFUNNS does not call SAVE_SP_AND_PC before calling js_GetFunctionNamespace. The latter, on the first initialization of the function:: namespace, can call JS_InitClass for the namespace and qname classes, which uses the stack for the constructor call. In that case the unsaved portion of the stack will be nuked. I was hit by that while developing fixes for bug 370016, bug 370048 and bug 369740.

But without a fix for those bugs I have so far not been able to come up with a test case to show the bug. With code like:
  with(Math)
    print(function::sin)
the function::sin triggers a function-not-found exception. That in turn throws away the damaged portion of the stack. But the bug should be visible in the js debugger.
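The failure mode the description identifies, as an added C illustration that is not SpiderMonkey code and not part of this bug: a toy stack interpreter keeps its operand stack pointer in a local variable (the way jsinterp.c caches sp) and also in a frame field that callees read (the role of fp->sp). The callout stands in for JS_InitClass running a constructor through the same frame. When the interpreter forgets to write the local back to the frame before the callout (the SAVE_SP_AND_PC step), the callee pushes its arguments over operands that are still live. All names here (Frame, reentrant_callout, run) are invented for the example.

```c
/* Added illustration of the missing SAVE_SP_AND_PC pattern.
 * Not SpiderMonkey code; Frame/reentrant_callout/run are invented. */
#include <stdio.h>
#include <string.h>

#define STACK_SLOTS 16

typedef struct Frame {
    long  slots[STACK_SLOTS];
    long *sp;     /* stack pointer as seen by callees (like fp->sp) */
} Frame;

/* Stand-in for a re-entrant callout such as JS_InitClass invoking a
 * constructor: it trusts the frame's saved sp, pushes its arguments
 * there, computes on them and pops them again. */
static long reentrant_callout(Frame *fp, long a, long b)
{
    long *sp = fp->sp;
    *sp++ = a;
    *sp++ = b;
    long r = sp[-2] * sp[-1];
    fp->sp = sp - 2;          /* pop the two arguments */
    return r;
}

/* Interpreter loop with a cached local sp, like jsinterp.c.
 * save_before_callout == 0 mirrors the unfixed JSOP_GETFUNNS: the
 * frame still holds a stale sp, so the callee overwrites live slots. */
static long run(int save_before_callout)
{
    Frame frame;
    memset(&frame, 0, sizeof frame);
    long *sp = frame.slots;
    frame.sp = sp;             /* last write-back happened here */

    /* two live operands held only in the cached local sp */
    *sp++ = 10;
    *sp++ = 20;

    if (save_before_callout)
        frame.sp = sp;         /* the SAVE_SP_AND_PC equivalent */

    long ns = reentrant_callout(&frame, 3, 4);   /* 3 * 4 == 12 */

    *sp++ = ns;
    /* add the three operands; correct answer is 10 + 20 + 12 == 42,
     * the clobbered stack yields 3 + 4 + 12 == 19 instead */
    return sp[-3] + sp[-2] + sp[-1];
}

int main(void)
{
    printf("sp saved before callout:   %ld\n", run(1));
    printf("sp not saved (bug):        %ld\n", run(0));
    return 0;
}
```

In the toy the damage shows up as a wrong sum; in the real interpreter the overwritten slots hold jsvals, so a stale fp->sp lets the constructor call replace live tagged values with its own arguments, which is why the bug carries the [sg:critical?] whiteboard tag even without a reproducible test case.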
(Assignee)

Comment 1

11 years ago
Created attachment 254759
Fix v1
Attachment #254759 - Flags: review?(brendan)
Comment 2

Comment on attachment 254759
Fix v1

r=me, d'oh.

/be
Attachment #254759 - Flags: review?(brendan) → review+
(Assignee)

Comment 3

11 years ago
I committed the patch from comment 1 to the trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.328; previous revision: 3.327
done
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 4

11 years ago
Nominating this very safe fix for the branches.
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
(Assignee)

Updated

11 years ago
Flags: blocking1.8.1.3?
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.11?
Flags: blocking1.8.0.10?
(Assignee)

Comment 5

11 years ago
Created attachment 254960
1.8.1 version of fix v
Attachment #254960 - Flags: approval1.8.1.3?
(Assignee)

Comment 6

11 years ago
Created attachment 254961
1.8.0 version of fix v
Attachment #254961 - Flags: approval1.8.0.11?
(Assignee)

Updated

11 years ago
Attachment #254961 - Attachment is patch: true
Attachment #254961 - Attachment mime type: application/octet-stream → text/plain

Updated

11 years ago
Flags: in-testsuite-

Updated

11 years ago
Summary: getfuns does not call SAVE_SP_AND_PC → getfunns does not call SAVE_SP_AND_PC
Whiteboard: [sg:critical?]

Updated

11 years ago
Flags: blocking1.8.1.3?

Updated

11 years ago
Flags: blocking1.8.1.3?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Attachment #254961 - Flags: approval1.8.0.12? → approval1.8.0.12+
Comment 7

Comment on attachment 254960
1.8.1 version of fix v

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #254960 - Flags: approval1.8.1.4? → approval1.8.1.4+
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
(Assignee)

Comment 8

10 years ago
I committed the patch from comment 5 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.85; previous revision: 3.181.2.84
done
Keywords: fixed1.8.1.4
(Assignee)

Comment 9

10 years ago
I committed the patch from comment 6 to MOZILLA_1_8_0_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.17.2.30; previous revision: 3.181.2.17.2.29
done
Keywords: fixed1.8.0.12
Group: security