Closed
Bug 370101
Opened 18 years ago
Closed 18 years ago
getfunns does not call SAVE_SP_AND_PC
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: igor, Assigned: igor)
Details
(Keywords: fixed1.8.0.12, fixed1.8.1.4, Whiteboard: [sg:critical?])
Attachments
(3 files)
|
732 bytes,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
|
754 bytes,
patch
|
dveditz
:
approval1.8.1.4+
|
Details | Diff | Splinter Review |
|
752 bytes,
patch
|
dveditz
:
approval1.8.0.12+
|
Details | Diff | Splinter Review |
JSOP_GETFUNNS does not call SAVE_SP_AND_PC before calling js_GetFunctionNamespace. The latter on the first initialization of function:: namespace can call JS_InitClass for namespace and qname classes which uses the stack for the constructor call. In that the unsaved portion of the stack will be nuked. I was hit by that while developing fixes for bug 370016, bug 370048 and bug 369740.
But without a fix for bugs I was not able to come up so far with a test case to show the bug. With code like:
with(Math)
print(function::sin)
the function::sin triggers not found function exception. That in turn throws away the damaged portion of the stack. But the bug should be visible in the js debugger.
|
Assignee | |
Comment 1•18 years ago
|
||
Attachment #254759 -
Flags: review?(brendan)
|
||
Comment 2•18 years ago
|
||
Comment on attachment 254759 [details] [diff] [review]
Fix v1
r=me, d'oh.
/be
Attachment #254759 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 3•18 years ago
|
||
I committed the patch from comment 1 to the trunk:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.328; previous revision: 3.327
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 4•18 years ago
|
||
Nominating for branches this very safe fix.
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
|
|
Assignee | |
Updated•18 years ago
|
Flags: blocking1.8.1.3?
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.11?
Flags: blocking1.8.0.10?
|
|
Assignee | |
Comment 5•18 years ago
|
||
Attachment #254960 -
Flags: approval1.8.1.3?
|
|
Assignee | |
Comment 6•18 years ago
|
||
Attachment #254961 -
Flags: approval1.8.0.11?
|
|
Assignee | |
Updated•18 years ago
|
Attachment #254961 -
Attachment is patch: true
Attachment #254961 -
Attachment mime type: application/octet-stream → text/plain
|
||
Updated•18 years ago
|
Flags: in-testsuite-
|
|
||
Updated•18 years ago
|
Summary: getfuns does not call SAVE_SP_AND_PC → getfunns does not call SAVE_SP_AND_PC
|
||
Updated•18 years ago
|
Whiteboard: [sg:critical?]
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.3?
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.3?
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
|
|
||
Updated•18 years ago
|
Attachment #254961 -
Flags: approval1.8.0.12? → approval1.8.0.12+
|
|
||
Comment 7•18 years ago
|
||
Comment on attachment 254960 [details] [diff] [review]
1.8.1 version of fix v
approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #254960 -
Flags: approval1.8.1.4? → approval1.8.1.4+
|
|
||
Updated•18 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
|
|
Assignee | |
Comment 8•18 years ago
|
||
I committed the patch from comment 5 to MOZILLA_1_8_BRANCH:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.181.2.85; previous revision: 3.181.2.84
done
Keywords: fixed1.8.1.4
|
|
Assignee | |
Comment 9•18 years ago
|
||
I committed the patch from comment 6 to MOZILLA_1_8_0_BRANCH:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.181.2.17.2.30; previous revision: 3.181.2.17.2.29
done
Keywords: fixed1.8.0.12
|
|
||
Updated•18 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•