testcase (crashes Firefox when loaded) 10 years ago moz_bug_r_a4 387 bytes, text/html		Details
fix 10 years ago Igor Bukanov 1.98 KB, patch	brendan : review+ dveditz : approval1.8.1.12+ brendan : approval1.9+ Alexander Sack : approval1.8.0.next-	Details \| Diff \| Splinter Review
real 1.8.0 10 years ago Alexander Sack 1.76 KB, patch	Igor Bukanov : review+ Alexander Sack : approval1.8.0.next+	Details \| Diff \| Splinter Review

moz_bug_r_a4

(Reporter)

Description

•

10 years ago

http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jsobj.c&rev=3.403&mark=2780-2781,2790-2792#2780

A found property can be a getter/setter, in which case sprop->slot is
0xffffffff.

moz_bug_r_a4

(Reporter)

Comment 1

•

10 years ago

Created attachment 292388 [details]
testcase (crashes Firefox when loaded)

With this testcase, on trunk:
*vp = pobj->dslots[-7]

on 1.8/1.8.0 branches:
*vp = pobj->slots[-1] = 8

:Gavin Sharp [email: gavin@gavinsharp.com]

Updated

•

10 years ago

Flags: blocking1.9?

Flags: blocking1.8.1.12?

Keywords: crash

Igor Bukanov

(Assignee)

Comment 2

•

10 years ago

Created attachment 292398 [details] [diff] [review]
fix

This is a targeted fix to make sure that the slot for constructor is accessed only when it exists and the return from the function is either non-primitive or void.

Assignee: general → igor

Status: NEW → ASSIGNED

Attachment #292398 - Flags: review?(brendan)

Brendan Eich [:brendan]

Updated

•

10 years ago

Attachment #292398 - Flags: review?(brendan)

Attachment #292398 - Flags: review+

Attachment #292398 - Flags: approval1.9+

Brendan Eich [:brendan]

Updated

•

10 years ago

Flags: blocking1.9? → blocking1.9+

Daniel Veditz [:dveditz]

Updated

•

10 years ago

Flags: wanted1.8.1.x+

Flags: blocking1.8.1.12?

Flags: blocking1.8.1.12+

Whiteboard: [sg:critical?]

Igor Bukanov

(Assignee)

Comment 3

•

10 years ago

I accidentally committed the patch from comment 1 when I committed the patch for bug 397215, see bug 397215 comment 81.

Status: ASSIGNED → RESOLVED

Last Resolved: 10 years ago

Resolution: --- → FIXED

Samuel Sidler (old account; do not CC)

Comment 4

•

10 years ago

Igor, is this patch applicable on the 1.8 branch or do we need a new one? If this one works please ask for approval1.8.1.12 on it, or else please create the branch version of this patch.

Whiteboard: [sg:critical?] → [sg:critical?] need 1.8 patch

Igor Bukanov

(Assignee)

Comment 5

•

10 years ago

Comment on attachment 292398 [details] [diff] [review]
fix

The patch applies to 1.8.1 branch as-is.

Attachment #292398 - Flags: approval1.8.1.12?

Daniel Veditz [:dveditz]

Comment 6

•

10 years ago

Comment on attachment 292398 [details] [diff] [review]
fix

approved for 1.8.1.12, a=dveditz for release-drivers

Attachment #292398 - Flags: approval1.8.1.12? → approval1.8.1.12+

Igor Bukanov

(Assignee)

Comment 7

•

10 years ago

I checked in the patch from comment 2 to MOZILLA_1_8_BRANCH:

Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.56; previous revision: 3.208.2.55
done

Keywords: fixed1.8.1.12

Whiteboard: [sg:critical?] need 1.8 patch → [sg:critical?]

Al Billings [:abillings]

Comment 8

•

10 years ago

Verified in branch with https://bugzilla.mozilla.org/attachment.cgi?id=292388. No crash with testcase (though it crashes nicely in 2.0.0.11).

Keywords: fixed1.8.1.12 → verified1.8.1.12

Daniel Veditz [:dveditz]

Updated

•

10 years ago

Group: security

Alexander Sack

Comment 9

•

10 years ago

distro patches block 1.8.0.15

Flags: blocking1.8.0.15+

Alexander Sack

Comment 10

•

10 years ago

Comment on attachment 292398 [details] [diff] [review]
fix

we ship an unmodified patch in distros. caillon, please sign off.

Attachment #292398 - Flags: approval1.8.0.15?

Christopher Aillon (sabbatical, not receiving bugmail)

Comment 11

•

10 years ago

Comment on attachment 292398 [details] [diff] [review]
fix

a=caillon for 1.8.0

Attachment #292398 - Flags: approval1.8.0.15? → approval1.8.0.15+

Reed Loden [:reed] (use needinfo?)

Comment 12

•

10 years ago

(In reply to comment #10)
> (From update of attachment 292398 [details] [diff] [review])
> we ship an unmodified patch in distros. caillon, please sign off.

You do? Not sure how, considering there isn't a js_FindClassObject() in js/src/jsobj.c on MOZILLA_1_8_0_BRANCH! ;)

igor, is this patch needed on 1.8.0? If so, do we need some other patch first?

Alexander Sack

Comment 13

•

10 years ago

Created attachment 311136 [details] [diff] [review]
real 1.8.0

indeed, thanks for catching this.

Attachment #311136 - Flags: review?(igor)

Alexander Sack

Updated

•

10 years ago

Attachment #292398 - Flags: approval1.8.0.15+ → approval1.8.0.15-

Igor Bukanov

(Assignee)

Updated

•

10 years ago

Attachment #311136 - Flags: review?(igor) → review+

Reed Loden [:reed] (use needinfo?)

Updated

•

10 years ago

Attachment #311136 - Flags: approval1.8.0.15?

Alexander Sack

Comment 14

•

10 years ago

Comment on attachment 311136 [details] [diff] [review]
real 1.8.0

a=asac for 1.8.0.15

Attachment #311136 - Flags: approval1.8.0.15? → approval1.8.0.15+

Reed Loden [:reed] (use needinfo?)

Comment 15

•

10 years ago

MOZILLA_1_8_0_BRANCH:

Checking in js/src/jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.12.2.29; previous revision: 3.208.2.12.2.28
done

Keywords: fixed1.8.0.15

Bob Clary [:bc:]

Comment 16

•

10 years ago

verified linux|mac|windows

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-407720.js,v  <--  regress-407720.js
initial revision: 1.1

Status: RESOLVED → VERIFIED

Flags: in-testsuite+

Flags: in-litmus-

You need to log in before you can comment on or make changes to this bug.