Closed Bug 462851 Opened 17 years ago Closed 17 years ago

JS_SealObject crash if deep is true.

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: soubok, Assigned: mrbkap)

References

Details

(Keywords: fixed1.9.1)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier: mozilla-central-5bd6876be7f2/js/src (tip at Oct 28, 2008)

Calling JS_SealObject(cx, myObj, deep) crashes if deep is true.

Reproducible: Always

Steps to Reproduce:
    JSObject *myObj = JS_NewObject(cx, NULL, NULL, NULL);
    JS_SealObject(cx, myObj, JS_TRUE);

Actual Results:
Crash in jsfun.cpp:716 (call_enumerate function):
    ...
    fun = js_GetCallObjectFunction(); // returns NULL
    JS_GET_LOCAL_NAME_COUNT(fun);     // (fun)->u.i.nupvars -> Access violation
    ...

I use TraceMonkey code from mozilla-central-5bd6876be7f2/js/src compiled with JIT disabled.
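The failure mode in the report, modelled as an added C example that is neither SpiderMonkey code nor this bug's patch: a deep seal walks the object graph and invokes each class's enumerate hook, and the Call class hook is reached for a Call object that has no function attached. The NULL guard in the hook is the assumed defensive fix; the object model, class names and field layout are constructed for illustration.

```c
#include <stddef.h>
/* Constructed miniature of the engine's object model; not SpiderMonkey code. */
typedef struct Object Object;
typedef int (*EnumerateHook)(Object *obj);   /* 0 on success, -1 on failure */
typedef struct { const char *name; EnumerateHook enumerate; } Class;
typedef struct { int nargs; int nupvars; } Function;
struct Object {
    const Class *clasp;
    Function *fun;          /* Call objects only; NULL until a function is attached */
    Object *children[4];
    size_t nchildren;
    int sealed;
    int names_reflected;    /* local names the enumerate hook materialised */
};

/* Enumerate hook of the Call class. The reported crash is the unguarded
 * dereference of a NULL fun in the local-name count; the early return is
 * the assumed defensive fix (not the project's actual patch). */
static int call_enumerate(Object *obj) {
    Function *fun = obj->fun;           /* stands in for js_GetCallObjectFunction() */
    if (!fun)
        return 0;                       /* no function attached: nothing to reflect */
    obj->names_reflected = fun->nargs + fun->nupvars;
    return 0;
}
static const Class CallClass   = { "Call",   call_enumerate };
static const Class ObjectClass = { "Object", NULL };

/* Deep seal: run the class hook so lazy properties exist, seal, then recurse
 * into every reachable object, which is how a Call object gets visited. */
static int seal_object(Object *obj, int deep) {
    if (obj->clasp->enumerate && obj->clasp->enumerate(obj) < 0)
        return -1;
    obj->sealed = 1;
    if (deep)
        for (size_t i = 0; i < obj->nchildren; i++)
            if (seal_object(obj->children[i], 1) < 0)
                return -1;
    return 0;
}
/* Reproduces the report: a plain object whose graph reaches a Call object.
 * Returns the number of names reflected on the Call object, or -1 on failure. */
static int repro_deep_seal(int attach_fun) {
    Function fn = { 2, 1 };
    Object call = { &CallClass, attach_fun ? &fn : NULL, { 0 }, 0, 0, 0 };
    Object root = { &ObjectClass, NULL, { &call }, 1, 0, 0 };
    if (seal_object(&root, 1) < 0 || !root.sealed || !call.sealed)
        return -1;
    return call.names_reflected;
}
```

With the guard removed, repro_deep_seal(0) is the reported access violation; with it, the deep seal completes and only a Call object that actually carries a function reflects its names.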
Attached patch: Fix
This is an amazingly rare case, I think it's only exposed via the seal() API.
Assignee: general → mrbkap
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #351304 - Flags: review?(brendan)
Attachment #351304 - Flags: review+
Attachment #351304 - Flags: approval1.9.1?
Attachment #351304 - Flags: approval1.9.1? → approval1.9.1+
Note that in 469124 this happened via Venkman, so it's not quite as rare as we thought. Is there a reason not to push this?
The patch just got approved -- mrbkap will push soon, I'm sure. /be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
JJB had marked this as blocking? in bug 471066, carrying that over here.
Flags: blocking1.9.1?
I built: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090105 Shiretoko/3.1b3pre and I repeated the test from bug 471066. No crash. Thanks!
Flags: blocking1.9.1? → blocking1.9.1+
Flags: in-testsuite-