Closed Bug 465901 Opened 16 years ago Closed 16 years ago

DVG confused by |let|

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal


VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: testcase, verified1.9.1, Whiteboard: [sg:moderate?])

Attachments

(3 files)

js> { let d = 3;  new (this.d |= d |= d); }
typein:1: TypeError: this.d |= ???this |= d is not a constructor

Security-sensitive because the "???" makes me think it's reading from uninitialized memory, and making that memory available to scripts through try..catch.

The fuzzer in bug 465479 found this accidentally: it noticed a slight difference in the error message, due to what I'm guessing is uninitialized memory, and interpreted it as a difference between JIT and non-JIT.

I'll see if I can retrofit one of my fuzzers to really look for bugs like this, perhaps by trying to compile every expression that appears in a "is not a constructor" error message.
js> for each (let x in [1]) { (x = {}).y(); }
typein:1: TypeError: (???{} = {}).y is not a function
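An added example, not code from this bug, from the reporter's fuzzers or from SpiderMonkey: a small harness in the spirit of the idea in comment 0, i.e. take the expression an engine quotes in a "X is not a constructor" / "X is not a function" TypeError and check whether that text is itself a well-formed expression. The function names, the message regex and the sample messages (the two transcripts above plus a control) are assumptions made for this example; `probeSource` runs the first testcase under try..catch in whatever engine runs the file, so its wording differs from the 2008 js shell.

```javascript
// Added example, not part of bug 465901 or of SpiderMonkey. Checks whether the
// expression quoted in a "... is not a constructor/function" TypeError parses.
// A decompiler that has read garbage prints markers such as "???", which can
// never be a valid expression, so a parse failure flags the message.

const MESSAGE_RE = /TypeError: (.+) is not a (constructor|function)$/;

// Pull the quoted expression out of a message; null if the message has a
// different shape (e.g. "x is undefined").
function extractExpression(message) {
  const m = MESSAGE_RE.exec(message.trim());
  return m ? m[1] : null;
}

// Compile-only check: Function() parses its body eagerly, and the result is
// never called, so nothing in `expr` runs. The newline before ")" keeps a
// "//" inside the expression from swallowing the closing parenthesis.
function parsesAsExpression(expr) {
  try {
    new Function("return (" + expr + "\n);");
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Classify one error message. `suspicious` is true when the quoted text
// contains the "???" marker or fails to parse.
function analyzeMessage(message) {
  const expr = extractExpression(message);
  if (expr === null) {
    return { expr: null, parses: null, suspicious: false, reason: "not a recognised message shape" };
  }
  const hasMarker = expr.includes("???");
  const ok = parsesAsExpression(expr);
  return {
    expr,
    parses: ok,
    suspicious: hasMarker || !ok,
    reason: hasMarker ? "contains ??? marker" : ok ? "" : "quoted text does not parse",
  };
}

// Run a snippet under try..catch, the way a script would harvest the message,
// and return "Name: message" for whatever it throws (null if nothing throws).
function probeSource(src) {
  try {
    new Function(src)();
    return null;
  } catch (e) {
    return e.name + ": " + e.message;
  }
}

// Constructed sample messages: the two from this bug (with their "???"
// markers), the first expression as a correct decompiler would print it, and
// an unrelated message the regex should ignore.
const SAMPLE_MESSAGES = [
  "typein:1: TypeError: this.d |= ???this |= d is not a constructor",
  "typein:1: TypeError: (???{} = {}).y is not a function",
  "typein:1: TypeError: this.d |= d |= d is not a constructor",
  "typein:1: TypeError: x is undefined",
];

function suspiciousMessages(messages) {
  return messages.filter((m) => analyzeMessage(m).suspicious);
}

// Walk the samples, then probe the first testcase live in this engine.
for (const m of SAMPLE_MESSAGES) {
  const r = analyzeMessage(m);
  console.log(r.suspicious ? "SUSPICIOUS" : "ok        ", JSON.stringify(r.expr), r.reason);
}
console.log("live probe:", probeSource("{ let d = 3; new (this.d |= d |= d); }"));
```

The "???" test is the precise one; the parse test is a heuristic, and an engine that abbreviates the callee text in its message rather than decompiling it will trip it, so treat parse failures as leads to inspect by hand rather than as findings.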
Whiteboard: [sg:moderate?]
Attached patch: Fix
Seems like an obvious fix...
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #349301 - Flags: review?(brendan)
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Comment on attachment 349301 (Fix)

Whoops, was this never right? Thanks for fixing.

/be
Attachment #349301 - Flags: review?(brendan) → review+
Attachment #349301 - Flags: approval1.9.1b2?
Attachment #349301 - Flags: approval1.9.1b2? → approval1.9.1b2+
http://hg.mozilla.org/mozilla-central/rev/1c0893f3e640
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: wanted1.9.0.x?
Flags: in-testsuite+
Flags: in-litmus-
verified fixed mozilla-central but not tracemonkey
Status: RESOLVED → VERIFIED
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6+
Whiteboard: [sg:moderate?] → [sg:moderate?][needs 1.9.0 patch]
The 1.9.0 branch is not affected by this bug.
Keywords: fixed1.9.0.6
Whiteboard: [sg:moderate?][needs 1.9.0 patch] → [sg:moderate?]
If 1.9.0 is not affected by this, why did we fix it there?
For security bugs we use wanted-minus to indicate "Not needed for branch, and yes, we've checked". (For other bugs it tends to mean "we don't care--stop bugging us")
Flags: wanted1.9.0.x-
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6-
Flags: blocking1.9.0.6+
Keywords: fixed1.9.0.6
Sorry, I was confused by what we did in bug 464174.
v 1.9.1, 1.9.2
When this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Group: core-security