Bug 465901 (Closed): DVG confused by |let|
Status: VERIFIED FIXED
Opened 17 years ago; Closed 17 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: jruderman, Assigned: mrbkap
Details: Keywords: testcase, verified1.9.1; Whiteboard: [sg:moderate?]
Attachments (3 files)
Attachment 349301, Fix (839 bytes, patch): brendan: review+; sayrer: approval1.9.1b2+
Attachment (2.20 KB, text/plain)
Attachment (2.19 KB, text/plain)
js> { let d = 3; new (this.d |= d |= d); }
typein:1: TypeError: this.d |= ???this |= d is not a constructor
Security-sensitive because the "???" makes me think it's reading from uninitialized memory, and making that memory available to scripts through try..catch.
The fuzzer in bug 465479 found this accidentally: it noticed a slight difference in the error message, due to what I'm guessing is uninitialized memory, and interpreted it as a difference between JIT and non-JIT.
I'll see if I can retrofit one of my fuzzers to really look for bugs like this, perhaps by trying to compile every expression that appears in a "is not a constructor" error message.
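Added example, not code from this bug or from SpiderMonkey: a small harness for the fuzzer check the reporter proposes above. DVG is SpiderMonkey's decompiler value generator, the code that renders the offending expression in "is not a constructor" and "is not a function" messages. The harness compiles and runs each testcase, catches the TypeError, pulls the decompiled expression out of the message, and flags it when it carries the "???" placeholder or fails to compile when fed back to the engine. The message shape, the use of new Function as the compile step, and the engine it runs on (any modern engine; the SpiderMonkey-only "for each" testcase is counted as skipped elsewhere) are assumptions of this example, not facts from the bug.

```javascript
// Added example, not code from the bug report or from SpiderMonkey: a
// harness for the check proposed in the description. It runs each snippet,
// catches the TypeError, extracts the decompiled expression from the
// "... is not a constructor" / "... is not a function" message, and flags
// expressions that carry a "???" placeholder or do not compile on their own.
//
// Assumptions (not from the bug): only the message shape below is checked,
// `new Function` stands in for the engine's compile step, and the snippets
// are the two testcases quoted in this bug.

// Constructed sample messages, copied from the two reports in this bug.
const SAMPLE_MESSAGES = [
  "this.d |= ???this |= d is not a constructor",
  "(???{} = {}).y is not a function",
];

// The two testcases from this bug. The second uses SpiderMonkey-only
// `for each` syntax and is expected to be skipped on other engines.
const SAMPLE_SNIPPETS = [
  "{ let d = 3; new (this.d |= d |= d); }",
  "for each (let x in [1]) { (x = {}).y(); }",
];

// Shape of a decompiler-backed message: "<expr> is not a <kind>".
const DECOMPILED_RE = /^(.*) is not a (constructor|function)$/;

// Returns null when the message is not decompiler-shaped, otherwise
// { expr, kind, reasons } where an empty reasons[] means the decompiled
// expression looks sane.
function checkErrorMessage(message) {
  const m = DECOMPILED_RE.exec(message);
  if (m === null) return null;
  const [, expr, kind] = m;
  const reasons = [];
  if (expr.includes("???")) {
    // The decompiler emits "???" when it cannot recover the source text;
    // the bug report suspects this marks a read of uninitialized memory.
    reasons.push("contains ??? placeholder");
  }
  try {
    // Compile only, never run: a sane decompiled expression should at
    // least parse when fed back to the engine.
    new Function(`return (${expr});`);
  } catch (e) {
    reasons.push(`does not compile: ${e.message}`);
  }
  return { expr, kind, reasons };
}

// Compiles and runs each snippet, collecting suspicious decompiled
// expressions from TypeErrors. Snippets the engine cannot parse are
// counted as skipped rather than treated as findings.
function harvestDecompilerBugs(snippets) {
  const result = { ran: 0, skipped: 0, findings: [] };
  for (const src of snippets) {
    let fn;
    try {
      fn = new Function(src);
    } catch (e) {
      result.skipped++;
      continue;
    }
    result.ran++;
    try {
      fn();
    } catch (e) {
      if (!(e instanceof TypeError)) continue;
      const verdict = checkErrorMessage(e.message);
      if (verdict !== null && verdict.reasons.length > 0) {
        result.findings.push({ src, message: e.message, ...verdict });
      }
    }
  }
  return result;
}

// Verdicts on the messages quoted in the bug (no engine dependence).
const SAMPLE_VERDICTS = SAMPLE_MESSAGES.map(checkErrorMessage);

if (typeof require !== "undefined" && require.main === module) {
  for (const v of SAMPLE_VERDICTS) console.log(v);
  console.log(harvestDecompilerBugs(SAMPLE_SNIPPETS));
}
```

Both quoted messages are flagged twice: the expression contains "???" and, when fed back as source, it is a syntax error. Other engines have their own placeholder text for expressions they cannot render, which the compile step will also flag, so the check is only as precise as the engine's own message format.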
Comment 1 • 17 years ago • Reporter
js> for each (let x in [1]) { (x = {}).y(); }
typein:1: TypeError: (???{} = {}).y is not a function
Updated • 17 years ago • Reporter
Whiteboard: [sg:moderate?]
Comment 2 • 17 years ago • Assignee
Seems like an obvious fix...
Updated • 17 years ago • Reporter
Flags: blocking1.9.1?
Updated • 17 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 3 • 17 years ago
Comment on attachment 349301 (Fix):
Whoops, was this never right? Thanks for fixing.
/be
Attachment #349301 Flags: review?(brendan) → review+
Updated • 17 years ago
Attachment #349301 Flags: approval1.9.1b2?
Updated • 17 years ago
Attachment #349301 Flags: approval1.9.1b2? → approval1.9.1b2+
Comment 4 • 17 years ago • Assignee
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 5 • 17 years ago
Comment 6 • 17 years ago
Updated • 17 years ago
Flags: wanted1.9.0.x?
Flags: in-testsuite+
Flags: in-litmus-
Comment 8 • 17 years ago
Verified fixed on mozilla-central but not on tracemonkey.
Status: RESOLVED → VERIFIED
Updated • 17 years ago
Keywords: fixed1.9.1
Updated • 17 years ago
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6+
Updated • 17 years ago
Whiteboard: [sg:moderate?] → [sg:moderate?][needs 1.9.0 patch]
Comment 9 • 17 years ago • Assignee
The 1.9.0 branch is not affected by this bug.
Keywords: fixed1.9.0.6
Whiteboard: [sg:moderate?][needs 1.9.0 patch] → [sg:moderate?]
Comment 10 • 17 years ago
If 1.9.0 is not affected by this, why did we fix it there?
Comment 11 • 17 years ago
For security bugs we use wanted-minus to indicate "Not needed for branch, and yes, we've checked". (For other bugs it tends to mean "we don't care--stop bugging us")
Flags: wanted1.9.0.x-
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6-
Flags: blocking1.9.0.6+
Keywords: fixed1.9.0.6
Comment 12 • 17 years ago • Assignee
Sorry, I was confused by what we did in bug 464174.
Comment 14 • 16 years ago
When this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Updated • 12 years ago
Group: core-security