Closed
Bug 465901
Opened 16 years ago
Closed 16 years ago
DVG confused by |let|
Categories
(Core :: JavaScript Engine, defect)
Status: VERIFIED FIXED
People
(Reporter: jruderman, Assigned: mrbkap)
Details
(Keywords: testcase, verified1.9.1, Whiteboard: [sg:moderate?])
Attachments (3 files)
- patch, 839 bytes: brendan: review+; sayrer: approval1.9.1b2+
- text/plain, 2.20 KB
- text/plain, 2.19 KB
js> { let d = 3; new (this.d |= d |= d); }
typein:1: TypeError: this.d |= ???this |= d is not a constructor

Security-sensitive because the "???" makes me think it's reading from uninitialized memory, and making that memory available to scripts through try..catch.

The fuzzer in bug 465479 found this accidentally: it noticed a slight difference in the error message, due to what I'm guessing is uninitialized memory, and interpreted it as a difference between JIT and non-JIT. I'll see if I can retrofit one of my fuzzers to really look for bugs like this, perhaps by trying to compile every expression that appears in a "is not a constructor" error message.
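The oracle the reporter sketches (try to compile every expression quoted in an "is not a function" / "is not a constructor" message, and flag the ones that do not parse) written out as an added example in JavaScript. This is not code from the bug, from the fuzzer in bug 465479, or from SpiderMonkey. It assumes the engine quotes the callee verbatim in front of "is not a function/constructor", as in the two messages above; the placeholder allow-list for "(intermediate value)" is an assumption about current engines, not something the report states.

```javascript
// Added example (not from the bug or from SpiderMonkey): a fuzzer oracle for
// decompiler garbage, following the idea in the report above. The engine's
// TypeError message quotes the callee as source text; if that text does not
// compile as an expression, the decompiler emitted something it should not have.

const CALLEE_RE = /^(.*) is not a (?:function|constructor)$/;

// Assumption: some engines deliberately print placeholders in these messages
// (V8 prints "(intermediate value)"); treat those as a plain identifier so
// they do not trigger a false positive.
const KNOWN_PLACEHOLDERS = ["(intermediate value)"];

// Pull the quoted expression out of a "... is not a function/constructor" message.
function extractCallee(message) {
  const m = CALLEE_RE.exec(String(message));
  return m ? m[1] : null;
}

// Try to compile `expr` as a stand-alone expression without running it.
function compiles(expr) {
  let src = expr;
  for (const p of KNOWN_PLACEHOLDERS) src = src.split(p).join("_placeholder");
  try {
    new Function("return (\n" + src + "\n);");
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Classify one error message. A message is suspicious when the quoted callee
// either contains the "???" marker seen in the report or fails to compile.
function classifyMessage(message) {
  const callee = extractCallee(message);
  if (callee === null) return { callee: null, compiles: true, suspicious: false };
  const ok = compiles(callee);
  return { callee, compiles: ok, suspicious: !ok || callee.includes("???") };
}

// Run a snippet the way the fuzzer would and classify whatever it throws.
// Indirect eval keeps the snippet in global scope, like typing it at the shell.
function checkSnippet(source) {
  try {
    (0, eval)(source);
    return { threw: false, typeError: false, suspicious: false };
  } catch (e) {
    if (!(e instanceof TypeError)) {
      return { threw: true, typeError: false, suspicious: false, message: String(e.message) };
    }
    return { threw: true, typeError: true, message: e.message, ...classifyMessage(e.message) };
  }
}

// Constructed inputs: the two messages quoted in the bug, plus a healthy one.
const SAMPLES = [
  "this.d |= ???this |= d is not a constructor",
  "(???{} = {}).y is not a function",
  "o.y is not a function",
];

// Returns [message, suspicious] pairs; the first two come back flagged.
function demo() {
  return SAMPLES.map((m) => [m, classifyMessage(m).suspicious]);
}
```

checkSnippet() only exercises whatever engine runs this file, whose messages differ from the 2008 js shell; to reproduce the report's check, feed messages captured from the shell under test to classifyMessage() instead. The "???" substring test is a shortcut for the exact symptom reported here; the compile check is the general oracle, and it is the one that catches decompiler output that is garbled in some other way.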
Comment 1•16 years ago (Reporter)
js> for each (let x in [1]) { (x = {}).y(); }
typein:1: TypeError: (???{} = {}).y is not a function
Updated•16 years ago (Reporter)
Whiteboard: [sg:moderate?]
Comment 2•16 years ago (Assignee)
Seems like an obvious fix...
Updated•16 years ago (Reporter)
Flags: blocking1.9.1?
Updated•16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 3•16 years ago
Comment on attachment 349301 (Fix): Whoops, was this never right? Thanks for fixing. /be
Attachment #349301 -
Flags: review?(brendan) → review+
Updated•16 years ago
Attachment #349301 -
Flags: approval1.9.1b2?
Updated•16 years ago
Attachment #349301 -
Flags: approval1.9.1b2? → approval1.9.1b2+
Comment 4•16 years ago (Assignee)
http://hg.mozilla.org/mozilla-central/rev/1c0893f3e640
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 5•16 years ago
Comment 6•16 years ago
Updated•16 years ago
Flags: wanted1.9.0.x?
Flags: in-testsuite+
Flags: in-litmus-
Comment 8•16 years ago
Verified fixed on mozilla-central but not tracemonkey.
Status: RESOLVED → VERIFIED
Updated•16 years ago
Keywords: fixed1.9.1
Updated•16 years ago
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6+
Updated•16 years ago
Whiteboard: [sg:moderate?] → [sg:moderate?][needs 1.9.0 patch]
Comment 9•16 years ago (Assignee)
The 1.9.0 branch is not affected by this bug.
Keywords: fixed1.9.0.6
Whiteboard: [sg:moderate?][needs 1.9.0 patch] → [sg:moderate?]
Comment 10•16 years ago
If 1.9.0 is not affected by this, why did we fix it there?
Comment 11•16 years ago
For security bugs we use wanted-minus to indicate "Not needed for branch, and yes, we've checked". (For other bugs it tends to mean "we don't care--stop bugging us")
Flags: wanted1.9.0.x-
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6-
Flags: blocking1.9.0.6+
Keywords: fixed1.9.0.6
Comment 12•16 years ago (Assignee)
Sorry, I was confused by what we did in bug 464174.
Comment 14•14 years ago
When this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Updated•11 years ago
Group: core-security