Closed
Bug 501270
(CVE-2009-2664)
Opened 15 years ago
Closed 15 years ago
Assertion failure: !fp->fun || !(fp->fun->flags & JSFUN_HEAVYWEIGHT) || fp->callobj
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bc, Assigned: mrbkap)
References
()
Details
(Keywords: assertion, testcase, verified1.9.0.12, Whiteboard: [sg:investigate] fixed-in-tracemonkey)
Attachments
(2 files)
1.92 KB,
patch
|
brendan
:
review+
dveditz
:
approval1.9.0.12+
|
Details | Diff | Splinter Review |
2.07 KB,
patch
|
brendan
:
review+
samuel.sidler+old
:
approval1.9.1.2+
|
Details | Diff | Splinter Review |
browser only, js1_5/extensions/regress-361964.js on mac and nt at least. security sensitive until I can find the regressor. Assertion failure: !fp->fun || !(fp->fun->flags & JSFUN_HEAVYWEIGHT) || fp->callobj, at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:663
Flags: in-testsuite+
Flags: blocking1.9.0.12?
Reporter | ||
Comment 2•15 years ago
|
||
ping?
Updated•15 years ago
|
Flags: blocking1.9.2?
Flags: blocking1.9.1.1?
Reporter | ||
Comment 3•15 years ago
|
||
bz: i'm only seeing this on 1.9.0. Is there an underlying bug on 1.9.1/1.9.2?
Assignee | ||
Comment 5•15 years ago
|
||
As far as I can tell, the only reason this doesn't bite on trunk is that we're a lot smarter about what we call "heavyweight" and what forces a call object. Also, document.title is quickstubbed on trunk and 1.9.1, so we end up computing this with a frame pushed on top of the pseudo-frame created by the watchpoint code. I think this patch is generally correct, so I'll attach a trunk version right away.
Assignee | ||
Comment 6•15 years ago
|
||
Attachment #386154 -
Flags: review?(brendan)
Comment 7•15 years ago
|
||
Comment on attachment 386149 [details] [diff] [review] Proposed fix Looks right. /be
Attachment #386149 -
Flags: review?(brendan) → review+
Updated•15 years ago
|
Attachment #386154 -
Flags: review?(brendan) → review+
Comment 8•15 years ago
|
||
Comment on attachment 386154 [details] [diff] [review] For trunk I diff'ed the patches to see the changes from 1.9.0 -- looks good again. /be
Assignee | ||
Comment 9•15 years ago
|
||
Comment on attachment 386149 [details] [diff] [review] Proposed fix This is needed to fix a regression from a security fix. It's preventing bc from running the JS testsuite in debug builds.
Attachment #386149 -
Flags: approval1.9.0.12?
Assignee | ||
Comment 10•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/02eca43038ef
Whiteboard: fixed-in-tracemonkey
Updated•15 years ago
|
Attachment #386149 -
Flags: approval1.9.0.12? → approval1.9.0.12+
Comment 11•15 years ago
|
||
Comment on attachment 386149 [details] [diff] [review] Proposed fix Approved for 1.9.0.12, a=dveditz for release-drivers bc: please verify this after Blake lands.
Assignee | ||
Comment 12•15 years ago
|
||
Checking in js/src/jsdbgapi.c; /cvsroot/mozilla/js/src/jsdbgapi.c,v <-- jsdbgapi.c new revision: 3.153; previous revision: 3.152 done
Keywords: fixed1.9.0.12
Reporter | ||
Comment 13•15 years ago
|
||
v 1.9.0.12 on mac browser. no assert on 1.9.1-tracemonkey either.
Keywords: fixed1.9.0.12 → verified1.9.0.12
Updated•15 years ago
|
Flags: blocking1.9.0.12? → blocking1.9.0.12+
Comment 14•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/02eca43038ef
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 15•15 years ago
|
||
Fixed this in 1.9.0.12, so we should fix it in 1.9.1.1.
Flags: blocking1.9.1.1+
Comment 16•15 years ago
|
||
Blake: Can you request approval on a patch that applies?
Updated•15 years ago
|
Whiteboard: fixed-in-tracemonkey → [sg:investigate]fixed-in-tracemonkey
Updated•15 years ago
|
Whiteboard: [sg:investigate]fixed-in-tracemonkey → [sg:investigate] fixed-in-tracemonkey
Comment 17•15 years ago
|
||
mrbkap says that we can wait until 1.9.1.2 if that's coming in the next few weeks, which it is!
blocking1.9.1: --- → .2+
Updated•15 years ago
|
Flags: blocking1.9.1.1+ → blocking1.9.1.1-
Comment 18•15 years ago
|
||
Blake: can you whip us up a mozilla-1.9.1 patch so we can get it landed insteda of rushing at the last minute to get it in?
Assignee | ||
Updated•15 years ago
|
Attachment #386154 -
Flags: approval1.9.1.2?
Assignee | ||
Comment 19•15 years ago
|
||
Comment on attachment 386154 [details] [diff] [review] For trunk If this gets approval, please approve the patch in bug 502449 at the same time.
Comment 20•15 years ago
|
||
Comment on attachment 386154 [details] [diff] [review] For trunk Approved for 1.9.1.2. a=ss for release-drivers Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.
Attachment #386154 -
Flags: approval1.9.1.2? → approval1.9.1.2+
Assignee | ||
Comment 21•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/7853bc76a1e3
status1.9.1:
--- → .2-fixed
Reporter | ||
Comment 22•15 years ago
|
||
the referenced test never failed on 1.9.1/1.9.2. it still doesn't.
Comment 23•15 years ago
|
||
What is the best/simplest way for QA to verify this for 3.5.2?
Comment 24•15 years ago
|
||
(In reply to comment #23) > What is the best/simplest way for QA to verify this for 3.5.2? Compile a js shell and see if the testcase file in comment #0 still asserts.
Reporter | ||
Comment 25•15 years ago
|
||
(In reply to comment #24) > (In reply to comment #23) > > What is the best/simplest way for QA to verify this for 3.5.2? > > Compile a js shell and see if the testcase file in comment #0 still asserts. it never did.
Comment 26•15 years ago
|
||
(In reply to comment #25) > (In reply to comment #24) > > (In reply to comment #23) > > > What is the best/simplest way for QA to verify this for 3.5.2? > > > > Compile a js shell and see if the testcase file in comment #0 still asserts. > > it never did. D'oh, sorry, never noticed "browser-only" in comment #0 till now, so I guess you have to compile a debug browser build.
Reporter | ||
Comment 27•15 years ago
|
||
no, actually it never asserted on 1.9.1/1.9.2 only 1.9.0. The underlying bug wasn't exposed by the test case there.
Comment 28•15 years ago
|
||
bc: Do you think it safe to mark this bug verified1.9.1 based on comment 27?
Reporter | ||
Comment 29•15 years ago
|
||
nope, otherwise I would have. I don't think it is a problem shipping like this, but what's the point in rubber stamping it other than to clean up a bug query?
Updated•15 years ago
|
Group: core-security
Updated•15 years ago
|
Alias: CVE-2009-2664
You need to log in
before you can comment on or make changes to this bug.
Description
•