Bug 501270 - (CVE-2009-2664) Assertion failure: !fp->fun || !(fp->fun->flags & JSFUN_HEAVYWEIGHT) || fp->callobj
Status: RESOLVED FIXED
Whiteboard: [sg:investigate] fixed-in-tracemonkey
Keywords: assertion, testcase, verified1.9.0.12
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 1.9.0 Branch
Platform: x86 Mac OS X
Importance: -- normal
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: Jason Orendorff [:jorendorff]
URL: http://test.bclary.com/tests/mozilla....
Depends on: 502449 503679 506567
Blocks: 460882
Reported: 2009-06-29 18:24 PDT by Bob Clary [:bc:]
Modified: 2009-09-18 14:12 PDT
Flags:
mbeltzner: blocking1.9.1.1-
samuel.sidler+old: blocking1.9.0.12+
bob: in-testsuite+
blocking1.9.1: .2+
status1.9.1: .2-fixed

Attachments
Proposed fix (1.92 KB, patch) - 2009-06-30 16:52 PDT, Blake Kaplan (:mrbkap) - brendan: review+; dveditz: approval1.9.0.12+
For trunk (2.07 KB, patch) - 2009-06-30 16:58 PDT, Blake Kaplan (:mrbkap) - brendan: review+; samuel.sidler+old: approval1.9.1.2+

Description Bob Clary [:bc:] 2009-06-29 18:24:28 PDT
browser only, js1_5/extensions/regress-361964.js on mac and nt at least. security sensitive until I can find the regressor.

Assertion failure: !fp->fun || !(fp->fun->flags & JSFUN_HEAVYWEIGHT) || fp->callobj, at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:663
Comment 1 Bob Clary [:bc:] 2009-06-30 01:58:52 PDT
bug 460882 regressed this.
Comment 2 Bob Clary [:bc:] 2009-06-30 11:06:39 PDT
ping?
Comment 3 Bob Clary [:bc:] 2009-06-30 14:42:21 PDT
bz: I'm only seeing this on 1.9.0. Is there an underlying bug on 1.9.1/1.9.2?
Comment 4 Boris Zbarsky [:bz] (still a bit busy) 2009-06-30 14:44:41 PDT
Blake says no.
Comment 5 Blake Kaplan (:mrbkap) 2009-06-30 16:52:42 PDT
Created attachment 386149 [details] [diff] [review]
Proposed fix

As far as I can tell, the only reason this doesn't bite on trunk is that we're a lot smarter about what we call "heavyweight" and what forces a call object. Also, document.title is quickstubbed on trunk and 1.9.1, so we end up computing this with a frame pushed on top of the pseudo-frame created by the watchpoint code.

I think this patch is generally correct, so I'll attach a trunk version right away.
Comment 6 Blake Kaplan (:mrbkap) 2009-06-30 16:58:12 PDT
Created attachment 386154 [details] [diff] [review]
For trunk
Comment 7 Brendan Eich [:brendan] 2009-06-30 17:56:22 PDT
Comment on attachment 386149 [details] [diff] [review]
Proposed fix

Looks right.

/be
Comment 8 Brendan Eich [:brendan] 2009-06-30 17:57:09 PDT
Comment on attachment 386154 [details] [diff] [review]
For trunk

I diff'ed the patches to see the changes from 1.9.0 -- looks good again.

/be
Comment 9 Blake Kaplan (:mrbkap) 2009-06-30 18:03:12 PDT
Comment on attachment 386149 [details] [diff] [review]
Proposed fix

This is needed to fix a regression from a security fix. It's preventing bc from running the JS testsuite in debug builds.
Comment 10 Blake Kaplan (:mrbkap) 2009-07-01 11:42:01 PDT
http://hg.mozilla.org/tracemonkey/rev/02eca43038ef
Comment 11 Daniel Veditz [:dveditz] 2009-07-01 13:14:37 PDT
Comment on attachment 386149 [details] [diff] [review]
Proposed fix

Approved for 1.9.0.12, a=dveditz for release-drivers

bc: please verify this after Blake lands.
Comment 12 Blake Kaplan (:mrbkap) 2009-07-01 13:19:00 PDT
Checking in js/src/jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.153; previous revision: 3.152
done
Comment 13 Bob Clary [:bc:] 2009-07-01 16:16:44 PDT
v 1.9.0.12 on mac browser. no assert on 1.9.1-tracemonkey either.
Comment 15 Samuel Sidler (old account; do not CC) 2009-07-06 20:12:02 PDT
Fixed this in 1.9.0.12, so we should fix it in 1.9.1.1.
Comment 16 Samuel Sidler (old account; do not CC) 2009-07-13 14:58:48 PDT
Blake: Can you request approval on a patch that applies?
Comment 17 Mike Beltzner [:beltzner, not reading bugmail] 2009-07-14 14:10:12 PDT
mrbkap says that we can wait until 1.9.1.2 if that's coming in the next few weeks, which it is!
Comment 18 Mike Beltzner [:beltzner, not reading bugmail] 2009-07-21 17:47:50 PDT
Blake: can you whip us up a mozilla-1.9.1 patch so we can get it landed instead of rushing at the last minute to get it in?
Comment 19 Blake Kaplan (:mrbkap) 2009-07-22 18:13:59 PDT
Comment on attachment 386154 [details] [diff] [review]
For trunk

If this gets approval, please approve the patch in bug 502449 at the same time.
Comment 20 Samuel Sidler (old account; do not CC) 2009-07-22 20:26:37 PDT
Comment on attachment 386154 [details] [diff] [review]
For trunk

Approved for 1.9.1.2. a=ss for release-drivers

Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.
Comment 21 Blake Kaplan (:mrbkap) 2009-07-23 13:05:47 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/7853bc76a1e3
Comment 22 Bob Clary [:bc:] 2009-07-30 10:56:15 PDT
the referenced test never failed on 1.9.1/1.9.2. it still doesn't.
Comment 23 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2009-07-31 13:51:17 PDT
What is the best/simplest way for QA to verify this for 3.5.2?
Comment 24 Gary Kwong [:gkw] [:nth10sd] 2009-07-31 19:49:49 PDT
(In reply to comment #23)
> What is the best/simplest way for QA to verify this for 3.5.2?

Compile a js shell and see if the testcase file in comment #0 still asserts.
Comment 25 Bob Clary [:bc:] 2009-08-01 03:54:12 PDT
(In reply to comment #24)
> (In reply to comment #23)
> > What is the best/simplest way for QA to verify this for 3.5.2?
> 
> Compile a js shell and see if the testcase file in comment #0 still asserts.

it never did.
Comment 26 Gary Kwong [:gkw] [:nth10sd] 2009-08-01 04:06:45 PDT
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > What is the best/simplest way for QA to verify this for 3.5.2?
> > 
> > Compile a js shell and see if the testcase file in comment #0 still asserts.
> 
> it never did.

D'oh, sorry, never noticed "browser-only" in comment #0 till now, so I guess you have to compile a debug browser build.
Comment 27 Bob Clary [:bc:] 2009-08-01 04:17:22 PDT
no, actually it never asserted on 1.9.1/1.9.2 only 1.9.0. The underlying bug wasn't exposed by the test case there.
Comment 28 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2009-08-01 09:47:10 PDT
bc: Do you think it safe to mark this bug verified1.9.1 based on comment 27?
Comment 29 Bob Clary [:bc:] 2009-08-01 15:34:30 PDT
nope, otherwise I would have. I don't think it is a problem shipping like this, but what's the point in rubber stamping it other than to clean up a bug query?