Closed Bug 601247 Opened 14 years ago Closed 14 years ago

"Assertion failure: JSVAL_IS_DOUBLE(v)" with localStorage, __proto__ [@ nsStorage2SH::NewEnumerate]

Categories: Core :: DOM: Core & HTML, defect, P1
Platform: x86, macOS
Status: RESOLVED FIXED
Target Milestone: mozilla2.0b7
People: Reporter: jruderman, Assigned: bzbarsky
Keywords: assertion, testcase
Attachments: 4 files

Assertion failure: JSVAL_IS_DOUBLE(v), at jsapi.h:284

Security-sensitive because I think this means JSVAL_TO_PRIVATE is about to treat a non-pointer as a pointer.  But an opt build does not crash on this testcase.
Attached file: stack trace
This is technically a bug in this function, but a benign one, I think.  These cases:

    case JSENUMERATE_INIT:
    case JSENUMERATE_INIT_ALL:

don't read keys; they only write it.  And it happens that in those cases we do set keys to JSVAL_TO_PRIVATE(*statep) and *statep is not a private jsval.... but since we don't use the resulting value in those cases it's not really a problem, except for not making any sense.  ;)

Rewriting with if/then instead of a switch and only setting keys to *statep after the first if block would fix this....
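The pattern described in the comment above, as an added example that is neither the bug's patch nor any Gecko code: a constructed tagged-value model in which `to_private` stands in for the tag assertion inside JSVAL_TO_PRIVATE, with the switch-based shape that decodes `keys` before the INIT cases beside the if/then shape that decodes it only afterwards. All names, the `Keys` type, the counter and the sample keys are assumptions of this example.

```cpp
#include <string>
#include <vector>
// Constructed model of a tagged jsval; the real JSVAL_TO_PRIVATE asserts on
// the tag, which is the "Assertion failure" this bug reports.
struct Val { enum Tag { Undefined, Private } tag; void *ptr; };
static int g_bad_private_reads = 0;            // stands in for the assertion firing
static void *to_private(const Val &v) {
    if (v.tag != Val::Private) ++g_bad_private_reads;
    return v.ptr;
}
enum EnumOp { INIT, INIT_ALL, NEXT, DESTROY };
using Keys = std::vector<std::string>;

// NEXT step shared by both versions: hand out one key, or free the list and
// clear *statep when exhausted (the engine then stops without calling DESTROY).
static void next_key(Keys *keys, Val *statep, std::string *id) {
    if (keys->empty()) { delete keys; *statep = {}; id->clear(); return; }
    *id = keys->back(); keys->pop_back();
}

// Shape of the original code: keys is decoded from *statep before the switch,
// so on INIT/INIT_ALL, where *statep has not been written yet, the check trips.
static void enumerate_before(EnumOp op, Val *statep, std::string *id) {
    Keys *keys = static_cast<Keys *>(to_private(*statep));   // bad read on INIT
    switch (op) {
    case INIT: case INIT_ALL:            // "b","a" are constructed sample keys
        keys = new Keys{"b", "a"}; *statep = {Val::Private, keys}; break;
    case NEXT: next_key(keys, statep, id); break;
    case DESTROY: delete keys; *statep = {}; break;
    }
}

// Shape of the fix: handle INIT/INIT_ALL first and decode the private pointer
// only afterwards, when *statep is known to hold one.
static void enumerate_after(EnumOp op, Val *statep, std::string *id) {
    if (op == INIT || op == INIT_ALL) { *statep = {Val::Private, new Keys{"b", "a"}}; return; }
    Keys *keys = static_cast<Keys *>(to_private(*statep));   // always Private here
    if (op == NEXT) next_key(keys, statep, id);
    else { delete keys; *statep = {}; }                      // DESTROY (early stop)
}
using EnumFn = void (*)(EnumOp, Val *, std::string *);
// Drive one full enumeration the way the engine would and return the ids seen.
static Keys run_enumeration(EnumFn fn) {
    Val state = {}; std::string id; Keys seen;
    fn(INIT, &state, &id);
    for (fn(NEXT, &state, &id); state.tag == Val::Private; fn(NEXT, &state, &id))
        seen.push_back(id);
    return seen;
}
```

Both shapes enumerate the same keys; only the original one performs a read of a non-private value, and only during the INIT call.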
Group: core-security
Whiteboard: [sg:critical?]
I don't think this needs to stay sec-sensitive, btw.
Assignee: nobody → bzbarsky
Attachment #480360 - Flags: review?(jst)
Priority: -- → P1
Attachment #480360 - Flags: review?(jst) → review+
Whiteboard: [need approval]
Comment on attachment 480360
diff -w for ease of review

Requesting approval for 2.0.
Attachment #480360 - Flags: approval2.0?
Attachment #480360 - Flags: approval2.0? → approval2.0+
Whiteboard: [need approval] → [need landing]
Backed out in rev 0de6603ae6cb due to orange.

TEST-UNEXPECTED-FAIL | /tests/browser/components/feeds/test/test_bug408328.html | Exited with code 1 during test run
PROCESS-CRASH | /tests/browser/components/feeds/test/test_bug408328.html | application crashed (minidump found)

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1287181873.1287181994.11157.gz
Whiteboard: [need landing]
Gah.  Jesse, please do NOT remove my status whiteboard markings, unless you want bugs to get lost....

Especially because it's not obvious that it was this bug that caused the orange, and not the other patch that landed with it.
Whiteboard: [need landing]
Yeah, the failure was from the other bug.  I repushed this patch: http://hg.mozilla.org/mozilla-central/rev/7a0f558020ed
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing]
Target Milestone: --- → mozilla2.0b8
Target Milestone: mozilla2.0b8 → mozilla2.0b7
Component: DOM → DOM: Core & HTML