Closed
Bug 601247
Opened 14 years ago
Closed 14 years ago
"Assertion failure: JSVAL_IS_DOUBLE(v)" with localStorage, __proto__ [@ nsStorage2SH::NewEnumerate]
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla2.0b7
People
(Reporter: jruderman, Assigned: bzbarsky)
Details
(Keywords: assertion, testcase)
Attachments
(4 files)
124 bytes,
text/html
|
Details | |
7.34 KB,
text/plain
|
Details | |
6.63 KB,
patch
|
Details | Diff | Splinter Review | |
5.78 KB,
patch
|
jst
:
review+
jst
:
approval2.0+
|
Details | Diff | Splinter Review |
Assertion failure: JSVAL_IS_DOUBLE(v), at jsapi.h:284 Security-sensitive because I think this means JSVAL_TO_PRIVATE is about to treat a non-pointer as a pointer. But an opt build does not crash on this testcase.
Reporter | ||
Comment 1•14 years ago
|
||
Assignee | ||
Comment 2•14 years ago
|
||
This is technically a bug in this function, but a benign one, I think. These cases: 10743 case JSENUMERATE_INIT: 10744 case JSENUMERATE_INIT_ALL: don't read keys; they only write it. And it happens that in those cases we do set keys to JSVAL_TO_PRIVATE(*statep) and *statep is not a private jsval.... but since we don't use the resulting value in those cases it's not really a problem, except for not making any sense. ;) Rewriting with if/then instead of a switch and only setting keys to *statep after the first if block would fix this....
Reporter | ||
Updated•14 years ago
|
Group: core-security
Whiteboard: [sg:critical?]
Assignee | ||
Comment 3•14 years ago
|
||
Assignee | ||
Comment 4•14 years ago
|
||
I don't think this needs to stay sec-sensitive, btw.
Assignee: nobody → bzbarsky
Attachment #480360 -
Flags: review?(jst)
Assignee | ||
Updated•14 years ago
|
Priority: -- → P1
Updated•14 years ago
|
Attachment #480360 -
Flags: review?(jst) → review+
Assignee | ||
Updated•14 years ago
|
Whiteboard: [need approval]
Assignee | ||
Comment 5•14 years ago
|
||
Comment on attachment 480360 [details] [diff] [review] diff -w for ease of review Requesting approval for 2.0.
Attachment #480360 -
Flags: approval2.0?
Updated•14 years ago
|
Attachment #480360 -
Flags: approval2.0? → approval2.0+
Assignee | ||
Updated•14 years ago
|
Whiteboard: [need approval] → [need landing]
Comment 6•14 years ago
|
||
Backed out in rev 0de6603ae6cb due to orange. TEST-UNEXPECTED-FAIL | /tests/browser/components/feeds/test/test_bug408328.html | Exited with code 1 during test run PROCESS-CRASH | /tests/browser/components/feeds/test/test_bug408328.html | application crashed (minidump found) http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1287181873.1287181994.11157.gz
Reporter | ||
Updated•14 years ago
|
Whiteboard: [need landing]
Assignee | ||
Comment 7•14 years ago
|
||
Gah. Jesse, please do NOT remove my status whiteboard markings, unless you want bugs to get lost.... Especially because it's not obvious that it was this bug that caused the orange, and not the other patch that landed with it.
Whiteboard: [need landing]
Assignee | ||
Comment 8•14 years ago
|
||
Yeah, the failure was from the other bug. I repushed this patch: http://hg.mozilla.org/mozilla-central/rev/7a0f558020ed
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing]
Target Milestone: --- → mozilla2.0b8
Assignee | ||
Updated•14 years ago
|
Target Milestone: mozilla2.0b8 → mozilla2.0b7
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•