Assertion failure: isObject() on |new Error.prototype|

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 7 years ago
Modified: 3 years ago

People: Reporter: cdleary, Assigned: luke

Tracking
Version: unspecified
Points: ---
Firefox Tracking Flags: blocking2.0 betaN+

Whiteboard: [sg:critical] fixed-in-tracemonkey

Attachments: 1 attachment, 1 obsolete attachment

$ js/src/dbg64/js
js> function CustomError() {}
js> CustomError.prototype = new Error.prototype;
Assertion failure: isObject(), at ../jsvalue.h:592

Updated (7 years ago)
Group: core-security

Comment 1 (7 years ago)

confused types are often exploitable, let's make sure this bug isn't before we make it public (and whether this exists in shipped products)
This test shows an undefined-as-object confusion instance. Still, there is a bad bug at work: Error.prototype is a (the first) Error instance created, and per ECMA-262,

"Error instances have no special properties."

(Same for NativeError instances, e.g. SyntaxError, etc.)

But our Error.prototype has a clasp->construct hook. D'oh! It should not get this far. JSC (in Safari as tested) gives

TypeError: Result of expression 'Error.prototype' [Error: Unknown error] is not a constructor.

This should get fixed. I believe the latent bug is old, but slow native removal (bug 581263) exposed it.

/be
Depends on: 581263
blocking2.0: --- → ?
OS: Mac OS X → All
Hardware: x86 → All

Updated (7 years ago)
blocking2.0: ? → betaN+
Comment 3 (Assignee, 7 years ago)
So is the fix simply to init js_ErrorClass.construct to NULL instead of Exception?  With that, is it valid for Exception to assume that the prototype lookup returns an object?
(In reply to comment #3)
> So is the fix simply to init js_ErrorClass.construct to NULL instead of
> Exception?  With that, is it valid for Exception to assume that the prototype
> lookup returns an object?

Yes, because the Exception native constructor can be invoked only via a direct call or new, not via new someExceptionInstance.

/be
Luke, can you take this one?

/be
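The behaviour the reporter's one-liner and the two comments above describe, as an added example that is not part of the bug or of the SpiderMonkey patch: Error.prototype and the NativeError prototypes are ordinary objects with no construct hook, so `new Error.prototype` must throw a TypeError rather than hand back an object whose prototype lookup yields undefined. The check runs in any spec-conforming engine such as Node.js; the constructor list, the helper names and the CustomError subclass are this example's own.

```javascript
// Added example, not code from the bug or from SpiderMonkey. It checks the
// fixed behaviour (prototype objects refuse `new`) in a spec-conforming engine
// and shows the supported way to build the CustomError the reporter wanted.

// Constructed list: Error plus the NativeError constructors named by ECMA-262.
const ERROR_CONSTRUCTORS = [
  Error, EvalError, RangeError, ReferenceError, SyntaxError, TypeError, URIError,
];

// True only if `new value()` is rejected with a TypeError. A prototype object
// carries no [[Construct]] hook, so this is the required outcome for
// Error.prototype and the NativeError prototypes; an engine that returned an
// object here (or tripped an assertion) would be exhibiting the bug.
function rejectsNew(value) {
  try {
    new value();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Map each constructor name to whether its .prototype correctly refuses `new`.
function checkErrorPrototypes() {
  const results = {};
  for (const ctor of ERROR_CONSTRUCTORS) {
    results[ctor.name] = rejectsNew(ctor.prototype);
  }
  return results;
}

function allPrototypesRejectNew() {
  return Object.values(checkErrorPrototypes()).every(Boolean);
}

// The reporter's one-liner. `new Error.prototype` parses as
// `new (Error.prototype)`; with the fix it throws and the assignment never
// happens. Returns the thrown error's name, or null if it wrongly succeeded.
function reproduceReport() {
  function CustomError() {}
  try {
    CustomError.prototype = new Error.prototype;
    return null;
  } catch (e) {
    return e.name;
  }
}

// What the reporter presumably wanted: a CustomError whose instances inherit
// from Error.prototype. Build the chain with Object.create instead of trying
// to construct the prototype object itself.
function makeCustomError() {
  function CustomError(message) {
    this.message = message;
  }
  CustomError.prototype = Object.create(Error.prototype, {
    constructor: { value: CustomError, writable: true, configurable: true },
    name: { value: 'CustomError', writable: true, configurable: true },
  });
  return CustomError;
}

// Usage when run directly with Node.js.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkErrorPrototypes());
  console.log('new Error.prototype ->', reproduceReport());
  const CustomError = makeCustomError();
  const err = new CustomError('boom');
  console.log(err instanceof Error, err instanceof CustomError, String(err));
}
```

`rejectsNew` deliberately distinguishes a TypeError from any other exception: a different error class, or no error at all, would mean the engine still treats the prototype as constructible, which is exactly the confused-type path this bug is about.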
Comment 6 (Assignee, 7 years ago)
Created attachment 480773 [details] [diff] [review]
set js_ErrorClass.construct to null

You bet.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #480773 - Flags: review?(brendan)
Comment 7 (Assignee, 7 years ago)
Created attachment 480779 [details] [diff] [review]
with test

And with a test.
Attachment #480773 - Attachment is obsolete: true
Attachment #480779 - Flags: review?(brendan)
Attachment #480773 - Flags: review?(brendan)
Comment on attachment 480779 [details] [diff] [review]
with test

Great, thanks.

/be
Attachment #480779 - Flags: review?(brendan) → review+

Updated (7 years ago)
Whiteboard: [sg:critical]
Comment 9 (Assignee, 7 years ago)
http://hg.mozilla.org/tracemonkey/rev/cf3746fc25f9
Whiteboard: [sg:critical] → [sg:critical] fixed-in-tracemonkey
Summary: TM: Assertion failure: isObject() on |new Error.prototype| → Assertion failure: isObject() on |new Error.prototype|

Comment 10 (7 years ago)
http://hg.mozilla.org/mozilla-central/rev/cf3746fc25f9
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Group: core-security