Closed Bug 615440 Opened 14 years ago Closed 14 years ago

Method jit crash with "Array.prototype.__proto__ = null"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: dvander)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos][fixed-in-tracemonkey])

Attachments

(1 file)

fix
3.66 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
./js -m

Array.prototype.__proto__ = null;
for (var r = 0; r < 3; ++r) [][0] = 1;

Crash under js::mjit::EnterMethodJIT, which seems to be a null deref.
Nice. This is definitely my fault, it broke after GetElementIC changes and I've been meaning to file.
Assignee: general → dvander
Status: NEW → ASSIGNED
blocking2.0: --- → betaN+
The first bad revision is:
changeset:   85ea6b284b30
user:        David Anderson
date:        Mon Nov 01 11:14:58 2010 -0700
summary:     Refactor SETELEM into an IC (bug 607293, r=dmandelin).
Blocks: 607293
Keywords: regression
Group: core-security
Whiteboard: [sg:dos]
Attached patch fixSplinter Review 
Simplifies this code, and makes it look more like the tracer.
Attachment #494178 - Flags: review?(dmandelin)
Comment on attachment 494178 [details] [diff] [review]
fix

Nice comment, and nice simplification.
Attachment #494178 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/tracemonkey/rev/e5a107d91377
Whiteboard: [sg:dos] → [sg:dos][fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/e5a107d91377
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug615440.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: