Closed Bug 618614 Opened 14 years ago Closed 14 years ago

Incorrect result for array, for-in without GC

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jandem, Assigned: dvander)

References

Details

(Keywords: regression, Whiteboard: [sg:nse][fixed-in-tracemonkey])

Attachments

(1 file)

fix
2.38 KB, patch
gal
: review+
Details | Diff | Splinter Review 
Consider this test case:
---
for(var i=0; i<3; i++) {
    var s = '';
    var a = [0, 1];
    a.b = 10;
    for (var x in a) {
	s += x;
	a.pop();
    }
    print(s);
    //gc();
}
---
This prints (interpreter/JM):
0b
01b
01b

Commenting out the gc() call makes the problem go away:
0b
0b
0b
(In reply to comment #0)
> Commenting out the gc() call makes the problem go away:

s/commenting out/uncommenting
blocking2.0: --- → ?
Looks like a security bug.
Assignee: general → dvander
Group: core-security
Keywords: regression
Whiteboard: [sg:critical?]
blocking2.0: ? → betaN+
Attached patch fixSplinter Review 
This is probably not sg:anything.
Attachment #497560 - Flags: review?(gal)
Attachment #497560 - Flags: review?(gal) → review+
http://hg.mozilla.org/tracemonkey/rev/abd854c5d634
Whiteboard: [sg:critical?] → [sg:critical?][fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/abd854c5d634
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
not an exploit per comment 3
Whiteboard: [sg:critical?][fixed-in-tracemonkey] → [sg:nse][fixed-in-tracemonkey]
Depends on: 633409
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: