Closed
Bug 737251
Opened 11 years ago
Closed 11 years ago
Crash [@ JS_EncodeString] or "Assertion failure: JSID_IS_STRING(iden),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla14
Version | Tracking | Status |
---|---|---|
firefox13 | --- | unaffected |
firefox14 | --- | affected |
firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: bholley)
Details
(4 keywords, Whiteboard: js-triage-needed)
Attachments
(2 files)
8.03 KB, text/plain
6.80 KB, patch (luke: review+)
```js
a = {}
a.getOwnPropertyDescriptor = XML;
b = Proxy.create(a)
for (x in this)
try {
    (function() {
        "use strict";
        b[2] = x
    })()
} catch (e) {}
```

asserts js debug shell on m-c changeset 8414a5a38e56 without any CLI arguments at Assertion failure: JSID_IS_STRING(iden), and crashes js opt shell at JS_EncodeString

Seems like a null deref, but setting sg:critical just to play safe unless shown otherwise.

autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset: 89620:bba06c18d52d
user: Bobby Holley
date: Fri Mar 16 12:47:21 2012 -0700
summary: Bug 596351 - Proxies should throw TypeErrors for assignments to read-only properties in ES5 strict mode. r=luke
```
Comment 1 • 11 years ago (Reporter)
> Seems like a null deref, but setting sg:critical just to play safe unless
> shown otherwise.
I certainly meant *s-s* to play safe, changing to sg:dos based on that assumption.
Whiteboard: [sg:critical] js-triage-needed → [sg:dos] js-triage-needed
Comment 2 • 11 years ago (Reporter)
> I certainly meant *s-s* to play safe, changing to sg:dos based on that
> assumption.
I'm actually entirely not sure, I see similar crashes on Windows but with possibly different register values.
I'll leave it to someone knowledgeable to determine the rating.
Whiteboard: [sg:dos] js-triage-needed → js-triage-needed
Comment 3 • 11 years ago
Assigning to bobby based on the regression range.
Assignee: general → bobbyholley+bmo
status-firefox-esr10: --- → unaffected
status-firefox13: --- → unaffected
status-firefox14: --- → affected
Comment 4 • 11 years ago (Assignee)
Attaching a patch. Flagging luke for review.
Attachment #612277 - Flags: review?(luke)
Comment 5 • 11 years ago
Comment on attachment 612277 [details] [diff] [review] Reuse the throwing code in jsobj.cpp for jsproxy.cpp. v1 Review of attachment 612277 [details] [diff] [review]: ----------------------------------------------------------------- Nice ::: js/src/jsobj.cpp @@ +1839,5 @@ > + jsid idstr; > + > + if (!js_ValueToStringId(cx, IdToValue(id), &idstr)) > + return false; > + JSAutoByteString bytes(cx, JSID_TO_STRING(idstr)); Pre-existing, but can you replace JSID_TO_STRING(js_ValueToStringId(IdToValue)) with IdToString?
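Review bot: In the js/src/jsobj.cpp hunk, the quoted lines stop at `JSAutoByteString bytes(cx, JSID_TO_STRING(idstr));` with no visible check that the encoding succeeded. The opt-build crash in this bug is reported in JS_EncodeString, so the result should be tested (`if (!bytes) return false;`) before `bytes` reaches the error-reporting call, unless that check already follows outside the quoted context. The failure check on js_ValueToStringId ahead of JSID_TO_STRING is what keeps the non-string id from the testcase (`b[2]`) away from the JSID_IS_STRING assertion, so any replacement call needs an equivalent failure path.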
Attachment #612277 - Flags: review?(luke) → review+
Comment 6 • 11 years ago (Assignee)
Sure. Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=32ba0266b16c
Comment 7 • 11 years ago (Assignee)
Looks green enough. Pushed to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/36bae719a2d4
Flags: in-testsuite+
Target Milestone: --- → mozilla14
Comment 8 • 11 years ago
http://hg.mozilla.org/mozilla-central/rev/36bae719a2d4
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 9 • 11 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 11 years ago
Status: RESOLVED → VERIFIED
Updated • 8 years ago
Group: core-security