Closed Bug 737251 Opened 11 years ago Closed 11 years ago

Crash [@ JS_EncodeString] or "Assertion failure: JSID_IS_STRING(iden),"

Categories

Core :: JavaScript Engine, defect
Platform: x86 Linux
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target milestone: mozilla14
firefox13 --- unaffected
firefox14 --- affected
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: bholley)


Details

(4 keywords, Whiteboard: js-triage-needed)

Attachments

(2 files)

Attached file stacks
a = {}
a.getOwnPropertyDescriptor = XML;   // handler's getOwnPropertyDescriptor trap is the E4X XML constructor
b = Proxy.create(a)                 // legacy (pre-ES6) proxy API: b's traps are looked up on a
for (x in this)
try {
  (function() {
    "use strict";
    b[2] = x                        // strict-mode assignment with integer key 2, so the id is not a string
  })()
} catch (e) {}

This asserts the js debug shell on m-c changeset 8414a5a38e56, without any CLI arguments, at "Assertion failure: JSID_IS_STRING(iden)", and crashes the js opt shell at JS_EncodeString.

Seems like a null deref, but setting sg:critical just to play safe unless shown otherwise.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   89620:bba06c18d52d
user:        Bobby Holley
date:        Fri Mar 16 12:47:21 2012 -0700
summary:     Bug 596351 - Proxies should throw TypeErrors for assignments to read-only properties in ES5 strict mode. r=luke
> Seems like a null deref, but setting sg:critical just to play safe unless
> shown otherwise.

I certainly meant *s-s* to play safe, changing to sg:dos based on that assumption.
Whiteboard: [sg:critical] js-triage-needed → [sg:dos] js-triage-needed
> I certainly meant *s-s* to play safe, changing to sg:dos based on that
> assumption.

I'm actually not sure at all; I see similar crashes on Windows, but with possibly different register values.

I'll leave it to someone knowledgeable to determine the rating.
Whiteboard: [sg:dos] js-triage-needed → js-triage-needed
Assigning to bobby based on the regression range.
Assignee: general → bobbyholley+bmo
Attaching a patch. Flagging luke for review.
Attachment #612277 - Flags: review?(luke)
Comment on attachment 612277 [details] [diff] [review]
Reuse the throwing code in jsobj.cpp for jsproxy.cpp. v1

Review of attachment 612277 [details] [diff] [review]:
-----------------------------------------------------------------

Nice

::: js/src/jsobj.cpp
@@ +1839,5 @@
> +    jsid idstr;
> +
> +    if (!js_ValueToStringId(cx, IdToValue(id), &idstr))
> +       return false;
> +    JSAutoByteString bytes(cx, JSID_TO_STRING(idstr));
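Review bot: the failure-path `return false;` is indented seven spaces against the four-space steps of the lines around it; align it under the `if`. Also, these five lines do not show whether `bytes` is checked after construction: `JSAutoByteString bytes(cx, ...)` encodes in the constructor and can fail, so unless the lines following the hunk already have `if (!bytes) return false;`, add it before `bytes` is used. Converting through js_ValueToStringId before JSID_TO_STRING is the part that keeps JSID_IS_STRING from firing on an integer-keyed assignment such as `b[2] = x` in the testcase, so it is `idstr`, never the raw `id`, that must reach JSID_TO_STRING.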

Pre-existing, but can you replace JSID_TO_STRING(js_ValueToStringId(IdToValue)) with IdToString?
Attachment #612277 - Flags: review?(luke) → review+
Looks green enough. Pushed to m-i:

http://hg.mozilla.org/integration/mozilla-inbound/rev/36bae719a2d4
Flags: in-testsuite+
Target Milestone: --- → mozilla14
http://hg.mozilla.org/mozilla-central/rev/36bae719a2d4
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security