Closed
Bug 897403
Opened 11 years ago
Closed 11 years ago
"Assertion failure: !((attrs ^ shape->attrs) & 0x40) || !(attrs & 0x40)" with bound function proxy
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: jruderman, Assigned: jorendorff)
Details
(Keywords: assertion, regression, testcase)
Attachments
(3 files)
var boundFun = (function(){}).bind({});
var prox = new Proxy(boundFun, {});
Object.defineProperty(prox, "caller", {get: function(){}});
Assertion failure: !((attrs ^ shape->attrs) & 0x40) || !(attrs & 0x40), at js/src/vm/Shape.cpp:767
This testcase causes trouble all the way back to the landing of direct proxies in bug 703537. Bug 788172 made it easier for one of my fuzzers to find it.
|
||
Comment 1•11 years ago
|
||
Bug 703537 landed in Firefox 18, setting tracking flags as necessary.
tracking-b2g18:
--- → ?
tracking-firefox23:
--- → ?
tracking-firefox24:
--- → ?
tracking-firefox25:
--- → ?
|
||
Comment 2•11 years ago
|
||
If this is present all the way back to FF18 we have no reason to track this but a low risk uplift nomination can be considered when a fix is available.
status-firefox22:
--- → affected
status-firefox23:
--- → affected
status-firefox24:
--- → affected
status-firefox25:
--- → affected
|
||
Comment 3•11 years ago
|
||
The assertion is this:
/* Allow only shared (slotless) => unshared (slotful) transition. */
JS_ASSERT(!((attrs ^ shape->attrs) & JSPROP_SHARED) ||
!(attrs & JSPROP_SHARED));
I have no idea what that means, so I'm going to assume it is bad. Feel free to adjust.Keywords: sec-high
|
||
Comment 4•11 years ago
|
||
|
|
||
Comment 5•11 years ago
|
||
jandem, you fixed a similar bug 867082 as well, possible to take a look?
Flags: needinfo?(jdemooij)
|
||
Comment 6•11 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5) > jandem, you fixed a similar bug 867082 as well, possible to take a look? Unfortunately I've no idea what's causing this. Somebody more familiar with proxies should take a look (maybe Eddy or Jason).
Flags: needinfo?(jdemooij)
|
|
||
Comment 7•11 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #6) > (In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5) > > jandem, you fixed a similar bug 867082 as well, possible to take a look? > > Unfortunately I've no idea what's causing this. Somebody more familiar with > proxies should take a look (maybe Eddy or Jason). Jason, thoughts?
Flags: needinfo?(jorendorff)
|
Assignee | |
Comment 8•11 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #3) > The assertion is this: > > /* Allow only shared (slotless) => unshared (slotful) transition. */ > JS_ASSERT(!((attrs ^ shape->attrs) & JSPROP_SHARED) || > !(attrs & JSPROP_SHARED)); > > I have no idea what that means, so I'm going to assume it is bad. Feel free > to adjust. I don't think this assertion is security-important. Changing a property from slotful to slotless leaks a slot, I think. I have a shallow fix for the symptom here: just make the property slotless to begin with. fun_getProperty doesn't use the slot for anything. Of course the real fix would be to make it so JS_DefineProperty doesn't flunk an assertion in this sort of case; I think it should fail with an exception instead. Let's save that for a followup.
Flags: needinfo?(jorendorff)
|
|
Assignee | |
Comment 9•11 years ago
|
||
Assignee: general → jorendorff
Attachment #803100 -
Flags: review?(jwalden+bmo)
|
|
Assignee | |
Updated•11 years ago
|
Group: core-security
|
||
Updated•11 years ago
|
Attachment #803100 -
Flags: review?(jwalden+bmo) → review+
|
|
Assignee | |
Comment 11•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/3cb16a4bf227
|
||
Comment 12•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/3cb16a4bf227
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in
before you can comment on or make changes to this bug.
Description
•