Assertion failure: obj->isNative(), at js/src/json.cpp:728

RESOLVED DUPLICATE of bug 901351

Status

Core
JavaScript Engine
RESOLVED DUPLICATE of bug 901351
5 years ago
4 years ago

People

(Reporter: anba, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 901351])

(Reporter)

Description

5 years ago
The following test case asserts with: obj->isNative(), at js/src/json.cpp:728

JSON.parse('{"a":0, "b":1}', function(n, v) {
  if (n == "a") {
    Object.defineProperty(this, "b", {value: new Int8Array(new ArrayBuffer(4))})
  }
  return v
})
(Reporter)

Comment 1

5 years ago
Simplified test case with arrays as mentioned in bug 901351 comment 1:

JSON.parse('[0, 1]', function(n, v) {
  if (n == "0") {
    this[1] = new Int8Array(1);
  }
  return v;
})

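Both test cases above rely on the same property of the reviver protocol: JSON.parse calls the reviver with the holder object as `this` while the walk over that holder is still in progress, so a property the reviver installs on `this` is what the walk reads and recurses into next. The following tracing script is an added example, not code from the bug report or from SpiderMonkey; it shows the reviver call sequence for the plain `[0, 1]` input and for the mutated variant from comment 1, where the reviver swaps in a typed array as the sibling element. The `mutate` switch is an assumption of this example, not an option of JSON.parse.

```javascript
// Added example, not part of the bug report: trace the order in which
// JSON.parse calls its reviver, optionally mutating the holder the way
// the reporter's simplified test case does (this[1] = new Int8Array(1)).

// Describe a value for the trace: distinguish plain arrays, typed arrays
// (ArrayBuffer views), other objects and primitives.
function describe(x) {
  if (Array.isArray(x)) return "array";
  if (ArrayBuffer.isView(x)) return "typed array";
  return typeof x;
}

// Parse `text` with a tracing reviver. When `mutate` is true the reviver,
// on visiting key "0" of the top-level array, installs a typed array as the
// not-yet-visited sibling element "1" (the shape of comment 1's test case).
// `mutate` is an assumption of this example, not an option of JSON.parse.
function traceReviver(text, mutate) {
  const calls = [];
  const result = JSON.parse(text, function (key, value) {
    // `this` is the holder object whose property `key` is being revived.
    calls.push(`${JSON.stringify(key)} on ${describe(this)} -> ${describe(value)}`);
    if (mutate && key === "0" && Array.isArray(this)) {
      this[1] = new Int8Array(1);
    }
    return value;
  });
  return { calls, result };
}

// Stand-alone run: print both traces so the difference is visible.
for (const mutate of [false, true]) {
  const { calls } = traceReviver("[0, 1]", mutate);
  console.log(`mutate=${mutate}`);
  for (const line of calls) console.log("  " + line);
}
```

With `mutate` off the reviver sees `"0"` and `"1"` on the array, then `""` on the outer wrapper object. With `mutate` on, an extra call appears between them: the walk reads the freshly installed typed array from `this[1]`, recurses into its element `"0"` with the typed array as holder, and only then revives `"1"` with the typed array as its value. That extra holder is exactly the non-native object the assertion in json.cpp is complaining about: the walk's later steps operate on whatever the reviver left behind, not on what the parser produced.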
Comment 2

5 years ago
Uh... DefineNativeProperty on a non-native object, without looking super-closely into things, sounds bad enough to give me the heebie-jeebies. Closing, taking.
Group: core-security
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Comment 3

5 years ago
I hid the comment in bug 901351 that mentions this possibility, just to be safe. All but certainly both bugs will be fixed at once, but I think only this part of it is the worrisome part.

Comment 4

5 years ago
Eh, this is close enough to the other bug in effect, once you consider that release builds will ignore all these assertion failures and just merrily continue along executing into conceptually-bogus code.  Fun fun fun!
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 901351
Group: javascript-core-security
Whiteboard: [sg:dupe 901351]
Group: core-security, javascript-core-security