Bug 776484 - Assertion failure: end >= begin, at ./dist/include/mozilla/Util.h:297 with decompileBody
Opened 13 years ago, closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target milestone: mozilla17
Tracking

Branch | Tracking flag | Status
---|---|---
firefox16 | --- | unaffected
firefox17 | --- | verified
firefox-esr10 | --- | unaffected
People: Reporter: decoder, Assigned: Benjamin
Details: 4 keywords, Whiteboard: [js:t][adv-track-main17-]
Attachments (1 file): patch, 4.43 KB, jorendorff: review+

Description (Reporter):
The following test asserts on mozilla-central revision 462106f027af (no options required):
decompileBody(function () { });
This might be debug-only (it only seems to work with decompileBody, not with toString), but until that's confirmed, I'll mark it s-s since it's likely some offset/range problem that could be exploitable.
Also note that this test is whitespace sensitive (you need at least one space in the function body).
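As an added illustration (not SpiderMonkey's code; the report does not show the faulting routine), here is a constructed model of how trimming a whitespace-only function body from both ends can drive `begin` past `end`, alongside a guarded trim that keeps the `end >= begin` invariant the assertion checks. `Range`, `trimNaive`, `trimChecked`, `bodyText` and the offsets used are assumptions made for this example.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Half-open source range [begin, end) into a function's source text.
struct Range {
    size_t begin;
    size_t end;
};

static bool isWs(const std::string& src, size_t i) {
    return std::isspace(static_cast<unsigned char>(src[i])) != 0;
}

// Naive trim, constructed here to model the failure the assertion reports:
// each loop is bounded only by the buffer, not by the other end of the range.
// For a body that is nothing but whitespace, the first loop walks `begin` up
// to `end` and the second walks `end` back below `begin`, so end < begin.
Range trimNaive(const std::string& src, Range r) {
    while (r.begin < src.size() && isWs(src, r.begin)) r.begin++;
    while (r.end > 0 && isWs(src, r.end - 1)) r.end--;
    return r;
}

// Guarded trim: each loop stops at the other end, so end >= begin always
// holds and a whitespace-only body becomes an empty range, not an inverted one.
Range trimChecked(const std::string& src, Range r) {
    while (r.begin < r.end && isWs(src, r.begin)) r.begin++;
    while (r.end > r.begin && isWs(src, r.end - 1)) r.end--;
    return r;
}

// The invariant the SpiderMonkey assertion in the report enforces.
bool rangeValid(Range r) { return r.end >= r.begin; }

// A length taken from an inverted range wraps around as size_t; this is the
// kind of offset error the reporter flags as potentially exploitable.
size_t rangeLength(Range r) { return r.end - r.begin; }

// Return the body text, trimming only through the guarded version.
std::string bodyText(const std::string& src, Range r) {
    Range t = trimChecked(src, r);
    return src.substr(t.begin, t.end - t.begin);
}

// Constructed input: the reporter's test `function () { }`, whose brace body
// is the single space at offset 13 (end exclusive 14).
const std::string kReportSrc = "function () { }";
const Range kReportBody{13, 14};
```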
Comment 1 (Assignee, 13 years ago)
I think not being smart about removing whitespace about bodies in braces is a better behavior anyway.
Assignee: general → bpeterson
Attachment #645003 - Flags: review?(luke)
Updated (Assignee, 13 years ago)
Attachment #645003 - Flags: review?(luke) → review?(jorendorff)
Updated (13 years ago)
Whiteboard: [js:t]
Updated (Assignee, 13 years ago)
Blocks: savesource
Comment 2 (Jason Orendorff [:jorendorff], 13 years ago)
Comment on attachment 645003 [details] [diff] [review]
only strip whitespace on expression bodies
Review of attachment 645003 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jsfun.cpp
@@ +664,5 @@
> // comment.
> if (!out.append("/* use strict */ "))
> return NULL;
> } else {
> + if (!out.append("\n\"use strict\";\n"))
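Review bot: the hunk ends on the new `if (!out.append("\n\"use strict\";\n"))` line, so its failure path is not visible; the `if` branch just above returns NULL when `append` fails, and the `else` branch should do the same. A short comment on why the directive form gets its own line while the `/* use strict */ ` comment form does not would save the next reader the question raised in the review.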
This is unrelated to the crash, right?
I don't think it's necessary, but if you think the output looks nicer this way, ok.
Attachment #645003 - Flags: review?(jorendorff) → review+
Comment 4 (Assignee, 13 years ago)
(In reply to Jason Orendorff [:jorendorff] from comment #2)
> Comment on attachment 645003 [details] [diff] [review]
> only strip whitespace on expression bodies
>
> Review of attachment 645003 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: js/src/jsfun.cpp
> @@ +664,5 @@
> > // comment.
> > if (!out.append("/* use strict */ "))
> > return NULL;
> > } else {
> > + if (!out.append("\n\"use strict\";\n"))
>
> This is unrelated to the crash, right?
Correct. But it's related to the fix. :)
>
> I don't think it's necessary, but if you think the output looks nicer this
> way, ok.
I did it because it at least guarantees "use strict"; is on its own line.
Comment 5 (Assignee, 13 years ago)
Comment 6 (13 years ago)
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox17: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Updated (Reporter, 13 years ago)
Status: RESOLVED → VERIFIED
Comment 7 (Reporter, Christian Holler (:decoder), 13 years ago)
JSBugMon: This bug has been automatically verified fixed.
Comment 8 (13 years ago)
I'm interpreting that this "blocks" bug 761723 to mean it's a regression from it, and therefore earlier branches do not need this fix. If they do please request approval to land the patch on those branches and clear the "unaffected" statuses.
(In reply to Christian Holler (:decoder) from comment #7)
> JSBugMon: This bug has been automatically verified fixed.
Looks like the automated verifier does not know how to set status flags, doing so now.
Updated (13 years ago)
Whiteboard: [js:t] → [js:t][adv-track-main17-]
Updated (13 years ago)
Group: core-security
Comment 10 (Reporter, 13 years ago)
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+