Closed Bug 700295 Opened 13 years ago Closed 13 years ago

Crash at its_getter

Categories

(Core :: JavaScript Engine, defect)

11 Branch
x86_64
Linux
defect
Not set
critical

RESOLVED FIXED
mozilla11

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

The following testcase asserts on jaegermonkey branch revision 1210706b4576 (run with -m -n -a), tested on 64 bit:

// Detach the global object from its prototype, then make it the prototype of
// Object.prototype, so the global's own properties sit on every object's chain.
this.__proto__ = null;
Object.prototype.__proto__ = this;

// Collect the own property names of every object on obj's prototype chain,
// then read each one through obj itself, so any accessor found further up
// the chain runs with obj (here, an array) as its receiver.
function exploreProperties(obj) {
  var props = [];
  for (var o = obj; o; o = Object.getPrototypeOf(o)) {
    props = props.concat(Object.getOwnPropertyNames(o));
  }
  for (var i = 0; i < props.length; ++i) {
    var p = props[i];
    var v = obj[p];
  }
}

var c = [{}];
exploreProperties(c);

This testcase crashes on m-i cset e05e46646dc3.

its_getter and its_setter (PropertyOp hooks only defined in the shell) do not have checks that they are being called on the right object, and will go straight to the object's private data.  The accessed object is an array; this crashes on JM because on JM arrays do not have private data, and crashes on trunk because the array private data is an integer (array length) rather than a pointer (as expected by the hook).
Summary: [ObjShrink]: Assertion failure: hasPrivate(), at ../../jsobjinlines.h:90 → Crash at its_getter
Target Milestone: --- → mozilla10
Version: Other Branch → 11 Branch
Target Milestone: mozilla10 → ---
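The receiver mix-up described in the comment above, as an added example that is not the shell's code and not the patch: a stand-alone C model of a JSAPI-style object with one private slot, where an "It" object stores a pointer in the slot and an Array stores its length there as an integer, as the comment describes for trunk. The property lookup walks the prototype chain but hands the original receiver to the getter, which is how a hook defined for one class ends up running on an array. The unchecked getter shows the pattern that crashed; the checked one verifies the receiver's class first, which is what JS_GetInstancePrivate does in JSAPI. All type names, the layout and the sample values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a JSAPI object: a class pointer, one private
 * slot, a prototype link and a table of own properties with getter hooks. */
typedef struct Class { const char *name; } Class;
typedef struct Property Property;

typedef struct Object {
    const Class *clasp;
    uintptr_t priv;            /* pointer for It, integer length for Array */
    struct Object *proto;      /* prototype chain */
    const Property *props;     /* own properties carrying getter hooks */
    size_t nprops;
} Object;

typedef bool (*PropertyOp)(Object *receiver, int32_t *vp);
struct Property { const char *name; PropertyOp getter; };

static const Class its_class   = { "It" };
static const Class array_class = { "Array" };

/* Unchecked getter: the pattern the bug describes. It assumes obj is an It
 * and reads the private slot as a pointer. Reached through an Array, priv is
 * the array length (e.g. 1), which it would dereference and crash. */
static bool its_getter_unchecked(Object *obj, int32_t *vp) {
    int32_t *val = (int32_t *)obj->priv;
    *vp = val ? *val : 0;
    return true;
}

/* Hardened getter: confirm the receiver's class before touching the slot. */
static bool its_getter_checked(Object *obj, int32_t *vp) {
    if (obj->clasp != &its_class) {
        *vp = 0;             /* undefined: the hook does not apply here */
        return false;        /* a real hook would report a type error */
    }
    int32_t *val = (int32_t *)obj->priv;
    *vp = val ? *val : 0;
    return true;
}

/* Property read the way the engine does it: the name is looked up along the
 * prototype chain, but the getter is called with the original receiver,
 * not the object that holds the property. */
static bool get_property(Object *receiver, const char *name, int32_t *vp) {
    for (Object *o = receiver; o; o = o->proto) {
        for (size_t i = 0; i < o->nprops; i++) {
            if (strcmp(o->props[i].name, name) == 0)
                return o->props[i].getter(receiver, vp);
        }
    }
    *vp = 0;
    return false;
}

/* True only when the unchecked hook would read a genuine It private slot. */
static bool unchecked_getter_is_safe(const Object *receiver) {
    return receiver->clasp == &its_class;
}

/* Shape of the testcase: an Array whose chain reaches an It object that owns
 * "color"; read "color" on the It directly and then through the array. */
static bool demo(int32_t *out_it, int32_t *out_array) {
    static int32_t color = 42;                       /* constructed value */
    static const Property its_props[] = { { "color", its_getter_checked } };
    Object it  = { &its_class, (uintptr_t)&color, NULL, its_props, 1 };
    Object arr = { &array_class, 1 /* length */, &it, NULL, 0 };
    bool ok_it  = get_property(&it,  "color", out_it);     /* 42, accepted */
    bool ok_arr = get_property(&arr, "color", out_array);  /* rejected */
    return ok_it && !ok_arr;
}

int main(void) {
    int32_t a = 0, b = 0, direct = 0;
    bool ok = demo(&a, &b);
    static int32_t color = 7;
    Object it  = { &its_class, (uintptr_t)&color, NULL, NULL, 0 };
    Object arr = { &array_class, 1, NULL, NULL, 0 };
    its_getter_unchecked(&it, &direct);   /* fine on the right receiver */
    printf("It.color=%d array.color rejected=%s direct=%d\n",
           a, ok ? "yes" : "no", direct);
    printf("unchecked hook safe on array: %s\n",
           unchecked_getter_is_safe(&arr) ? "yes" : "no");
    return 0;
}
```

The point of the model is the signature of `get_property`: the holder of the property and the receiver passed to the hook are different objects, so any PropertyOp that reaches for private data has to check the receiver's class itself rather than assume it.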
I guess this is the right fix, though I don't know how the PropertyOp API works so well.
Assignee: general → bhackett1024
Attachment #573207 - Flags: review?
Attachment #573207 - Flags: review? → review?(jwalden+bmo)
Comment on attachment 573207 [details] [diff] [review]
patch (95d98e8ab9f3)

Review of attachment 573207 [details] [diff] [review]:
-----------------------------------------------------------------

I wonder how many of the bugs related to the its class are bugs due to its buggy implementation, versus bugs that reveal actual problems.
Attachment #573207 - Flags: review?(jwalden+bmo) → review+
I feel like at some point I wrote comment 1 in another bug, then nobody acted on it because it wasn't an actual bug, and it got rediscovered here in a somewhat different manner.  But I might be wrong about that.  :-\
https://hg.mozilla.org/mozilla-central/rev/c2ed79d6fea9
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+