Bug 700295 - Crash at its_getter
Status: Closed, RESOLVED FIXED (opened 13 years ago, closed 13 years ago)
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla11
People: Reporter: decoder, Assigned: bhackett1024
Keywords: assertion, testcase
Attachments (1 file): patch, 3.28 KB, Waldo: review+
The following testcase asserts on jaegermonkey branch revision 1210706b4576 (run with -m -n -a), tested on 64 bit:

    // Put the global object at the end of every prototype chain.
    this.__proto__ = null;
    Object.prototype.__proto__ = this;

    // Collect every own property name found along obj's prototype chain,
    // then read each one back through obj itself, so every inherited
    // getter runs with obj as the receiver.
    function exploreProperties(obj) {
        var props = [];
        for (var o = obj; o; o = Object.getPrototypeOf(o)) {
            props = props.concat(Object.getOwnPropertyNames(o));
        }
        for (var i = 0; i < props.length; ++i) {
            var p = props[i];
            var v = obj[p];
        }
    }

    var c = [{}];
    exploreProperties(c);
Comment 1 (by assignee) • 13 years ago
This testcase crashes on m-i cset e05e46646dc3. its_getter and its_setter (PropertyOp hooks only defined in the shell) do not have checks that they are being called on the right object, and will go straight to the object's private data. The accessed object is an array; this crashes on JM because on JM arrays do not have private data, and crashes on trunk because the array private data is an integer (array length) rather than a pointer (as expected by the hook).
Summary: [ObjShrink]: Assertion failure: hasPrivate(), at ../../jsobjinlines.h:90 → Crash at its_getter
Target Milestone: --- → mozilla10
Version: Other Branch → 11 Branch
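The defect comment 1 describes is a property hook that trusts its receiver: it casts the object's private word to a pointer without first confirming the object belongs to the class the hook was written for. The following is an added illustration in C, not SpiderMonkey code and not the patch in attachment 573207 (which is not on this page); the JSClassModel/JSObjectModel/ItsData types, the ITS_MAGIC tag and the sample values are all constructed for the example. It puts the unchecked pattern beside a receiver-checked one and exercises the checked hook against the three receivers the bug mentions: a real `its` object, a trunk Array whose private word is its length, and a JM-branch Array with no private word.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the situation in comment 1; this is not SpiderMonkey
 * code. Every object carries a class and one "private" word whose meaning is
 * class-specific: for the shell's `its` class it is a pointer to ItsData, for
 * an Array on trunk it holds the length as an integer, and on the JM branch
 * arrays have no private word at all.
 */

#define ITS_MAGIC 0x1753  /* constructed tag identifying a live ItsData */

typedef struct JSClassModel {
    const char *name;
    bool has_private;          /* does the class keep a private word? */
} JSClassModel;

typedef struct JSObjectModel {
    const JSClassModel *clasp;
    uintptr_t private_word;    /* pointer for `its`, integer length for Array */
} JSObjectModel;

typedef struct ItsData {
    int magic;
    int value;
} ItsData;

static const JSClassModel its_class      = { "its",   true  };
static const JSClassModel array_class    = { "Array", true  };   /* trunk */
static const JSClassModel jm_array_class = { "Array", false };   /* JM branch */

/* The pattern comment 1 describes: assume the receiver is an `its` object
 * and go straight to its private data. With an Array receiver the length
 * (1 for the testcase's [{}]) is reinterpreted as a pointer and the read
 * faults; on JM there is no private word to read in the first place. */
static int its_getter_unchecked(const JSObjectModel *obj) {
    const ItsData *data = (const ItsData *)obj->private_word;
    return data->value;
}

/* Hardened hook: refuse any receiver that is not an `its` object before
 * touching the private word. Returns false when the hook does not apply,
 * so the caller can fall back to ordinary property lookup. */
static bool its_getter_checked(const JSObjectModel *obj, int *out) {
    if (obj->clasp != &its_class)
        return false;                 /* reached via the prototype chain */
    if (!obj->clasp->has_private || obj->private_word == 0)
        return false;                 /* no private data to read */
    const ItsData *data = (const ItsData *)obj->private_word;
    if (data->magic != ITS_MAGIC)
        return false;                 /* private word is not ours */
    *out = data->value;
    return true;
}

static ItsData sample_its = { ITS_MAGIC, 42 };   /* constructed sample */

/* Receivers mirroring the bug: an `its` object, a trunk Array of length 1,
 * and a JM Array without a private word. */
static JSObjectModel make_its_object(void)  { JSObjectModel o = { &its_class, (uintptr_t)&sample_its }; return o; }
static JSObjectModel make_trunk_array(void) { JSObjectModel o = { &array_class, (uintptr_t)1 }; return o; }
static JSObjectModel make_jm_array(void)    { JSObjectModel o = { &jm_array_class, 0 }; return o; }

/* Value the checked hook yields for a real `its` object (42 here). */
int checked_value_on_its(void) {
    JSObjectModel o = make_its_object();
    int v = -1;
    its_getter_checked(&o, &v);
    return v;
}

/* The checked hook must decline both kinds of Array receiver. */
bool checked_refuses_trunk_array(void) {
    JSObjectModel o = make_trunk_array();
    int v = 0;
    return !its_getter_checked(&o, &v);
}

bool checked_refuses_jm_array(void) {
    JSObjectModel o = make_jm_array();
    int v = 0;
    return !its_getter_checked(&o, &v);
}

/* The unchecked hook is only safe on a real `its` object. */
int unchecked_value_on_its(void) {
    JSObjectModel o = make_its_object();
    return its_getter_unchecked(&o);
}

int main(void) {
    printf("its object:   checked=%d unchecked=%d\n",
           checked_value_on_its(), unchecked_value_on_its());
    printf("trunk Array:  checked refuses=%d\n", checked_refuses_trunk_array());
    printf("JM Array:     checked refuses=%d\n", checked_refuses_jm_array());
    return 0;
}
```

The class comparison is the check that matters; the has_private and magic tests are extra belt-and-braces for a word whose type is only known once the class is known. The unchecked getter is deliberately never called on an Array here, because in the model, as in the real shell, that is the read that faults.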
Updated by assignee • 13 years ago
Target Milestone: mozilla10 → ---
Comment 2 (by assignee) • 13 years ago
I guess this is the right fix, though I don't know how the PropertyOp API works so well.
Assignee: general → bhackett1024
Attachment #573207 - Flags: review?
Updated by assignee • 13 years ago
Attachment #573207 - Flags: review? → review?(jwalden+bmo)
Comment 3 • 13 years ago
Comment on attachment 573207 [details] [diff] [review]
patch (95d98e8ab9f3)

Review of attachment 573207 [details] [diff] [review]:
-----------------------------------------------------------------

I wonder how many of the bugs related to the its class are bugs due to its buggy implementation, versus bugs that reveal actual problems.
Attachment #573207 - Flags: review?(jwalden+bmo) → review+
Comment 4 • 13 years ago
I feel like at some point I wrote comment 1 in another bug, then nobody acted on it because it wasn't an actual bug, and it got rediscovered here in a somewhat different manner. But I might be wrong about that. :-\
Comment 5 (by assignee) • 13 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2ed79d6fea9
Comment 7 • 13 years ago
https://hg.mozilla.org/mozilla-central/rev/c2ed79d6fea9
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
Comment 9 (by reporter) • 11 years ago
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+