Hang with "for each" over object with a getter set to "map"

VERIFIED FIXED in mozilla1.8.1

Status: VERIFIED FIXED
Priority: P1, critical
Reported: 12 years ago
Modified: 12 years ago

People: Reporter jruderman, Assignee brendan

Tracking
Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla1.8.1
Keywords: hang, testcase, verified1.8.1
Bug Flags: blocking1.8.1+, in-testsuite+

Attachments

(1 attachment)

Description (Reporter, 12 years ago)

obj = { };
obj.y getter = Array.prototype.map;
(function() { for each(let z in obj) { } })();

Hangs within js_ReportIsNotFunction, trying to decompile something.
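Added example, not from the bug report or from SpiderMonkey: the reporter's testcase rewritten in standard JavaScript so it runs in any current engine. The `obj.y getter = fn` syntax and `for each` are SpiderMonkey-only, so `Object.defineProperty` and a value read per enumerated key stand in for them (an assumed equivalent, marked in the comments). Reading each value fires the getter, which means Array.prototype.map is called with `obj` as `this` and no callback; that is the non-callable check behind the js_ReportIsNotFunction frame in the stack trace above, and a conforming engine reports it as a TypeError rather than entering a decompiler.

```javascript
'use strict';

// Constructed stand-in for `obj = {}; obj.y getter = Array.prototype.map;`
// (assumed equivalent: a data-less accessor whose getter is map itself).
function buildTestObject() {
  const obj = {};
  Object.defineProperty(obj, 'y', {
    get: Array.prototype.map, // the getter *is* Array.prototype.map
    enumerable: true,         // so enumeration reaches it, as `for each` did
  });
  return obj;
}

// Stand-in for `for each (let z in obj)`: JS1.6 `for each` iterated values,
// so every enumerated key is read here, which invokes the getter with
// `this === obj` and no callback argument.
function iterateValues(obj) {
  const seen = [];
  for (const key in obj) {
    seen.push(obj[key]);
  }
  return seen;
}

// Runs the testcase and reports what happened: null if the loop completed,
// otherwise the name of the error raised (TypeError in a conforming engine,
// because map's callback argument is not callable).
function runTestcase() {
  try {
    iterateValues(buildTestObject());
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

console.log('value loop over the testcase object raised:', runTestcase());
```

The useful property of the rewrite is that the failure is reported where it happens (the callable check inside map) instead of being deferred to an error-message decompiler that walks bytecode; the original hang and segfault only exist because that second step ran on a miscomputed pc.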

Comment 1 (12 years ago)

On Linux I got a segmentation fault when running against the shell. It happens because the following code from the decompiler, jsopcode.c line 2644,

              case JSOP_NAME:
              case JSOP_GETGVAR:
                atom = GET_ATOM(cx, jp->script, pc);
              do_name:
                lval = "";
              do_qname:
                sn = js_GetSrcNote(jp->script, pc);
                rval = QuoteString(&ss->sprinter, ATOM_TO_STRING(atom), 0);

passes junk, not a JSString, to QuoteString.

The full stack trace:

Program received signal SIGSEGV, Segmentation fault.
0x080ca0ce in QuoteString (sp=0xbfab6e08, str=0x815b098, quote=0)
    at jsopcode.c:468
468	        c = *t;
(gdb) backtrace
#0  0x080ca0ce in QuoteString (sp=0xbfab6e08, str=0x815b098, quote=0)
    at jsopcode.c:468
#1  0x080d1b74 in Decompile (ss=0xbfab6e08, pc=0x816cbe8 ";", nb=3)
    at jsopcode.c:2644
#2  0x080d46ab in js_DecompileCode (jp=0x816cbf8, script=0x816e150, 
    pc=0x816cbe8 ";", len=3) at jsopcode.c:3382
#3  0x080d5409 in js_DecompileValueGenerator (cx=0x8159668, spindex=-8, 
    v=-2147483647, fallback=0x815a808) at jsopcode.c:3737
#4  0x080928b3 in js_ReportIsNotFunction (cx=0x8159668, vp=0x816e33c, 
    flags=0) at jsfun.c:2251
#5  0x080925a0 in js_ValueToFunction (cx=0x8159668, vp=0x816e33c, flags=0)
    at jsfun.c:2177
#6  0x08092675 in js_ValueToFunctionObject (cx=0x8159668, vp=0x816e33c, 
    flags=0) at jsfun.c:2194
#7  0x08092806 in js_ValueToCallableObject (cx=0x8159668, vp=0x816e33c, 
    flags=0) at jsfun.c:2229
#8  0x08065710 in array_extra (cx=0x8159668, obj=0x815b0a0, argc=0, 
    argv=0x816e33c, rval=0xbfab7140, mode=MAP) at jsarray.c:1587
#9  0x08065b1f in array_map (cx=0x8159668, obj=0x815b0a0, argc=0, 
    argv=0x816e33c, rval=0xbfab7140) at jsarray.c:1727
#10 0x08098b2c in js_Invoke (cx=0x8159668, argc=0, flags=2)
    at jsinterp.c:1372
#11 0x08098f3f in js_InternalInvoke (cx=0x8159668, obj=0x815b0a0, 
    fval=135639064, flags=0, argc=0, argv=0x0, rval=0xbfab73f0)
    at jsinterp.c:1466
#12 0x08099183 in js_InternalGetOrSet (cx=0x8159668, obj=0x815b0a0, 
    id=135709864, fval=135639064, mode=JSACC_READ, argc=0, argv=0x0, 
    rval=0xbfab73f0) at jsinterp.c:1526
#13 0x080c4ff1 in js_GetProperty (cx=0x8159668, obj=0x815b0a0, id=135709864, 
    vp=0xbfab73f0) at jsobj.c:3442
#14 0x080b7ce3 in iterator_next (cx=0x8159668, obj=0x815b110, argc=0, 
    argv=0x0, rval=0xbfab7b10) at jsiter.c:257
#15 0x080b8a5d in js_CallIteratorNext (cx=0x8159668, iterobj=0x815b110, 
    flags=3, idp=0xbfab7ae0, rval=0xbfab7b10) at jsiter.c:523
#16 0x0809d190 in js_Interpret (cx=0x8159668, pc=0x816e189 "Ï", 
    result=0xbfab7e64) at jsinterp.c:2751
#17 0x08099472 in js_Execute (cx=0x8159668, chain=0x815aac0, 
    script=0x816e1e0, down=0x0, flags=0, result=0xbfab8f34)
    at jsinterp.c:1617
#18 0x08060409 in JS_ExecuteScript (cx=0x8159668, obj=0x815aac0, 
    script=0x816e1e0, rval=0xbfab8f34) at jsapi.c:4256
#19 0x080495c4 in Process (cx=0x8159668, obj=0x815aac0, 
    filename=0xbfab9a28 "/home/igor/s/x.js", forceTTY=0) at js.c:229
#20 0x08049ecb in ProcessArgs (cx=0x8159668, obj=0x815aac0, argv=0xbfab90c8, 
    argc=3) at js.c:486
#21 0x0804e37b in main (argc=3, argv=0xbfab90c8, envp=0xbfab90d8)
    at js.c:3086

Comment 2 (12 years ago)

(In reply to comment #1)
>               case JSOP_NAME:
>               case JSOP_GETGVAR:
>                 atom = GET_ATOM(cx, jp->script, pc);

Here, with the test case, atom is an object, not a string. Is it the getter presentation?

>               do_name:
>                 lval = "";
>               do_qname:
>                 sn = js_GetSrcNote(jp->script, pc);
>                 rval = QuoteString(&ss->sprinter, ATOM_TO_STRING(atom), 0);

Comment 3 (Assignee, 12 years ago)

This is another bug like bug 350417, where js_DecompileValueGenerator's bad old code that copies a slice of bytecode and prepends some special bytecode is and always has been hazardous.

Suggest we dup bugs with js_DecompileValueGenerator calling Decompile where the pc in Decompile is way out of bounds for the script against the lowest-numbered such bug.  Igor, if you want to take a crack at fixing this, that's ok with me, but I could use more help on the reopened bug 350793 -- that one is not understood (at least not by me).

/be

Updated (Reporter, 12 years ago)

Depends on: 350417

Updated (Assignee, 12 years ago)

Assignee: general → brendan
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1

Comment 4 (Assignee, 12 years ago)

I'm wrong; this is not a dup of 350417 (the patch for that bug doesn't help).

The problem is block object atom indexing.  The atom at index 0 in jp->script->atomMap.vector is the block object for the for each (let ...) loop, while the atom at index 1 is the "obj" name.

/be

Status: NEW → ASSIGNED
No longer depends on: 350417

Comment 5 (Assignee, 12 years ago)

The bug is that JSOP_FORLOCAL<0> is rewritten by the js_DecompileValueGenerator opcode-rewriting magic as JSOP_NAME.  So the patch for this bug will conflict with the patch for bug 350417.  I'll interdiff to extract the relevant bits, so what I attach here won't apply unless you first apply bug 350417's patch.

/be

Comment 6 (Assignee, 12 years ago)

Created attachment 238316: fix-patch on top of bug 350417's patch

Adding a new opcode format requires fiddling with js_DVG -- you mess with the bull, you get the horns!  Or I do, in this case. :-P

/be
Attachment #238316 - Flags: review?(mrbkap)

Updated (Assignee, 12 years ago)

Flags: blocking1.8.1?

Updated (12 years ago)

Flags: blocking1.8.1? → blocking1.8.1+
Attachment #238316 - Flags: review?(mrbkap) → review+

Comment 7 (Assignee, 12 years ago)

Comment on attachment 238316: fix-patch on top of bug 350417's patch

Fixed on trunk.

/be
Attachment #238316 - Flags: approval1.8.1?

Updated (Assignee, 12 years ago)

Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Comment 8 (12 years ago)

Comment on attachment 238316: fix-patch on top of bug 350417's patch

a=schrep
Attachment #238316 - Flags: approval1.8.1? → approval1.8.1+

Updated (Assignee, 12 years ago)

Depends on: 350417

Comment 9 (Assignee, 12 years ago)

Fixed on the 1.8 branch.

/be
Keywords: fixed1.8.1

Comment 10 (12 years ago)

Checking in regress-352392.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-352392.js,v  <--  regress-352392.js
initial revision: 1.1
done
Flags: in-testsuite+

Comment 11 (12 years ago)

verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1