Closed
Bug 352392
Opened 19 years ago
Closed 19 years ago
Hang with "for each" over object with a getter set to "map"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.8.1
People
(Reporter: jruderman, Assigned: brendan)
References
Details
(Keywords: hang, testcase, verified1.8.1)
Attachments
(1 file)
|
442 bytes,
patch
|
mrbkap
:
review+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
obj = { };
obj.y getter = Array.prototype.map;
(function() { for each(let z in obj) { } })();
Hangs within js_ReportIsNotFunction, trying to decompile something.
|
||
Comment 1•19 years ago
|
||
On Linux I got segmentation fault when run against the shell. It happens because the following code from the decompiler, jsopcode.c line 2644,
case JSOP_NAME:
case JSOP_GETGVAR:
atom = GET_ATOM(cx, jp->script, pc);
do_name:
lval = "";
do_qname:
sn = js_GetSrcNote(jp->script, pc);
rval = QuoteString(&ss->sprinter, ATOM_TO_STRING(atom), 0);
passes junk, not JSString to QuoteString.
The full stack trace:
Program received signal SIGSEGV, Segmentation fault.
0x080ca0ce in QuoteString (sp=0xbfab6e08, str=0x815b098, quote=0)
at jsopcode.c:468
468 c = *t;
(gdb) backtrace
#0 0x080ca0ce in QuoteString (sp=0xbfab6e08, str=0x815b098, quote=0)
at jsopcode.c:468
#1 0x080d1b74 in Decompile (ss=0xbfab6e08, pc=0x816cbe8 ";", nb=3)
at jsopcode.c:2644
#2 0x080d46ab in js_DecompileCode (jp=0x816cbf8, script=0x816e150,
pc=0x816cbe8 ";", len=3) at jsopcode.c:3382
#3 0x080d5409 in js_DecompileValueGenerator (cx=0x8159668, spindex=-8,
v=-2147483647, fallback=0x815a808) at jsopcode.c:3737
#4 0x080928b3 in js_ReportIsNotFunction (cx=0x8159668, vp=0x816e33c,
flags=0) at jsfun.c:2251
#5 0x080925a0 in js_ValueToFunction (cx=0x8159668, vp=0x816e33c, flags=0)
at jsfun.c:2177
#6 0x08092675 in js_ValueToFunctionObject (cx=0x8159668, vp=0x816e33c,
flags=0) at jsfun.c:2194
#7 0x08092806 in js_ValueToCallableObject (cx=0x8159668, vp=0x816e33c,
flags=0) at jsfun.c:2229
#8 0x08065710 in array_extra (cx=0x8159668, obj=0x815b0a0, argc=0,
argv=0x816e33c, rval=0xbfab7140, mode=MAP) at jsarray.c:1587
#9 0x08065b1f in array_map (cx=0x8159668, obj=0x815b0a0, argc=0,
argv=0x816e33c, rval=0xbfab7140) at jsarray.c:1727
#10 0x08098b2c in js_Invoke (cx=0x8159668, argc=0, flags=2)
at jsinterp.c:1372
#11 0x08098f3f in js_InternalInvoke (cx=0x8159668, obj=0x815b0a0,
fval=135639064, flags=0, argc=0, argv=0x0, rval=0xbfab73f0)
at jsinterp.c:1466
#12 0x08099183 in js_InternalGetOrSet (cx=0x8159668, obj=0x815b0a0,
id=135709864, fval=135639064, mode=JSACC_READ, argc=0, argv=0x0,
rval=0xbfab73f0) at jsinterp.c:1526
#13 0x080c4ff1 in js_GetProperty (cx=0x8159668, obj=0x815b0a0, id=135709864,
vp=0xbfab73f0) at jsobj.c:3442
#14 0x080b7ce3 in iterator_next (cx=0x8159668, obj=0x815b110, argc=0,
argv=0x0, rval=0xbfab7b10) at jsiter.c:257
#15 0x080b8a5d in js_CallIteratorNext (cx=0x8159668, iterobj=0x815b110,
flags=3, idp=0xbfab7ae0, rval=0xbfab7b10) at jsiter.c:523
#16 0x0809d190 in js_Interpret (cx=0x8159668, pc=0x816e189 "Ï",
result=0xbfab7e64) at jsinterp.c:2751
#17 0x08099472 in js_Execute (cx=0x8159668, chain=0x815aac0,
script=0x816e1e0, down=0x0, flags=0, result=0xbfab8f34)
at jsinterp.c:1617
#18 0x08060409 in JS_ExecuteScript (cx=0x8159668, obj=0x815aac0,
script=0x816e1e0, rval=0xbfab8f34) at jsapi.c:4256
#19 0x080495c4 in Process (cx=0x8159668, obj=0x815aac0,
filename=0xbfab9a28 "/home/igor/s/x.js", forceTTY=0) at js.c:229
#20 0x08049ecb in ProcessArgs (cx=0x8159668, obj=0x815aac0, argv=0xbfab90c8,
argc=3) at js.c:486
#21 0x0804e37b in main (argc=3, argv=0xbfab90c8, envp=0xbfab90d8)
at js.c:3086
|
|
||
Comment 2•19 years ago
|
||
(In reply to comment #1)
> case JSOP_NAME:
> case JSOP_GETGVAR:
> atom = GET_ATOM(cx, jp->script, pc);
Here with the test case atom is object, not string. Is it the getter presentation?
> do_name:
> lval = "";
> do_qname:
> sn = js_GetSrcNote(jp->script, pc);
> rval = QuoteString(&ss->sprinter, ATOM_TO_STRING(atom), 0);
|
Assignee | |
Comment 3•19 years ago
|
||
This is another bug like bug 350417, where js_DecompileValueGenerator's bad old code that copies a slice of bytecode and prepends some special bytecode is and always has been hazardous.
Suggest we dup bugs with js_DecompileValueGenerator calling Decompile where the pc in Decompile is way out of bounds for the script against the lowest-numbered such bug. Igor, if you want to take a crack at fixing this, that's ok with me, but I could use more help on the reopened bug 350793 -- that one is not understood (at least not by me).
/be
|
|
Assignee | |
Updated•19 years ago
|
Assignee: general → brendan
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
|
|
Assignee | |
Comment 4•19 years ago
|
||
I'm wrong, this is not a dup of 350417 (the patch for that bug doesn't help).
The problem is block object atom indexing. The atom at index 0 in jp->script->atomMap.vector is the block object for the for each (let ...) loop, while the atom at index 1 is the "obj" name.
/be
Status: NEW → ASSIGNED
No longer depends on: 350417
|
|
Assignee | |
Comment 5•19 years ago
|
||
The bug is that JSOP_FORLOCAL<0> is rewritten by the js_DecompileValueGenerator opcode-rewriting magic as JSOP_NAME. So the patch for this bug will conflict with the patch for bug 350417. I'll interdiff to extract the relevant bits, so what I attach here won't apply unless you first apply bug 350417's patch.
/be
|
|
Assignee | |
Comment 6•19 years ago
|
||
Adding a new opcode format requires fiddling with js_DVG -- you mess with the bull, you get the horns! Or I do, in this case. :-P
/be
Attachment #238316 -
Flags: review?(mrbkap)
|
|
Assignee | |
Updated•19 years ago
|
Flags: blocking1.8.1?
|
||
Updated•19 years ago
|
Flags: blocking1.8.1? → blocking1.8.1+
|
||
Updated•19 years ago
|
Attachment #238316 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 7•19 years ago
|
||
Comment on attachment 238316 [details] [diff] [review]
fix-patch on top of bug 350417's patch
Fixed on trunk.
/be
Attachment #238316 -
Flags: approval1.8.1?
|
|
Assignee | |
Updated•19 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
||
Comment 8•19 years ago
|
||
Comment on attachment 238316 [details] [diff] [review]
fix-patch on top of bug 350417's patch
a=schrep
Attachment #238316 -
Flags: approval1.8.1? → approval1.8.1+
|
||
Comment 10•19 years ago
|
||
Checking in regress-352392.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-352392.js,v <-- regress-352392.js
initial revision: 1.1
done
Flags: in-testsuite+
|
|
||
Comment 11•19 years ago
|
||
verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
You need to log in
before you can comment on or make changes to this bug.
Description
•