Closed Bug 352392 Opened 19 years ago Closed 19 years ago

Hang with "for each" over object with a getter set to "map"

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

()

VERIFIED FIXED
mozilla1.8.1

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(Keywords: hang, testcase, verified1.8.1)

Attachments

(1 file)

obj = { }; obj.y getter = Array.prototype.map; (function() { for each(let z in obj) { } })(); Hangs within js_ReportIsNotFunction, trying to decompile something.
On Linux I got segmentation fault when run against the shell. It happens because the following code from the decompiler, jsopcode.c line 2644, case JSOP_NAME: case JSOP_GETGVAR: atom = GET_ATOM(cx, jp->script, pc); do_name: lval = ""; do_qname: sn = js_GetSrcNote(jp->script, pc); rval = QuoteString(&ss->sprinter, ATOM_TO_STRING(atom), 0); passes junk, not JSString to QuoteString. The full stack trace: Program received signal SIGSEGV, Segmentation fault. 0x080ca0ce in QuoteString (sp=0xbfab6e08, str=0x815b098, quote=0) at jsopcode.c:468 468 c = *t; (gdb) backtrace #0 0x080ca0ce in QuoteString (sp=0xbfab6e08, str=0x815b098, quote=0) at jsopcode.c:468 #1 0x080d1b74 in Decompile (ss=0xbfab6e08, pc=0x816cbe8 ";", nb=3) at jsopcode.c:2644 #2 0x080d46ab in js_DecompileCode (jp=0x816cbf8, script=0x816e150, pc=0x816cbe8 ";", len=3) at jsopcode.c:3382 #3 0x080d5409 in js_DecompileValueGenerator (cx=0x8159668, spindex=-8, v=-2147483647, fallback=0x815a808) at jsopcode.c:3737 #4 0x080928b3 in js_ReportIsNotFunction (cx=0x8159668, vp=0x816e33c, flags=0) at jsfun.c:2251 #5 0x080925a0 in js_ValueToFunction (cx=0x8159668, vp=0x816e33c, flags=0) at jsfun.c:2177 #6 0x08092675 in js_ValueToFunctionObject (cx=0x8159668, vp=0x816e33c, flags=0) at jsfun.c:2194 #7 0x08092806 in js_ValueToCallableObject (cx=0x8159668, vp=0x816e33c, flags=0) at jsfun.c:2229 #8 0x08065710 in array_extra (cx=0x8159668, obj=0x815b0a0, argc=0, argv=0x816e33c, rval=0xbfab7140, mode=MAP) at jsarray.c:1587 #9 0x08065b1f in array_map (cx=0x8159668, obj=0x815b0a0, argc=0, argv=0x816e33c, rval=0xbfab7140) at jsarray.c:1727 #10 0x08098b2c in js_Invoke (cx=0x8159668, argc=0, flags=2) at jsinterp.c:1372 #11 0x08098f3f in js_InternalInvoke (cx=0x8159668, obj=0x815b0a0, fval=135639064, flags=0, argc=0, argv=0x0, rval=0xbfab73f0) at jsinterp.c:1466 #12 0x08099183 in js_InternalGetOrSet (cx=0x8159668, obj=0x815b0a0, id=135709864, fval=135639064, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfab73f0) at jsinterp.c:1526 #13 0x080c4ff1 in js_GetProperty (cx=0x8159668, obj=0x815b0a0, id=135709864, vp=0xbfab73f0) at jsobj.c:3442 #14 0x080b7ce3 in iterator_next (cx=0x8159668, obj=0x815b110, argc=0, argv=0x0, rval=0xbfab7b10) at jsiter.c:257 #15 0x080b8a5d in js_CallIteratorNext (cx=0x8159668, iterobj=0x815b110, flags=3, idp=0xbfab7ae0, rval=0xbfab7b10) at jsiter.c:523 #16 0x0809d190 in js_Interpret (cx=0x8159668, pc=0x816e189 "Ï", result=0xbfab7e64) at jsinterp.c:2751 #17 0x08099472 in js_Execute (cx=0x8159668, chain=0x815aac0, script=0x816e1e0, down=0x0, flags=0, result=0xbfab8f34) at jsinterp.c:1617 #18 0x08060409 in JS_ExecuteScript (cx=0x8159668, obj=0x815aac0, script=0x816e1e0, rval=0xbfab8f34) at jsapi.c:4256 #19 0x080495c4 in Process (cx=0x8159668, obj=0x815aac0, filename=0xbfab9a28 "/home/igor/s/x.js", forceTTY=0) at js.c:229 #20 0x08049ecb in ProcessArgs (cx=0x8159668, obj=0x815aac0, argv=0xbfab90c8, argc=3) at js.c:486 #21 0x0804e37b in main (argc=3, argv=0xbfab90c8, envp=0xbfab90d8) at js.c:3086
(In reply to comment #1) > case JSOP_NAME: > case JSOP_GETGVAR: > atom = GET_ATOM(cx, jp->script, pc); Here with the test case atom is object, not string. Is it the getter presentation? > do_name: > lval = ""; > do_qname: > sn = js_GetSrcNote(jp->script, pc); > rval = QuoteString(&ss->sprinter, ATOM_TO_STRING(atom), 0);
This is another bug like bug 350417, where js_DecompileValueGenerator's bad old code that copies a slice of bytecode and prepends some special bytecode is and always has been hazardous. Suggest we dup bugs with js_DecompileValueGenerator calling Decompile where the pc in Decompile is way out of bounds for the script against the lowest-numbered such bug. Igor, if you want to take a crack at fixing this, that's ok with me, but I could use more help on the reopened bug 350793 -- that one is not understood (at least not by me). /be
Depends on: 350417
Assignee: general → brendan
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
I'm wrong, this is not a dup of 350417 (the patch for that bug doesn't help). The problem is block object atom indexing. The atom at index 0 in jp->script->atomMap.vector is the block object for the for each (let ...) loop, while the atom at index 1 is the "obj" name. /be
Status: NEW → ASSIGNED
No longer depends on: 350417
The bug is that JSOP_FORLOCAL<0> is rewritten by the js_DecompileValueGenerator opcode-rewriting magic as JSOP_NAME. So the patch for this bug will conflict with the patch for bug 350417. I'll interdiff to extract the relevant bits, so what I attach here won't apply unless you first apply bug 350417's patch. /be
Adding a new opcode format requires fiddling with js_DVG -- you mess with the bull, you get the horns! Or I do, in this case. :-P /be
Attachment #238316 - Flags: review?(mrbkap)
Flags: blocking1.8.1?
Flags: blocking1.8.1? → blocking1.8.1+
Attachment #238316 - Flags: review?(mrbkap) → review+
Comment on attachment 238316 [details] [diff] [review] fix-patch on top of bug 350417's patch Fixed on trunk. /be
Attachment #238316 - Flags: approval1.8.1?
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 238316 [details] [diff] [review] fix-patch on top of bug 350417's patch a=schrep
Attachment #238316 - Flags: approval1.8.1? → approval1.8.1+
Depends on: 350417
Fixed on the 1.8 branch. /be
Keywords: fixed1.8.1
Checking in regress-352392.js; /cvsroot/mozilla/js/tests/js1_6/Regress/regress-352392.js,v <-- regress-352392.js initial revision: 1.1 done
Flags: in-testsuite+
verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: