Closed
Bug 352455
Opened 18 years ago
Closed 18 years ago
JS engine stops execution trying to uneval an object w/ some non-function getters/setters
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: crowderbt)
References
Details
(Keywords: fixed1.8.1.1, testcase)
Attachments
(1 file)
1.09 KB,
patch
|
igor
:
review+
dveditz
:
approval1.8.1.1+
|
Details | Diff | Splinter Review |
z = ({}); z.x getter= /g/i; print("This line should not be the last output you see."); try { print(uneval(z)); } catch(e) { print("Threw!"); print(e); } print('PASS'); The second line should probably throw "invalid getter usage". If that's not possible, uneval() should throw or return something that isn't quite right instead of halting the entire script.
Reporter | ||
Comment 1•18 years ago
|
||
If you test this by pasting into the shell, you'll want "print('PASS');" on the same line as the try..catch.
Comment 2•18 years ago
|
||
That get/set js_obj_toSource code was not careful. /be
Comment 3•18 years ago
|
||
Of course, this patch just avoids the silent out of memory. What we really want is what Jesse said: runtime check for non-function object being bound as a getter or setter. I'm thinking this bug is a post-js1.7/mozilla1.8.1 work item. I'm putting it back in the general@js.bugs pool. /be
Assignee: brendan → general
Status: ASSIGNED → NEW
Updated•18 years ago
|
Attachment #238150 -
Flags: review?(igor.bukanov) → review+
Reporter | ||
Comment 4•18 years ago
|
||
js> function() { return { x setter: 3 }; } Assertion failure: strncmp(rval, js_function_str, 8) == 0 && rval[8] == ' ', at jsopcode.c:3191
Comment 5•18 years ago
|
||
(In reply to comment #4) > js> function() { return { x setter: 3 }; } > Assertion failure: strncmp(rval, js_function_str, 8) == 0 && rval[8] == ' ', at > jsopcode.c:3191 Yes, that's a consequence of not insisting on a function object at runtime, if not at compile time, as you allude to in this part of comment 0: > The second line should probably throw "invalid getter usage". /be
Comment 6•18 years ago
|
||
*** Bug 352986 has been marked as a duplicate of this bug. ***
Comment 7•18 years ago
|
||
Brian, could I interest you in this one? /be
Assignee | ||
Updated•18 years ago
|
Assignee: general → crowder
Assignee | ||
Updated•18 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 8•18 years ago
|
||
My patch for bug 61911 fixes this. Alternatively, I can special-case the getter/setter code to explicitly also check for regexp or something else. Thoughts?
Assignee | ||
Comment 9•18 years ago
|
||
Scratch that; my 61911 patch fixed the regexp problem. More investigation needed.
Summary: JS engine stops execution trying to uneval an object with a regexp getter → JS engine stops execution trying to uneval an object w/ some non-function getters/setters
Assignee | ||
Comment 10•18 years ago
|
||
Okay. There are two different bugs here, one of which is genuinely fixed by my patch to bug 61911. RegExp objects should not be considered as JSTYPE_FUNCTION (or if they are, they should be special cased to be invalid as getter/setters via an exception at runtime). I'll write that patch if that's what Brendan wants to do. The other bug (revealed by comment #4) is that the decompiler is making an assertion about something the compiler can't enforce. That assertion should instead be a runtime error. Separate bug?
Reporter | ||
Comment 11•18 years ago
|
||
Ok, that is now bug 355992.
Comment 12•18 years ago
|
||
Yeah, we should fix bug 61911 asap so that typeof /hi/ == "object". If we do that and fix this bug (toSource, object graph to source) and the decompiler (Decompile, code to source), we are done. /be
Assignee | ||
Comment 13•18 years ago
|
||
Still need code from comment 2 to land, then mark fixed?
Assignee | ||
Updated•18 years ago
|
Whiteboard: [checkin needed]
Comment 14•18 years ago
|
||
mozilla/js/src/jsobj.c 3.295
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Comment 15•18 years ago
|
||
Checking in regress-352455.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-352455.js,v <-- regress-352455.js initial revision: 1.1 done
Flags: in-testsuite+
Updated•18 years ago
|
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Comment 17•18 years ago
|
||
As this is blocking1.8.1.1+, please either request approval1.8.1.1 on the current patch or, if needed, attach a branch version of the patch and request approval1.8.1.1 on it.
Assignee | ||
Comment 18•18 years ago
|
||
Comment on attachment 238150 [details] [diff] [review] fix Sorry, I missed this one in the mayhem (maybe didn't get the blocking approval mail somehow?)
Attachment #238150 -
Flags: approval1.8.1.1?
Comment 19•18 years ago
|
||
Comment on attachment 238150 [details] [diff] [review] fix approved for 1.8 branch, a=dveditz for drivers
Attachment #238150 -
Flags: approval1.8.1.1? → approval1.8.1.1+
Comment 21•18 years ago
|
||
20061128 1.8.1.1 windows/linux/mac* browser|shell no longer stops execution but fails to throw the expected Syntax Error. Is this bug considered fixed and the failure to throw Syntax Error a different bug?
Assignee | ||
Comment 22•18 years ago
|
||
Probably need 61911 too?
Comment 23•14 years ago
|
||
I changed the test to set '5' as getter, which is invalid. A regexp is a callable object and thus actually a valid getter/setter value. http://hg.mozilla.org/tracemonkey/rev/dca026286095
You need to log in
before you can comment on or make changes to this bug.
Description
•