Closed Bug 353078 Opened 18 years ago Closed 18 years ago

"Assertion failure: top < ss->printer->script->depth" with bogus toString, map, split

Categories

(Core :: JavaScript Engine, defect)

PowerPC
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: crash, Whiteboard: post 1.8-branch)

Attachments

(1 file)

With "prep patch for plan A, v7b" in bug 346642:

js> this.toString = function() { return {}; }; p = [11].map('foo'.split);
Assertion failure: top < ss->printer->script->depth, at jsopcode.c:792
Brendan fixed this yesterday around 3pm (so in v8, I guess).  v9d was checked into trunk around 4am.

[3:03pm] brendan: js>  this.toString = function() { return {}; }; p = [11].map('foo'.split);
[3:03pm] brendan: typein:1: TypeError: can't convert global to string
[3:03pm] brendan: fixed
[3:03pm] Jesse_: is that what the error message should be?
[3:03pm] Jesse_: (can you explain why it's trying to convert the global to string?)
[3:03pm] brendan: sure
[3:03pm] brendan: split is a method
[3:04pm] brendan: it operates on its |this| param
[3:04pm] brendan: map passes the global unless you pass an explicit |this| for it to use
[3:04pm] Jesse_: ok
[3:05pm] Jesse_: and it's a string method, so of course it tries to treat its |this| as a string
[3:05pm] Jesse_: didn't know you can pass an explicit |this| with map
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
assert not reproducible on 1.8
Flags: in-testsuite+
(In reply to comment #2)
> Created an attachment (id=239172) [edit]
> js1_6/Regress/regress-353078.js
> 

passes in the shell but in the browser it fails because it does not throw the type error:TypeError: can't convert global to string. I tried moving it to top level but it doesn't change the result.
Strange:

javascript:this.toString = function() { return {}; }; alert(this);
[object Window]

js> this.toString = function() { return {}; }; this
can't convert global to string
(In reply to comment #4)
> Strange:
> 
> javascript:this.toString = function() { return {}; }; alert(this);
> [object Window]

The set-property on the outer window denoted by |this| forwards to the inner window, but the alert(this) seems to be using the outer window's toString, or something else is going on.  But it's inner and outer at work here, I'll bet.  Cc'ing jst.

> js> this.toString = function() { return {}; }; this
> can't convert global to string

The shell lacks inner and outer windows.

/be

verified fixed 1.9 20060921 windows/mac*/linux because no assert but still have the issue with the lack of TypeError in the browser. jst?
Status: RESOLVED → VERIFIED
jst: ping?
Whiteboard: post 1.8-branch
Group: security
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-353078.js,v  <--  regress-353078.js
initial revision: 1.1
modify test to only fail in the event of a crash.
http://hg.mozilla.org/tracemonkey/rev/756431f83427

/cvsroot/mozilla/js/tests/js1_6/Regress/regress-353078.js,v  <--  regress-353078.js
new revision: 1.3; previous revision: 1.2
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: