Note: There are a few cases of duplicates in user autocompletion which are being worked on.

"invalid getter usage" or assertion failure with "var x; x getter= function () { };"

VERIFIED FIXED in mozilla1.9

Status

()

Core
JavaScript Engine
P2
critical
VERIFIED FIXED
11 years ago
9 years ago

People

(Reporter: Jesse Ruderman, Assigned: Igor Bukanov)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
mozilla1.9
assertion, crash, testcase, verified1.8.1.15, verified1.8.1.16
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9 +
blocking1.8.1.15 +
blocking1.8.1.16 +
wanted1.8.1.x +
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(5 attachments, 1 obsolete attachment)

(Reporter)

Description

11 years ago
js> (function() { var x; x getter= function () { }; })()

Opt: 
  typein:1: SyntaxError: invalid getter usage
  (Why?)

Debug: 
  Assertion failure: 0, at jsinterp.c:5128
JSOP_GETTER and JSOP_SETTER don't handle the optimized forms (getarg, getvar, getlocal, etc). My first inclination is to deoptimize variables (introduced by let or var) that have getters stuck on them, and treat them as name lookups from the point of the getter onwards. This would involve grabbing the scope chain for let variables (and somehow making sure that we don't accidentally bind the name to the slot again in that scope).

The "invalid getter usage" is because we never set rval in the JSOP_GETTER case, and it happens to contain a primitive value when we run that code.
(Reporter)

Updated

10 years ago
No longer blocks: 349611
(Reporter)

Updated

10 years ago
Blocks: 349611
(Reporter)

Comment 2

10 years ago
This assertion failure is one of the more frequent for jsfunfuzz to hit nowadays.

Comment 3

10 years ago
The procedure in comment 1 sounds like a lot of work just to make the fuzzer happy about a language construct that was deprecated over seven years ago. I'd like to point out that so far there hasn't been a single bug filed about the fact that specifying getters or setters for local variables or function arguments doesn't work at all. Wouldn't the better way to fix this bug be to finally remove support for [g|s]etter= , or even [g|s]etter altogether?
Keywords: assertion
OS: Mac OS X → All
Hardware: Macintosh → All
Summary: "invalid getter usage" or assertion faiure with "var x; x getter= function () { };" → "invalid getter usage" or assertion failure with "var x; x getter= function () { };"

Updated

10 years ago
Assignee: general → brendan
Flags: blocking1.9+
Priority: -- → P1
Target Milestone: --- → mozilla1.9beta4
Brendan: blocking1.9 with a target milestone of beta4 means that this blocks shipment of beta4. If you don't think that's necessary, please change the TM to "mozilla1.9".

Updated

10 years ago
Status: NEW → ASSIGNED
Target Milestone: mozilla1.9beta4 → mozilla1.9
(Assignee)

Comment 5

10 years ago
Brendan: I can take this to create a patch that throws a syntax error at the compile time for var getter and friends.
Igor, thanks.

/be
Assignee: brendan → igor
Status: ASSIGNED → NEW
Does this bug require a beta vector or is it safe to ship in an RC?  Just want to make sure it's on the right list.
(Reporter)

Comment 8

10 years ago
jsfunfuzz hits this about once an hour, but it doesn't really need to be a Gecko 1.9 blocker.

Comment 9

10 years ago
Based on comment 8 taking off the list...
Flags: blocking1.9+ → blocking1.9-
(Assignee)

Comment 10

10 years ago
Created attachment 311242 [details] [diff] [review]
v1

The patch changes the emitter to throw an exception when it detects unsupported getter/setter usage.
Attachment #311242 - Flags: review?(brendan)
(Assignee)

Comment 11

10 years ago
Marking the bug as security sensitive as the bug effectively means misinterpreting the values on the stack. On 1.8 branch the bug is also a GC hazard.  
Group: security
(Assignee)

Comment 12

10 years ago
Nominating for 1.9 as this is security hazard.
Flags: blocking1.9- → blocking1.9?
Flags: blocking1.9? → blocking1.9+
Priority: P1 → P2
Comment on attachment 311242 [details] [diff] [review]
v1

Thanks (especially for that second hunk -- not sure what I was thinking there!).

/be
Attachment #311242 - Flags: review?(brendan) → review+

Updated

10 years ago
Attachment #311242 - Flags: approval1.9b5?
Comment on attachment 311242 [details] [diff] [review]
v1

a=beltzner
Attachment #311242 - Flags: approval1.9b5? → approval1.9b5+
(Assignee)

Comment 15

10 years ago
I checked in the patch from the comment 10 to the trunk:

http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1206365580&maxdate=1206365632&who=igor%25mir2.org
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Comment 16

10 years ago
Nominating for 1.8 branch
Flags: blocking1.8.1.14?
Whiteboard: [sg:critical?]

Comment 17

9 years ago
Created attachment 312526 [details]
js1_5/extensions/regress-356378.js

Updated

9 years ago
Flags: in-testsuite+
Flags: in-litmus-

Comment 18

9 years ago
v 1.9.0
Status: RESOLVED → VERIFIED
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15?
Flags: blocking1.8.1.15+
(Assignee)

Comment 19

9 years ago
Created attachment 322858 [details] [diff] [review]
fix for 18 branch

The patch is straightforward backport to 1.8 branch
Attachment #322858 - Flags: review?(brendan)
(Assignee)

Comment 20

9 years ago
Created attachment 322860 [details]
diff between 1.9 and 1.8 versions of the fix
Comment on attachment 322858 [details] [diff] [review]
fix for 18 branch

Thanks, looks good.

/be
Attachment #322858 - Flags: review?(brendan)
Attachment #322858 - Flags: review+
Attachment #322858 - Flags: approval1.8.1.15?
Comment on attachment 322858 [details] [diff] [review]
fix for 18 branch

Approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #322858 - Flags: approval1.8.1.15? → approval1.8.1.15+
(Assignee)

Comment 23

9 years ago
I checked in the patch from the comment 19 to the MOZILLA_1_8_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.76; previous revision: 3.128.2.75
done
Keywords: fixed1.8.1.15

Comment 24

9 years ago
On the 1.8.1 branch the original assert reported in comment 0 is gone but there is a new one:

on  2008-06-05 the assert was

Assertion failure: op2 == JSOP_INITELEM, at jsinterp.c:5132

on 2008-06-08 the assert changed to 

Assertion failure: !ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT, at jsscan.c:572

removed fixed1.8.1.15 or file a different bug?


(Assignee)

Comment 25

9 years ago
(In reply to comment #24)
> removed fixed1.8.1.15 or file a different bug?

This is the result of the bad backport: I did not see the bug with the standalone testcase from the commnet 1, only the full test case exposes it. The bug is that I have used:

                js_ReportCompileErrorNumber(cx,
                                            pn2, JSREPORT_ERROR,
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                            JSMSG_BAD_GETTER_OR_SETTER,
                                            (op == JSOP_GETTER)
                                            ? js_getter_str
                                            : js_setter_str);


when it should be:

                js_ReportCompileErrorNumber(cx,
                                            pn2, JSREPORT_PN | JSREPORT_ERROR,
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                            JSMSG_BAD_GETTER_OR_SETTER,
                                            (op == JSOP_GETTER)
                                            ? js_getter_str
                                            : js_setter_str);

The result of this regression is the reinterpretation of JSParseNode as JSTokenStream. If it is not too late I would like to back out the patch and check in the proper fix.
Keywords: fixed1.8.1.15
We're going to take this on the relbranch for 1.8.1.15. Details to follow. Marking this as blocking1.8.1.16 so we make sure we get it in both places.
Flags: blocking1.8.1.16+
(Assignee)

Comment 27

9 years ago
Created attachment 324843 [details] [diff] [review]
one-liner fix for 1.8.1 regression

This is trivial correctness fix for the regression. The current plan is to land it to 1.8.1.15 release branch, then back out the broken fix from 1.8.1, then create a new patch with the fix included, and then check it in to 1.8.1 branch.
Attachment #324843 - Flags: review+
Comment on attachment 324843 [details] [diff] [review]
one-liner fix for 1.8.1 regression

approved for 1.8.1.15, a=dveditz for release-drivers

Since we've already branched for release this will need to land on BOTH the MOZILLA_1_8_BRANCH and GECKO181_20080612_RELBRANCH. when landed please add both fixed1.8.1.15 and fixed1.8.1.16 so we can track and QA both builds.
Attachment #324843 - Flags: approval1.8.1.16+
Attachment #324843 - Flags: approval1.8.1.15+
(Assignee)

Comment 29

9 years ago
I checked in the one-liner patch from the comment 27 to GECKO181_20080612_RELBRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.77.2.1; previous revision: 3.128.2.77
done
Keywords: fixed1.8.1.15
(Assignee)

Comment 30

9 years ago
I backed out the patch from the comment 19 from MOZILLA_1_8_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.78; previous revision: 3.128.2.77
done
(Assignee)

Comment 31

9 years ago
Created attachment 324847 [details] [diff] [review]
fix for 18 branch with the extra regression fix included

Here comes a patch that I should create in the first place for MOZILLA_1_8_BRANCH
Attachment #322858 - Attachment is obsolete: true
Attachment #324847 - Flags: review+
(Assignee)

Comment 32

9 years ago
I re-landed the update patch from the comment 31 to MOZILLA_1_8_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.79; previous revision: 3.128.2.78
done
Keywords: fixed1.8.1.16

Comment 33

9 years ago
js1_5/extensions/regress-356378.js passed on GECKO181_20080612_RELBRANCH and MOZILLA_1_8_BRANCH on linux for shell|browser, opt|debug

verified1.8.1.15, verified1.8.1.16

Keywords: fixed1.8.1.15, fixed1.8.1.16 → verified1.8.1.15, verified1.8.1.16
Comment on attachment 324847 [details] [diff] [review]
fix for 18 branch with the extra regression fix included

>Index: jsemit.c

>+            // FALL THROUGH
Someone pointed out in one of the newsgroups that this isn't valid C.
What's invalid about it?  C permits inter-case fall-through, and always has.  I'm pretty sure they didn't make it illegal in C99, since huge amounts of code would break.  (C99 also introduces C++-style //-to-EOL comments, if that's what you're referring to.)

Comment 36

9 years ago
It would, though, be the only use of a C99/C++-style comment anywhere in spidermonkey.  There must have once been a reason for this prevailing style?  Perhaps we should adhere to it, at least for non-mozilla-central-only patches?
Yeah, there was once a goal of compiling with C compilers that didn't support that comment syntax; I don't think that goal remains (nor could I easily name such a compiler with which we currently compile otherwise).  Still just guessing what Neil was referring to, of course. :)
Attachment #324843 - Flags: approval1.8.1.17+ → approval1.8.1.16+
Group: security
Keywords: verified1.8.1.17 → verified1.8.1.16

Comment 38

9 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-356378.js,v  <--  regress-356378.js
initial revision: 1.1

changeset:   15652:59d04267975b

Flags: blocking1.8.1.17+ → blocking1.8.1.16+
Blocks: 435497
(In reply to comment #35)
> What's invalid about it?  C permits inter-case fall-through, and always has. 
> I'm pretty sure they didn't make it illegal in C99, since huge amounts of code
> would break.  (C99 also introduces C++-style //-to-EOL comments, if that's what
> you're referring to.)

MOZILLA_1_8_BRANCH is still supported on pre-C99 compiler as VisualAge 5.0.2+fixes on AIX 4.3.3 or older HP-UX compilers.
see bug 450865
GCC and MSVC are accepting C++ style for decades, but that's not ANSI C89 conforming.

You need to log in before you can comment on or make changes to this bug.