Closed Bug 356378 Opened 14 years ago Closed 12 years ago

"invalid getter usage" or assertion failure with "var x; x getter= function () { };"

Categories

(Core :: JavaScript Engine, defect, P2, critical)

defect

Tracking

()

VERIFIED FIXED
mozilla1.9

People

(Reporter: jruderman, Assigned: igor)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [sg:critical?])

Attachments

(5 files, 1 obsolete file)

js> (function() { var x; x getter= function () { }; })()

Opt: 
  typein:1: SyntaxError: invalid getter usage
  (Why?)

Debug: 
  Assertion failure: 0, at jsinterp.c:5128
JSOP_GETTER and JSOP_SETTER don't handle the optimized forms (getarg, getvar, getlocal, etc). My first inclination is to deoptimize variables (introduced by let or var) that have getters stuck on them, and treat them as name lookups from the point of the getter onwards. This would involve grabbing the scope chain for let variables (and somehow making sure that we don't accidentally bind the name to the slot again in that scope).

The "invalid getter usage" is because we never set rval in the JSOP_GETTER case, and it happens to contain a primitive value when we run that code.
No longer blocks: 349611
Blocks: 349611
This assertion failure is one of the more frequent for jsfunfuzz to hit nowadays.
The procedure in comment 1 sounds like a lot of work just to make the fuzzer happy about a language construct that was deprecated over seven years ago. I'd like to point out that so far there hasn't been a single bug filed about the fact that specifying getters or setters for local variables or function arguments doesn't work at all. Wouldn't the better way to fix this bug be to finally remove support for [g|s]etter= , or even [g|s]etter altogether?
Keywords: assertion
OS: Mac OS X → All
Hardware: Macintosh → All
Summary: "invalid getter usage" or assertion faiure with "var x; x getter= function () { };" → "invalid getter usage" or assertion failure with "var x; x getter= function () { };"
Assignee: general → brendan
Flags: blocking1.9+
Priority: -- → P1
Target Milestone: --- → mozilla1.9beta4
Brendan: blocking1.9 with a target milestone of beta4 means that this blocks shipment of beta4. If you don't think that's necessary, please change the TM to "mozilla1.9".
Status: NEW → ASSIGNED
Target Milestone: mozilla1.9beta4 → mozilla1.9
Brendan: I can take this to create a patch that throws a syntax error at the compile time for var getter and friends.
Igor, thanks.

/be
Assignee: brendan → igor
Status: ASSIGNED → NEW
Does this bug require a beta vector or is it safe to ship in an RC?  Just want to make sure it's on the right list.
jsfunfuzz hits this about once an hour, but it doesn't really need to be a Gecko 1.9 blocker.
Based on comment 8 taking off the list...
Flags: blocking1.9+ → blocking1.9-
Attached patch v1Splinter Review
The patch changes the emitter to throw an exception when it detects unsupported getter/setter usage.
Attachment #311242 - Flags: review?(brendan)
Marking the bug as security sensitive as the bug effectively means misinterpreting the values on the stack. On 1.8 branch the bug is also a GC hazard.  
Group: security
Nominating for 1.9 as this is security hazard.
Flags: blocking1.9- → blocking1.9?
Flags: blocking1.9? → blocking1.9+
Priority: P1 → P2
Comment on attachment 311242 [details] [diff] [review]
v1

Thanks (especially for that second hunk -- not sure what I was thinking there!).

/be
Attachment #311242 - Flags: review?(brendan) → review+
Attachment #311242 - Flags: approval1.9b5?
Comment on attachment 311242 [details] [diff] [review]
v1

a=beltzner
Attachment #311242 - Flags: approval1.9b5? → approval1.9b5+
I checked in the patch from the comment 10 to the trunk:

http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1206365580&maxdate=1206365632&who=igor%25mir2.org
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Nominating for 1.8 branch
Flags: blocking1.8.1.14?
Whiteboard: [sg:critical?]
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.0
Status: RESOLVED → VERIFIED
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15?
Flags: blocking1.8.1.15+
Attached patch fix for 18 branch (obsolete) — Splinter Review
The patch is straightforward backport to 1.8 branch
Attachment #322858 - Flags: review?(brendan)
Comment on attachment 322858 [details] [diff] [review]
fix for 18 branch

Thanks, looks good.

/be
Attachment #322858 - Flags: review?(brendan)
Attachment #322858 - Flags: review+
Attachment #322858 - Flags: approval1.8.1.15?
Comment on attachment 322858 [details] [diff] [review]
fix for 18 branch

Approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #322858 - Flags: approval1.8.1.15? → approval1.8.1.15+
I checked in the patch from the comment 19 to the MOZILLA_1_8_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.76; previous revision: 3.128.2.75
done
Keywords: fixed1.8.1.15
On the 1.8.1 branch the original assert reported in comment 0 is gone but there is a new one:

on  2008-06-05 the assert was

Assertion failure: op2 == JSOP_INITELEM, at jsinterp.c:5132

on 2008-06-08 the assert changed to 

Assertion failure: !ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT, at jsscan.c:572

removed fixed1.8.1.15 or file a different bug?


(In reply to comment #24)
> removed fixed1.8.1.15 or file a different bug?

This is the result of the bad backport: I did not see the bug with the standalone testcase from the commnet 1, only the full test case exposes it. The bug is that I have used:

                js_ReportCompileErrorNumber(cx,
                                            pn2, JSREPORT_ERROR,
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                            JSMSG_BAD_GETTER_OR_SETTER,
                                            (op == JSOP_GETTER)
                                            ? js_getter_str
                                            : js_setter_str);


when it should be:

                js_ReportCompileErrorNumber(cx,
                                            pn2, JSREPORT_PN | JSREPORT_ERROR,
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                            JSMSG_BAD_GETTER_OR_SETTER,
                                            (op == JSOP_GETTER)
                                            ? js_getter_str
                                            : js_setter_str);

The result of this regression is the reinterpretation of JSParseNode as JSTokenStream. If it is not too late I would like to back out the patch and check in the proper fix.
Keywords: fixed1.8.1.15
We're going to take this on the relbranch for 1.8.1.15. Details to follow. Marking this as blocking1.8.1.16 so we make sure we get it in both places.
Flags: blocking1.8.1.16+
This is trivial correctness fix for the regression. The current plan is to land it to 1.8.1.15 release branch, then back out the broken fix from 1.8.1, then create a new patch with the fix included, and then check it in to 1.8.1 branch.
Attachment #324843 - Flags: review+
Comment on attachment 324843 [details] [diff] [review]
one-liner fix for 1.8.1 regression

approved for 1.8.1.15, a=dveditz for release-drivers

Since we've already branched for release this will need to land on BOTH the MOZILLA_1_8_BRANCH and GECKO181_20080612_RELBRANCH. when landed please add both fixed1.8.1.15 and fixed1.8.1.16 so we can track and QA both builds.
Attachment #324843 - Flags: approval1.8.1.16+
Attachment #324843 - Flags: approval1.8.1.15+
I checked in the one-liner patch from the comment 27 to GECKO181_20080612_RELBRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.77.2.1; previous revision: 3.128.2.77
done
Keywords: fixed1.8.1.15
I backed out the patch from the comment 19 from MOZILLA_1_8_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.78; previous revision: 3.128.2.77
done
Here comes a patch that I should create in the first place for MOZILLA_1_8_BRANCH
Attachment #322858 - Attachment is obsolete: true
Attachment #324847 - Flags: review+
I re-landed the update patch from the comment 31 to MOZILLA_1_8_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.79; previous revision: 3.128.2.78
done
Keywords: fixed1.8.1.16
js1_5/extensions/regress-356378.js passed on GECKO181_20080612_RELBRANCH and MOZILLA_1_8_BRANCH on linux for shell|browser, opt|debug

verified1.8.1.15, verified1.8.1.16

Comment on attachment 324847 [details] [diff] [review]
fix for 18 branch with the extra regression fix included

>Index: jsemit.c

>+            // FALL THROUGH
Someone pointed out in one of the newsgroups that this isn't valid C.
What's invalid about it?  C permits inter-case fall-through, and always has.  I'm pretty sure they didn't make it illegal in C99, since huge amounts of code would break.  (C99 also introduces C++-style //-to-EOL comments, if that's what you're referring to.)
It would, though, be the only use of a C99/C++-style comment anywhere in spidermonkey.  There must have once been a reason for this prevailing style?  Perhaps we should adhere to it, at least for non-mozilla-central-only patches?
Yeah, there was once a goal of compiling with C compilers that didn't support that comment syntax; I don't think that goal remains (nor could I easily name such a compiler with which we currently compile otherwise).  Still just guessing what Neil was referring to, of course. :)
Attachment #324843 - Flags: approval1.8.1.17+ → approval1.8.1.16+
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-356378.js,v  <--  regress-356378.js
initial revision: 1.1

changeset:   15652:59d04267975b

Flags: blocking1.8.1.17+ → blocking1.8.1.16+
(In reply to comment #35)
> What's invalid about it?  C permits inter-case fall-through, and always has. 
> I'm pretty sure they didn't make it illegal in C99, since huge amounts of code
> would break.  (C99 also introduces C++-style //-to-EOL comments, if that's what
> you're referring to.)

MOZILLA_1_8_BRANCH is still supported on pre-C99 compiler as VisualAge 5.0.2+fixes on AIX 4.3.3 or older HP-UX compilers.
see bug 450865
GCC and MSVC are accepting C++ style for decades, but that's not ANSI C89 conforming.

You need to log in before you can comment on or make changes to this bug.