"delete (0 ? 3 : x())" causes "Assertion failure: pn2->pn_op == JSOP_SETCALL"

VERIFIED FIXED in mozilla1.9alpha1

Status

Core
JavaScript Engine
P2
critical
VERIFIED FIXED
11 years ago
11 years ago

People

(Reporter: Jesse Ruderman, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, {crash, testcase, verified1.8.1.1})

Trunk
mozilla1.9alpha1
crash, testcase, verified1.8.1.1
Bug Flags:
blocking1.8.1.1 +
in-testsuite +


Details

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
js> delete (0 ? 3 : x())

Debug jsshell:
  Assertion failure: pn2->pn_op == JSOP_SETCALL, at jsemit.c:5702
  (abort)

Opt jsshell:
  warning: internal error compiling typein: stack underflow at pc 7
  warning: internal error compiling typein: stack underflow at pc 8
  warning: internal error compiling typein: stack underflow at pc 9
  (hang)

Marking security-sensitive for now because I don't know how bad the opt behavior is.
(Reporter)

Updated

11 years ago
Severity: normal → critical
(Assignee)

Comment 1

11 years ago
Created attachment 244493: Move pn_op forcing into jsemit

The parser tries to ensure that calls under delete are JSOP_SETCALL, but it can't because of constant folding and the like. This patch moves the JSOP_SETCALLing into jsemit.c. There are other ways to fix this, but this seemed like the minimal one.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #244493 - Flags: review?(brendan)
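Added example, not the regression test attached to this bug and not any SpiderMonkey code: a small JavaScript check of the semantics the description and Comment 1 describe. The parser folds `0 ? 3 : x()` to `x()`, and the bug was that the emitter then expected the call node to already carry JSOP_SETCALL. A correct engine must evaluate the call (the side effect happens) and, since the operand is not a property reference, `delete` yields `true`, without crashing or hanging. The helper `x` and the counter are constructed for the example; the runtime-conditional variant goes beyond the page's single input to show that folded and unfolded forms must agree.

```javascript
// Added example (constructed, not the page's regress-356693.js).
// The folded case from the bug report: `0 ? 3 : x()` is constant-folded to
// `x()` at parse time, so the emitter sees a call node under `delete`.
function deleteFoldedConditional() {
  let calls = 0;
  // x is a constructed helper that records that it was actually invoked.
  function x() { calls += 1; return 42; }
  const result = delete (0 ? 3 : x());
  return { result, calls };
}

// Same expression with a test the parser cannot fold. In a correct engine
// both forms agree: the call runs only when the branch is taken, and the
// delete of a non-reference value always yields true.
function deleteRuntimeConditional(cond) {
  let calls = 0;
  function x() { calls += 1; return 42; }
  const result = delete (cond ? 3 : x());
  return { result, calls };
}

// For contrast, delete applied to a real property reference: it yields true
// and actually removes the property, which the rvalue case above never does.
function deleteProperty() {
  const o = { a: 1 };
  const result = delete o.a;
  return { result, hasA: Object.prototype.hasOwnProperty.call(o, "a") };
}
```

Running this in a fixed shell prints nothing and returns `{ result: true, calls: 1 }` for the folded case; an engine with the original defect would abort on the assertion (debug) or report stack underflow and hang (opt) before any value is produced, which is what makes the expression a useful regression check.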
(Assignee)

Updated

11 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P2
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 244493: Move pn_op forcing into jsemit

Having the correct pn_op in the AST seems better, but this is a fix for now, and the longer-term fix of unifying constant folding and other optimizations (useless expression elimination, delete-of-rvalue rewriting) will take a while.

/be
Attachment #244493 - Flags: review?(brendan)
Attachment #244493 - Flags: review+
Attachment #244493 - Flags: approval1.8.1.1?

Updated

11 years ago
Blocks: 355044
Flags: blocking1.8.1.1?
(Assignee)

Comment 3

11 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 4

11 years ago
Created attachment 244862: js1_5/Regress/regress-356693.js

Updated

11 years ago
Flags: in-testsuite+

Comment 5

11 years ago
verified fixed 1.9 2006110700 windows/linux.
Status: RESOLVED → VERIFIED
Do we need this on 1.8.0, or is it part of the js1.7 stuff?
Flags: blocking1.8.1.1? → blocking1.8.1.1+
WFM in 1.8.0.

/be
Summary: "delete (0 ? 3 : x())" causes "Assertion failure: pn2->pn_op == JSOP_SETCALL" → " " causes "Assertion failure: pn2->pn_op == JSOP_SETCALL"
(Reporter)

Updated

11 years ago
Summary: " " causes "Assertion failure: pn2->pn_op == JSOP_SETCALL" → "delete (0 ? 3 : x())" causes "Assertion failure: pn2->pn_op == JSOP_SETCALL"
Comment on attachment 244493: Move pn_op forcing into jsemit

approved for 1.8 branch, a=dveditz for drivers

Is this actually a security problem, or just a bug?
Attachment #244493 - Flags: approval1.8.1.1? → approval1.8.1.1+
(Assignee)

Comment 9

11 years ago
Fixed on the 1.8.1 branch.
Keywords: fixed1.8.1.1

Comment 10

11 years ago
verified fixed 20061125 1.8.1.1 windows/linux/mac*, 1.9 windows/linux. note test passes 1.8.0.9.
Keywords: fixed1.8.1.1 → verified1.8.1.1
Group: security

Comment 11

11 years ago
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-356693.js,v  <--  regress-356693.js
(Reporter)

Updated

11 years ago
No longer blocks: 349611
(Reporter)

Updated

11 years ago
Blocks: 349611