Closed Bug 356693 Opened 18 years ago Closed 18 years ago

"delete (0 ? 3 : x())" causes "Assertion failure: pn2->pn_op == JSOP_SETCALL"

Categories: Core :: JavaScript Engine, defect, P2
Status: VERIFIED FIXED
Target milestone: mozilla1.9alpha1
Reporter: jruderman; Assigned: mrbkap
Keywords: crash, testcase, verified1.8.1.1
Attachments: 2 files

js> delete (0 ? 3 : x())

Debug jsshell:
Assertion failure: pn2->pn_op == JSOP_SETCALL, at jsemit.c:5702
(abort)

Opt jsshell:
warning: internal error compiling typein: stack underflow at pc 7
warning: internal error compiling typein: stack underflow at pc 8
warning: internal error compiling typein: stack underflow at pc 9
(hang)

Marking security-sensitive for now because I don't know how bad the opt behavior is.
Severity: normal → critical
The parser tries to ensure that calls under delete are JSOP_SETCALL, but it can't because of constant folding and the like. This patch moves the JSOP_SETCALLing into jsemit.c. There are other ways to fix this, but this seemed like the minimal one.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #244493 - Flags: review?(brendan)
OS: Mac OS X 10.4 → All
Priority: -- → P2
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
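A regression-style check for the semantics the testcase above exercises, added here as an example and not the bug's own regress-356693.js: whichever way the parser or constant folder rewrites the expression, `delete` of a call result must invoke the callee the expected number of times and evaluate to true (delete of a non-reference yields true), rather than tripping the compiler. The case labels and the `makeCounter` helper are assumptions for the example.

```javascript
// Builds a callee that records how many times it was invoked, so each
// case can check that constant folding neither drops nor duplicates the
// call hidden under `delete`.
function makeCounter() {
  let calls = 0;
  return {
    x() { calls += 1; return 3; },
    count() { return calls; },
  };
}

// Each case: label, a thunk evaluating the delete expression against a
// fresh counter, and how many times x() must have been called afterwards.
function runCases() {
  const cases = [
    // the original testcase: a foldable conditional that selects the call
    ["folded-false", (c) => delete (0 ? 3 : c.x()), 1],
    // folded the other way: the call sits in the dead branch, never runs
    ["folded-true", (c) => delete (1 ? 3 : c.x()), 0],
    // non-constant condition: same shape, nothing for the folder to remove
    ["dynamic", (c) => delete (c.count() === 0 ? c.x() : 3), 1],
    // delete of a bare call, the case the parser already marked itself
    ["bare-call", (c) => delete c.x(), 1],
    // the call reached through a comma expression
    ["comma", (c) => delete (3, c.x()), 1],
  ];
  const results = {};
  for (const [label, thunk, expectedCalls] of cases) {
    const c = makeCounter();
    const value = thunk(c);
    results[label] = {
      value,
      calls: c.count(),
      ok: value === true && c.count() === expectedCalls,
    };
  }
  return results;
}
```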
Comment on attachment 244493 (Move pn_op forcing into jsemit):

Having the correct pn_op in the AST seems better, but this is a fix for now, and the longer-term fix of unifying constant folding and other optimizations (useless expression elimination, delete-of-rvalue rewriting) will take a while. /be
Attachment #244493 - Flags: review?(brendan)
Attachment #244493 - Flags: review+
Attachment #244493 - Flags: approval1.8.1.1?
Blocks: js1.7src
Flags: blocking1.8.1.1?
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
verified fixed 1.9 2006110700 windows/linux.
Status: RESOLVED → VERIFIED
Do we need this on 1.8.0, or is it part of the js1.7 stuff?
Flags: blocking1.8.1.1? → blocking1.8.1.1+
WFM in 1.8.0. /be
Summary: "delete (0 ? 3 : x())" causes "Assertion failure: pn2->pn_op == JSOP_SETCALL" → " " causes "Assertion failure: pn2->pn_op == JSOP_SETCALL"
Summary: " " causes "Assertion failure: pn2->pn_op == JSOP_SETCALL" → "delete (0 ? 3 : x())" causes "Assertion failure: pn2->pn_op == JSOP_SETCALL"
Comment on attachment 244493 (Move pn_op forcing into jsemit):

Approved for 1.8 branch, a=dveditz for drivers. Is this actually a security problem, or just a bug?
Attachment #244493 - Flags: approval1.8.1.1? → approval1.8.1.1+
Fixed on the 1.8.1 branch.
Keywords: fixed1.8.1.1
verified fixed 20061125 1.8.1.1 windows/linux/mac*, 1.9 windows/linux. note test passes 1.8.0.9.
Group: security
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-356693.js,v <-- regress-356693.js