Bug 416834 - Assertion failure after deleting eval 16 times
Status: Closed, VERIFIED FIXED
Opened 17 years ago; closed 17 years ago
Component: Core :: JavaScript Engine (defect)
Reporter: jruderman; Assignee: mrbkap
Keywords: assertion, testcase
Attachments (2 files, 1 obsolete file): 2.26 KB, text/plain; 1.74 KB, patch (brendan: review+; beltzner: approval1.9+)

Description:
this.__proto__.x = eval;
for (i = 0; i < 16; ++i) delete eval;
(function w() { x = 1; })();
triggers
Assertion failure: !entry || entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1) ? (jsbytecode *) JSID_TO_ATOM(id) : cx->fp->pc), at jsobj.c:3423
Comment 1 (reporter, 17 years ago):
The assertion condition changed in bug 421274. The testcase in this bug still triggers the assertion.
Assertion failure: entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1) ? (jsbytecode *) JSID_TO_ATOM(id) : cx->fp->regs->pc), at jsobj.c:3477
Comment 2 (reporter, 17 years ago):
See bug 424311 for another way to trigger this assertion.
Comment 3 (17 years ago):
The shell uses JS_ResolveStandardClass even when JSRESOLVE_ASSIGNING, which is a bug, but not the bug. This means each delete eval reference will resolve the 'eval' identifier via the JSOP_BINDNAME bytecode. This somehow results in a 16-deep prototype chain being created. I didn't have time to debug fully, but it appeared as though js_InitFunctionAndObjectClasses etc. were not suppressing recursion or otherwise being idempotent as before.
Igor, could the function changes have broken how JSProto_Function is initialized?
/be
Comment 4 (reporter, 17 years ago):
WFM.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Comment 5 (17 years ago):
BUGNUMBER: 416834
STATUS: Do not assert: !entry || entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1) ? (jsbytecode *) JSID_TO_ATOM(id) : cx->fp->pc)
Assertion failure: entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1) ? (jsbytecode *) JSID_TO_ATOM(id) : cx->fp->regs->pc), at jsobj.c:3491
Aborted
Updated (17 years ago):
Status: RESOLVED → REOPENED
Flags: blocking1.9?
Resolution: WORKSFORME → ---
Updated (17 years ago):
Assignee: general → igor
Status: REOPENED → NEW
Comment 6 (17 years ago):
Why would someone delete eval 16 times? Do we know if this is exploitable? Does this only happen if you are fuzzing?
Need more info here if we're to block on this.
Flags: blocking1.9? → blocking1.9-
Comment 7 (17 years ago):
Marking this blocking 1.9 as it should definitely block final based on conversation with Brendan.
Flags: blocking1.9- → blocking1.9+
Comment 8 (17 years ago):
I don't understand this code well enough to know whether this is simply wallpaper or not. It does fix the assertion.
Attachment #314597 - Flags: review?(brendan)
Comment 9 (assignee, 17 years ago):
This is an alternative that avoids the assertion. It adds the entry nulling into the most central place.
Assignee: igor → mrbkap
Attachment #314597 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #314626 - Flags: review?(brendan)
Attachment #314597 - Flags: review?(brendan)
Comment 10 (17 years ago):
If we're choosing wallpaper, I think I like mrbkap's better. :)
Comment 11 (17 years ago):
Comment on attachment 314626 (Alternative):
Yeah, my bad -- thanks for fixing. Safe 1.9-ready fix.
/be
Attachment #314626 - Flags: review?(brendan)
Attachment #314626 - Flags: review+
Attachment #314626 - Flags: approval1.9?
Comment 12 (17 years ago):
Comment on attachment 314626 (Alternative):
a1.9=beltzner
Attachment #314626 - Flags: approval1.9? → approval1.9+
Updated by assignee (17 years ago):
Keywords: checkin-needed
Comment 13 (17 years ago):
jsinterp.c:3.490
Status: ASSIGNED → RESOLVED
Closed: 17 years ago → 17 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Comment 14 (reporter, 17 years ago):
Patch for the underlying problem in bug 428366.
Comment 15 (17 years ago):
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-416834.js,v <-- regress-416834.js
initial revision: 1.1
Flags: in-testsuite?
Flags: in-testsuite+
Flags: in-litmus-
Comment 17 (17 years ago):
/cvsroot/mozilla/js/tests/public-failures.txt,v <-- public-failures.txt
new revision: 1.68; previous revision: 1.67