Closed
Bug 495962
Opened 16 years ago
Closed 16 years ago
TM: "Assertion failed: p->isQuad()" with "for each" assigning to const (hidden by "with")
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2a1
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
People
(Reporter: jruderman, Assigned: gal)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.06 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
(function () {
const c = 0;
with ({}) {
for each (c in [{}, {}]) {
"" + c;
}
}
})();
Assertion failed: p->isQuad() (../nanojit/Nativei386.cpp:1348)
The "with" prevents the static error "SyntaxError: invalid for/in left-hand side" from occurring (which is what now happens to the testcase in bug 465443), but "c" still refers to the constant.
|
||
Comment 1•16 years ago
|
||
autoBisect shows this is probably related to bug 481989 :
The first bad revision is:
changeset: 25779:4c66b8ccb1b8
user: Andreas Gal
date: Sat Mar 07 01:25:37 2009 -0800
summary: Check for non-stub getters/setters in SETNAME and SETPROP and invoke SetPropHit after setting the property in INITPROP (481989, r=brendan).
|
||
Updated•16 years ago
|
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1-
|
|
||
Updated•16 years ago
|
Flags: blocking1.9.2+
|
|
||
Updated•16 years ago
|
Group: core-security
|
Reporter | |
Comment 2•16 years ago
|
||
This can also lead to incorrect numerical results in a debug build, without asserting, fwiw.
|
|
Reporter | |
Comment 3•16 years ago
|
||
And it can lead to
Assertion failure: !JSVAL_IS_PRIMITIVE(v), at ../jsnum.cpp:921
|
|
Assignee | |
Comment 4•16 years ago
|
||
Why didn't we block on this? (just curious, probably too late now). I will try to take a look over the weekend.
|
|
||
Comment 5•16 years ago
|
||
This should get taken if it has a safe, tested patch and there's a respin or RC2.
/be
|
|
||
Comment 6•16 years ago
|
||
we didn't block on it because it requires "const" and "for each". not likely to be hit on web code.
|
|
Assignee | |
Comment 7•16 years ago
|
||
Needs const in global scope but not for each. Bad bug. Easy fix. Gary just filed a likely dup. Allows address forging. Will upload patch if I find inet.
Assignee: general → gal
Flags: blocking1.9.1- → blocking1.9.1?
Priority: -- → P1
|
|
Assignee | |
Comment 8•16 years ago
|
||
|
|
||
Comment 9•16 years ago
|
||
Comment on attachment 383128 [details] [diff] [review]
patch
Parenthesize & against && and other ops, always (same for |, ^, <<, >> but not unary ops :-P).
/be
Attachment #383128 -
Flags: review+
|
|
Assignee | |
Comment 10•16 years ago
|
||
Pushed to TM.
http://hg.mozilla.org/tracemonkey/rev/0abfb7de22d2
Whiteboard: fixed-in-tracemonkey
|
|
Assignee | |
Comment 12•16 years ago
|
||
Removed dependency. Bug 481989 made us trace here, but the actual problem is unrelated.
No longer blocks: 481989
|
||
Comment 13•16 years ago
|
||
Not blocking but tagging with [3.5RC2?] as per comment 5 and comment 6. Let's get this over to trunk, bien sur.
Flags: wanted1.9.1.x+
Flags: blocking1.9.1?
Flags: blocking1.9.1-
Whiteboard: fixed-in-tracemonkey → fixed-in-tracemonkey [3.5RC2?]
|
|
||
Comment 14•16 years ago
|
||
We're considering taking this as a ridealong for RC, but before we do, need to know what the breadth of effect is here. How much code touches this path? Would we be comfortable shipping this without a full week long RC evaluation period to spot any additional regression? Is there a set of testing we can do to give us additional confidence?
|
|
||
Comment 15•16 years ago
|
||
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
||
Comment 16•16 years ago
|
||
This is a safe and minimal fix, based on identical code nearby that was not factored or copied (as this bug's patch did) to the needed place. This code path is specific to functions containing with, eval, and other such functions, and it also needs a const binding on the activation (Call in SpiderMonkey jargon) object to bite.
So the patch is not going to break any var or other binding, and it does fix the const case.
/be
|
|
||
Comment 17•16 years ago
|
||
Comment on attachment 383128 [details] [diff] [review]
patch
OK, let's take it. Please land on mozilla-1.9.1 asap.
a=beltzner
|
|
||
Comment 18•16 years ago
|
||
No, really, please land on mozilla-1.9.1 asap :) just use CLOSED TREE to get past the closed tree.
|
||
Comment 19•16 years ago
|
||
Pushed to 1.9.1:
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/3554916b3a56
Keywords: fixed1.9.1
|
|
||
Updated•16 years ago
|
Whiteboard: fixed-in-tracemonkey [3.5RC2?] → fixed-in-tracemonkey
|
||
Comment 20•16 years ago
|
||
Jessy, can you verify this bug and that it doesn't occur anymore in RC3? I have problems to reproduce it. Thanks.
Target Milestone: --- → mozilla1.9.2a1
|
|
Reporter | |
Comment 21•16 years ago
|
||
verified1.9.1 using a 1.9.1 branch shell.
If you want to test it in a browser you'll have to use
<script type="text/javascript;version=1.8">
Keywords: fixed1.9.1 → verified1.9.1
|
||
Updated•16 years ago
|
Group: core-security
|
|
||
Comment 22•16 years ago
|
||
Mass change: adding fixed1.9.2 keyword
(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
|
|
||
Updated•16 years ago
|
status1.9.2:
--- → beta1-fixed
Keywords: fixed1.9.2
|
||
Comment 23•12 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•