Bug 532491 - "Assertion failure: staticLevel == script->staticLevel, at ../jsobj.cpp" with eval
Opened 15 years ago, closed 15 years ago
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
Status: VERIFIED FIXED

Branch | Tracking | Status
---|---|---
status1.9.2 | --- | final-fixed
status1.9.1 | --- | unaffected
People
(Reporter: gkw, Assigned: gal)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?], fixed-in-tracemonkey)
Attachments
(2 files)
- patch, 947 bytes, igor: review+
- patch, 1.97 KB, igor: review+
Description (Reporter: gkw)

    function f(foo) {
        if (a % 2 == 1) {
            try { eval(foo); } catch(e) {}
        }
    }
    a = 1;
    f("eval(\"x\")");
    f("x");

asserts js debug shell on TM tip without -j at

    Assertion failure: staticLevel == script->staticLevel, at ../jsobj.cpp:1491

Nominating blocking1.9.2? because possibly-related bug 531037 is marked blocking1.9.2+. Security-sensitive because bug 531037 is also marked security-sensitive.

autoBisect shows this is probably related to bug 531037:

The first bad revision is:
changeset: 35345:57a6ad20eae9
user: Igor Bukanov
date: Tue Dec 01 00:01:11 2009 +0300
summary: bug 531037 - eval fixes. r=brendan

Flags: blocking1.9.2?
Updated•15 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Comment 1•15 years ago (Assignee)

(gdb) list
1488            i = -1;
1489        }
1490    }
1491    if (i < 0 ||
1492        STOBJ_GET_PARENT(objarray->vector[i]) == scopeobj) {
1493        JS_ASSERT(staticLevel == script->staticLevel);
1494        EVAL_CACHE_METER(hit);
1495        *scriptp = script->u.nextToGC;
1496        script->u.nextToGC = NULL;
1497        break;
(gdb) p staticLevel
$1 = 2
(gdb) p script->staticLevel
$2 = 3
(gdb) bt
Flags: blocking1.9.2+ → blocking1.9.2?
Updated•15 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Updated•15 years ago (Assignee)
Assignee: general → gal
Priority: -- → P2
Whiteboard: [sg:critical?]
Comment 2•15 years ago (Assignee)

Updated•15 years ago
Attachment #415767 - Flags: review?(igor)
Comment 3•15 years ago
Comment on attachment 415767 [details] [diff] [review] qualify eval cache hit on staticLevel >diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp >--- a/js/src/jsobj.cpp >+++ b/js/src/jsobj.cpp >@@ -1446,16 +1446,17 @@ obj_eval(JSContext *cx, JSObject *obj, u > bucket = EvalCacheHash(cx, str); > if (!indirectCall && argc == 1 && caller->fun) { Drop the check for argc == 1 here. In the bug 531037 I thought that adding that check was equivalent to checking for the static depth. But I have missed the nested eval case obviously.
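Review bot: the hit condition visible in this hunk, `!indirectCall && argc == 1 && caller->fun`, uses `argc == 1` as a stand-in for a static-depth check, and that is exactly what the testcase defeats: f("eval(\"x\")") and f("x") both reach the cache with the same string, the same caller->fun and the same scopeobj, differing only in staticLevel (2 versus 3 in the gdb output in comment 1). The staticLevel comparison belongs in the lookup's hit condition, next to the `STOBJ_GET_PARENT(objarray->vector[i]) == scopeobj` test, so that a script compiled at another depth is a miss rather than a tripped JS_ASSERT at jsobj.cpp:1493; once the lookup is qualified that way `argc == 1` adds nothing and can go, as the review comment says. The one added line the hunk header announces (16 -> 17 lines) is not in the quoted excerpt, so the qualification itself cannot be checked here.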
Attachment #415767 - Flags: review?(igor) → review+
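The distinction igor draws above, a hit qualified on the static level rather than on argc, as an added illustration. This is a simplified model written for this page, not SpiderMonkey's eval cache; every type and function name in it is invented, the cache key fields are a stand-in for (string, caller->fun, scopeobj), and the static levels 2 and 3 are the values printed in comment 1. It replays the testcase's cache traffic against an unqualified lookup (which returns the level-3 script to the level-2 eval) and against one that compares staticLevel (which misses and would recompile).

```c
#include <stdlib.h>
#include <string.h>

/* Illustrative eval-cache model (added example; not SpiderMonkey code).
 * Names are invented. A cached Script records the source it was compiled
 * from, the function that performed the direct eval, the scope object it
 * was compiled against, and the static nesting level at compile time. */
typedef struct Script {
    const char *source;
    const void *caller;       /* stands in for caller->fun */
    const void *scope;        /* stands in for scopeobj */
    unsigned staticLevel;
    struct Script *next;      /* bucket chain */
} Script;

enum { EVAL_CACHE_SIZE = 64 };
static Script *eval_cache[EVAL_CACHE_SIZE];

/* FNV-1a over the source text, reduced to a bucket index. */
static unsigned eval_cache_bucket(const char *s)
{
    unsigned h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h % EVAL_CACHE_SIZE;
}

static void eval_cache_clear(void)
{
    for (unsigned b = 0; b < EVAL_CACHE_SIZE; b++) {
        while (eval_cache[b]) {
            Script *sc = eval_cache[b];
            eval_cache[b] = sc->next;
            free(sc);
        }
    }
}

/* Miss path: record a script just compiled at the given static level. */
static Script *eval_cache_insert(const char *src, const void *caller,
                                 const void *scope, unsigned level)
{
    Script *sc = calloc(1, sizeof *sc);
    if (!sc)
        abort();
    sc->source = src;
    sc->caller = caller;
    sc->scope = scope;
    sc->staticLevel = level;
    unsigned b = eval_cache_bucket(src);
    sc->next = eval_cache[b];
    eval_cache[b] = sc;
    return sc;
}

/* Lookup as before the fix: source, caller and scope are compared, but the
 * level the cached script was compiled at is not. */
static Script *eval_cache_lookup_unqualified(const char *src, const void *caller,
                                             const void *scope)
{
    for (Script *sc = eval_cache[eval_cache_bucket(src)]; sc; sc = sc->next) {
        if (strcmp(sc->source, src) == 0 && sc->caller == caller &&
            sc->scope == scope)
            return sc;
    }
    return NULL;
}

/* Lookup with the hit qualified on staticLevel: a script compiled at a
 * different nesting depth is a miss, not a tripped assertion. */
static Script *eval_cache_lookup_qualified(const char *src, const void *caller,
                                           const void *scope, unsigned level)
{
    for (Script *sc = eval_cache[eval_cache_bucket(src)]; sc; sc = sc->next) {
        if (strcmp(sc->source, src) == 0 && sc->caller == caller &&
            sc->scope == scope && sc->staticLevel == level)
            return sc;
    }
    return NULL;
}

/* Opaque identity tokens standing in for f and f's call object; only
 * their addresses are ever compared. */
static int f_fun, f_callobj;

/* Replays the testcase: f("eval(\"x\")") compiles "x" through a nested eval
 * at static level 3; f("x") then asks for "x" at level 2 with the same
 * caller and scope. Returns 1 when the unqualified lookup hands the
 * level-3 script to the level-2 eval, the state the JS_ASSERT caught. */
int stale_hit_without_level_check(void)
{
    eval_cache_clear();
    eval_cache_insert("x", &f_fun, &f_callobj, 3);
    Script *hit = eval_cache_lookup_unqualified("x", &f_fun, &f_callobj);
    return hit != NULL && hit->staticLevel != 2;
}

/* Same traffic against the qualified lookup: the level-2 request misses,
 * while a level-3 request for the same string still hits. */
int correct_miss_with_level_check(void)
{
    eval_cache_clear();
    eval_cache_insert("x", &f_fun, &f_callobj, 3);
    return eval_cache_lookup_qualified("x", &f_fun, &f_callobj, 2) == NULL &&
           eval_cache_lookup_qualified("x", &f_fun, &f_callobj, 3) != NULL;
}
```

The model deliberately keeps the old lookup beside the fixed one so the collision is visible in one run: both calls share every key field except the nesting depth, which is why an argc-based proxy cannot separate them.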
Comment 4•15 years ago (Assignee)
Pushed with test case. http://hg.mozilla.org/tracemonkey/rev/c3cc71461953
Whiteboard: [sg:critical?] → [sg:critical?], fixed-in-tracemonkey
Comment 5•15 years ago (Assignee)
As usual, lots of kudos to gary for finding this and reducing it.
Comment 6•15 years ago
http://hg.mozilla.org/mozilla-central/rev/c3cc71461953
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 7•15 years ago
Gal, js1_8/regress/regress-532491.js needs to be listed in js1_8/regress/jstests.list
Comment 8•15 years ago (Assignee)
Thanks bc. http://hg.mozilla.org/tracemonkey/rev/54f375249f8e
Comment 10•15 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ffe6a27e284c
status1.9.2: --- → final-fixed
Comment 11•15 years ago
Getting this bug and bug 531037 landed on branch turned out to be a little tricky, because we're not taking blake's indirect-eval patch there. I think I got it right by skipping the eval cache for indirect eval and when there's a scopeobj.
Attachment #418526 - Flags: review?(igor)
Updated•15 years ago
Attachment #418526 - Flags: review?(igor) → review+
Updated•13 years ago
Group: core-security
status1.9.1: --- → unaffected
Comment 12•12 years ago
A testcase for this bug was automatically identified at js/src/tests/js1_8/regress/regress-532491.js.
Flags: in-testsuite+
Comment 13•11 years ago (Reporter)
Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.
Status: RESOLVED → VERIFIED