Closed Bug 532491 Opened 16 years ago Closed 16 years ago

"Assertion failure: staticLevel == script->staticLevel, at ../jsobj.cpp" with eval

Categories

(Core :: JavaScript Engine, defect, P2)

x86
macOS
defect

Tracking


VERIFIED FIXED
Tracking Status
status1.9.2 --- final-fixed
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: gal)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?], fixed-in-tracemonkey)

Attachments

(2 files)

function f(foo) { if (a % 2 == 1) { try { eval(foo); } catch(e) {} } }
a = 1;
f("eval(\"x\")");
f("x");

asserts js debug shell on TM tip without -j at

Assertion failure: staticLevel == script->staticLevel, at ../jsobj.cpp:1491

Nominating blocking1.9.2? because possibly-related bug 531037 is marked blocking1.9.2+. Security-sensitive because bug 531037 is also marked security-sensitive.

autoBisect shows this is probably related to bug 531037:

The first bad revision is:
changeset:   35345:57a6ad20eae9
user:        Igor Bukanov
date:        Tue Dec 01 00:01:11 2009 +0300
summary:     bug 531037 - eval fixes. r=brendan
Flags: blocking1.9.2?
Flags: blocking1.9.2? → blocking1.9.2+
(gdb) list
1488                i = -1;
1489            }
1490        }
1491        if (i < 0 ||
1492            STOBJ_GET_PARENT(objarray->vector[i]) == scopeobj) {
1493            JS_ASSERT(staticLevel == script->staticLevel);
1494            EVAL_CACHE_METER(hit);
1495            *scriptp = script->u.nextToGC;
1496            script->u.nextToGC = NULL;
1497            break;
(gdb) p staticLevel
$1 = 2
(gdb) p script->staticLevel
$2 = 3
(gdb) bt
Flags: blocking1.9.2+ → blocking1.9.2?
Flags: blocking1.9.2? → blocking1.9.2+
Assignee: general → gal
Priority: -- → P2
Whiteboard: [sg:critical?]
Attachment #415767 - Flags: review?(igor)
Comment on attachment 415767 [details] [diff] [review] qualify eval cache hit on staticLevel >diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp >--- a/js/src/jsobj.cpp >+++ b/js/src/jsobj.cpp >@@ -1446,16 +1446,17 @@ obj_eval(JSContext *cx, JSObject *obj, u > bucket = EvalCacheHash(cx, str); > if (!indirectCall && argc == 1 && caller->fun) { Drop the check for argc == 1 here. In the bug 531037 I thought that adding that check was equivalent to checking for the static depth. But I have missed the nested eval case obviously.
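Review bot: the gate visible in this hunk's context, `if (!indirectCall && argc == 1 && caller->fun) {`, admits an eval cache hit on argument count and caller alone, which does not distinguish a script compiled by a nested eval from one requested one level up; the gdb session in this bug shows exactly that case (staticLevel 2 against a cached script->staticLevel 3). The hit test should compare staticLevel with script->staticLevel before the cached script is reused, as the attachment title says, at which point the argc == 1 condition adds nothing and can be dropped as the review comment suggests.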
Attachment #415767 - Flags: review?(igor) → review+
Whiteboard: [sg:critical?] → [sg:critical?], fixed-in-tracemonkey
As usual, lots of kudos to gary for finding this and reducing it.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Gal, js1_8/regress/regress-532491.js needs to be listed in js1_8/regress/jstests.list
Getting this bug and bug 531037 landed on branch turned out to be a little tricky, because we're not taking blake's indirect-eval patch there. I think I got it right by skipping the eval cache for indirect eval and when there's a scopeobj.
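The cache-hit qualification this bug is about (the reporter's testcase at the top, and the staticLevel check the reviewed patch adds), as an added model in C that is not SpiderMonkey's code: a toy eval-script cache keyed by source text, with a lookup that ignores static level beside one that requires it, replayed against the two calls in the testcase. Every name here (EvalCache, replay_testcase, the bucket hash, the level numbers 2 and 3 taken from the gdb session) is this example's own assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model (not SpiderMonkey's code) of an eval-script cache keyed by source
 * text. The point: a hit is only valid if the cached script was compiled at the
 * same static (lexical nesting) level as the caller now asking for it. */

#define NBUCKETS 16

typedef struct Script {
    char *source;            /* eval'd source text */
    unsigned static_level;   /* nesting level the script was compiled at */
    struct Script *next;     /* bucket chain, like script->u.nextToGC on the page */
} Script;

typedef struct {
    Script *bucket[NBUCKETS];
    unsigned hits, misses;
} EvalCache;

static unsigned hash_str(const char *s) {
    unsigned h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h % NBUCKETS;
}

static Script *compile_script(const char *src, unsigned level) {
    Script *sc = malloc(sizeof *sc);
    if (!sc) abort();
    sc->source = malloc(strlen(src) + 1);
    if (!sc->source) abort();
    strcpy(sc->source, src);
    sc->static_level = level;
    sc->next = NULL;
    return sc;
}

/* Lookup gated only on the source string: a script compiled by a nested eval
 * (level 3) is handed to a caller one level up (level 2), the bug's situation. */
static Script *lookup_unqualified(EvalCache *c, const char *src) {
    for (Script *s = c->bucket[hash_str(src)]; s; s = s->next)
        if (strcmp(s->source, src) == 0) return s;
    return NULL;
}

/* Lookup qualified on static level: the assertion
 * staticLevel == script->staticLevel becomes part of the hit test. */
static Script *lookup_qualified(EvalCache *c, const char *src, unsigned level) {
    for (Script *s = c->bucket[hash_str(src)]; s; s = s->next)
        if (strcmp(s->source, src) == 0 && s->static_level == level) return s;
    return NULL;
}

static void cache_insert(EvalCache *c, Script *s) {
    unsigned b = hash_str(s->source);
    s->next = c->bucket[b];
    c->bucket[b] = s;
}

static void cache_free(EvalCache *c) {
    for (unsigned b = 0; b < NBUCKETS; b++) {
        Script *s = c->bucket[b];
        while (s) { Script *n = s->next; free(s->source); free(s); s = n; }
    }
}

/* Script to run `src` at `level`: cache hit, or compile and cache on a miss. */
static Script *eval_script(EvalCache *c, const char *src, unsigned level, int qualified) {
    Script *s = qualified ? lookup_qualified(c, src, level) : lookup_unqualified(c, src);
    if (s) { c->hits++; return s; }
    c->misses++;
    s = compile_script(src, level);
    cache_insert(c, s);
    return s;
}

/* Replays the reporter's testcase against the model: f("eval(\"x\")") compiles "x"
 * at level 3 (eval inside eval inside f), then f("x") asks for "x" at level 2.
 * Returns the static level of the script handed to the level-2 caller:
 * 2 is correct, 3 reproduces the mismatch the gdb session shows. */
unsigned replay_testcase(int qualified) {
    EvalCache c;
    memset(&c, 0, sizeof c);
    eval_script(&c, "eval(\"x\")", 2, qualified);  /* outer eval in f */
    eval_script(&c, "x", 3, qualified);            /* nested eval compiles "x" */
    unsigned got = eval_script(&c, "x", 2, qualified)->static_level;
    cache_free(&c);
    return got;
}

int main(void) {
    printf("unqualified hit -> level %u (3 reproduces the bug)\n", replay_testcase(0));
    printf("qualified hit   -> level %u (2 is the fixed behaviour)\n", replay_testcase(1));
    return 0;
}
```

The unqualified lookup is the shape of the original gate (string match plus a caller condition that carries no depth information); the qualified lookup is what makes the JS_ASSERT in the gdb listing redundant, since a script at the wrong level can no longer be a hit in the first place.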
Attachment #418526 - Flags: review?(igor)
Attachment #418526 - Flags: review?(igor) → review+
Group: core-security
A testcase for this bug was automatically identified at js/src/tests/js1_8/regress/regress-532491.js.
Flags: in-testsuite+
Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.
Status: RESOLVED → VERIFIED