Closed Bug 568867 Opened 14 years ago Closed 14 years ago

Crash [@ js_Interpret] or "Assertion failure: !JSVAL_IS_PRIMITIVE(regs.sp[-1]),"

Categories

(Core :: JavaScript Engine, defect, P2)


Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: gal)

References

Details

(4 keywords, Whiteboard: [ccbr][sg:dos], fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

x = Proxy.create(function() {
    return {
        get: Object.getPrototypeOf
    }
} (), function() {})
for (z in Proxy.create(x)) {}

crashes the js debug shell on TM tip without -j at js_Interpret, and asserts in the js debug shell on TM tip without -j with: Assertion failure: !JSVAL_IS_PRIMITIVE(regs.sp[-1]), at ../jsops.cpp:461

Seems to be a near-null crash, but setting s-s just in case. Assuming [sg:dos].

===

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000014
0x0005cc4b in js_Interpret ()
(gdb) bt
#0  0x0005cc4b in js_Interpret ()
#1  0x000665a0 in js_Execute ()
#2  0x0000f67c in JS_ExecuteScript ()
#3  0x00004cfc in Process ()
#4  0x000090ba in main ()
(gdb) x/i $eip
0x5cc4b <js_Interpret+26459>:   mov    0x4(%edx),%eax
(gdb) x/b $edx
0x10:   Cannot access memory at address 0x10
Assignee: general → gal
I don't see iterate: here at all, but anyway, any iterate trap that returns a primitive value should provoke a type error. JS1.7+ precedent:

js> var o = {__iterator__: function () 42};
js> for (i in o);
typein:2: TypeError: o.__iterator__ returned a primitive value

/be
Very recent problem. Will be fixed before it hits trunk.
Group: core-security
This is what the error message looks like now:

host-5-104:src gal$ ./Darwin_DBG.OBJ/js x.js
x.js:6: TypeError: value is not a non-null object
host-5-104:src gal$ 

I didn't want to use our __iterator__-specific error messages. We might want to add a proxy-specific error message tag though. It's hard to debug code in a hall of mirrors. Interesting research problem. We should see how this feels in real-world code.

Brendan, look at the end of the test case. for (i in Proxy.create(x)). That's where iterate() is triggered.
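Added example, not code from this bug or from the TraceMonkey patch: the legacy Proxy.create iterate trap no longer exists in any shipping engine, so a standard ES2015 Proxy stands in for it to show the same invariant the fix enforces, namely that a trap result which is not a non-null object must produce a TypeError instead of being dereferenced. The names badHandler, outcome, forInKeys, forOfValues and requireNonNullObject are chosen here and appear nowhere in the bug.

```javascript
// Added example, not code from this bug or from TraceMonkey. The legacy
// Proxy.create/iterate API is gone, so a standard ES2015 Proxy stands in for
// it: its traps can likewise hand back a primitive where the engine expects an
// object, and the engine must reject that with a TypeError, not dereference it.

// Constructed handler whose traps return primitives instead of objects.
const badHandler = {
  // for-in needs an array-like list of keys from ownKeys.
  ownKeys() { return 42; },
  // for-of needs Symbol.iterator to return an iterator object.
  get(target, prop, receiver) {
    return prop === Symbol.iterator ? () => 42 : Reflect.get(target, prop, receiver);
  }
};

// Run body() and report either its return value or the thrown error's name.
function outcome(body) {
  try { return { value: body() }; }
  catch (e) { return { error: e.constructor.name }; }
}

// for-in over a proxy: the modern counterpart of the bug's test case.
function forInKeys(handler) {
  const p = new Proxy({ a: 1, b: 2 }, handler);
  return outcome(() => { const keys = []; for (const k in p) keys.push(k); return keys; });
}

// for-of over a proxy: the counterpart of the JS1.7 __iterator__ precedent.
function forOfValues(handler) {
  const p = new Proxy([10, 20], handler);
  return outcome(() => { const vals = []; for (const v of p) vals.push(v); return vals; });
}

// The check the fix adds, expressed at the JS level: a trap result must be a
// non-null object before anything is read from it.
function requireNonNullObject(value, what) {
  const isObject = value !== null && (typeof value === 'object' || typeof value === 'function');
  if (!isObject) throw new TypeError(`${what} is not a non-null object`);
  return value;
}

console.log(forInKeys({}), forInKeys(badHandler));     // { value: [ 'a', 'b' ] } { error: 'TypeError' }
console.log(forOfValues({}), forOfValues(badHandler)); // { value: [ 10, 20 ] } { error: 'TypeError' }
```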
Attached patch: patch
Attachment #448056 - Flags: review?(brendan)
Comment on attachment 448056 [details] [diff] [review]
patch

Ok as short-term fix -- we need to get that bug for generalizing the JSV2F_ITERATOR thing on file and patched.

/be
Attachment #448056 - Flags: review?(brendan) → review+
blocking2.0: ? → final+
Depends on: 568966
Severity: critical → major
OS: Mac OS X → All
Priority: -- → P2
Hardware: x86 → All
http://hg.mozilla.org/tracemonkey/rev/36d81cc1a7de
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos], fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/36d81cc1a7de
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_Interpret]