607659 - js_GetProperty on RegExp.prototype from TraceRecorder can reenter VM, crash

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Luke Wagner [:luke]]

The RegExp.exec -> test tjit optimization does a js_GetProperty for 'test' on RegExp.prototype.  This is bad since it can cause visible side effects during compilation.  It also kills the current trace recorder which crashes compilation.

  var g = 0;
  Object.defineProperty(RegExp.prototype, 'test', { get:function() { ++g } });
  function f() {
      for (var i = 0; i < 100; ++i)
          /a/.exec('a');
  }
  f();
  assertEq(g, 0);

I think the solution is to do something more like ClassMethodIsNative and use JSObject::nativeLookup.

Comment 1

[Luke Wagner [:luke]]

Attachment: fix

Comment 2

[Jason Orendorff [:jorendorff]]

Comment on attachment 486367 [details] [diff] [review]
fix

Looks good. Two nits:

>+JSObject *
>+HasNativeMethod(JSContext *cx, JSObject *obj, jsid methodid, Native native)

Looks like cx is unused in this. Delete it?

This function should assert that obj is native. Better, JSObject::nativeSearch should assert isNative().

r=me with that.

Comment 3

[Brendan Eich [:brendan]]

(In reply to comment #2)
> Comment on attachment 486367 [details] [diff] [review]
> fix
> 
> Looks good. Two nits:
> 
> >+JSObject *
> >+HasNativeMethod(JSContext *cx, JSObject *obj, jsid methodid, Native native)
> 
> Looks like cx is unused in this. Delete it?

+1

> This function should assert that obj is native. Better, JSObject::nativeSearch
> should assert isNative().

+2 ;-)

/be

Comment 4

[Luke Wagner [:luke]]

http://hg.mozilla.org/tracemonkey/rev/1a6993e17a93

Comment 5

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/1a6993e17a93