Closed
Bug 609256
Opened 14 years ago
Closed 14 years ago
JM: Crash at weird instruction or [@ JSObject::getGlobal], "Assertion failure: isObject(),"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla2.0b8
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta8+ |
People
(Reporter: gkw, Assigned: Waldo)
References
Details
(4 keywords, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
2.84 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
(function() {
__defineGetter__("x",
function() {
return (eval = '')
})
x
})()
eval()
crashes js opt shell at a weird instruction and asserts js debug shell at Assertion failure: isObject(), on TM changeset 7ec0a71652a6.
Assuming s-s just to be safe.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x00000000
0x00651006 in ?? ()
(gdb) x/i $eip
0x651006: add %al,%gs:(%eax)
(gdb) x/b $al
Value can't be converted to integer.
(gdb) x/b $gs
0x37: Cannot access memory at address 0x37
(gdb) x/b $eax
0x65006a: 0xe2
|
Reporter | |
Updated•14 years ago
|
blocking2.0: --- → ?
|
|
Reporter | |
Comment 1•14 years ago
|
||
-m is required to trigger the issue. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 56564:6abb9e45a79a user: Jeff Walden date: Thu Oct 21 14:31:29 2010 -0700 summary: Bug 604504 - Implement an eval kernel that obj_eval and JSOP_EVAL can each call. r=jorendorff,dvander
Blocks: 604504
|
|
Reporter | |
Comment 2•14 years ago
|
||
eval("\
Object.defineProperty\
(\
this,\
\"eval\",\
({\
get:function(){},\
})\
)\
in\
[]\
")
eval()
crashes js opt shell at JSObject::getGlobal instead and asserts identically.Summary: JM: Crash at weird instruction, "Assertion failure: isObject()," → JM: Crash at weird instruction or [@ JSObject::getGlobal], "Assertion failure: isObject(),"
|
Assignee | |
Updated•14 years ago
|
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•14 years ago
|
||
I have a feeling I merged through strict-this interpreter changes yet forgot to propagate the merge fixes into the methodjit version -- my own fault for not writing enough eval tests to go with the changes in that bug. :-\
Attachment #488542 -
Flags: review?(lw)
|
|
||
Comment 4•14 years ago
|
||
Comment on attachment 488542 [details] [diff] [review] Patch > if (!IsFunctionObject(*vp, &callee) || > !IsBuiltinEvalFunction((fun = callee->getFunctionPrivate()))) > { >- if (!ComputeThisFromVpInPlace(f.cx, vp) || >- !Invoke(f.cx, InvokeArgsAlreadyOnTheStack(vp, argc), 0)) >- { >+ if (!Invoke(f.cx, InvokeArgsAlreadyOnTheStack(vp, argc), 0)) > THROW(); >- } > return; > } The stubs::Eval version differs (innocuously) from the JSOP_EVAL version in that JSOP_EVAL will use an inline call (goto not_direct_eval) if IsFunctionObject but !IsBuiltinEvalFunction. For regularity, could you change the interpreter 'goto call_using_invoke' in both cases?
|
|
Assignee | |
Comment 5•14 years ago
|
||
Attachment #488542 -
Attachment is obsolete: true
Attachment #488567 -
Flags: review?(lw)
Attachment #488542 -
Flags: review?(lw)
|
|
||
Updated•14 years ago
|
Attachment #488567 -
Flags: review?(lw) → review+
|
|
Assignee | |
Comment 6•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/edc26e88b2c4
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b8
|
||
Comment 7•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/edc26e88b2c4
Status: ASSIGNED → RESOLVED
blocking2.0: ? → beta8+
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ JSObject::getGlobal]
|
||
Comment 8•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•