Bug 609256 (Closed): JM: Crash at weird instruction or [@ JSObject::getGlobal], "Assertion failure: isObject(),"
Opened 14 years ago, closed 14 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla2.0b8
Tracking flags: blocking2.0: beta8+
People: Reporter: gkw, Assigned: Waldo
Details: 4 keywords, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey
Attachments (1 file, 1 obsolete file): Patch, 2.84 KB, patch; luke: review+
Description (Reporter, gkw):

(function() { __defineGetter__("x", function() { return (eval = '') }) x })() eval()

crashes js opt shell at a weird instruction and asserts js debug shell at Assertion failure: isObject(), on TM changeset 7ec0a71652a6. Assuming s-s just to be safe.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x00000000
0x00651006 in ?? ()
(gdb) x/i $eip
0x651006:  add    %al,%gs:(%eax)
(gdb) x/b $al
Value can't be converted to integer.
(gdb) x/b $gs
0x37:  Cannot access memory at address 0x37
(gdb) x/b $eax
0x65006a:  0xe2
Updated by Reporter, 14 years ago:
blocking2.0: --- → ?
Comment 1 by Reporter, 14 years ago:
-m is required to trigger the issue. autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   56564:6abb9e45a79a
user:        Jeff Walden
date:        Thu Oct 21 14:31:29 2010 -0700
summary:     Bug 604504 - Implement an eval kernel that obj_eval and JSOP_EVAL can each call. r=jorendorff,dvander
Blocks: 604504
Comment 2 by Reporter, 14 years ago:

eval("\ Object.defineProperty\ (\ this,\ \"eval\",\ ({\ get:function(){},\ })\ )\ in\ []\ ") eval()

crashes js opt shell at JSObject::getGlobal instead and asserts identically.
Summary: JM: Crash at weird instruction, "Assertion failure: isObject()," → JM: Crash at weird instruction or [@ JSObject::getGlobal], "Assertion failure: isObject(),"
Updated by Assignee, 14 years ago:
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Comment 3 by Assignee, 14 years ago:
I have a feeling I merged through strict-this interpreter changes yet forgot to propagate the merge fixes into the methodjit version -- my own fault for not writing enough eval tests to go with the changes in that bug. :-\
Attachment #488542 - Flags: review?(lw)
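To pin down the behaviour the fix is meant to restore, here is an added regression check that is not part of this bug or of the tracemonkey tree. It is written for a current engine (Node.js, assumed) rather than the 2010 js shell, and the names globalThis, withGlobalEval and outcomeOfEvalCall are my own. It replaces the global eval binding the two ways the description and comment 2 do (a getter on another property that overwrites eval with a string, and eval itself turned into an accessor with an empty getter) and then checks that a call site spelled eval(...) whose callee is no longer the builtin eval ends in a TypeError instead of a crash:

```javascript
// Added regression checks (not from the bug or the tracemonkey tree). They run
// on a current engine (Node.js, assumed) and show the behaviour the fix
// restores: a call site spelled `eval(...)` whose callee is not the builtin
// eval must be treated as an ordinary call of whatever value `eval` now holds,
// so the outcome is a TypeError, never a crash.

// Helper (my own name): temporarily redefine the global `eval` property, run
// `body`, and always put the real eval back. Restoring uses defineProperty
// because the accessor variant has no setter, so plain assignment would not
// undo it.
function withGlobalEval(descriptor, body) {
  const realEval = eval;
  Object.defineProperty(globalThis, 'eval', { ...descriptor, configurable: true });
  try {
    return body();
  } finally {
    Object.defineProperty(globalThis, 'eval', {
      value: realEval, writable: true, enumerable: false, configurable: true,
    });
  }
}

// Classify what a direct-looking eval('1') call does: the name of the thrown
// error, or the string 'returned' if the call succeeded.
function outcomeOfEvalCall() {
  try {
    eval('1');
    return 'returned';
  } catch (e) {
    return e.constructor.name;
  }
}

// Case 1 (mirrors the description): a getter on another global property
// replaces eval with a string just before the eval() call site runs.
function evalReplacedByGetterSideEffect() {
  return withGlobalEval({ value: eval, writable: true }, () => {
    Object.defineProperty(globalThis, 'x', {
      get() { globalThis.eval = ''; return 0; }, // constructed side effect
      configurable: true,
    });
    try {
      globalThis.x;               // triggers the getter; eval is now ''
      return outcomeOfEvalCall(); // 'TypeError'
    } finally {
      delete globalThis.x;
    }
  });
}

// Case 2 (mirrors comment 2): eval is an accessor property whose getter
// returns undefined, so the callee at the call site is undefined.
function evalReplacedByAccessor() {
  return withGlobalEval({ get() {} }, outcomeOfEvalCall); // 'TypeError'
}

// Control: with the builtin eval in place the call succeeds.
function evalIntact() {
  return outcomeOfEvalCall(); // 'returned'
}
```

The design point these cases make for the engine is the same one the patch addresses: arbitrary user code (a getter) can run between evaluating the callee of an eval() call site and making the call, so any decision that the callee is the builtin eval has to be re-checked at the call, and the fallback path for a non-eval callee must be a complete, ordinary function call.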
Comment 4, 14 years ago:
Comment on attachment 488542 [details] [diff] [review] Patch > if (!IsFunctionObject(*vp, &callee) || > !IsBuiltinEvalFunction((fun = callee->getFunctionPrivate()))) > { >- if (!ComputeThisFromVpInPlace(f.cx, vp) || >- !Invoke(f.cx, InvokeArgsAlreadyOnTheStack(vp, argc), 0)) >- { >+ if (!Invoke(f.cx, InvokeArgsAlreadyOnTheStack(vp, argc), 0)) > THROW(); >- } > return; > } The stubs::Eval version differs (innocuously) from the JSOP_EVAL version in that JSOP_EVAL will use an inline call (goto not_direct_eval) if IsFunctionObject but !IsBuiltinEvalFunction. For regularity, could you change the interpreter 'goto call_using_invoke' in both cases?
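Review bot: The removed ComputeThisFromVpInPlace call was the only step in this fallback path that prepared `this` for a callee that turns out not to be the builtin eval, so the hunk is correct only if Invoke now computes `this` itself, as comment 3 implies the strict-this interpreter changes already do; please say so in the commit message so the asymmetry with the old code is explained. Since the crashes in the description and comment 2 come from exactly this path (a call site spelled eval() whose callee is a string or an accessor's return value), both testcases should land as regression tests alongside the patch, which comment 3 itself notes were missing. Dropping the braces around the now single THROW() statement is consistent with the surrounding style.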
Comment 5 by Assignee, 14 years ago:
Attachment #488542 - Attachment is obsolete: true
Attachment #488567 - Flags: review?(lw)
Attachment #488542 - Flags: review?(lw)
Updated 14 years ago:
Attachment #488567 - Flags: review?(lw) → review+
Comment 6 by Assignee, 14 years ago:
http://hg.mozilla.org/tracemonkey/rev/edc26e88b2c4
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b8
Comment 7, 14 years ago:
http://hg.mozilla.org/mozilla-central/rev/edc26e88b2c4
Status: ASSIGNED → RESOLVED
blocking2.0: ? → beta8+
Closed: 14 years ago
Resolution: --- → FIXED
Updated 13 years ago:
Crash Signature: [@ JSObject::getGlobal]
Comment 8, 12 years ago:
JSBugMon: This bug has been automatically verified fixed.
Updated 12 years ago:
Status: RESOLVED → VERIFIED
Updated 9 years ago:
Group: core-security