617405 - Assert isObject() in shell

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier: 

The following code asserts in the js shell (2.0b7 and tip):

test();
files = new Array();
function test() {
        eval("var SavedArray = Array; Array = Function(''); Array.prototype = 1; Array.__defineGetter__('prototype', function() { -printStatus.expect / printStatus.Array<< expect<= actual< expect.printStatus() ;});");
}

with Assertion failure: isObject(), at jsvalue.h:602

Although the message is the same as in bug 581785, my callstack looks entirely different:

#0  0x00007ffff7bd1ebb in raise () from /lib/libpthread.so.0
#1  0x0000000000586418 in JS_Assert (s=0x6ec878 "isObject()", file=0x6ec841 "jsvalue.h", ln=602) at jsutil.cpp:83
#2  0x0000000000430790 in js::Value::toObject (this=0x7ffff6abf0b0) at jsvalue.h:602
#3  0x000000000068ab18 in JSStackFrame::constructorThis (this=0x7ffff6abf0b8) at ./jsinterp.h:420
#4  0x00000000006ab398 in ScriptEpilogue (cx=0xaa51c0, fp=0x7ffff6abf0b8, ok=0) at jsinterpinlines.h:736
#5  0x00000000006ae65d in js::Interpret (cx=0xaa51c0, entryFrame=0x7ffff6abf048, inlineCallCount=1, interpMode=JSINTERP_NORMAL) at jsinterp.cpp:2849
#6  0x00000000004c14f7 in js::RunScript (cx=0xaa51c0, script=0xac4dd0, fp=0x7ffff6abf048) at jsinterp.cpp:657
#7  0x00000000004c2873 in js::Execute (cx=0xaa51c0, chain=0x7ffff6903048, script=0xac4dd0, prev=0x0, flags=0, result=0x0) at jsinterp.cpp:1005
#8  0x000000000042cdd1 in JS_ExecuteScript (cx=0xaa51c0, obj=0x7ffff6903048, script=0xac4dd0, rval=0x0) at jsapi.cpp:4828
#9  0x000000000040524f in Process (cx=0xaa51c0, obj=0x7ffff6903048, filename=0x7fffffffe2b2 "assertIsObject/min.js", forceTTY=0) at js.cpp:453
#10 0x0000000000406048 in ProcessArgs (cx=0xaa51c0, obj=0x7ffff6903048, argv=0x7fffffffdfb0, argc=2) at js.cpp:871
#11 0x000000000040f3a6 in Shell (cx=0xaa51c0, argc=2, argv=0x7fffffffdfb0, envp=0x7fffffffdfc8) at js.cpp:5370
#12 0x000000000040f56c in main (argc=2, argv=0x7fffffffdfb0, envp=0x7fffffffdfc8) at js.cpp:5478

My fuzzer is hitting this quite often :)

Reproducible: Always

Comment 1

[Jason Orendorff [:jorendorff]]

The "prototype" property of functions is non-configurable, unless you assign to
it. Assigning creates a plain old data property. Simpler test case:

function C() {}
C.prototype = 1;
assertEq(Object.getOwnPropertyDescriptor(C, "prototype").configurable, false);

Taking. Easy fix, looks like, and I bet it'll fix more than one bug.

Comment 2

[Jason Orendorff [:jorendorff]]

I dug deeper into the assertion, which minimizes to this:

  function C(){}
  C.prototype = 1;
  C.__defineGetter__('prototype', function() { throw 0; });
  new C;

The getter is called. It throws. In js::Interpret, we go to error:, then nocatch:, then forced_return:, and finally inline_return:. That calls ScriptEpilogue which, seeing that fp->isConstructing(), calls constructingThis(). That asserts, because we never finished creating the this-object for that frame.

So we would hit this assertion whenever js_CreateThisForFunction failed, whatever the reason.

Comment 3

[Jason Orendorff [:jorendorff]]

Attachment: v1

Comment 4

[Jeff Walden [:Waldo]]

Comment on attachment 495934 [details] [diff] [review]
v1

Use Object.defineProperty rather than __defineGetter__, please?  Either that (preferred) or move it into an extensions/ directory, since __defineGetter__ is non-standard.

Comment 6

[Jason Orendorff [:jorendorff]]

First landing bounced, but I expect this one to stick:
http://hg.mozilla.org/tracemonkey/rev/8220ab3cbe99

Comment 7

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/8220ab3cbe99

Comment 8

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/tests/js1_8_5/regress/regress-617405-2.js.