Closed
Bug 652177
Opened 13 years ago
Closed 12 years ago
JSObject::freezeOrSeal misbehavior with __proto__
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: js-triage-done)
Attachments
(1 file)
|
2.11 KB,
text/plain
|
Details |
Function.toLocaleString.__proto__ = null
y = {}.__proto__
y.p = function() {}
y.__defineSetter__("", function() {})
y.__proto__ = Function.toLocaleString
function b(a) {
this.__proto__ = a;
Object.freeze(this)
}
for each(z in []) {
new b
}
asserts js debug shell on TM changeset d5fcfa622f16 without -m nor -j at Assertion failure: shape->writable(), seems to only occur when passed in as a CLI argument.
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
This testcase seems to only be fairly reproducible hence autoBisect isn't yet returning reliable results.
|
||
Comment 1•13 years ago
|
||
It repro'd for me every time on 64-bit linux (without -m and without -j). I bisected to this changeset, which kind of surprised me: changeset: 62161:f569d49576bb user: Bill McCloskey <wmccloskey@mozilla.com> date: Fri Feb 11 16:31:32 2011 -0800 summary: Bug 631951 - Shrink methodjit memory usage by interpreting a few times before compiling (r=dvander)
(In reply to comment #1) > It repro'd for me every time on 64-bit linux (without -m and without -j). I > bisected to this changeset, which kind of surprised me: I just checked the changeset right before that one (bf89669b34cb) and it still asserts for me. I'll keep looking into it, but I think it's probably just a generic VM bug.
|
||
Comment 3•13 years ago
|
||
JSObject::freezeOrSeal (or vice versa) does a loop over own properties to change attributes to reflect non-configurability and maybe non-writability. It picks up shared-permanent properties in the process. Since __proto__ is such, most of the time (modulo deliberately obnoxious prototype chain munging) this will do a setAttributes() with __proto__. That hook, assuming the object is native, will then change the attributes of __proto__ *on the object with the property*. That's |Object.prototype|. That's clearly insane, of course. The broader problem is with caching the first hit on assigning to __proto__. I'm still not entirely sure what's up with that.
|
||
Comment 4•13 years ago
|
||
Looks like there are some serious problems here, so this needs an owner. Anyone have spare time?
|
Reporter | |
Comment 5•13 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #4) > Looks like there are some serious problems here, so this needs an owner. > Anyone have spare time? I don't seem to be able to reproduce this assert (it wasn't that reproducible for me in the first place), nonetheless setting js-triage-done to get some attention here, assuming comment 3 by Waldo is the triage.
Whiteboard: js-triage-done
|
|
||
Updated•13 years ago
|
Summary: "Assertion failure: shape->writable()," → JSObject::freezeOrSeal misbehavior with __proto__
|
|
||
Comment 6•12 years ago
|
||
This was falling over for a couple different reasons: the shared-permanent hack and __proto__ being a PropertyOp property, at least. I can't find the first one in enumeration code at all any more. And the second one is no longer the case, since bug 770344. Dunno exactly what fixed this, but it's definitely no longer an issue any more.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Updated•12 years ago
|
Flags: in-testsuite?
|
||
Comment 7•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•