Closed
Bug 750307
Opened 13 years ago
Closed 12 years ago
"Assertion failure: isBoolean(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla16
People
(Reporter: gkw, Assigned: jorendorff)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [js:p1:fx15])
Attachments
(3 files, 1 obsolete file)
6.37 KB,
text/plain
|
Details | |
9.74 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
7.92 KB,
patch
|
Details | Diff | Splinter Review |
Math.tan( Object.defineProperty( evalcx("new RegExp"), "ignoreCase", {e:true} ) ) asserts js debug shell on m-c changeset cfaf90b22fc3 without any CLI arguments at Assertion failure: isBoolean(), autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 78732:61dd23c012ee user: Chris Leary date: Fri Oct 07 03:04:00 2011 -0700 summary: Bug 673188: Compile regexps lazily. (r=mrbkap)
Assignee | ||
Comment 1•13 years ago
|
||
Hmm. Having a little trouble tracking this one down actually. Taking.
Assignee: general → jorendorff
Assignee | ||
Comment 2•13 years ago
|
||
This should have been obvious to me at the outset. Not sure what I was thinking. 1. For cross-compartment wrappers, Object.defineProperty ultimately calls JS_DefinePropertyById. 2. JS_DefinePropertyById allows the redefinition of non-writable non-configurable properties, contrary to ES5. In particular it does not do all the checking that obj_DefineProperty does when the target object is native. 3. RegExpObject::toString assumes the values of the "ignoreCase" non-writable non-configurable property can't be changed.
Assignee | ||
Comment 3•13 years ago
|
||
To break it down a little bit: let a = evalcx("/x/"); // make a cross-compartment wrapper around a RegExp object Object.defineProperty(a, "ignoreCase", {value: undefined}); // see comment 2 a.toString(); // trip an assertion that ignoreCase has a boolean value
Updated•13 years ago
|
Whiteboard: js-triage-needed → [js:p1:fx15][js:ni]
Assignee | ||
Comment 4•12 years ago
|
||
My first attempt was to make JS_Define* respect the invariants. This was doomed because the JS_Define* functions are the APIs resolve hooks are supposed to use. We'd get call stacks like: some kind of lookup -> resolve hook -> JS_DefineProperty -> do a lookup to check the invariants -> resolve hook ... The resolve machinery has some goofy hash table to prevent runaway recursion in this case, but it still causes problems. I think causing JS_Define* to do lookups is too much of an API change for Aurora. A more modest change is to change wrappers so that instead of using JS_DefinePropertyById directly, they enforce the invariants. Pursuing that now.
Assignee | ||
Comment 5•12 years ago
|
||
Attachment #630656 -
Flags: review?(jwalden+bmo)
Comment 6•12 years ago
|
||
Comment on attachment 630656 [details] [diff] [review] v1 Review of attachment 630656 [details] [diff] [review]: ----------------------------------------------------------------- The property definition algorithms are complicated enough that I'm not especially confident I haven't missed anything here, but I think you might have covered the bases. ::: js/src/jit-test/tests/basic/bug750307.js @@ +1,5 @@ > +var g = newGlobal('new-compartment'); > +var a = g.RegExp("x"); > +try { > + Object.defineProperty(a, "ignoreCase", {value: undefined}); > +} catch (exc) {} assertEq(exc instanceof g.TypeError, true); // it's g.TypeError and not TypeError, right? And an assert verifying that an error was actually thrown, too.
Attachment #630656 -
Flags: review?(jwalden+bmo) → review+
Assignee | ||
Comment 7•12 years ago
|
||
Good idea. https://hg.mozilla.org/integration/mozilla-inbound/rev/7166a68a7994
Comment 8•12 years ago
|
||
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/65c7255e9d15 for the "browser_bug645699.js | an unexpected uncaught JS exception reported through window.onerror - TypeError: can't redefine non-configurable property 'location' at http://example.com/browser/toolkit/mozapps/extensions/test/xpinstall/bug645699.html:12" etc. in https://tbpl.mozilla.org/php/getParsedLog.php?id=12567825&tree=Mozilla-Inbound and friends.
Assignee | ||
Comment 9•12 years ago
|
||
Thanks for the backout. Looks like we should just change the test, though. I'll push to try in a minute.
Assignee | ||
Comment 10•12 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=d87a33f7beb0
Reporter | ||
Comment 11•12 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #10) > https://tbpl.mozilla.org/?tree=Try&rev=d87a33f7beb0 Try looks green - should be good to land! \o/
Keywords: checkin-needed
Comment 12•12 years ago
|
||
That must have been intended for some other bug, since every mochitest-oth which has run has a failure in the same test (plus, what's pushed to try isn't even in this bug, so checkin-needed would just reland the same thing that already bounced).
Keywords: checkin-needed
Assignee | ||
Comment 13•12 years ago
|
||
It was just a botch. Here's the fixed try run. https://tbpl.mozilla.org/?tree=Try&rev=07957da489ad
Assignee | ||
Comment 14•12 years ago
|
||
Carrying forward review.
Attachment #630656 -
Attachment is obsolete: true
Attachment #632595 -
Flags: review+
Assignee | ||
Comment 15•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/2ddb6278d1de
Comment 16•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/2ddb6278d1de
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
Depends on: 764688
Updated•12 years ago
|
Updated•12 years ago
|
Blocks: CVE-2012-1956
Reporter | ||
Updated•12 years ago
|
Flags: in-testsuite+
Comment 17•12 years ago
|
||
It seems it landed in 15.a2/20120629: http://hg.mozilla.org/releases/mozilla-aurora/rev/2f5ede40b4f5
Comment 18•12 years ago
|
||
Landed on beta as: https://hg.mozilla.org/releases/mozilla-beta/rev/acb98d65fa59 (Bug doesn't seem to have been updated to reflect that) However backed out of beta for M3 orange: https://tbpl.mozilla.org/?tree=Mozilla-Beta&rev=acb98d65fa59 https://hg.mozilla.org/releases/mozilla-beta/rev/61b48c85c866
Comment 20•12 years ago
|
||
I built Spidermonkey for the latest Firefox 15 version (beta5, Changeset 5b309ad1a88a) and run the test from comment #0. The reported assertion did not show, but instead I got the following assertion: test750307:5: TypeError: "ignoreCase" is read-only Is this expected? Thank you!
QA Contact: moz.mihaelav
Comment 21•12 years ago
|
||
Confirmed testcase asserts 2012-04-30 mozilla-central debug JS shell. Does not assert: 2012-06-14 mozilla-central debug JS shell 2012-07-01 mozilla-aurora debug JS shell
Updated•12 years ago
|
Whiteboard: [js:p1:fx15][js:ni] → [js:p1:fx15]
Updated•12 years ago
|
tracking-firefox-esr10:
--- → 16+
Assignee | ||
Comment 22•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr10/rev/6b471843f125 Approval granted separately in bug 756719.
Updated•12 years ago
|
Comment 23•12 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #22) > https://hg.mozilla.org/releases/mozilla-esr10/rev/6b471843f125 > > Approval granted separately in bug 756719. Had oranges in mochi-4 and mochi-oth across all platforms, backed out https://hg.mozilla.org/releases/mozilla-esr10/rev/e78926e3cef0
Assignee | ||
Comment 24•12 years ago
|
||
Re-landed: https://hg.mozilla.org/releases/mozilla-esr10/rev/9708ce55a237 https://hg.mozilla.org/releases/mozilla-esr10/rev/b3600020156d The "part 2" patch got review and approval separately, in bug 756719. There's no way to get a Try Server run on ESR10 at present, so I'm not as confident in these patches as I'd normally like to be, but at worst, we back them out again...
Comment 25•12 years ago
|
||
> but at worst, we back them out again... At worst it is! Backed out for Moth oranges. https://hg.mozilla.org/releases/mozilla-esr10/rev/96931ca23431
Comment 26•12 years ago
|
||
I managed to only back out the second part, so here's another attempt to finish the job. https://hg.mozilla.org/releases/mozilla-esr10/rev/d449bf8cd785
Comment 27•12 years ago
|
||
Moth seems to fail more with the extra ESR fix on than not, so this this is a more minimal version of the ESR fix. It's impossible to quickly figure out what's really going wrong or what's needed, but this may work. Currently running on try. I'll check again in the morning.
Attachment #668292 -
Flags: review?(jorendorff)
Comment 28•12 years ago
|
||
You can't use Try for ESR-10 (it won't build), which is kind of the root of this whole problem. You'll have to run Moth locally.
Comment 29•12 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #28) > You can't use Try for ESR-10 (it won't build), which is kind of the root of > this whole problem. You'll have to run Moth locally. That is super lame. Hopefully Jason can pick it up in the morning then.
Assignee | ||
Comment 30•12 years ago
|
||
I'm working on this now.
Comment 31•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr10/rev/f19e6807b8bb https://hg.mozilla.org/releases/mozilla-esr10/rev/89d8746d16c5
Assignee | ||
Updated•12 years ago
|
Attachment #668292 -
Flags: review?(jorendorff)
You need to log in
before you can comment on or make changes to this bug.
Description
•