Closed Bug 416834 Opened 17 years ago Closed 17 years ago

Assertion failure after deleting eval 16 times

Tracking

()

Status:

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(Keywords: assertion, testcase)

Attachments

(2 files, 1 obsolete file)

js1_5/extensions/regress-416834.js 17 years ago Bob Clary [:bc] (inactive) (deleted), text/plain		Details
wallpaper 17 years ago Brian Crowder (deleted), patch		Details \| Diff \| Splinter Review
Alternative 17 years ago Blake Kaplan (:mrbkap) (inactive) (deleted), patch	brendan : review+ beltzner : approval1.9+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

17 years ago

this.__proto__.x = eval; for (i = 0; i < 16; ++i) delete eval; (function w() { x = 1; })(); triggers Assertion failure: !entry || entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1) ? (jsbytecode *) JSID_TO_ATOM(id) : cx->fp->pc), at jsobj.c:3423

Jesse Ruderman

Reporter

Comment 1

•

17 years ago

The assertion condition changed in bug 421274. The testcase in this bug still triggers the assertion. Assertion failure: entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1) ? (jsbytecode *) JSID_TO_ATOM(id) : cx->fp->regs->pc), at jsobj.c:3477

Jesse Ruderman

Reporter

Comment 2

•

17 years ago

See bug 424311 for another way to trigger this assertion.

Brendan Eich [:brendan]

Comment 3

•

17 years ago

The shell uses JS_ResolveStandardClass even when JSRESOLVE_ASSIGNING, which is a bug, but not the bug. This means each delete eval reference will resolve via the JSOP_BINDNAME bytecode the 'eval' identifier. This somehow results in a 16-deep prototype chain being created. I didn't have time to debug fully, but it appeared as though js_InitFunctionAndObjectClasses etc. were not suppressing recursion or otherwise being idempotent as before. Igor, could the function changes have broken how JSProto_Function is initialized? /be

Jesse Ruderman

Reporter

Comment 4

•

17 years ago

WFM.

Status: NEW → RESOLVED

Closed: 17 years ago

Flags: in-testsuite?

Resolution: --- → WORKSFORME

Bob Clary [:bc] (inactive)

Comment 5

•

17 years ago

Attached file js1_5/extensions/regress-416834.js (deleted) — Details

BUGNUMBER: 416834 STATUS: Do not assert: !entry || entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1) ? (jsbytecode *) JSID_TO_ATOM(id) : cx->fp->pc) Assertion failure: entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1) ? (jsbytecode *) JSID_TO_ATOM(id) : cx->fp->regs->pc), at jsobj.c:3491 Aborted

Bob Clary [:bc] (inactive)

Updated

•

17 years ago

Status: RESOLVED → REOPENED

Flags: blocking1.9?

Resolution: WORKSFORME → ---

Igor Bukanov

Updated

•

17 years ago

Assignee: general → igor

Status: REOPENED → NEW

Damon Sicore (:damons)

Comment 6

•

17 years ago

Why would someone delete eval happen 16 times? Do we know if this is exploitable? Does this only happen if you are fuzzing? Need more info here if we're to block on this.

Flags: blocking1.9? → blocking1.9-

Damon Sicore (:damons)

Comment 7

•

17 years ago

Marking this blocking 1.9 as it should definitely block final based on conversation with Brendan.

Flags: blocking1.9- → blocking1.9+

Brendan Eich [:brendan]

Updated

•

17 years ago

Depends on: 352604

Brian Crowder

Comment 8

•

17 years ago

Attached patch wallpaper (obsolete) (deleted) — Details — Splinter Review

I don't understand this code well enough to know whether this is simply wallpaper or not. It does fix the assertion.

Attachment #314597 - Flags: review?(brendan)

Blake Kaplan (:mrbkap) (inactive)

Assignee

Comment 9

•

17 years ago

Attached patch Alternative (deleted) — Details — Splinter Review

This is an alternative that avoids the assertion. It adds the entry nulling into the most central place.

Assignee: igor → mrbkap

Attachment #314597 - Attachment is obsolete: true

Status: NEW → ASSIGNED

Attachment #314626 - Flags: review?(brendan)

Attachment #314597 - Flags: review?(brendan)

Brian Crowder

Comment 10

•

17 years ago

If we're choosing wallpaper, I think I like mrbkap's better. :)

Brendan Eich [:brendan]

Comment 11

•

17 years ago

Comment on attachment 314626 [details] [diff] [review] Alternative Yeah, my bad -- thanks for fixing. Safe 1.9-ready fix. /be

Attachment #314626 - Flags: review?(brendan)

Attachment #314626 - Flags: review+

Attachment #314626 - Flags: approval1.9?

Mike Beltzner [:beltzner, not reading bugmail]

Comment 12

•

17 years ago

Comment on attachment 314626 [details] [diff] [review] Alternative a1.9=beltzner

Attachment #314626 - Flags: approval1.9? → approval1.9+

Blake Kaplan (:mrbkap) (inactive)

Assignee

Updated

•

17 years ago

Keywords: checkin-needed

Blake Kaplan (:mrbkap) (inactive)

Assignee

Updated

•

17 years ago

Blocks: 428366

Brian Crowder

Comment 13

•

17 years ago

jsinterp.c:3.490

Status: ASSIGNED → RESOLVED

Closed: 17 years ago → 17 years ago

Keywords: checkin-needed

Resolution: --- → FIXED

Jesse Ruderman

Reporter

Comment 14

•

17 years ago

Patch for the underlying problem in bug 428366.

Bob Clary [:bc] (inactive)

Comment 15

•

17 years ago

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-416834.js,v <-- regress-416834.js initial revision: 1.1

Flags: in-testsuite?

Flags: in-testsuite+

Flags: in-litmus-

Bob Clary [:bc] (inactive)

Comment 16

•

17 years ago

v 1.9.0

Status: RESOLVED → VERIFIED

Bob Clary [:bc] (inactive)

Comment 17

•

17 years ago

/cvsroot/mozilla/js/tests/public-failures.txt,v <-- public-failures.txt new revision: 1.68; previous revision: 1.67

You need to log in before you can comment on or make changes to this bug.