Closed
Bug 630865
Opened 14 years ago
Closed 14 years ago
TM: Assertion failure: slot < capacity, at ../jsobj.h:658
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: jandem, Assigned: jorendorff)
References
Details
(4 keywords, Whiteboard: [sg:critical?][hardblocker][fixed-in-tracemonkey][has patch])
Attachments
(3 files)
(deleted),
patch
|
jorendorff
:
review-
|
Details | Diff | Splinter Review |
(deleted),
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
Function.prototype strikes again:
--
Function.prototype.__defineSetter__('prototype', function() { });
for(var i=0; i<20; i++) {
new Function.prototype();
}
--
Asserts with -j:
Assertion failure: slot < capacity, at ../jsobj.h:658
Reporter | ||
Comment 1•14 years ago
|
||
This does not crash in a release build, but the assert seems a bit scary. Please remove the security-sensitive flag if it's harmless.
Reporter | ||
Comment 2•14 years ago
|
||
The first bad revision is:
changeset: 54760:caa8bfd6f9b1
user: Brendan Eich <brendan@mozilla.org>
date: Sun Oct 03 22:46:39 2010 -0700
summary: Per ECMA-262, no .prototype for built-in functions and Function.prototype (445319, r=Waldo).
In revisions before this it throws TypeError: can't redefine non-configurable property 'prototype'
Blocks: 445319
Reporter | ||
Comment 3•14 years ago
|
||
Here's a version with defineProperty instead of __defineSetter__.
--
Object.defineProperty(Function.prototype, "prototype", {set:function(){}});
for(var i=0; i<20; i++) {
new Function.prototype();
}
Comment 4•14 years ago
|
||
Jason, still sick here, need your brain: js_CreateThisFromTrace looks wrong on a couple of counts:
* Unlike js_CreateThis, it does not get ctor.prototype using the full, resolving, prototype search, including calling a getter.
* If it did, or even as is (due to the later conditioanl js_SetClassPrototype call), it might deep bail. But the jstracer.cpp code that emits LIR to call js_CreateThisFromTrace does not prepare.
/be
Assignee | ||
Updated•14 years ago
|
Assignee: general → jorendorff
Comment 5•14 years ago
|
||
Please keep this hidden.
Updated•14 years ago
|
blocking2.0: --- → ?
Keywords: regression
Comment 6•14 years ago
|
||
This seems to be 64-bit only.
Updated•14 years ago
|
blocking2.0: ? → betaN+
Whiteboard: [sg:critical?][hardblocker]
Comment 7•14 years ago
|
||
What ho, this seems to be a simple case of a slotless shape.
Attachment #510435 -
Flags: review?(jorendorff)
Updated•14 years ago
|
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker][has patch]
Assignee | ||
Comment 8•14 years ago
|
||
Comment on attachment 510435 [details] [diff] [review]
fix
I don't think that's correct. ES5 requires that we actually call the .prototype getter in this case.
I think the answer is to refuse to record if the function doesn't have its own permanent .prototype property. I'm done with watchpoints for now, touch wood, so I can fix this tomorrow morning.
Attachment #510435 -
Flags: review?(jorendorff) → review-
Assignee | ||
Comment 9•14 years ago
|
||
The interpreter creates |this| in JSOP_NEW.
The tracer creates |this| in record_EnterFrame, which isn't called until the new frame has already been pushed and cx->regs->pc is pointing to the first instruction of the callee.
Therefore the whole of record_EnterFrame, and the code that creates |this| in particular MUST NOT bail out to the interpreter. If it does, nobody will create |this|.
Whiteboard: [sg:critical?][hardblocker][has patch] → [sg:critical?][hardblocker]
Assignee | ||
Comment 10•14 years ago
|
||
It turned out to be straightforward to move the CreateThis code from TR::record_EnterFrame to TR::interpretedFunctionCall.
Assignee | ||
Comment 11•14 years ago
|
||
Attachment #511490 -
Flags: review?(dvander)
Updated•14 years ago
|
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker][has patch]
Comment on attachment 511490 [details] [diff] [review]
v1
Thanks for getting rid of the constructing-jsnative-non-ctor case.
Attachment #511490 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 13•14 years ago
|
||
Whiteboard: [sg:critical?][hardblocker][has patch] → [sg:critical?][hardblocker][fixed-in-tracemonkey]
Updated•14 years ago
|
Whiteboard: [sg:critical?][hardblocker][fixed-in-tracemonkey] → [sg:critical?][hardblocker][fixed-in-tracemonkey][has patch]
Comment 14•14 years ago
|
||
Comment on attachment 511490 [details] [diff] [review]
v1
>+ /*
>+ * ECMA (15.3.5.2) says that a user-defined function's .prototype property
>+ * is non-configurable, non-enumerable, and (initially) writable.
13.2 is the relevant clause, and it says
"18. Call the [[DefineOwnProperty]] internal method of F with arguments "prototype", Property Descriptor {[[Value]]: proto, { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: false}, and false."
15.3.5.2 restates this:
"This property has the attribute { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: false }."
Configurable being false equates to JSPROP_PERMANENT being clear, not set.
>... Hence
>+ * JSPROP_PERMANENT below. By contrast, the built-in constructors, such as
>+ * Object (15.2.3.1) and Function (15.3.3.1), have non-writable
>+ * .prototype properties. Those are eagerly defined, with attributes
>+ * JSPROP_PERMANENT | JSPROP_READONLY, in js_InitClass.
>+ */
>+ if (!js_SetClassPrototype(cx, obj, proto, JSPROP_PERMANENT))
Please file and fix.
/be
Comment 15•14 years ago
|
||
Urgh, pre-caffeine. Ignore comment 15 (I was thrown by the change from ES3 to Enumerable, and the whole Dont vs. Do change :-P).
/be
Comment 16•14 years ago
|
||
Attachment #512553 -
Flags: review?(jorendorff)
Assignee | ||
Comment 17•14 years ago
|
||
Comment on attachment 512553 [details] [diff] [review]
warning fixes
Thanks!
Attachment #512553 -
Flags: review?(jorendorff) → review+
Comment 18•14 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/432915db49a8
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 19•14 years ago
|
||
Warning fixes as followup push:
http://hg.mozilla.org/tracemonkey/rev/b7066265d596
cdlearybot take note!
/be
Comment 20•14 years ago
|
||
(In reply to comment #20)
> Warning fixes as followup push:
>
> http://hg.mozilla.org/tracemonkey/rev/b7066265d596
>
> cdlearybot take note!
Reopening (keeping fixed-in-tracemonkey on whiteboard) till this gets done, lest everyone forgets.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 21•14 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/b7066265d596
Updated•14 years ago
|
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Updated•14 years ago
|
Attachment #509556 -
Attachment description: Bug Bounty Nomination → Bug Bounty Awarded + 3000
Updated•14 years ago
|
Attachment #509556 -
Attachment description: Bug Bounty Awarded + 3000 → Bug Bounty Awarded + 3000 [paid]
Updated•12 years ago
|
Group: core-security
Comment 22•12 years ago
|
||
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
Updated•11 years ago
|
Flags: sec-bounty+
You need to log in
before you can comment on or make changes to this bug.
Description
•