Bugzilla@Mozilla – Bug 356378
"invalid getter usage" or assertion failure with "var x; x getter= function () { };"
Last modified: 2008-08-16 04:00:42 PDT
Summon comment box
js> (function() { var x; x getter= function () { }; })() Opt: typein:1: SyntaxError: invalid getter usage (Why?) Debug: Assertion failure: 0, at jsinterp.c:5128
JSOP_GETTER and JSOP_SETTER don't handle the optimized forms (getarg, getvar, getlocal, etc). My first inclination is to deoptimize variables (introduced by let or var) that have getters stuck on them, and treat them as name lookups from the point of the getter onwards. This would involve grabbing the scope chain for let variables (and somehow making sure that we don't accidentally bind the name to the slot again in that scope). The "invalid getter usage" is because we never set rval in the JSOP_GETTER case, and it happens to contain a primitive value when we run that code.
This assertion failure is one of the more frequent for jsfunfuzz to hit nowadays.
The procedure in comment 1 sounds like a lot of work just to make the fuzzer happy about a language construct that was deprecated over seven years ago. I'd like to point out that so far there hasn't been a single bug filed about the fact that specifying getters or setters for local variables or function arguments doesn't work at all. Wouldn't the better way to fix this bug be to finally remove support for [g|s]etter= , or even [g|s]etter altogether?
Brendan: blocking1.9 with a target milestone of beta4 means that this blocks shipment of beta4. If you don't think that's necessary, please change the TM to "mozilla1.9".
Brendan: I can take this to create a patch that throws a syntax error at the compile time for var getter and friends.
Igor, thanks. /be
Does this bug require a beta vector or is it safe to ship in an RC? Just want to make sure it's on the right list.
jsfunfuzz hits this about once an hour, but it doesn't really need to be a Gecko 1.9 blocker.
Based on comment 8 taking off the list...
Created attachment 311242 [details] [review] v1 The patch changes the emitter to throw an exception when it detects unsupported getter/setter usage.
Marking the bug as security sensitive as the bug effectively means misinterpreting the values on the stack. On 1.8 branch the bug is also a GC hazard.
Nominating for 1.9 as this is security hazard.
Comment on attachment 311242 [details] [review] v1 Thanks (especially for that second hunk -- not sure what I was thinking there!). /be
Comment on attachment 311242 [details] [review] v1 a=beltzner
I checked in the patch from the comment 10 to the trunk: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1206365580&maxdate=1206365632&who=igor%25mir2.org
Nominating for 1.8 branch
Created attachment 312526 [details] js1_5/extensions/regress-356378.js
v 1.9.0
Created attachment 322858 [details] [review] fix for 18 branch The patch is straightforward backport to 1.8 branch
Created attachment 322860 [details] diff between 1.9 and 1.8 versions of the fix
Comment on attachment 322858 [details] [review] fix for 18 branch Thanks, looks good. /be
Comment on attachment 322858 [details] [review] fix for 18 branch Approved for 1.8.1.15, a=dveditz for release-drivers
I checked in the patch from the comment 19 to the MOZILLA_1_8_BRANCH: Checking in jsemit.c; /cvsroot/mozilla/js/src/jsemit.c,v <-- jsemit.c new revision: 3.128.2.76; previous revision: 3.128.2.75 done
On the 1.8.1 branch the original assert reported in comment 0 is gone but there is a new one: on 2008-06-05 the assert was Assertion failure: op2 == JSOP_INITELEM, at jsinterp.c:5132 on 2008-06-08 the assert changed to Assertion failure: !ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT, at jsscan.c:572 removed fixed1.8.1.15 or file a different bug?
(In reply to comment #24) > removed fixed1.8.1.15 or file a different bug? This is the result of the bad backport: I did not see the bug with the standalone testcase from the commnet 1, only the full test case exposes it. The bug is that I have used: js_ReportCompileErrorNumber(cx, pn2, JSREPORT_ERROR, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ JSMSG_BAD_GETTER_OR_SETTER, (op == JSOP_GETTER) ? js_getter_str : js_setter_str); when it should be: js_ReportCompileErrorNumber(cx, pn2, JSREPORT_PN | JSREPORT_ERROR, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ JSMSG_BAD_GETTER_OR_SETTER, (op == JSOP_GETTER) ? js_getter_str : js_setter_str); The result of this regression is the reinterpretation of JSParseNode as JSTokenStream. If it is not too late I would like to back out the patch and check in the proper fix.
We're going to take this on the relbranch for 1.8.1.15. Details to follow. Marking this as blocking1.8.1.16 so we make sure we get it in both places.
Created attachment 324843 [details] [review] one-liner fix for 1.8.1 regression This is trivial correctness fix for the regression. The current plan is to land it to 1.8.1.15 release branch, then back out the broken fix from 1.8.1, then create a new patch with the fix included, and then check it in to 1.8.1 branch.
Comment on attachment 324843 [details] [review] one-liner fix for 1.8.1 regression approved for 1.8.1.15, a=dveditz for release-drivers Since we've already branched for release this will need to land on BOTH the MOZILLA_1_8_BRANCH and GECKO181_20080612_RELBRANCH. when landed please add both fixed1.8.1.15 and fixed1.8.1.16 so we can track and QA both builds.
I checked in the one-liner patch from the comment 27 to GECKO181_20080612_RELBRANCH: Checking in jsemit.c; /cvsroot/mozilla/js/src/jsemit.c,v <-- jsemit.c new revision: 3.128.2.77.2.1; previous revision: 3.128.2.77 done
I backed out the patch from the comment 19 from MOZILLA_1_8_BRANCH: Checking in jsemit.c; /cvsroot/mozilla/js/src/jsemit.c,v <-- jsemit.c new revision: 3.128.2.78; previous revision: 3.128.2.77 done
Created attachment 324847 [details] [review] fix for 18 branch with the extra regression fix included Here comes a patch that I should create in the first place for MOZILLA_1_8_BRANCH
I re-landed the update patch from the comment 31 to MOZILLA_1_8_BRANCH: Checking in jsemit.c; /cvsroot/mozilla/js/src/jsemit.c,v <-- jsemit.c new revision: 3.128.2.79; previous revision: 3.128.2.78 done
js1_5/extensions/regress-356378.js passed on GECKO181_20080612_RELBRANCH and MOZILLA_1_8_BRANCH on linux for shell|browser, opt|debug verified1.8.1.15, verified1.8.1.16
Comment on attachment 324847 [details] [review] fix for 18 branch with the extra regression fix included >Index: jsemit.c >+ // FALL THROUGH Someone pointed out in one of the newsgroups that this isn't valid C.
What's invalid about it? C permits inter-case fall-through, and always has. I'm pretty sure they didn't make it illegal in C99, since huge amounts of code would break. (C99 also introduces C++-style //-to-EOL comments, if that's what you're referring to.)
It would, though, be the only use of a C99/C++-style comment anywhere in spidermonkey. There must have once been a reason for this prevailing style? Perhaps we should adhere to it, at least for non-mozilla-central-only patches?
Yeah, there was once a goal of compiling with C compilers that didn't support that comment syntax; I don't think that goal remains (nor could I easily name such a compiler with which we currently compile otherwise). Still just guessing what Neil was referring to, of course. :)
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-356378.js,v <-- regress-356378.js initial revision: 1.1 changeset: 15652:59d04267975b
(In reply to comment #35) > What's invalid about it? C permits inter-case fall-through, and always has. > I'm pretty sure they didn't make it illegal in C99, since huge amounts of code > would break. (C99 also introduces C++-style //-to-EOL comments, if that's what > you're referring to.) MOZILLA_1_8_BRANCH is still supported on pre-C99 compiler as VisualAge 5.0.2+fixes on AIX 4.3.3 or older HP-UX compilers. see bug 450865 GCC and MSVC are accepting C++ style for decades, but that's not ANSI C89 conforming.