Comment #1 on issue 242 by kripkensteinr: getters/setters (__defineGetter__, __defineSetter__) fail if property name is "0"
http://code.google.com/p/v8/issues/detail?id=242
After a little more investigation here, it turns out that this issue can actually be used to crash V8, with e.g. the following code:
-----------
Vec3 = function() {
    // Accessor properties keyed by array-index names ("0", "1", "2"),
    // backed by the ordinary fields x, y and z.
    this.__defineGetter__("0", function() { return this.x; });
    this.__defineGetter__("1", function() { return this.y; });
    this.__defineGetter__("2", function() { return this.z; });
    this.__defineSetter__("0", function(value) { this.x = parseFloat(value); });
    this.__defineSetter__("1", function(value) { this.y = parseFloat(value); });
    this.__defineSetter__("2", function(value) { this.z = parseFloat(value); });
    this.__defineGetter__("length", function() { return 3; }); // Necessary
};
var v = new Vec3();
// Element writes that go through the index-keyed setters above.
v[0] = 10;
v[1] = 20;
v[2] = 40;
-----------
Note that this is sensitive: small changes to the code can make it stop crashing.
I'm running on Linux (Ubuntu 8.10). The crash output I get is:
#
# Fatal error in src/objects-inl.h, line 1295
# CHECK(!Heap::InNewSpace(desc->GetValue())) failed
#
==== Stack trace ============================================
Security context: 0xb5800181 <JS Object>#0#
1: /* anonymous */(this=0xb58001b5 <JS Global Object>#1#)
==== Details ================================================
[1]: /* anonymous */(this=0xb58001b5 <JS Global Object>#1#) {
// stack-allocated locals
var .result = 0xb58ba135 <undefined>
// expression stack (top to bottom)
[04] : 0xb54266b9 <JS Object>#2#
[03] : 40
[02] : 2
[01] : 0xb54266b9 <JS Object>#2#
--------- s o u r c e c o d e ---------
Vec3 = function() {? this.__defineGetter__("0", function() { return
this.x; });?
this.__defineGetter__("1", function() { return this.y; });?
this.__defineGetter__("2", function() { return this.z; });??
this.__defineSetter__("0", function(value) { this.x = parseFloat(value);
});? this....
-----------------------------------------
}
==== Key ============================================
#0# 0xb5800181: 0xb5800181 <JS Object>
v: 0xb54266b9 <JS Object>#2#
NaN: 0xb58ba875 <Number: nan>
Math: 0xb5415bc5 <a MathConstructor>>#3#
Infinity: 0xb58bbee5 <Number: inf>
undefined: 0xb58ba135 <undefined>
__MODULE_SOURCE: 0xb58bf8ed <String[22]: intensity/V8crasher.js>
#1# 0xb58001b5: 0xb58001b5 <JS Global Object>
#2# 0xb54266b9: 0xb54266b9 <JS Object>
#3# 0xb5415bc5: 0xb5415bc5 <a MathConstructor>>
E: 0xb58be175 <Number: 2.718281828459045>
PI: 0xb58be1b1 <Number: 3.141592653589793>
LN2: 0xb58be18d <Number: 0.6931471805599453>
LN10: 0xb58be181 <Number: 2.302585092994046>
SQRT2: 0xb58be1c9 <Number: 1.414213562373095>
LOG2E: 0xb58be199 <Number: 1.442695040888963>
LOG10E: 0xb58be1a5 <Number: 0.4342944819032518>
SQRT1_2: 0xb58be1bd <Number: 0.7071067811865476>
=====================
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
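The behaviour issue 242 reports as broken is that accessors keyed by array-index names ("0", "1", "2") should work exactly like accessors keyed by ordinary names. The following is an added regression check, not code from the comment above or from V8: it builds the same kind of array-like vector through both the legacy __defineGetter__/__defineSetter__ API and Object.defineProperty, writes through the index-keyed setters (including a string value the setter must coerce), and reports what the engine actually did so the result can be asserted on. The names makeVec3 and checkIndexedAccessors are this example's own.

```javascript
// Added example (not from the issue comment or from V8): check that accessor
// properties keyed by array-index names behave like named accessors.

// Build a Vec3-style array-like object. With useLegacyApi the accessors are
// installed via __defineGetter__/__defineSetter__ as in the crasher; otherwise
// via the standard Object.defineProperty.
function makeVec3(useLegacyApi) {
  const v = { x: 0, y: 0, z: 0 };
  const fields = ['x', 'y', 'z'];
  fields.forEach((field, i) => {
    const key = String(i);                                   // "0", "1", "2"
    const get = function () { return this[field]; };
    const set = function (value) { this[field] = parseFloat(value); };
    if (useLegacyApi) {
      v.__defineGetter__(key, get);
      v.__defineSetter__(key, set);
    } else {
      Object.defineProperty(v, key, { get, set, enumerable: true, configurable: true });
    }
  });
  // Array-like length so generic Array.prototype methods can walk the object.
  Object.defineProperty(v, 'length', { get() { return 3; } });
  return v;
}

// Exercise the index-keyed accessors and return a summary of the observed
// behaviour rather than printing it, so a caller can assert on each point.
function checkIndexedAccessors(useLegacyApi) {
  const v = makeVec3(useLegacyApi);
  v[0] = 10;
  v[1] = '20.5';   // string input: the setter must coerce it with parseFloat
  v[2] = 40;

  const desc = Object.getOwnPropertyDescriptor(v, '0');
  return {
    // The setters ran and stored into the backing fields.
    backing: [v.x, v.y, v.z],
    // Element reads are routed through the getters.
    elements: [v[0], v[1], v[2]],
    // The write did not replace the accessor with a plain data property.
    isAccessor: typeof desc.get === 'function' && typeof desc.set === 'function',
    // Array-like iteration via the length getter also sees accessor values.
    viaSlice: Array.prototype.slice.call(v),
  };
}
```

On an engine where index-keyed accessors work, both calls return backing and element arrays of [10, 20.5, 40] and report the "0" property as still being an accessor; an engine with the bug described in issue 242 would diverge on one of these points.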