Status: New
Owner: ----
New issue 186 by nth10sd: Crash [@ __kill]
http://code.google.com/p/v8/issues/detail?id=186
function f() { eval("var __proto__ = '';"); }
f();
crashes latest SVN checkout of v8 debug js shell. Seems to work as expected
in v8 js opt shell.
===
$ ./shell_g
V8 version 0.4.8 (candidate)
> function f() { eval("var __proto__ = '';"); }
f();
>
#
# Fatal error in src/runtime.cc, line 553
# CHECK(!context_ext->HasLocalProperty(*name)) failed
#
==== Stack trace ============================================
Security context: 0x1c0d449 <JS Object>#0#
1: /* anonymous */(this=0x1c0d47d <JS Global Object>#1#)
2: arguments adaptor frame: 1->0
3: f(this=0x1c0d47d <JS Global Object>#1#)
4: /* anonymous */(this=0x1c0d47d <JS Global Object>#1#)
==== Details ================================================
[1]: /* anonymous */(this=0x1c0d47d <JS Global Object>#1#) {
// stack-allocated locals
var .result = 0x1e00135 <undefined>
// expression stack (top to bottom)
[04] : 0
[03] : 0
[02] : 0x1e03551 <String[9]: __proto__>
[01] : 0x181ee71 <FixedArray[7]>#2#
--------- s o u r c e c o d e ---------
var __proto__ = '';
-----------------------------------------
}
[2]: arguments adaptor frame: 1->0 {
// actual arguments
[00] : 0x1e06e71 <String[19]: var __proto__ = '';> // not passed to
callee
}
[3]: f(this=0x1c0d47d <JS Global Object>#1#) {
// heap-allocated locals
var .arguments = 0x181ee5d <an Arguments>>#3#
var arguments = 0x181ee5d <an Arguments>>#3#
// expression stack (top to bottom)
[00] : 0x1c0f835 <JS Function>#4#
--------- s o u r c e c o d e ---------
function f() { eval("var __proto__ = '';"); }
-----------------------------------------
}
[4]: /* anonymous */(this=0x1c0d47d <JS Global Object>#1#) {
// stack-allocated locals
var .result = 0x1e00135 <undefined>
// expression stack (top to bottom)
[01] : 0x1e03e31 <String[1]: f>
--------- s o u r c e c o d e ---------
f();?
-----------------------------------------
}
==== Key ============================================
#0# 0x1c0d449: 0x1c0d449 <JS Object>
NaN: 0x1e03da5 <Number: nan>
Math: 0x180ed29 <a MathConstructor>>#5#
Infinity: 0x1e03f69 <Number: inf>
undefined: 0x1e00135 <undefined>
#1# 0x1c0d47d: 0x1c0d47d <JS Global Object>
#2# 0x181ee71: 0x181ee71 <FixedArray[7]>
0: 0x1c0f78d <JS Function f>#6#
1: 0x181ee71 <FixedArray[7]>#2#
2: 0
3: 0x181f0ed <JS Object>#7#
4: 0x1c0d449 <JS Object>#0#
5: 0x181ee5d <an Arguments>>#3#
6: 0x181ee5d <an Arguments>>#3#
#3# 0x181ee5d: 0x181ee5d <an Arguments>>
callee: 0x1c0f78d <JS Function f>#6#
length: 0
#4# 0x1c0f835: 0x1c0f835 <JS Function>
#5# 0x180ed29: 0x180ed29 <a MathConstructor>>
E: 0x1e055f9 <Number: 2.718281828459045>
PI: 0x1e05679 <Number: 3.141592653589793>
LN2: 0x1e05629 <Number: 0.6931471805599453>
LN10: 0x1e05611 <Number: 2.302585092994046>
SQRT2: 0x1e056b1 <Number: 1.414213562373095>
LOG2E: 0x1e05645 <Number: 1.442695040888963>
LOG10E: 0x1e05661 <Number: 0.4342944819032518>
SQRT1_2: 0x1e05695 <Number: 0.7071067811865476>
#6# 0x1c0f78d: 0x1c0f78d <JS Function f>
#7# 0x181f0ed: 0x181f0ed <JS Object>
=====================
Abort trap
$
Attachments:
crashlog-v8.txt 3.5 KB
--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
--~--~---------~--~----~------------~-------~--~----~
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
-~----------~----~----~----~------~----~------~--~---
