Status: New
Owner: ----

New issue 1121 by [email protected]: getOwnPropertyNames can trigger "CHECK(object->IsJSObject()) failed"
http://code.google.com/p/v8/issues/detail?id=1121

This snippet:
--
Array.prototype.__proto__ = null; // sets the prototype of Array.prototype to null, so an array's prototype chain now ends at Array.prototype
Object.getOwnPropertyNames([]); // calls the native getOwnPropertyNames on an empty array; per the trace below (v8natives.js:723) this is the frame in which CHECK(object->IsJSObject()) fails
--

Fails a CHECK and aborts (d8 debug build, OS X):

#
# Fatal error in src/objects-inl.h, line 1741
# CHECK(object->IsJSObject()) failed
#


==== Stack trace ============================================

Security context: 0x87405d <undefined>
1: getOwnPropertyNames [native v8natives.js:723] (this=0xa97799 <JS Function Object>#0#,a=0x20735a5 <JS array[0]>#1#)
    2: /* anonymous */ [../test.js:4] (this=0xa97999 <JS Global Object>#2#)

==== Details ================================================

[1]: getOwnPropertyNames [native v8natives.js:723] (this=0xa97799 <JS Function Object>#0#,a=0x20735a5 <JS array[0]>#1#) {
  // stack-allocated locals
  var e = 0x87405d <undefined>
  var d = 0x87405d <undefined>
  var c = 0x87405d <undefined>
  var h = 0x87405d <undefined>
  var b = 0x20735c5 <JS array[0]>#3#
  var g = 0x87405d <undefined>
  var f = 0x87405d <undefined>
  // expression stack (top to bottom)
  [08] : 0x20735e1 <JS array[1]>#4#
  [07] : 0x20735c5 <JS array[0]>#3#
--------- s o u r c e   c o d e ---------
function getOwnPropertyNames(a){?if(!(%_IsSpecObject(a)))?throw MakeTypeError("obj_ctor_property_non_object",["getOwnPropertyNames"]);?????var b=%GetLocalElementNames(a);???if(%GetInterceptorInfo(a)&1){?var c=?%GetIndexedInterceptorElementNames(a);?if(c)?b=b.concat(c);?}?????b=b.concat(%GetLocalPropertyNames(a));????if(%GetInt...

-----------------------------------------
}

[2]: /* anonymous */ [../test.js:4] (this=0xa97999 <JS Global Object>#2#) {
  // stack-allocated locals
  var .result = 0x87405d <undefined>
--------- s o u r c e   c o d e ---------
??Array.prototype.__proto__ = null;?Object.getOwnPropertyNames([]);??
-----------------------------------------
}

==== Key         ============================================

 #0# 0xa97799: 0xa97799 <JS Function Object>
 #1# 0x20735a5: 0x20735a5 <JS array[0]>
 #2# 0xa97999: 0xa97999 <JS Global Object>
 #3# 0x20735c5: 0x20735c5 <JS array[0]>
 #4# 0x20735e1: 0x20735e1 <JS array[1]>
                 0: 0x874321 <String[6]: length>
=====================

Abort trap
