Closed
Bug 156354
Opened 23 years ago
Closed 22 years ago
Crash on propertyIsEnumerable()
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.0.1
People
(Reporter: zack-weg, Assigned: brendan)
References
Details
(Keywords: crash, js1.5, testcase)
Attachments
(3 files)
|
157 bytes,
text/html
|
Details | |
|
543 bytes,
patch
|
brendan
:
review+
brendan
:
superreview+
dbaron
:
approval+
|
Details | Diff | Splinter Review |
|
1.21 KB,
patch
|
shaver
:
review+
|
Details | Diff | Splinter Review |
propertyIsEnumerable() crashs if the property does not exist.
Build 2002070813, Linux.
|
||
Comment 2•23 years ago
|
||
confirming using build 2002070804 on Win2k (trunk): TB8117842Y.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: PC → All
Whiteboard: Need TB8117842Y data
|
||
Comment 3•23 years ago
|
||
Reassigning to Brendan and adding js1.5 keyword. The following
line causes the crash in the JS shell:
js> this.propertyIsEnumerable('XYZ');
WINNT STACK TRACE:
obj_propertyIsEnumerable(JSContext * 0x00301d60, JSObject * 0x002fb340, unsigned
int 1, long * 0x0042106c, long * 0x0012e30c) line 1187 + 3 bytes
js_Invoke(JSContext * 0x00301d60, unsigned int 1, unsigned int 0) line 788 + 23
bytes
js_Interpret(JSContext * 0x00301d60, long * 0x0012fed8) line 2743 + 15 bytes
js_Execute(JSContext * 0x00301d60, JSObject * 0x002fb340, JSScript * 0x00306250,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 968 + 13
bytes
JS_ExecuteScript(JSContext * 0x00301d60, JSObject * 0x002fb340, JSScript *
0x00306250, long * 0x0012fed8) line 3274 + 25 bytes
Process(JSContext * 0x00301d60, JSObject * 0x002fb340, char * 0x00000000) line
371 + 22 bytes
ProcessArgs(JSContext * 0x00301d60, JSObject * 0x002fb340, char * * 0x00300054,
int 0) line 529 + 17 bytes
main(int 0, char * * 0x00300054) line 2129 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1b9ea()
Note: I looked up Olivier's Talkback incident TB8117842Y,
and found the stack trace there to be pretty similar -
|
Assignee | |
Comment 4•23 years ago
|
||
My fault, clumsy fix to old mccabe code that leaked a ref-counted property.
/be
|
|
Assignee | |
Comment 5•23 years ago
|
||
Comment on attachment 90577 [details] [diff] [review]
trivial fix
I received tachyon transmissions from 20 minutes from now saying r=khanson,
sr=shaver.
/be
Attachment #90577 -
Flags: superreview+
Attachment #90577 -
Flags: review+
|
|
Assignee | |
Comment 6•23 years ago
|
||
Fixed in the trunk. Going for drivers' approval for the branch.
/be
Comment on attachment 90577 [details] [diff] [review]
trivial fix
Please land this on MOZILLA_1_0_BRANCH. Once there, replace the
"mozilla1.0.1+" keyword with the "fixed1.0.1" keyword.
Attachment #90577 -
Flags: approval+
Keywords: mozilla1.0.1 → mozilla1.0.1+
|
|
Assignee | |
Comment 8•23 years ago
|
||
Fixed on branch, too.
/be
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Keywords: mozilla1.0.1+ → fixed1.0.1
Resolution: --- → FIXED
|
|
||
Comment 9•22 years ago
|
||
Testcase added to JS testsuite:
mozilla/js/tests/js1_5/Regress/regress-156354.js
|
|
||
Comment 10•22 years ago
|
||
Reopening bug -
I do not crash on the given HTML testcase, but I get the same
crash as in Comment #3 if I do this in the JS shell:
js> this.propertyIsEnumerable('XYZ');
WINNT STACK TRACE:
obj_propertyIsEnumerable(JSContext * 0x00301d60, JSObject * 0x002fb340, unsigned
int 1, long * 0x0042106c, long * 0x0012e308) line 1196 + 23 bytes
js_Invoke(JSContext * 0x00301d60, unsigned int 1, unsigned int 0) line 839 + 23
bytes
js_Interpret(JSContext * 0x00301d60, long * 0x0012fed8) line 2803 + 15 bytes
js_Execute(JSContext * 0x00301d60, JSObject * 0x002fb340, JSScript * 0x003051a0,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 1020 + 13 bytes
JS_ExecuteScript(JSContext * 0x00301d60, JSObject * 0x002fb340, JSScript *
0x003051a0, long * 0x0012fed8) line 3277 + 25 bytes
Process(JSContext * 0x00301d60, JSObject * 0x002fb340, char * 0x00000000) line
369 + 22 bytes
ProcessArgs(JSContext * 0x00301d60, JSObject * 0x002fb340, char * * 0x00300054,
int 0) line 508 + 17 bytes
main(int 0, char * * 0x00300054) line 2108 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1b9ea()
Similarly, the newly-added JS shell testcase is crashing.
Here is the crashpoint in the top frame of the stack trace:
if (prop &&
obj2 != obj &&
!(OBJ_IS_NATIVE(obj2) &&
SPROP_IS_SHARED_PERMANENT((JSScopeProperty *)prop))) {
OBJ_DROP_PROPERTY(cx, obj2, prop);
*rval = JSVAL_FALSE;
return JS_TRUE;
}
ok = OBJ_GET_ATTRIBUTES(cx, obj2, id, prop, &attrs); <<<----- CRASHES HERE
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 11•22 years ago
|
||
Brainfart, sorry. This is a diff -wu, BTW.
/be
|
||
Comment 12•22 years ago
|
||
Comment on attachment 99439 [details] [diff] [review]
proposed fix
r=shaver.
Attachment #99439 -
Flags: review+
|
|
Assignee | |
Comment 13•22 years ago
|
||
Fixed, for good.
/be
Status: REOPENED → RESOLVED
Closed: 23 years ago → 22 years ago
Resolution: --- → FIXED
|
|
||
Comment 14•22 years ago
|
||
Verified FIXED.
The new testcase passes, and the JS testsuite passes.
I checked this in the debug/optimized JS shell on WinNT -
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.1
|
|
||
Comment 15•22 years ago
|
||
I should add, this is fixed on the trunk only, not on MOZILLA_1_0_BRANCH -
|
|
Assignee | |
Comment 16•22 years ago
|
||
No bugs since mid-July (IIRC) have been fixed on the 1.0 branch. I proposed in
some number of bugs that we land the 1.5 engine from the trunk onto the branch
after doing another Release Candidate.
/be
|
||
Updated•20 years ago
|
Flags: testcase+
You need to log in
before you can comment on or make changes to this bug.
Description
•