Bug 303277 - crash with a watchpoint for __proto__ property [@ js_SetProtoOrParent]

Opened 19 years ago; Closed 19 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED (mozilla1.8beta4)
People: Reporter: sync2d, Assigned: brendan
Keywords: crash, js1.5

Attachments (1 file):
patch, 3.58 KB; shaver: review+; brendan: approval1.8b4+
Description (reporter: sync2d)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050802 Firefox/1.0+

If the object has a watchpoint for the __proto__ property, the JavaScript engine will crash when __proto__ is set.

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=8054749

Reproducible: Always

Steps to Reproduce:
1. javascript: o={}; o.watch("__proto__", function(){return null;}); o.__proto__=null; void 0;

Actual Results: crash @ js3250.dll

Expected Results: no crash.
Comment 1 • 19 years ago

Assertion failure: (uint32)slot < JS_MIN(((obj)->map)->freeslot, ((obj)->map)->nslots), at c:/work/mozilla/builds/ff/trunk/mozilla/js/src/jsobj.c:357

+ cx 0x03b92610
- obj 0x03b39f18
  + map 0x03f39f38
  + slots 0x033217bc
+ pobj 0x00000000
  slot 7814838

NTDLL! 7c901230()
js_SetProtoOrParent(JSContext * 0x03b92610, JSObject * 0x03b39f18, unsigned long 7814838, JSObject * 0x00000000) line 357 + 72 bytes
obj_setSlot(JSContext * 0x03b92610, JSObject * 0x03b39f18, long 15629676, long * 0x00129874) line 181 + 21 bytes
js_watch_set(JSContext * 0x03b92610, JSObject * 0x03b39f18, long 15629676, long * 0x00129874) line 377 + 149 bytes
js_Interpret(JSContext * 0x03b92610, unsigned char * 0x03f3d0c2, long * 0x00129968) line 3301 + 1239 bytes
js_Execute(JSContext * 0x03b92610, JSObject * 0x03b3b0e0, JSScript * 0x03f3d070, JSStackFrame * 0x00000000, unsigned int 0, long * 0x00129a70) line 1403 + 19 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03b92610, JSObject * 0x03b3b0e0, JSPrincipals * 0x031a608c, const unsigned short * 0x03f37418, unsigned int 80, const char * 0x0319c2e8, unsigned int 1, long * 0x00129a70) line 3853 + 25 bytes
nsJSContext::EvaluateString(const nsAString_internal & {...}, void * 0x03b3b0e0, nsIPrincipal * 0x031a6088, const char * 0x0319c2e8, unsigned int 1, const char * 0x00000000, nsAString_internal * 0x00129cd0, int * 0x00129c74) line 1060 + 67 bytes
nsJSThunk::EvaluateScript(nsIChannel * 0x03f45828) line 255 + 90 bytes
nsJSChannel::InternalOpen(int 1, nsIStreamListener * 0x03f458c0, nsISupports * 0x00000000, nsIInputStream * * 0x00000000) line 508 + 30 bytes
nsJSChannel::AsyncOpen(nsJSChannel * const 0x03f16db8, nsIStreamListener * 0x03f458c0, nsISupports * 0x00000000) line 480
nsDocumentOpenInfo::Open(nsIChannel * 0x03f16db8) line 224 + 18 bytes
nsURILoader::OpenURI(nsURILoader * const 0x030c0a98, nsIChannel * 0x03f16db8, int 0, nsIInterfaceRequestor * 0x03bba808) line 915 + 19 bytes
nsDocShell::DoChannelLoad(nsIChannel * 0x03f16db8, nsIURILoader * 0x030c0a98) line 6751 + 63 bytes
nsDocShell::DoURILoad(nsIURI * 0x03f457c0, nsIURI * 0x00000000, int 1, nsISupports * 0x031a6088, const char * 0x00000000, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, int 1, nsIDocShell * * 0x00000000, nsIRequest * * 0x0012a1d0) line 6603 + 35 bytes
nsDocShell::InternalLoad(nsDocShell * const 0x03bba890, nsIURI * 0x03f457c0, nsIURI * 0x00000000, nsISupports * 0x00000000, unsigned int 1, const unsigned short * 0x03c48380, const char * 0x00000000, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, unsigned int 1, nsISHEntry * 0x00000000, int 1, nsIDocShell * * 0x00000000, nsIRequest * * 0x00000000) line 6376 + 97 bytes
nsDocShell::LoadURI(nsDocShell * const 0x03bba890, nsIURI * 0x03f457c0, nsIDocShellLoadInfo * 0x03d464e8, unsigned int 0, int 1) line 789 + 84 bytes
nsDocShell::LoadURI(nsDocShell * const 0x03bba8a0, const unsigned short * 0x03f3a6c8, unsigned int 0, nsIURI * 0x00000000, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 2821 + 38 bytes
XPTC_InvokeByIndex(nsISupports * 0x03bba8a0, unsigned int 8, unsigned int 5, nsXPTCVariant * 0x0012a620) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2119 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x0318e0a0, JSObject * 0x03b39ee8, unsigned int 5, long * 0x03d8e248, long * 0x0012a8f0) line 1350 + 14 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 5, unsigned int 0) line 1173 + 23 bytes
js_Interpret(JSContext * 0x0318e0a0, unsigned char * 0x03442beb, long * 0x0012b3a4) line 3463 + 15 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 2, unsigned int 6) line 1193 + 19 bytes
fun_apply(JSContext * 0x0318e0a0, JSObject * 0x03bcb5b8, unsigned int 2, long * 0x03d8e060, long * 0x0012b4e4) line 1589 + 15 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 2, unsigned int 0) line 1173 + 23 bytes
js_Interpret(JSContext * 0x0318e0a0, unsigned char * 0x03c37cf3, long * 0x0012bf98) line 3463 + 15 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 0, unsigned int 2) line 1193 + 19 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x03d87b40, nsXPCWrappedJS * 0x03d7e510, unsigned short 33, const nsXPTMethodInfo * 0x031ddc10, nsXPTCMiniVariant * 0x0012c2e8) line 1339 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03d7e510, unsigned short 33, const nsXPTMethodInfo * 0x031ddc10, nsXPTCMiniVariant * 0x0012c2e8) line 462
PrepareAndDispatch(nsXPTCStubBase * 0x03d7e510, unsigned int 33, unsigned int * 0x0012c398, unsigned int * 0x0012c388) line 117 + 31 bytes
SharedStub() line 147
nsAutoCompleteController::EnterMatch() line 1011
nsAutoCompleteController::HandleEnter(nsAutoCompleteController * const 0x03c95020, int * 0x0012c628) line 272
XPTC_InvokeByIndex(nsISupports * 0x03c95020, unsigned int 9, unsigned int 1, nsXPTCVariant * 0x0012c628) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2119 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x0318e0a0, JSObject * 0x03c7b5f8, unsigned int 0, long * 0x03d8df98, long * 0x0012c8f8) line 1350 + 14 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 0, unsigned int 0) line 1173 + 23 bytes
js_Interpret(JSContext * 0x0318e0a0, unsigned char * 0x03c3ac83, long * 0x0012d3ac) line 3463 + 15 bytes
js_Invoke(JSContext * 0x0318e0a0, unsigned int 1, unsigned int 2) line 1193 + 19 bytes
js_InternalInvoke(JSContext * 0x0318e0a0, JSObject * 0x03bcb5b8, long 62102848, unsigned int 0, unsigned int 1, long * 0x0012d5a4, long * 0x0012d5a0) line 1270 + 20 bytes
JS_CallFunctionValue(JSContext * 0x0318e0a0, JSObject * 0x03bcb5b8, long 62102848, unsigned int 1, long * 0x0012d5a4, long * 0x0012d5a0) line 3918 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x03bcb5b8, JSObject * 0x03b39d40, unsigned int 1, long * 0x0012d5a4, long * 0x0012d5a0) line 1400 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03ed0a50, nsIDOMEvent * 0x0319bb98) line 175 + 51 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * 0x03ece8f8, nsIDOMEvent * 0x0319bb98) line 499
nsXBLKeyEventHandler::HandleEvent(nsXBLKeyEventHandler * const 0x03c289a8, nsIDOMEvent * 0x0319bb98) line 144
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03c28b08, nsIDOMEvent * 0x0319bb98, nsIDOMEventTarget * 0x03ece8f8, unsigned int 4, unsigned int 4) line 1580 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03c198d0, nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, nsIDOMEventTarget * 0x03ece8f8, unsigned int 4, nsEventStatus * 0x0012ef30) line 1684
nsXULElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, unsigned int 4, nsEventStatus * 0x0012ef30) line 2201
nsXULElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, unsigned int 4, nsEventStatus * 0x0012ef30) line 2180
nsXULElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, unsigned int 4, nsEventStatus * 0x0012ef30) line 2180
nsGenericElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x0012e90c, unsigned int 7, nsEventStatus * 0x0012ef30) line 2074
nsHTMLInputElement::HandleDOMEvent(nsPresContext * 0x0321cf98, nsEvent * 0x0012f13c, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012ef30) line 1382 + 31 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f13c, nsIView * 0x03224ca0, unsigned int 1, nsEventStatus * 0x0012ef30) line 6357 + 64 bytes
PresShell::HandleEvent(PresShell * const 0x0321d79c, nsIView * 0x03224ca0, nsGUIEvent * 0x0012f13c, nsEventStatus * 0x0012ef30, int 1, int & 1) line 6193 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x03224ca0, nsGUIEvent * 0x0012f13c, int 0) line 2458
nsViewManager::DispatchEvent(nsViewManager * const 0x03224bf8, nsGUIEvent * 0x0012f13c, nsEventStatus * 0x0012f08c) line 2230 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f13c) line 174
nsWindow::DispatchEvent(nsWindow * const 0x03224d74, nsGUIEvent * 0x0012f13c, nsEventStatus & nsEventStatus_eIgnore) line 1171 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f13c) line 1192
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 13, long 1835009, unsigned int 0) line 3359 + 15 bytes
nsWindow::OnKeyDown(unsigned int 13, unsigned int 28, long 1835009) line 3497
nsWindow::ProcessMessage(unsigned int 256, unsigned int 13, long 1835009, long * 0x0012f6ac) line 4358 + 32 bytes
nsWindow::WindowProc(HWND__ * 0x000c02b2, unsigned int 256, unsigned int 13, long 1835009) line 1348 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x01352560) line 135
nsAppStartup::Run(nsAppStartup * const 0x013524c0) line 145 + 26 bytes
XRE_main(int 3, char * * 0x003f6fc0, const nsXREAppData * 0x0042101c kAppData) line 2219 + 35 bytes
main(int 3, char * * 0x003f6fc0) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Summary: crash with a watchpoint for __proto__ property → crash with a watchpoint for __proto__ property [@ js_SetProtoOrParent]
Comment 2 • 19 years ago (brendan, assignee)

Old bug, easy enough to fix. /be
Comment 3 • 19 years ago (brendan, assignee)

Asking shaver to review (soon, too!). This patch fixes two old bugs:

1. js_watch_set passed the "user" id, not the property id, to the watchpoint handler. The user id is what JSPropertyOp implementations see, and it differs from the property id precisely when SPROP_HAS_SHORTID is set in sprop->flags -- in that case, it's INT_TO_JSVAL(sprop->shortid). We must pass the correct userid to all JSPropertyOp implementations as the |id| formal, but we must not pass userid to the watchpoint handler or any high-level js_*Property object-op. Those all take the property id (propid for short), either as a jsval (ID_TO_VALUE(sprop->id)) or as a jsid (namely, sprop->id).

2. Fix the immediate problem here: prototype properties such as __proto__ that have a shortid were not being shadowed with a native property of the same id, flags, and shortid. To fix that, we must call js_DefineNativeProperty in JS_SetWatchPoint, not js_DefineProperty.

Fixing 2 exposed 1, so I fixed that too.

Timeless, if you could have a look, test, and whatever else you like, I'd appreciate it. Whoever gets this checked in wins a SpiderMonkey no-prize. /be
Attachment #191517 - Flags: review?(shaver)
Attachment #191517 - Flags: approval1.8b4+
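The following is an added example and not code from this bug, its patch, or SpiderMonkey. Object.prototype.watch was a non-standard SpiderMonkey extension that has since been removed, so the reporter's one-line repro does not run in current engines; watchProp below is a hypothetical stand-in written in standard JavaScript that keeps the old contract (handler(name, oldValue, newValue) is called on each assignment and its return value is what gets stored). It demonstrates the mechanics behind comment 3 in user-level terms: the __proto__ accessor lives on Object.prototype, so a watchpoint on it only intercepts anything if the watched object is given its own shadowing property, and the handler has to receive the property's id (its name), not some other identifier for the same slot. The helper names, the null-prototype test object and the expected values are all constructed for this example.

```javascript
// Added example, not code from bug 303277 or SpiderMonkey. watchProp is a
// hypothetical stand-in for the removed Object.prototype.watch: handler(name,
// oldValue, newValue) runs on every assignment and its return value is stored.
function watchProp(obj, name, handler) {
  const isProto = name === "__proto__";
  // Plain properties are moved into a closure slot. __proto__ is instead backed
  // by the object's real [[Prototype]], so reads and writes stay consistent with
  // Object.getPrototypeOf / Object.setPrototypeOf rather than a private copy.
  let slot = isProto ? undefined : obj[name];
  const read = () => (isProto ? Object.getPrototypeOf(obj) : slot);
  const write = (value) => {
    if (!isProto) {
      slot = value;
    } else if (value === null || typeof value === "object" || typeof value === "function") {
      // The real __proto__ setter silently ignores non-object values; do the same.
      Object.setPrototypeOf(obj, value);
    }
  };
  // This own accessor is the "shadowing property" from comment 3: without it,
  // `obj.__proto__ = x` would go straight to the inherited Object.prototype
  // accessor and the watchpoint would never see the write.
  Object.defineProperty(obj, name, {
    configurable: true,
    enumerable: !isProto,
    get: read,
    set(value) {
      // The handler gets the property name (the property id), never a
      // different internal id for the same slot.
      write(handler(name, read(), value));
    },
  });
  return obj;
}

// Mirrors the reporter's repro: watch __proto__ on a fresh object, then assign
// null. The handler records what it was called with and passes the new value
// through, so the prototype really changes.
function demoProtoWatch() {
  const calls = [];
  const o = {};
  watchProp(o, "__proto__", (name, oldValue, newValue) => {
    calls.push({ name, oldValue, newValue });
    return newValue;
  });
  o.__proto__ = null;
  return {
    calls,
    protoIsNull: Object.getPrototypeOf(o) === null,
    hasOwnShadow: Object.prototype.hasOwnProperty.call(o, "__proto__"),
  };
}

// A handler can also veto a write by returning the old value, which is the
// usual reason to set a watchpoint: here x only ever accepts numbers.
function demoVeto() {
  const o = { x: 1 };
  watchProp(o, "x", (name, oldValue, newValue) =>
    typeof newValue === "number" ? newValue : oldValue
  );
  o.x = 5;
  o.x = "not a number";
  return o.x;
}
```

demoProtoWatch() returns one recorded call with name "__proto__", oldValue Object.prototype and newValue null, with the object's prototype actually null afterwards and an own "__proto__" accessor shadowing the inherited one; demoVeto() returns 5 because the string assignment was rejected by the handler.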
Comment on attachment 191517 [details] [diff] [review] fix

r=shaver

Attachment #191517 - Flags: review?(shaver) → review+
Comment 6 • 19 years ago (brendan, assignee)

Fixed. /be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 7 • 19 years ago

Checking in regress-303277.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-303277.js,v <-- regress-303277.js
initial revision: 1.1
done
Flags: testcase+
Updated • 13 years ago

Crash Signature: [@ js_SetProtoOrParent]