Bug 79129 (Closed)
Crash in debug JS shell on property assignment and deletion
Opened 24 years ago; closed 24 years ago
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target milestone mozilla0.9.1
People: Reporter pschwartau, Assigned brendan
Details: Keywords crash, js1.5
Attachments (1 file): patch, 623 bytes
The following code crashes the debug JS shell (but not the optimized JS shell):
obj={};
obj.a = obj.b = obj.c = 1;
delete obj.a;
delete obj.b;
delete obj.c;
obj.d = obj.e = 1; <<<<<<<<<<<<<<< CRASHES HERE
NTDLL! 77f7629c()
js_AllocSlot(JSContext * 0x00301e80, JSObject * 0x002fb9f0, unsigned long *
0x0012e318) line 1763 + 35 bytes
js_NewScopeProperty(JSContext * 0x00301e80, JSScope * 0x0030fbd0, long 3197296,
int (JSContext *, JSObject *, long, long *)* 0x610056d8
JS_PropertyStub(JSContext *, JSObject *, long, long *), int (JSContext *,
JSObject *, long, long *)* 0x610056d8 JS_PropertyStub(JSContext *, JSObject *,
long, long *), unsigned int 1) line 506 + 20 bytes
js_SetProperty(JSContext * 0x00301e80, JSObject * 0x002fb9f0, long 3197296, long
* 0x0012ed4c) line 2427 + 29 bytes
js_Interpret(JSContext * 0x00301e80, long * 0x0012fed8) line 2551 + 1287 bytes
js_Execute(JSContext * 0x00301e80, JSObject * 0x002faf40, JSScript * 0x0030c770,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 992 + 13
bytes
JS_ExecuteScript(JSContext * 0x00301e80, JSObject * 0x002faf40, JSScript *
0x0030c770, long * 0x0012fed8) line 3183 + 25 bytes
Process(JSContext * 0x00301e80, JSObject * 0x002faf40, char * 0x003000d5) line
330 + 22 bytes
ProcessArgs(JSContext * 0x00301e80, JSObject * 0x002faf40, char * * 0x00300064,
int 6) line 481 + 17 bytes
main(int 6, char * * 0x00300064) line 2096 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1ba06()
Comment 1 (Reporter)•24 years ago
Testcase added to JS testsuite:
js/tests/ecma_3/Object/regress-79129-001.js
Comment 2 (Assignee)•24 years ago
Bogus assertion, more in a bit.
/be
Assignee: rogerl → brendan
Priority: -- → P1
Target Milestone: --- → mozilla0.9.1
Comment 3 (Assignee)•24 years ago
Comment 4 (Assignee)•24 years ago
The assertion was not so bogus as the ancient code that reduces nslots (stored
in map->nslots and obj->slots[-1]) in js_FreeSlot, which did not respect the
JS_INITIAL_NSLOTS macro as the minimum nslots value. Instead, it assumed that
setting nslots = freeslot + freeslot/2 would satisfy js_AllocSlot's assertion.
But for freeslot==3, nslots = 3 + 1 = 4, and JS_INITIAL_NSLOTS is 5. D'oh!
Looking for r= and sr=, this one is easy.
/be
Status: NEW → ASSIGNED
Keywords: mozilla0.9.1
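The shrink arithmetic comment 4 describes, replayed as an added C model (this is neither SpiderMonkey's source nor the patch attached to this bug). Only the names JS_INITIAL_NSLOTS, js_AllocSlot, js_FreeSlot, map->nslots and freeslot come from the bug; the starting freeslot of 3 (reserved slots), the grow-by-half policy, the shrink trigger and the exact predicate js_AllocSlot asserts are this example's assumptions. It runs the testcase's set/delete/set sequence once with the unbounded shrink rule and once with the JS_INITIAL_NSLOTS floor:

```c
/* Added example, not SpiderMonkey code: a model of the nslots bookkeeping
 * described in comment 4 of bug 79129. Assumptions (not from the bug):
 * slots 0..2 are reserved so freeslot starts at 3, the array grows by half
 * when full, js_FreeSlot shrinks whenever the shrunk size is smaller than
 * the current one, and js_AllocSlot asserts the predicate modelled below. */
#include <stdint.h>
#include <stdio.h>

#define JS_INITIAL_NSLOTS 5   /* minimum nslots named in comment 4 */
#define FIRST_FREE_SLOT   3   /* assumed number of reserved slots */

typedef struct {
    uint32_t nslots;    /* capacity: map->nslots, mirrored in obj->slots[-1] */
    uint32_t freeslot;  /* index of the next unused slot */
} SlotMap;

/* The old js_FreeSlot rule quoted in comment 4: no lower bound at all. */
uint32_t shrink_old(uint32_t freeslot)
{
    return freeslot + freeslot / 2;          /* freeslot 3 -> 4 */
}

/* The fix as comment 4 describes it: JS_INITIAL_NSLOTS is the floor. */
uint32_t shrink_fixed(uint32_t freeslot)
{
    uint32_t n = freeslot + freeslot / 2;
    return n < JS_INITIAL_NSLOTS ? JS_INITIAL_NSLOTS : n;   /* freeslot 3 -> 5 */
}

/* Assumed form of js_AllocSlot's assertion, as a predicate so the failure
 * can be observed by a caller instead of aborting the process. */
int alloc_precondition_holds(const SlotMap *m)
{
    return m->nslots >= JS_INITIAL_NSLOTS && m->freeslot <= m->nslots;
}

/* Model of js_AllocSlot: grow by half when full, hand out the next slot.
 * Returns 0 if the assertion would have fired first. */
static int alloc_slot(SlotMap *m)
{
    if (!alloc_precondition_holds(m))
        return 0;
    if (m->freeslot == m->nslots)
        m->nslots += m->nslots / 2;
    m->freeslot++;
    return 1;
}

/* Model of js_FreeSlot: release the last slot, shrink with the chosen rule. */
static void free_slot(SlotMap *m, uint32_t (*shrink)(uint32_t))
{
    uint32_t want;
    m->freeslot--;
    want = shrink(m->freeslot);
    if (want < m->nslots)
        m->nslots = want;
}

/* Replay the testcase: set a, b, c; delete a, b, c; set d, e.
 * Returns 1 if every allocation passed the precondition, 0 otherwise. */
int replay_testcase(int use_fix)
{
    SlotMap m = { JS_INITIAL_NSLOTS, FIRST_FREE_SLOT };
    uint32_t (*shrink)(uint32_t) = use_fix ? shrink_fixed : shrink_old;
    int i;

    for (i = 0; i < 3; i++)              /* obj.a = obj.b = obj.c = 1 */
        if (!alloc_slot(&m))
            return 0;
    for (i = 0; i < 3; i++)              /* delete obj.a; obj.b; obj.c */
        free_slot(&m, shrink);
    for (i = 0; i < 2; i++)              /* obj.d = obj.e = 1 */
        if (!alloc_slot(&m))
            return 0;                    /* old rule: nslots is 4 here */
    return 1;
}

int main(void)
{
    printf("old shrink rule:   %s\n", replay_testcase(0) ? "ok" : "assertion would fire");
    printf("fixed shrink rule: %s\n", replay_testcase(1) ? "ok" : "assertion would fire");
    return 0;
}
```

With the assumed policies, the three deletes take nslots from 7 to 6 to 4 under the old rule, so the very next property assignment enters js_AllocSlot with nslots below JS_INITIAL_NSLOTS, which is the arithmetic comment 4 points at; the floored rule stops at 5 and the same sequence allocates cleanly.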
Comment 5•24 years ago
r/sr/rs=jband.
Comment 6•24 years ago
r/sr=shaver
Comment 7 (Assignee)•24 years ago
In.
/be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 8 (Reporter)•24 years ago
Testcase passes on WinNT and Linux, in the debug and optimized JS shells.
Marking Verified -
Status: RESOLVED → VERIFIED