Closed Bug 361617 Opened 18 years ago Closed 18 years ago

Crash [@ js_ValueToSource] [@ js_Invoke] with getter, watch, GC

Product/Component: Core :: JavaScript Engine
Platform: PowerPC macOS
Type: defect
Priority: Not set
Severity: critical


RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: crowderbt)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Feeding this to the JavaScript shell as a file or by pasting it causes a crash.

// Old SpiderMonkey shell syntax: define a getter for the global property x from inside a function
(function() { this.x getter= function(){} })();
// Install a watchpoint on x whose handler is the shell's print() builtin
this.watch('x', print);
// Replace the getter while the watchpoint is still installed
this.x getter= function(){};
// Force a garbage collection (shell builtin)
gc();
// Remove the watchpoint, then read x to invoke the getter
this.unwatch('x');
x;

Sometimes the crash is js_Invoke dereferencing a random address:

0   js 	0x00094424 js_Invoke + 696 (jsinterp.c:1175)
1   js 	0x000955b4 js_InternalInvoke + 444 (jsinterp.c:1490)
2   js 	0x000958ec js_InternalGetOrSet + 552 (jsinterp.c:1550)
3   js 	0x000a8c10 js_Interpret + 72200 (jsinterp.c:4043)
4   js 	0x00095cd0 js_Execute + 960 (jsinterp.c:1643)
5   js 	0x000213a4 JS_ExecuteScript + 64 (jsapi.c:4194)
6   js 	0x00002e8c Process + 528 (js.c:233)
7   js 	0x00003bcc ProcessArgs + 2304 (js.c:490)
8   js 	0x0000a050 main + 640 (js.c:3098)
9   js 	0x00002368 _start + 340 (crt.c:272)
10  js 	0x00002210 start + 60

Sometimes the crash is js_ValueToSource jumping to 0x00000000:

Thread 0 Crashed:
0   <<00000000>> 	0x00000000 0 + 0
1   js 	0x0007e9f8 js_ValueToSource + 404 (jsstr.c:2701)
2   js 	0x0003f7ec js_DecompileValueGenerator + 3876 (jsopcode.c:4774)
3   js 	0x000574c4 js_ReportIsNotFunction + 220 (jsfun.c:2295)
4   js 	0x000953d4 js_Invoke + 4712 (jsinterp.c:1459)
5   js 	0x000955b4 js_InternalInvoke + 444 (jsinterp.c:1490)
6   js 	0x000958ec js_InternalGetOrSet + 552 (jsinterp.c:1550)
7   js 	0x000a8c10 js_Interpret + 72200 (jsinterp.c:4043)
8   js 	0x00095cd0 js_Execute + 960 (jsinterp.c:1643)
9   js 	0x000213a4 JS_ExecuteScript + 64 (jsapi.c:4194)
10  js 	0x00003004 Process + 904 (js.c:268)
11  js 	0x00003bcc ProcessArgs + 2304 (js.c:490)
12  js 	0x0000a050 main + 640 (js.c:3098)
13  js 	0x00002368 _start + 340 (crt.c:272)
14  js 	0x00002210 start + 60

I'm testing with the patches for bug 361552 and bug 361346.
Whiteboard: [sg:critical?]
Critical security bugs must have owners. If you can't work on this bug, help us find another active owner for it.
Assignee: general → crowder
I can't reproduce this anymore on the trunk.  Jesse, can you?
WFM on trunk (tested opt, debug, and way-too-much-gc).
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
How about the branches?  And is this interesting enough to track down the patch that fixed it to push there, if not?
WFM on gecko 1.8 and 1.8.0 branches (tested debug only).
Group: security
Flags: in-testsuite?
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-361617.js,v  <--  regress-361617.js
initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ js_ValueToSource] [@ js_Invoke]