Bug 361617 - Crash [@ js_ValueToSource] [@ js_Invoke] with getter, watch, GC
Status: Closed (RESOLVED WORKSFORME)
Opened 18 years ago; closed 18 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: jruderman, Assigned: crowderbt
Keywords: crash, testcase; Whiteboard: [sg:critical?]
Description (Reporter)

Feeding this to the JavaScript shell as a file or by pasting it causes a crash.

    (function() { this.x getter= function(){} })();
    this.watch('x', print);
    this.x getter= function(){};
    gc();
    this.unwatch('x');
    x;

Sometimes the crash is js_Invoke dereferencing a random address:

    0 js 0x00094424 js_Invoke + 696 (jsinterp.c:1175)
    1 js 0x000955b4 js_InternalInvoke + 444 (jsinterp.c:1490)
    2 js 0x000958ec js_InternalGetOrSet + 552 (jsinterp.c:1550)
    3 js 0x000a8c10 js_Interpret + 72200 (jsinterp.c:4043)
    4 js 0x00095cd0 js_Execute + 960 (jsinterp.c:1643)
    5 js 0x000213a4 JS_ExecuteScript + 64 (jsapi.c:4194)
    6 js 0x00002e8c Process + 528 (js.c:233)
    7 js 0x00003bcc ProcessArgs + 2304 (js.c:490)
    8 js 0x0000a050 main + 640 (js.c:3098)
    9 js 0x00002368 _start + 340 (crt.c:272)
    10 js 0x00002210 start + 60

Sometimes the crash is js_ValueToSource jumping to 0x00000000:

    Thread 0 Crashed:
    0 <<00000000>> 0x00000000 0 + 0
    1 js 0x0007e9f8 js_ValueToSource + 404 (jsstr.c:2701)
    2 js 0x0003f7ec js_DecompileValueGenerator + 3876 (jsopcode.c:4774)
    3 js 0x000574c4 js_ReportIsNotFunction + 220 (jsfun.c:2295)
    4 js 0x000953d4 js_Invoke + 4712 (jsinterp.c:1459)
    5 js 0x000955b4 js_InternalInvoke + 444 (jsinterp.c:1490)
    6 js 0x000958ec js_InternalGetOrSet + 552 (jsinterp.c:1550)
    7 js 0x000a8c10 js_Interpret + 72200 (jsinterp.c:4043)
    8 js 0x00095cd0 js_Execute + 960 (jsinterp.c:1643)
    9 js 0x000213a4 JS_ExecuteScript + 64 (jsapi.c:4194)
    10 js 0x00003004 Process + 904 (js.c:268)
    11 js 0x00003bcc ProcessArgs + 2304 (js.c:490)
    12 js 0x0000a050 main + 640 (js.c:3098)
    13 js 0x00002368 _start + 340 (crt.c:272)
    14 js 0x00002210 start + 60

I'm testing with the patches for bug 361552 and bug 361346.

Updated by Reporter • 18 years ago
Whiteboard: [sg:critical?]
Comment 1 • 18 years ago
Critical security bugs must have owners. If you can't work on this bug help us find another active owner for it.
Assignee: general → crowder
Comment 2 (Assignee) • 18 years ago
I can't reproduce this anymore on the trunk. Jesse, can you?
Comment 3 (Reporter) • 18 years ago
WFM on trunk (tested opt, debug, and way-too-much-gc).
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Comment 4 (Assignee) • 18 years ago
How about the branches? And is this interesting enough to track down the patch that fixed it to push there, if not?
Comment 5 (Reporter) • 18 years ago
WFM on gecko 1.8 and 1.8.0 branches (tested debug only).
Updated • 17 years ago
Group: security
Updated • 16 years ago
Flags: in-testsuite?
Comment 6 • 16 years ago
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-361617.js,v <-- regress-361617.js initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
Updated • 13 years ago
Crash Signature: [@ js_ValueToSource] [@ js_Invoke]