Closed
Bug 616711
Opened 14 years ago
Closed 14 years ago
Crash [@ js_SuppressDeletedProperty] or [@ JSObject::getPrivate]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical][fixed-in-tracemonkey])
Crash Data
Attachments
(2 files)
|
3.34 KB,
text/plain
|
Details | |
|
2.09 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
this.toString = String
try {
(function () {
for each(d in evalcx("({n:<x/>})")) {
#1#
}
})()
} catch (r) {}
gc()
delete this.toString
crashes js debug shell on TM changeset d31f58102b38 at JSObject::getPrivate and crashes js opt shell at js_SuppressDeletedProperty.
s-s because this involves gc. 0xdadadada also seems to be accessed, albeit in debug builds. Assuming [sg:critical?] unless otherwise.
|
Reporter | |
Comment 1•14 years ago
|
||
The testcase has to be passed in as a CLI argument.
blocking2.0: --- → ?
|
|
Reporter | |
Comment 2•14 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 57084:f52f5d7feb29 user: Andreas Gal date: Wed Nov 10 15:56:00 2010 -0800 summary: typeof(regexp from sandbox) is "function" (bug 607799, r=brendan).
Blocks: 607799
|
||
Updated•14 years ago
|
Assignee: general → gal
|
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
||
Comment 3•14 years ago
|
||
bisect is a red herring
|
|
||
Updated•14 years ago
|
Assignee: gal → bhackett1024
|
Assignee | |
Comment 5•14 years ago
|
||
The problem seems to be that Reify in jswrapper.cpp does not close the active iterator on its failure paths. This can leave cx->enumerators pointing to an iterObj with no other referent, and since cx->enumerators is not traversed by the GC (it is only supposed to point to things on the stack) the iterObj gets collected. Reify should always close the old iterator (it does so on successful paths), as this patch does. I don't really know the proxy/wrapper code though, is this the right interpretation?
Attachment #497420 -
Flags: review?(gal)
|
|
||
Comment 6•14 years ago
|
||
Comment on attachment 497420 [details] [diff] [review] maybe fix An Auto helper might be worth it here. Nice catch. Thanks for fixing this!
Attachment #497420 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 7•14 years ago
|
||
Yeah, the helper does look cleaner. http://hg.mozilla.org/tracemonkey/rev/b013a27e6275
|
|
Assignee | |
Updated•14 years ago
|
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical][fixed-in-tracemonkey]
|
|
||
Comment 8•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/b013a27e6275
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ js_SuppressDeletedProperty]
[@ JSObject::getPrivate]
|
||
Comment 9•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•