109635 - crash in js_GC() when marking fp->argv

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[itaj sherman]

crash on the line: nslots = JS_MAX(fp->argc, fp->fun->nargs);
when fp->fun is NULL.

happens when i'm invoking Java (instanciating a small class and calling a small 
method).
JS_GC() is simultaneously invoked by another thread, and crashes.

ofcourse the first thread called JS_BeginRequest()

Comment 1

[Phil Schwartau]

MobDotCom@hotmail.com : could you attach a reduced testcase to this bug
via the "Create a new attachment" link above? Thank you -

Also, please attach a stack trace for the crash - 

cc'ing Brendan in case the problem is already apparent to him.

Comment 2

[Phil Schwartau]

MobDotCom@hotmail.com : could you attach a reduced testcase? Or is
there a URL we can go to that shows the problem? If not, we're going
to have to close this bug; thanks -

Comment 3

[Brendan Eich [:brendan]]

We need those threads' stacks, at the least.  Also, the Java you're invoking,
and the JS that invokes it.  Please supply such data when reporting bugs!

The GC is assuming that if fp->argv is non-null, fp->fun must be non-null.  That
looks like it may be an invalid assumption for LiveConnect.  Cc'ing beard.

/be

Comment 4

[Brendan Eich [:brendan]]

Attachment: proposed fix

Comment 5

[John Bandhauer]

Comment on attachment 58390 [details] [diff] [review]
proposed fix

r/sr=jband

Comment 6

[Mike Shaver (:shaver -- probably not reading bugmail closely)]

Comment on attachment 58390 [details] [diff] [review]
proposed fix

r=shaver

Comment 7

[Brendan Eich [:brendan]]

Fixed.

/be

Comment 8

[Phil Schwartau]

Marking Verified -