Closed Bug 128057 Opened 23 years ago Closed 23 years ago

JS_GetPropertyDescArray does not check the return value of JS_GetPropertyDesc

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla0.9.9

People

(Reporter: timeless, Assigned: rginda)

References

Details

Attachments

(1 file)

proposed fix
648 bytes, patch
brendan
: review+
shaver
: superreview+
asa
: approval+
Details | Diff | Splinter Review
nsPluginHostImpl::Observe "quit-application" WEBSHELL- = 5 JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "JSDValue". Assertion failure: root_points_to_gcArenaPool, at /home/timeless/mozilla/js/src/jsgc.c:947 Abort trap - core dumped sorry, no stack, my freebsd system only pretends to dump core. i was using ./mozilla -venkman, debug>stop on exceptions, tasks>mailnews, run [wallet], run [offline], [run [mypromptservice]], run [smime]. i have a bunch of patches that make mailnews not throw exceptions needlessly, but that's not very interesting. and then i quit (ctrl-q i think) i'll try to reproduce and get a stack...
still waiting for a stack.
Summary: JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "JSDValue". → JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "JSDValue".
Steps to reproduce... 1. Start venkman. 2. "loadd chrome://venkman/content/venkman-dev.js". 3. "treetest". 4. set a breakpoint in outliner-utils.js, line 1118, which should be the rowCount getter. 5. click "toggle betty". 6. continue execution. 7. Repeat steps 5 and 6 until assertion (or crash in "random" place in GC if opt build.) I can get this to crash usually in less than 10 tries. I hacked the root_points_to_gcArenaPool check into jsd_NewValue (in jsd_val.c), and tracked the problem down as far as JS_GetPropertyDescArray. JS_GetPropertyDescArray doesn't check the return value of JS_GetPropertyDesc, which leaves us with an improperly initialized pd when it fails. If the garbage in pd happens to test positive for pd.flags & JSPD_ALIAS, we add a root that points to trash, which eventually causes the assertion. I suspect there is a larger issue here, but I'm not sure where to start looking. Either way, adding the return value test fixes the assertion, and should clear up most (if not all) of the venkman related talkback incidents. I'd like to get this in for 0.9.9 in order to collect further talkback data. For the record, the object we're getting properties for has a constructor named "BoxObject" (I suspect that means it is one of hyatt's nsIBoxObjects), and the property we're failing to look up is called "view". This is probably a dupe of 129235.
Status: UNCONFIRMED → ASSIGNED
Component: JavaScript Debugger → JavaScript Engine
Ever confirmed: true
OS: FreeBSD → All
Target Milestone: --- → mozilla0.9.9
Attached patch proposed fixSplinter Review
return value check in jsdbgapi.c
Summary: JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "JSDValue". → JS_GetPropertyDescArray does not check the return value of JS_GetPropertyDesc The root's name is "JSDValue".
Summary: JS_GetPropertyDescArray does not check the return value of JS_GetPropertyDesc The root's name is "JSDValue". → JS_GetPropertyDescArray does not check the return value of JS_GetPropertyDesc
Comment on attachment 72831 [details] [diff] [review] proposed fix Egad. r=brendan@mozilla.org. /be
Attachment #72831 - Flags: review+
Comment on attachment 72831 [details] [diff] [review] proposed fix sr=shaver, nice catch.
Attachment #72831 - Flags: superreview+
Comment on attachment 72831 [details] [diff] [review] proposed fix a=asa (on behalf of drivers) for checkin to the 0.9.9 branch and the 1.0 trunk
Attachment #72831 - Flags: approval+
checked in to trunk and branch
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Rob, do you know why the getProperty for "view" from that BoxObject is failing? /be
No, I don't. I had hopes that someone else might have an idea :( Some possibly interesting datapoints are: There are 29 properties on the BoxObject, "view" happens to be the last one. There is no "view" attribute on nsIBoxObject.
*** Bug 129481 has been marked as a duplicate of this bug. ***
The reason the property lookup is failing is due to a security manager veto. I'm following up via email.
*** Bug 129235 has been marked as a duplicate of this bug. ***
See bug 129503 for the security manager issue.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: