Closed Bug 162392 Opened 23 years ago Closed 20 years ago

Crash eval-ing void arguments in debugger [@ JS_GetReservedSlot]

Categories

(Core :: JavaScript Engine, defect, P1)

VERIFIED FIXED
mozilla1.8beta1

People

(Reporter: jrgmorrison, Assigned: brendan)

Attachments

(3 files)

I was using the JS Debugger, and was in a function declared as |function foo(aValue)| but called as |foo()|. While at a breakpoint within that function, I typed |arguments| into the debugger. It crashed on this stack trace (obj is null in JS_GetReservedSlot):

JS_GetReservedSlot(JSContext * 0x00e90610, JSObject * 0x00000000, unsigned long 0x00000000, long * 0x0012c528) line 2705 + 7 bytes
ArgWasDeleted(JSContext * 0x00e90610, JSStackFrame * 0x0012c59c, unsigned int 0x00000000) line 154
args_resolve(JSContext * 0x00e90610, JSObject * 0x044cfb40, long 0x00000001, unsigned int 0x00000000, JSObject * * 0x0012c580) line 404 + 38 bytes
js_LookupProperty(JSContext * 0x00e96ed0, JSObject * 0x044cfb40, long 0x00000001, JSObject * * 0x0012c5ac, JSProperty * * 0x0012c5b8) line 2261 + 25 bytes
args_enumerate(JSContext * 0x00000000, JSObject * 0x044cfb40) line 489 + 23 bytes
JS_GetPropertyDescArray(JSContext * 0x00e90610, JSObject * 0x044cfb40, JSPropertyDescArray * 0x0012c5f4) line 982 + 7 bytes
_buildProps(JSDContext * 0x00e8e978, JSDValue * 0x044dca90) line 346 + 14 bytes
jsd_GetCountOfProperties(JSDContext * 0x00e8e978, JSDValue * 0x044dca90) line 398 + 10 bytes
jsdValue::GetPropertyCount(jsdValue * const 0x044c60c8, int * 0x0012c65c) line 2121 + 11 bytes
XPTC_InvokeByIndex(nsISupports * 0x044c60c8, unsigned int 0x00000015, unsigned int 0x00000001, nsXPTCVariant * 0x0012c65c) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 0x024cfb98) line 1994 + 22 bytes
XPC_WN_GetterSetter(JSContext * 0x02ac7a80, JSObject * 0x03992a98, unsigned int 0x00000000, long * 0x03992b64, long * 0x0012c8b0) line 1298 + 11 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000000, unsigned int 0x00000002) line 838 + 17 bytes
js_InternalInvoke(JSContext * 0x044d337c, JSObject * 0x044cfb98, long 0x044cfbd0, unsigned int 0x00000000, unsigned int 0x00000000, long * 0x00000000, long * 0x0012cb08) line 930 + 13 bytes
js_GetProperty(JSContext * 0x02ac7a80, JSObject * 0x044cfb98, long 0x039a0680, long * 0x0012cb08) line 2535 + 24 bytes
js_Interpret(JSContext * 0x02ac7a80, long * 0x0012cb94) line 2622 + 491 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int 0x00000000) line 855 + 10 bytes
js_Interpret(JSContext * 0x02ac7a80, long * 0x0012cd6c) line 2792
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000003, unsigned int 0x00000000) line 855 + 10 bytes
js_Interpret(JSContext * 0x02ac7a80, long * 0x0012cf44) line 2792
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int 0x00000002) line 855 + 10 bytes
js_InternalInvoke(JSContext * 0x02ac7aa8, JSObject * 0x03b251a0, long 0x044ce9e8, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012d128, long * 0x0012d05c) line 930 + 13 bytes
JS_CallFunctionValue(JSContext * 0x02ac7a80, JSObject * 0x03b251a0, long 0x044ce9e8, unsigned int 0x00000001, long * 0x0012d128, long * 0x0012d05c) line 3431 + 26 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x00ee2a50, void * 0x03b251a0, void * 0x044ce9e8, unsigned int 0x00000001, void * 0x0012d128, int * 0x0012d124, int 0x00000000) line 1041 + 25 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x02ac7a80, nsIDOMEvent * 0x044c5900) line 182 + 30 bytes
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const 0x0100d37b, nsListenerStruct * 0x039e80a0, nsIDOMEvent * 0x044c5900, nsIDOMEventTarget * 0x039e7fd0, unsigned int 0x044c5908, unsigned int 0x00000002) line 1182 + 11 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x039e8008, nsIPresContext * 0x00000000, nsEvent * 0x0012dca8, nsIDOMEvent * * 0x00000000, nsIDOMEventTarget * 0x039e7fd0, unsigned int 0x00000002, nsEventStatus * 0x0012dc0c) line 1641 + 18 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x039e7fc8, nsIPresContext * 0x027f2cc8, nsEvent * 0x039e7e20, nsIDOMEvent * * 0x0012d8dc, unsigned int 0x00000002, nsEventStatus * 0x0012dc0c) line 3453
nsXULElement::HandleDOMEvent(nsXULElement * const 0x03ef7138, nsIPresContext * 0x027f2cc8, nsEvent * 0x039e7fc8, nsIDOMEvent * * 0x0012d8dc, unsigned int 0x00000002, nsEventStatus * 0x0012dc0c) line 3472
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x038444c8, nsIPresContext * 0x027f2cc8, nsEvent * 0x03ef7138, nsIDOMEvent * * 0x0012d8dc, unsigned int 0x00000001, nsEventStatus * 0x0012dc0c) line 1845 + 23 bytes
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0000000e, nsIPresContext * 0x027f2cc8, nsEvent * 0x0012dca8, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012dc0c) line 1460
PresShell::HandleEventInternal(PresShell * const 0x0100d37b, nsEvent * 0x03a337c8, nsIView * 0x038634f8, unsigned int 0x00000001, nsEventStatus * 0x0012dc0c) line 6105 + 18 bytes
PresShell::HandleEvent(PresShell * const 0x03a337c8, nsIView * 0x038634f8, nsGUIEvent * 0x0012dca8, nsEventStatus * 0x0012dc0c, int 0x00000001, int & 0x00000001) line 6028 + 18 bytes
nsViewManager::HandleEvent(nsViewManager * const 0x0100d37b, nsView * 0x00000001, nsGUIEvent * 0x00000000, int 0x00000000) line 2052
nsView::HandleEvent(nsView * const 0x0100d37b, nsViewManager * 0x02b9ec38, nsGUIEvent * 0x0012dca8, int 0x00000000) line 301
nsViewManager::DispatchEvent(nsViewManager * const 0x02b9ec38, nsGUIEvent * 0x038634f8, nsEventStatus * 0x0012dc70) line 1903 + 30 bytes
HandleEvent(nsGUIEvent * 0x0012dca8) line 83
nsWindow::DispatchEvent(nsWindow * const 0x0387ff14, nsGUIEvent * 0x0012dca8, nsEventStatus & nsEventStatus_eIgnore) line 1038
nsWindow::DispatchWindowEvent(nsWindow * const 0x0100d37b, nsGUIEvent * 0x00000000) line 1055
nsWindow::DispatchKeyEvent(nsWindow * const 0x0100d37b, unsigned int 0x00000083, unsigned short 0x0000, unsigned int 0x0000000d, long 0x00000000) line 2885 + 14 bytes
nsWindow::OnChar(nsWindow * const 0x0100d37b, unsigned int 0x0000000d, unsigned int 0x0000000d, unsigned char 0x00) line 3063 + 17 bytes
nsWindow::ProcessMessage(nsWindow * const 0x0100d37b, unsigned int 0x00000102, unsigned int 0x0000000d, long 0x001c0001, long * 0x0012df28) line 3712
nsWindow::WindowProc(HWND__ * 0x008601c4, unsigned int 0x00000000, unsigned int 0x0000000d, long 0x0387ff14) line 1303 + 16 bytes
USER32! 77e13eb0()
USER32! 77e1401a()
USER32! 77e192da()
XPTC_InvokeByIndex(nsISupports * 0x00e891a8, unsigned int 0x0000002e, unsigned int 0x00000002, nsXPTCVariant * 0x0012e06c) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 0x06a1d798) line 1994 + 22 bytes
XPC_WN_CallMethod(JSContext * 0x01a44d20, JSObject * 0x03a1d798, unsigned int 0x00000001, long * 0x03990ad8, long * 0x03990958) line 1266 + 10 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int 0x00000000) line 838 + 17 bytes
js_Interpret(JSContext * 0x01a44d20, long * 0x0012e4e0) line 2792
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000003, unsigned int 0x00000002) line 855 + 10 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x03c46fc0, nsXPCWrappedJS * 0x03c46ff0, unsigned short 0x0003, const nsXPTMethodInfo * 0x0399b260, nsXPTCMiniVariant * 0x0012e768) line 1193 + 16 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03c46ff0, unsigned short 0x0003, const nsXPTMethodInfo * 0x0399b260, nsXPTCMiniVariant * 0x0012e768) line 430
PrepareAndDispatch(nsXPTCStubBase * 0x00000000, unsigned int 0x00000003, unsigned int * 0x0012e820, unsigned int * 0x0012e810) line 115 + 18 bytes
SharedStub() line 139
jsds_ExecutionHookProc(JSDContext * 0x043d43f8, JSDThreadState * 0x00000000, unsigned int 0x00000002, void * 0x00000000, long * 0x0012e8b8) line 673
jsd_CallExecutionHook(JSDContext * 0x00e8e978, JSContext * 0x01a44d20, unsigned int 0x00000002, unsigned int (JSDContext *, JSDThreadState *, unsigned int, void *, long *)* 0x010a5af1 jsds_ExecutionHookProc(JSDContext *, JSDThreadState *, unsigned int, void *, long *), void * 0x00000000, long * 0x0012e8b8) line 168
jsd_DebugErrorHook(JSContext * 0x01a44d20, const char * 0x043d0dd0, JSErrorReport * 0x0012e8e0, void * 0x00e8e978) line 364 + 17 bytes
ReportError(JSContext * 0x01a44d20, const char * 0x043d0dd0, JSErrorReport * 0x0012e8e0) line 331 + 13 bytes
js_ReportErrorNumberVA(JSContext * 0x043d0dd0, unsigned int 0x00000000, const JSErrorFormatString * (void *, const char *, const unsigned int)* 0x01008e31 js_GetErrorMessage(void *, const char *, const unsigned int), void * 0x00000000, const unsigned int 0x0000001b, int 0x00000001, char * 0x0012e944) line 643 + 13 bytes
JS_ReportErrorNumber(JSContext * 0x01a44d20, const JSErrorFormatString * (void *, const char *, const unsigned int)* 0x01008e31 js_GetErrorMessage(void *, const char *, const unsigned int), void * 0x00000000, const unsigned int 0x0000001b) line 3707 + 25 bytes
js_Interpret(JSContext * 0x01a44d20, long * 0x0012eaf4) line 3834 + 23 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000000, unsigned int 0x00000000) line 855 + 10 bytes
js_Interpret(JSContext * 0x01a44d20, long * 0x0012eccc) line 2792
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int 0x00000002) line 855 + 10 bytes
js_InternalInvoke(JSContext * 0x01a44d48, JSObject * 0x02a86700, long 0x03caf618, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012eeb0, long * 0x0012ede4) line 930 + 13 bytes
JS_CallFunctionValue(JSContext * 0x01a44d20, JSObject * 0x02a86700, long 0x03caf618, unsigned int 0x00000001, long * 0x0012eeb0, long * 0x0012ede4) line 3431 + 26 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x00ee2a50, void * 0x02a86700, void * 0x03caf618, unsigned int 0x00000001, void * 0x0012eeb0, int * 0x0012eeac, int 0x00000000) line 1041 + 25 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x01a44d20, nsIDOMEvent * 0x043caf28) line 182 + 30 bytes
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const 0x0100d37b, nsListenerStruct * 0x01a97198, nsIDOMEvent * 0x043caf28, nsIDOMEventTarget * 0x01b1fe10, unsigned int 0x043caf30, unsigned int 0x01b1fe08) line 1182 + 11 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x01b1fe48, nsIPresContext * 0x00000000, nsEvent * 0x0012f89c, nsIDOMEvent * * 0x00000000, nsIDOMEventTarget * 0x01b1fe10, unsigned int 0x00000002, nsEventStatus * 0x0012f8f4) line 2168 + 16 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01b1fe08, nsIPresContext * 0x01acbe28, nsEvent * 0x01b435f8, nsIDOMEvent * * 0x0012f788, unsigned int 0x00000002, nsEventStatus * 0x0012f8f4) line 3453
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02a991b8, nsIPresContext * 0x01acbe28, nsEvent * 0x01b1fe08, nsIDOMEvent * * 0x0012f788, unsigned int 0x00000002, nsEventStatus * 0x0012f8f4) line 3472
nsXULElement::HandleDOMEvent(nsXULElement * const 0x043cb080, nsIPresContext * 0x01acbe28, nsEvent * 0x02a991b8, nsIDOMEvent * * 0x0012f788, unsigned int 0x00000001, nsEventStatus * 0x0012f8f4) line 3472
PresShell::HandleDOMEventWithTarget(PresShell * const 0x01ac40d0, nsIContent * 0x01af42dc, nsEvent * 0x0012f89c, nsEventStatus * 0x0012f8f4) line 6155
nsMenuFrame::Execute(nsMenuFrame * const 0x0100d37b) line 1679 + 23 bytes
nsMenuFrame::HandleEvent(nsMenuFrame * const 0x043bfda8, nsIPresContext * 0x01acbe28, nsGUIEvent * 0x0012fb20, nsEventStatus * 0x0012fa54) line 475 + 7 bytes
PresShell::HandleEventInternal(PresShell * const 0x0100d37b, nsEvent * 0x0284ac70, nsIView * 0x043ae510, unsigned int 0x00000001, nsEventStatus * 0x0012fa54) line 6120 + 17 bytes
PresShell::HandleEvent(PresShell * const 0x0284ac70, nsIView * 0x043ae510, nsGUIEvent * 0x0012fb20, nsEventStatus * 0x0012fa54, int 0x00000000, int & 0x00000001) line 6028 + 18 bytes
nsViewManager::HandleEvent(nsViewManager * const 0x0100d37b, nsView * 0x00000000, nsGUIEvent * 0x0012fb20, int 0x00000000) line 2098
nsView::HandleEvent(nsView * const 0x0100d37b, nsViewManager * 0x01a44ea8, nsGUIEvent * 0x0012fb20, int 0x00000000) line 301
nsViewManager::DispatchEvent(nsViewManager * const 0x01a44ea8, nsGUIEvent * 0x043afda0, nsEventStatus * 0x0012fad0) line 1903 + 30 bytes
HandleEvent(nsGUIEvent * 0x0012fb20) line 83
nsWindow::DispatchEvent(nsWindow * const 0x043ae3c4, nsGUIEvent * 0x0012fb20, nsEventStatus & nsEventStatus_eIgnore) line 1038
nsWindow::DispatchWindowEvent(nsWindow * const 0x0100d37b, nsGUIEvent * 0x00000000) line 1055
nsWindow::DispatchMouseEvent(nsWindow * const 0x0100d37b, unsigned int 0x0000012d, unsigned int 0x00000000, nsPoint * 0x00000000) line 5127
ChildWindow::DispatchMouseEvent(ChildWindow * const 0x0100d37b, unsigned int 0x0000012d, unsigned int 0x00000000, nsPoint * 0x00000000) line 5381 + 19 bytes
nsWindow::ProcessMessage(nsWindow * const 0x0100d37b, unsigned int 0x00000202, unsigned int 0x00000000, long 0x0046007c, long * 0x0012fda0) line 3834
nsWindow::WindowProc(HWND__ * 0x00820272, unsigned int 0x00000000, unsigned int 0x00000000, long 0x043ae3c4) line 1303 + 16 bytes
USER32! 77e13eb0()
USER32! 77e1401a()
USER32! 77e192da()
nsAppShellService::Run(nsAppShellService * const 0x00ef2d90) line 452
main1(int 0x00000001, char * * 0x00252ba8, nsISupports * 0x00252bd0) line 1519 + 9 bytes
main(int 0x00000001, char * * 0x00252ba8) line 1883 + 26 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x00133338, HINSTANCE__ * 0x00400000) line 1903 + 23 bytes
MOZILLA! WinMainCRTStartup + 308 bytes
KERNEL32! 77e87903()
Crash also evaling arguments, and similar stack; see TB 9484469.
rogerl, didn't we have a similar bug against the js engine get marked INVALID because we couldn't reproduce it?
Keywords: crash
Assignee: rginda → brendan
Component: JavaScript Debugger → JavaScript Engine
QA Contact: caillon → PhilSchwartau
Status: NEW → ASSIGNED
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.7alpha
Target Milestone: mozilla1.7alpha → mozilla1.8alpha
Attached patch: fix
We must not capture an eval or debugger frame in the private data of an arguments object that can escape back to the frame that should own it. /be
Attachment #172318 - Flags: review?(shaver)
OS: Windows 2000 → All
Hardware: PC → All
Target Milestone: mozilla1.8alpha1 → mozilla1.8beta
Attachment #172318 - Flags: review?(shaver) → review+
Fixed, sorry this took so long. An "escape analysis" problem, yet. Timeless, anyone: branch fodder? /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment on attachment 172318 (fix): yeah, this one bites me often enough that I'd go for branch. Darn, this means I'll have to find a different crash to make sure talkback works.
Attachment #172318 - Flags: approval1.7.6?
Will testing if the length of eval('arguments') inside of the function is zero be sufficient to test this fix? This fails in js.exe from Mozilla 1.4.3 and Mozilla 1.7.5 but passes today's 1.8b on WinXP.
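The check suggested above, written out as an added regression-style probe (this is not the patch or the js1_5/Regress test from the tree): a function declared with one formal parameter is called with no actual arguments, and the arguments object is read through a direct eval, which is the shape that crashed in this bug. The probe also confirms that eval hands back the owning frame's own arguments object rather than one of its own, which is the escape the fix closes. Function names and the constructed inputs are this example's own.

```javascript
// Added example for bug 162392 (not code from the bug or from SpiderMonkey).
// The frame owning |arguments| is foo's, even when |arguments| is reached
// through eval; the debugger/eval frame must never be captured instead.
function probeArguments(aValue) {
  var viaEval = eval('arguments');        // direct eval sees the caller's frame
  return {
    length: viaEval.length,               // 0 when called as foo()
    sameObject: viaEval === arguments,    // eval must not return its own frame's object
    first: viaEval[0],                    // absent actual reads as undefined, no crash
    nested: eval('eval("arguments")') === arguments  // same through a nested eval
  };
}

// Drive the probe with zero, one and three actual arguments (constructed
// inputs) and collect what a regression test would assert on.
function runProbe() {
  var inputs = [[], ['x'], [1, 2, 3]];
  var results = [];
  for (var i = 0; i < inputs.length; i++) {
    var r = probeArguments.apply(null, inputs[i]);
    results.push({
      given: inputs[i].length,
      seen: r.length,
      sameObject: r.sameObject,
      nested: r.nested,
      first: r.first
    });
  }
  return results;
}
```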
you still want this on the branch?
yes
Comment on attachment 172318 (fix): a=caillon for 1.7.6 and 1.0.1
Attachment #172318 - Flags: approval1.7.6?
Attachment #172318 - Flags: approval1.7.6+
Attachment #172318 - Flags: approval-aviary1.0.1+
Landed on branches for caillon.
js1_5/Regress/regress-169392.js checked in.
Flags: testcase+
(In reply to comment #13)
> js1_5/Regress/regress-169392.js checked in.

This was really js1_5/Regress/regress-162392.js. Verified fixed.
Status: RESOLVED → VERIFIED
Crash Signature: [@ JS_GetReservedSlot]