Closed
Bug 273963
Opened 20 years ago
Closed 20 years ago
function arg/var vs. "static property" collision hard case runs off obj->slots
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.8alpha6
People
(Reporter: brendan, Assigned: brendan)
References
()
Details
(Keywords: crash, js1.5)
Attachments
(1 file, 1 obsolete file)
|
1.59 KB,
patch
|
jband_mozilla
:
review+
|
Details | Diff | Splinter Review |
Due to jsinterp.c:SetFunctionSlot calling js_ChangeScopePropertyAttrs to go from slot-less to slot-full. js_ChangeScopePropertyAttrs botches by following scope->object back to the prototype when calling js_AllocSlot. Fix is to call js_GetMutableScope in SetFunctionSlot before changing attributes. Could corrupt the heap => crash bug. /be
|
Assignee | |
Updated•20 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.8alpha6
|
|
Assignee | |
Comment 1•20 years ago
|
||
Er, all we need is to call js_ChangeNativePropertyAttrs instead of js_ChangeScopePropertyAttrs. js_ChangeNativePropertyAttrs does the js_GetMutableScope for us, as you'd expect for a jsobj.c:js_<verb>Native<noun>. /be
|
|
Assignee | |
Comment 2•20 years ago
|
||
|
|
Assignee | |
Updated•20 years ago
|
Attachment #168351 -
Flags: review?(jband_mozilla)
|
||
Comment 3•20 years ago
|
||
After applying the patch, we quickly hit an assert in the JS_UNLOCK_SCOPE call
shortly after the changed function call. Now that the object may have a new
scope, do we need to unlock the object's new scope, or do no unlocking here if
the scope has changed? Or is it more complicated than that -- does the rest of
the for loop still make sense if the object has a new scope? Here is a partial
stack trace showing the assert. This core dumped much much more quickly than
previous tests so we think there is no memory corruption before this point but
we haven't proven that yet:
#10 0xdde5c113 in abort () from /usr/lib/libc.so.1
#11 0xde19e464 in JS_Assert (s=0xde1ab86e "scope->u.count > 0",
file=0xde1ab6c0 "jslock.c", ln=1085) at jsutil.c:155
#12 0xde15f60f in js_UnlockScope (cx=0x85fbc58, scope=0x10833958)
at jslock.c:1085
#13 0xde14b178 in SetFunctionSlot (cx=0x85fbc58, obj=0x10404388,
setter=0xde14b19c <js_SetArgument>, id=1, v=25) at jsinterp.c:543
#14 0xde14b1c1 in js_SetArgument (cx=0x85fbc58, obj=0x10404388, id=1,
vp=0xd96dee74) at jsinterp.c:556
#15 0xde16d055 in js_SetProperty (cx=0x85fbc58, obj=0x10404388, id=222414664,
vp=0xd96dee74) at jsobj.c:2757
#16 0xde158393 in js_Interpret (cx=0x85fbc58, result=0xd96df6b0)
at jsinterp.c:2803
#17 0xde14cc35 in js_Execute (cx=0x85fbc58, chain=0xfd6e4f0, script=0xfde0ad8,
down=0x0, special=0, result=0xd96df6b0) at jsinterp.c:1155
#18 0xde11cf76 in JS_ExecuteScript (cx=0x85fbc58, obj=0xfd6e4f0,
script=0xfde0ad8, rval=0xd96df6b0) at jsapi.c:3425
|
|
Assignee | |
Updated•20 years ago
|
Attachment #168351 -
Flags: review?(jband_mozilla)
|
|
Assignee | |
Comment 4•20 years ago
|
||
Sorry, was going too fast there. This will work. /be
Attachment #168351 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•20 years ago
|
Attachment #168364 -
Flags: review?(jband_mozilla)
|
||
Comment 5•20 years ago
|
||
Comment on attachment 168364 [details] [diff] [review] oops Looks right to me. We'll let you know how our testing goes.
Attachment #168364 -
Flags: review?(jband_mozilla) → review+
|
|
Assignee | |
Comment 6•20 years ago
|
||
Fixed, let me know if this doesn't relieve the dmalloc symptom. /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
||
Updated•20 years ago
|
Severity: normal → critical
|
||
Updated•19 years ago
|
Flags: testcase-
You need to log in
before you can comment on or make changes to this bug.
Description
•