Closed Bug 331787 Opened 18 years ago Closed 18 years ago

FunctionDef should root fun->obj across call to js_LookupHiddenProperty

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: dbaron, Assigned: brendan)

References

(
URL
)

Details

(Keywords: fixed1.8.1, verified1.8.0.4)

Attachments

(1 file, 1 obsolete file)

with comment moved
3.20 KB, patch
brendan
: review+
brendan
: approval-branch-1.8.1+
dveditz
: approval1.8.0.4+
Details | Diff | Splinter Review 
I crash during compilation with WAY_TOO_MUCH_GC in http://lxr.mozilla.org/mozilla/source/js/tests/js1_5/Regress/regress-310607.js
because FunctionDef doesn't root fun->obj across the call to js_LookupHiddenProperty:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsparse.c&rev=3.163&mark=892,914#892

This can cause deallocation at:
js_GC (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:2148)
js_NewGCThing (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:668)
js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2021)
fun_resolve (/home/dbaron/builds/trunk/mozilla/js/src/jsfun.c:1119)
js_LookupPropertyWithFlags (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2780)
js_LookupHiddenProperty (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2435)
FunctionDef (/home/dbaron/builds/trunk/mozilla/js/src/jsparse.c:914)
Attached patch fix (obsolete) — Splinter Review 
Blake, can you drive this fix in?  I'm empaneled through Wednesday at least.  Thanks,

/be
Attachment #216352 - Flags: review?(mrbkap)
Attachment #216352 - Flags: approval1.8.0.3?
Attachment #216352 - Flags: approval-branch-1.8.1+
mrbkap says r=him.

/be
Assignee: general → brendan
Attachment #216352 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #216805 - Flags: review+
Attachment #216352 - Flags: review?(mrbkap)
Attachment #216352 - Flags: approval1.8.0.3?
Blocks: js1.6rc1
Flags: blocking1.8.1+
Flags: blocking1.8.0.3?
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Attachment #216805 - Flags: approval1.8.0.3?
Attachment #216805 - Flags: approval-branch-1.8.1+
Fixed on trunk and 1.8 branch.

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Dan, were you going to approve the patch too?

/be
Comment on attachment 216805 [details] [diff] [review]
with comment moved

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #216805 - Flags: approval1.8.0.3? → approval1.8.0.3+
Fixed on the 1.8.0 branch.

/be
Keywords: fixed1.8.0.3
1.5.0.4 WAY_TOO_MUCH_GC

windows debug: browser known crash in js_HashString, shell no crash
linux   debug: browser now crash, shell no crash
Keywords: fixed1.8.0.4verified1.8.0.4
Flags: in-testsuite+
verified fixed 1.9 20060807 linux
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.