Closed
Bug 352606
Opened 18 years ago
Closed 18 years ago
Crash [@ js_GetGCThingFlags] involving post-decrement operator
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.8.1
People
(Reporter: jruderman, Assigned: brendan)
Details
(4 keywords, Whiteboard: [sg:critical?])
Crash Data
Attachments
(3 files)
|
981 bytes,
patch
|
mrbkap
:
review+
igor
:
review+
dveditz
:
approval1.8.0.8+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
|
2.30 KB,
text/plain
|
Details | |
|
2.19 KB,
patch
|
Details | Diff | Splinter Review |
js> y = ({toString: gc}); new Function("y--;")()
Causes a crash [@ js_GetGCThingFlags] at the line
offsetInArena = pi->offsetInArena
gdb says
thing == 0xdadadad8
pi == (JSGCPageInfo *) 0xdadad800
I can get a similar crash without the "toString: gc" thing if I enable WAY_TOO_MUCH_GC.
|
Assignee | |
Updated•18 years ago
|
Assignee: general → brendan
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
|
|
Assignee | |
Comment 1•18 years ago
|
||
This is zero-risk. The bug originated in the fix for bug 316885 last fall.
/be
Attachment #238364 -
Flags: review?(mrbkap)
Attachment #238364 -
Flags: approval1.8.1?
|
|
Assignee | |
Comment 2•18 years ago
|
||
Comment on attachment 238364 [details] [diff] [review]
fix
Going for igor r+ in case mrbkap is busy at school, and since igor reviewed 316885.
/be
Attachment #238364 -
Flags: review?(igor.bukanov)
|
|
Assignee | |
Comment 3•18 years ago
|
||
The bug was failure to initialize stack bounded by fp->sp, therefore scanned by the GC -- the vp = sp++ was violating the PUSH macro's tiny level of abstraction. That trick never works!
/be
Status: NEW → ASSIGNED
|
||
Updated•18 years ago
|
Attachment #238364 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 4•18 years ago
|
||
Fixed on trunk.
/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
||
Comment 5•18 years ago
|
||
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+
|
||
Updated•18 years ago
|
Attachment #238364 -
Flags: review?(igor.bukanov) → review+
|
||
Comment 6•18 years ago
|
||
Comment on attachment 238364 [details] [diff] [review]
fix
a=schrep
Attachment #238364 -
Flags: approval1.8.1? → approval1.8.1+
Flags: blocking1.8.0.8?
|
|
||
Comment 9•18 years ago
|
||
verified fixed 1.8 20060915 windows/mac*/linux
Keywords: fixed1.8.1 → verified1.8.1
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.9? → blocking1.8.0.8?
Whiteboard: [sg:critical?]
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.8? → blocking1.8.0.8+
|
|
||
Comment 11•18 years ago
|
||
Comment on attachment 238364 [details] [diff] [review]
fix
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #238364 -
Flags: approval1.8.0.8+
|
|
Assignee | |
Comment 12•18 years ago
|
||
Fixed on the 1.8.0 branch:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.181.2.17.2.21; previous revision: 3.181.2.17.2.20
done
/be
Keywords: fixed1.8.0.8
|
|
Assignee | |
Comment 13•18 years ago
|
||
|
|
||
Comment 14•18 years ago
|
||
verified fixed 1.8.0.8 20060927 windows/mac*/linux
Keywords: fixed1.8.0.8 → verified1.8.0.8
|
|
||
Updated•18 years ago
|
Group: security
|
|
||
Comment 15•18 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/GC/regress-352606.js,v <-- regress-352606.js
|
||
Updated•14 years ago
|
Crash Signature: [@ js_GetGCThingFlags]
You need to log in
before you can comment on or make changes to this bug.
Description
•