Closed Bug 352606 Opened 18 years ago Closed 18 years ago

Crash [@ js_GetGCThingFlags] involving post-decrement operator

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: jruderman, Assigned: brendan)

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(3 files)

fix
981 bytes, patch
mrbkap
: review+
igor
: review+
dveditz
: approval1.8.0.8+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
js1_5/GC/regress-352606.js
2.30 KB, text/plain
Details
what i checked into the 1.8.0 branch
2.19 KB, patch
Details | Diff | Splinter Review 
js> y = ({toString: gc}); new Function("y--;")()

Causes a crash [@ js_GetGCThingFlags] at the line 
  offsetInArena = pi->offsetInArena

gdb says
  thing == 0xdadadad8
  pi == (JSGCPageInfo *) 0xdadad800

I can get a similar crash without the "toString: gc" thing if I enable WAY_TOO_MUCH_GC.
Assignee: general → brendan
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
Attached patch fixSplinter Review 
This is zero-risk.  The bug originated in the fix for bug 316885 last fall.

/be
Attachment #238364 - Flags: review?(mrbkap)
Attachment #238364 - Flags: approval1.8.1?
Comment on attachment 238364 [details] [diff] [review]
fix

Going for igor r+ in case mrbkap is busy at school, and since igor reviewed 316885.

/be
Attachment #238364 - Flags: review?(igor.bukanov)
The bug was failure to initialize stack bounded by fp->sp, therefore scanned by the GC -- the vp = sp++ was violating the PUSH macro's tiny level of abstraction. That trick never works!

/be
Status: NEW → ASSIGNED
Attachment #238364 - Flags: review?(mrbkap) → review+
Fixed on trunk.

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Attachment #238364 - Flags: review?(igor.bukanov) → review+
Comment on attachment 238364 [details] [diff] [review]
fix

a=schrep
Attachment #238364 - Flags: approval1.8.1? → approval1.8.1+
Fixed on the 1.8 branch.

/be
Keywords: fixed1.8.1
verified fixed 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
verified fixed 1.8 20060915 windows/mac*/linux
Keywords: fixed1.8.1verified1.8.1
Restoring lost blocking flag
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9? → blocking1.8.0.8?
Whiteboard: [sg:critical?]
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Comment on attachment 238364 [details] [diff] [review]
fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #238364 - Flags: approval1.8.0.8+
Fixed on the 1.8.0 branch:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.17.2.21; previous revision: 3.181.2.17.2.20
done

/be
Keywords: fixed1.8.0.8
verified fixed 1.8.0.8 20060927 windows/mac*/linux
Keywords: fixed1.8.0.8verified1.8.0.8
Group: security
/cvsroot/mozilla/js/tests/js1_5/GC/regress-352606.js,v  <--  regress-352606.js
Crash Signature: [@ js_GetGCThingFlags]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: