Closed Bug 353264 Opened 18 years ago Closed 18 years ago

Crash [@ js_Execute]

Categories

(Core :: JavaScript Engine, defect)

PowerPC
macOS
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: brendan)

Details

(4 keywords, Whiteboard: [sg:nse] null deref)

Attachments

(2 files)

js> this.x getter= function () { }; export x; x;
Illegal instruction

Thread 0 Crashed:
0   <<00000000>> 	0x02805030 0 + 41963568
1   js 	0x000331d4 js_Execute + 484 (crt.c:355)
2   js 	0x00008b68 JS_ExecuteScript + 36 (crt.c:355)
3   js 	0x00002b14 Process + 772 (crt.c:355)
4   js 	0x00005c4c main + 2032 (crt.c:355)
5   js 	0x00002068 _start + 340 (crt.c:272)
6   js 	0x00001f10 start + 60

That was with an opt build. Here's with a debug build:

#0  0x01805480 in ?? ()
#1  0x000a52bc in js_Interpret (cx=0x600180, pc=0x6032cc ";", result=0xbfffe6f0) at jsinterp.c:4227
#2  0x000919c0 in js_Execute (cx=0x600180, chain=0x1804ec0, script=0x603290, down=0x0, flags=0, result=0xbfffe820) at jsinterp.c:1618
#3  0x00020f58 in JS_ExecuteScript (cx=0x600180, obj=0x1804ec0, script=0x603290, rval=0xbfffe820) at jsapi.c:4256
#4  0x00002a64 in Process (cx=0x600180, obj=0x1804ec0, filename=0x0, forceTTY=0) at js.c:265
#5  0x0000362c in ProcessArgs (cx=0x600180, obj=0x1804ec0, argv=0xbffff9fc, argc=0) at js.c:486
#6  0x00009a1c in main (argc=0, argv=0xbffff9fc, envp=0xbffffa00) at js.c:3092

(gdb) f 1
#1  0x000a52bc in js_Interpret (cx=0x600180, pc=0x6032cc ";", result=0xbfffe6f0) at jsinterp.c:4227
4227                    ok = SPROP_GET(cx, sprop, obj, obj2, &rval);
Attached patch: fix
I do not remember why I cleared JSPROP_GETTER and JSPROP_SETTER, but that's clearly wrong, as a reading of jsscope.c will confirm.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #239126 - Flags: superreview?(shaver)
Attachment #239126 - Flags: review?(mrbkap)
Attachment #239126 - Flags: review?(mrbkap) → review+
Comment on attachment 239126 (fix)

Fixed on trunk.

/be
Attachment #239126 - Flags: superreview?(shaver)
Attachment #239126 - Flags: approval1.8.1?
Attachment #239126 - Flags: approval1.8.0.8?
Fixed:

Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.288; previous revision: 3.287
done

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Brendan, you haven't explicitly said in here, but I'm guessing you would suggest that this blocks Gecko 1.8.1?
Flags: blocking1.8.1+
Whiteboard: [rc ridealong]
(In reply to comment #6)
> Brendan, you haven't explicitly said in here, but I'm guessing you would
> suggest that this blocks Gecko 1.8.1?

Totally.

/be
verified fixed 1.9 20060921 windows/mac*/linux
Status: RESOLVED → VERIFIED
Comment on attachment 239126 (fix)

Approved for RC2
Attachment #239126 - Flags: approval1.8.1? → approval1.8.1+
Whiteboard: [rc ridealong] → [checkin needed (1.8 branch)]
Flags: blocking1.8.0.8?
Fixed on the 1.8 branch:

Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.34; previous revision: 3.208.2.33
done

/be
Keywords: fixed1.8.1
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Whiteboard: [checkin needed (1.8 branch)]
Comment on attachment 239126 (fix)

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #239126 - Flags: approval1.8.0.9? → approval1.8.0.8+
Fixed in the 1.8.0 branch:

Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.12.2.15; previous revision: 3.208.2.12.2.14
done

/be
Keywords: fixed1.8.0.8
Checkin comment on the trunk (rev 3.288) incorrectly cites bug 239126 for some reason. If people are likely to try to figure out why you made that change in the future you may want to force a checkin referencing the correct bug number.

The branch check-in comments are correct so there's no worries about confused downstream vendors.
(In reply to comment #13)
> Checkin comment on the trunk (rev 3.288) incorrectly cites bug 239126 for some
> reason.

That's the attachment id, sorry about that.  Easy to get to the bug # from there, once you know what it identifies.

> If people are likely to try to figure out why you made that change in
> the future you may want to force a checkin referencing the correct bug number.

That, or cvs admin on the server.  Anyone do that these days?

/be

verified fixed 1.8.0.8 20060927 windows/mac*/linux
verified fixed 1.8 1.9 20060926 windows/mac*/linux
Whiteboard: [sg:nse] null deref
Group: security
(In reply to comment #14)
> That, or cvs admin on the server.  Anyone do that these days?

I'm aware of at least Myk occasionally filing bugs in mozilla.org:CVS something to get admins to do it, and I think other people will occasionally file such bugs as well.
Dave, see comment 14 and comment 16, and let us know what to do (if anything). Thanks,

/be
RCS file: /cvsroot/mozilla/js/tests/js1_5/GetSet/regress-353264.js,v
done
Checking in regress-353264.js;
/cvsroot/mozilla/js/tests/js1_5/GetSet/regress-353264.js,v  <--  regress-353264.js
initial revision: 1.1
done
Crash Signature: [@ js_Execute]