Closed
Bug 355341
Opened 18 years ago
Closed 18 years ago
Crash with watch and setter [@ js_PCToLineNumber] [@ Function]
Categories: Core :: JavaScript Engine, defect, P2
Status: VERIFIED FIXED
Target Milestone: mozilla1.9alpha1
People: Reporter: jruderman, Assigned: brendan
Keywords: crash, testcase, verified1.8.1.1
Attachments (1 file): patch, 959 bytes; igor: review+; dveditz: approval1.8.1.1+
js> this.x setter= Function; this.watch('x', function () { }); x = 3;
Bus error
I'm making this bug security-sensitive for now because the stack in an opt jsshell looks strange:
Thread 0 Crashed:
0 js 0x00013c28 js_PCToLineNumber + 28 (crt.c:355)
1 <<00000000>> 0xbfffe83c 0 + -1073747908
2 js 0x00012b44 Function + 240 (crt.c:355)
3 js 0x00033534 js_Invoke + 1548 (crt.c:355)
4 js 0x00033990 js_InternalInvoke + 204 (crt.c:355)
...
Updated•18 years ago
Assignee: general → igor.bukanov
Updated•18 years ago
Whiteboard: [sg:investigate]
Comment 2 (assignee)•18 years ago
Often internal APIs do not null-defend, but in case any callers in addition to Function want to pass fp->pc, this will test in one place only and return the invalid line number (0).
/be
Attachment #241515 - Flags: review?(igor.bukanov)
Updated•18 years ago
Attachment #241515 - Flags: review?(igor.bukanov) → review+
Comment 3•18 years ago
One more thing about the previous attachment. It changes ToXMLName to use ConvertToString to ensure that String instances with overwritten String.prototype.toString still use the default ToString conversion. But that required that SanitizeValue skip string conversion for Number, Boolean and String object instances.
Comment 4•18 years ago
Ignore prev comments, wrong bug.
Comment 5 (assignee)•18 years ago
Comment on attachment 241515 [details] [diff] [review]
fix
Simple null defense in the function that needs it.
/be
Attachment #241515 - Flags: approval1.8.1.1?
Comment 6 (assignee)•18 years ago
Fixed on trunk:
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v <-- jsscript.c
new revision: 3.117; previous revision: 3.116
done
/be
Assignee: igor.bukanov → brendan
Updated•18 years ago
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P2
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment 7•18 years ago
Checking in regress-355341.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-355341.js,v <-- regress-355341.js
initial revision: 1.1
done
Flags: in-testsuite+
Comment 9•18 years ago
Comment on attachment 241515 [details] [diff] [review]
fix
approved for 1.8 branch, a=dveditz for drivers
Attachment #241515 - Flags: approval1.8.1.1? → approval1.8.1.1+
Comment 10 (assignee)•18 years ago
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v <-- jsscript.c
new revision: 3.79.2.18; previous revision: 3.79.2.17
done
/be
Keywords: fixed1.8.1.1
Comment 11•18 years ago
verified fixed 20061130 1.8.1.1 windows/linux/mac*
Keywords: fixed1.8.1.1 → verified1.8.1.1
Updated•13 years ago
Crash Signature: [@ js_PCToLineNumber] [@ Function]