Closed Bug 355486 Opened 18 years ago Closed 18 years ago

Crash [@ args_resolve] assigning "y = arguments" in a generator, GCing, etc.

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

RESOLVED FIXED
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

Details

(Keywords: crash, testcase, verified1.8.1, Whiteboard: [sg:critical] js1.7 feature)

Crash Data

Attachments

(2 files, 2 obsolete files)

To reproduce, give this *as a file* to the js shell (don't paste).

// Generator (JS 1.7 "yield") that stores its arguments object in a global,
// then throws before the first yield so the generator frame is torn down early.
j = eval("(function(){ y = arguments; error; yield;})");
// Start the generator; the ReferenceError for "error" is caught and printed.
try { for (i in j()) { } } catch(e) { print(e); }
// Collect the dead generator frame, then touch the surviving arguments object.
gc();
print(uneval(y));


Result:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x0070005d

Thread 0 Crashed:
0   js 	0x00010b68 args_resolve + 276 (crt.c:355)
1   js 	0x000203c8 js_LookupPropertyWithFlags + 728 (crt.c:355)
2   js 	0x00010cac args_enumerate + 176 (crt.c:355)
3   js 	0x000215a0 js_Enumerate + 132 (crt.c:355)
4   js 	0x0000b46c JS_Enumerate + 76 (crt.c:355)
5   js 	0x0001ec5c MarkSharpObjects + 196 (crt.c:355)
6   js 	0x0001efac js_EnterSharpObject + 232 (crt.c:355)
7   js 	0x0001f1e0 js_obj_toSource + 128 (crt.c:355)
8   js 	0x00033530 js_Invoke + 1548 (crt.c:355)
9   js 	0x0003398c js_InternalInvoke + 204 (crt.c:355)
10  js 	0x0001e564 js_TryMethod + 296 (crt.c:355)
11  js 	0x0005111c js_ValueToSource + 220 (crt.c:355)
12  js 	0x0005116c str_uneval + 28 (crt.c:355)
13  js 	0x00033530 js_Invoke + 1548 (crt.c:355)
14  js 	0x0002d7e4 js_Interpret + 29360 (crt.c:355)
15  js 	0x00032e50 js_Execute + 484 (crt.c:355)
16  js 	0x00008f08 JS_ExecuteScript + 36 (crt.c:355)
17  js 	0x00002d2c Process + 380 (crt.c:355)
18  js 	0x00005fec main + 2032 (crt.c:355)
19  js 	0x00002408 _start + 340 (crt.c:272)
20  js 	0x000022b0 start + 60

Or in a debug build, "Assertion failure: fp->argsobj, at jsfun.c:421"
Attached patch fix (obsolete)
diff -w version next.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #241295 - Flags: review?(igor.bukanov)
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Attachment #241295 - Attachment is obsolete: true
Attachment #241297 - Flags: review?(igor.bukanov)
Attachment #241295 - Flags: review?(igor.bukanov)
Attachment #241296 - Attachment is obsolete: true
Comment on attachment 241295 [details] [diff] [review]
fix

Right, the Call reference to the generator frame can only be the single reference.
Attachment #241295 - Flags: review+
Comment on attachment 241297 [details] [diff] [review]
fix, with #if fix

HAS_GENERATORS can be false indeed.
Attachment #241297 - Flags: review?(igor.bukanov) → review+
Whiteboard: [sg:critical]
Comment on attachment 241297 [details] [diff] [review]
fix, with #if fix

I think we should fix the trunk-patched post-rc2 criticals in 1.8.1.

/be
Attachment #241297 - Flags: approval1.8.1?
Attachment #241297 - Flags: approval1.8.1.1?
Fixed on the trunk:

Checking in jsfun.c;
/cvsroot/mozilla/js/src/jsfun.c,v  <--  jsfun.c
new revision: 3.166; previous revision: 3.165
done
Checking in jsinterp.h;
/cvsroot/mozilla/js/src/jsinterp.h,v  <--  jsinterp.h
new revision: 3.52; previous revision: 3.51
done
Checking in jsiter.c;
/cvsroot/mozilla/js/src/jsiter.c,v  <--  jsiter.c
new revision: 3.52; previous revision: 3.51
done

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Not reproducible in the test framework.
Flags: in-testsuite-
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+
Comment on attachment 241297 [details] [diff] [review]
fix, with #if fix

Approved for RC3.
Attachment #241297 - Flags: approval1.8.1? → approval1.8.1+
Fixed on the 1.8 branch:

Checking in jsfun.c;
/cvsroot/mozilla/js/src/jsfun.c,v  <--  jsfun.c
new revision: 3.117.2.24; previous revision: 3.117.2.23
done
Checking in jsinterp.h;
/cvsroot/mozilla/js/src/jsinterp.h,v  <--  jsinterp.h
new revision: 3.43.4.5; previous revision: 3.43.4.4
done
Checking in jsiter.c;
/cvsroot/mozilla/js/src/jsiter.c,v  <--  jsiter.c
new revision: 3.17.2.22; previous revision: 3.17.2.21
done

/be
Keywords: fixed1.8.1
Whiteboard: [sg:critical] → [sg:critical] js1.7 feature
Verified using the testcase in the 20061011 1.8 debug shell on Windows/Linux.
Clearing nomination and security flags for already fixed bug.
Group: security
Flags: blocking1.8.1.1?
Attachment #241297 - Flags: approval1.8.1.1?
Crash Signature: [@ args_resolve]