355486 - Crash [@ args_resolve] assigning "y = arguments" in a generator, GCing, etc.

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Jesse Ruderman]

To reproduce, give this *as a file* to the js shell (don't paste).

j = eval("(function(){ y = arguments; error; yield;})");
try { for (i in j()) { } } catch(e) { print(e); }
gc();
print(uneval(y));


Result:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x0070005d

Thread 0 Crashed:
0   js 	0x00010b68 args_resolve + 276 (crt.c:355)
1   js 	0x000203c8 js_LookupPropertyWithFlags + 728 (crt.c:355)
2   js 	0x00010cac args_enumerate + 176 (crt.c:355)
3   js 	0x000215a0 js_Enumerate + 132 (crt.c:355)
4   js 	0x0000b46c JS_Enumerate + 76 (crt.c:355)
5   js 	0x0001ec5c MarkSharpObjects + 196 (crt.c:355)
6   js 	0x0001efac js_EnterSharpObject + 232 (crt.c:355)
7   js 	0x0001f1e0 js_obj_toSource + 128 (crt.c:355)
8   js 	0x00033530 js_Invoke + 1548 (crt.c:355)
9   js 	0x0003398c js_InternalInvoke + 204 (crt.c:355)
10  js 	0x0001e564 js_TryMethod + 296 (crt.c:355)
11  js 	0x0005111c js_ValueToSource + 220 (crt.c:355)
12  js 	0x0005116c str_uneval + 28 (crt.c:355)
13  js 	0x00033530 js_Invoke + 1548 (crt.c:355)
14  js 	0x0002d7e4 js_Interpret + 29360 (crt.c:355)
15  js 	0x00032e50 js_Execute + 484 (crt.c:355)
16  js 	0x00008f08 JS_ExecuteScript + 36 (crt.c:355)
17  js 	0x00002d2c Process + 380 (crt.c:355)
18  js 	0x00005fec main + 2032 (crt.c:355)
19  js 	0x00002408 _start + 340 (crt.c:272)
20  js 	0x000022b0 start + 60

Or in a debug build, "Assertion failure: fp->argsobj, at jsfun.c:421"

Comment 1

[Brendan Eich [:brendan]]

Attachment: fix

diff -w version next.

/be

Comment 2

[Brendan Eich [:brendan]]

Attachment: diff -w version of last attachment

Comment 3

[Brendan Eich [:brendan]]

Attachment: fix, with #if fix

Comment 4

[Brendan Eich [:brendan]]

Attachment: diff -w version of last attachment

Comment 5

[Igor Bukanov]

Comment on attachment 241295 [details] [diff] [review]
fix

Right, Call reference to the generator frame can only be the single reference.

Comment 6

[Igor Bukanov]

Comment on attachment 241297 [details] [diff] [review]
fix, with #if fix

HAS_GENERATORS can be false indeed.

Comment 7

[Brendan Eich [:brendan]]

Comment on attachment 241297 [details] [diff] [review]
fix, with #if fix

I think we should fix the trunk-patched post-rc2 criticals in 1.8.1.

/be

Comment 8

[Brendan Eich [:brendan]]

Fixed on the trunk:

Checking in jsfun.c;
/cvsroot/mozilla/js/src/jsfun.c,v  <--  jsfun.c
new revision: 3.166; previous revision: 3.165
done
Checking in jsinterp.h;
/cvsroot/mozilla/js/src/jsinterp.h,v  <--  jsinterp.h
new revision: 3.52; previous revision: 3.51
done
Checking in jsiter.c;
/cvsroot/mozilla/js/src/jsiter.c,v  <--  jsiter.c
new revision: 3.52; previous revision: 3.51
done

/be

Comment 9

[Bob Clary [:bc] (inactive)]

not reproducible in the test framework.

Comment 10

[Mike Beltzner [:beltzner, not reading bugmail]]

Blocking for Fx2 RC3

Comment 11

[Mike Schroepfer]

Comment on attachment 241297 [details] [diff] [review]
fix, with #if fix

 Approved for RC3.

Comment 12

[Brendan Eich [:brendan]]

Fixed on the 1.8 branch:

Checking in jsfun.c;
/cvsroot/mozilla/js/src/jsfun.c,v  <--  jsfun.c
new revision: 3.117.2.24; previous revision: 3.117.2.23
done
?Checking in jsinterp.h;
/cvsroot/mozilla/js/src/jsinterp.h,v  <--  jsinterp.h
& renew revision: 3.43.4.5; previous revision: 3.43.4.4
done
Checking in jsiter.c;
/cvsroot/mozilla/js/src/jsiter.c,v  <--  jsiter.c
new revision: 3.17.2.22; previous revision: 3.17.2.21
done

/be

Comment 13

[Bob Clary [:bc] (inactive)]

verified using the testcase in 20061011 1.8 debug shell windows/linux

Comment 14

[Daniel Veditz [:dveditz]]

Clearing nomination and security flags for already fixed bug.