Bug 355486 (Closed)
Opened 18 years ago; closed 18 years ago
Crash [@ args_resolve] assigning "y = arguments" in a generator, GCing, etc.
Categories: Core :: JavaScript Engine, defect, P1
Status: RESOLVED FIXED
Target Milestone: mozilla1.9alpha1
People: Reporter: jruderman, Assigned: brendan
Keywords: crash, testcase, verified1.8.1
Whiteboard: [sg:critical] js1.7 feature
Attachments (2 files, 2 obsolete files):
- patch, 6.37 KB (igor: review+; mtschrep: approval1.8.1+)
- patch, 5.95 KB
To reproduce, give this *as a file* to the js shell (don't paste).

    j = eval("(function(){ y = arguments; error; yield;})");
    try { for (i in j()) { } } catch(e) { print(e); }
    gc();
    print(uneval(y));

Result:

    Exception: EXC_BAD_ACCESS (0x0001)
    Codes: KERN_INVALID_ADDRESS (0x0001) at 0x0070005d

    Thread 0 Crashed:
    0  js 0x00010b68 args_resolve + 276 (crt.c:355)
    1  js 0x000203c8 js_LookupPropertyWithFlags + 728 (crt.c:355)
    2  js 0x00010cac args_enumerate + 176 (crt.c:355)
    3  js 0x000215a0 js_Enumerate + 132 (crt.c:355)
    4  js 0x0000b46c JS_Enumerate + 76 (crt.c:355)
    5  js 0x0001ec5c MarkSharpObjects + 196 (crt.c:355)
    6  js 0x0001efac js_EnterSharpObject + 232 (crt.c:355)
    7  js 0x0001f1e0 js_obj_toSource + 128 (crt.c:355)
    8  js 0x00033530 js_Invoke + 1548 (crt.c:355)
    9  js 0x0003398c js_InternalInvoke + 204 (crt.c:355)
    10 js 0x0001e564 js_TryMethod + 296 (crt.c:355)
    11 js 0x0005111c js_ValueToSource + 220 (crt.c:355)
    12 js 0x0005116c str_uneval + 28 (crt.c:355)
    13 js 0x00033530 js_Invoke + 1548 (crt.c:355)
    14 js 0x0002d7e4 js_Interpret + 29360 (crt.c:355)
    15 js 0x00032e50 js_Execute + 484 (crt.c:355)
    16 js 0x00008f08 JS_ExecuteScript + 36 (crt.c:355)
    17 js 0x00002d2c Process + 380 (crt.c:355)
    18 js 0x00005fec main + 2032 (crt.c:355)
    19 js 0x00002408 _start + 340 (crt.c:272)
    20 js 0x000022b0 start + 60

Or in a debug build, "Assertion failure: fp->argsobj, at jsfun.c:421".
Comment 1 (Assignee) • 18 years ago
diff -w version next. /be
Comment 2 (Assignee) • 18 years ago
Updated (Assignee) • 18 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment 3 (Assignee) • 18 years ago
Attachment #241295 - Attachment is obsolete: true
Attachment #241297 - Flags: review?(igor.bukanov)
Attachment #241295 - Flags: review?(igor.bukanov)
Comment 4 (Assignee) • 18 years ago
Attachment #241296 - Attachment is obsolete: true
Comment 5 • 18 years ago
Comment on attachment 241295 (fix):
Right, Call reference to the generator frame can only be the single reference.
Attachment #241295 - Flags: review+
Comment 6 • 18 years ago
Comment on attachment 241297 (fix, with #if fix):
HAS_GENERATORS can be false indeed.
Attachment #241297 - Flags: review?(igor.bukanov) → review+
Updated (Reporter) • 18 years ago
Whiteboard: [sg:critical]
Comment 7 (Assignee) • 18 years ago
Comment on attachment 241297 (fix, with #if fix):
I think we should fix the trunk-patched post-rc2 criticals in 1.8.1. /be
Attachment #241297 - Flags: approval1.8.1?
Attachment #241297 - Flags: approval1.8.1.1?
Comment 8 (Assignee) • 18 years ago
Fixed on the trunk:

    Checking in jsfun.c;
    /cvsroot/mozilla/js/src/jsfun.c,v  <--  jsfun.c
    new revision: 3.166; previous revision: 3.165
    done
    Checking in jsinterp.h;
    /cvsroot/mozilla/js/src/jsinterp.h,v  <--  jsinterp.h
    new revision: 3.52; previous revision: 3.51
    done
    Checking in jsiter.c;
    /cvsroot/mozilla/js/src/jsiter.c,v  <--  jsiter.c
    new revision: 3.52; previous revision: 3.51
    done

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated (Assignee) • 18 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Comment 11 • 18 years ago
Comment on attachment 241297 (fix, with #if fix):
Approved for RC3.
Attachment #241297 - Flags: approval1.8.1? → approval1.8.1+
Comment 12 (Assignee) • 18 years ago
Fixed on the 1.8 branch:

    Checking in jsfun.c;
    /cvsroot/mozilla/js/src/jsfun.c,v  <--  jsfun.c
    new revision: 3.117.2.24; previous revision: 3.117.2.23
    done
    Checking in jsinterp.h;
    /cvsroot/mozilla/js/src/jsinterp.h,v  <--  jsinterp.h
    new revision: 3.43.4.5; previous revision: 3.43.4.4
    done
    Checking in jsiter.c;
    /cvsroot/mozilla/js/src/jsiter.c,v  <--  jsiter.c
    new revision: 3.17.2.22; previous revision: 3.17.2.21
    done

/be
Keywords: fixed1.8.1
Updated • 18 years ago
Whiteboard: [sg:critical] → [sg:critical] js1.7 feature
Comment 13 • 18 years ago
Verified using the testcase in the 20061011 1.8 debug shell on Windows/Linux.
Keywords: fixed1.8.1 → verified1.8.1
Comment 14 • 18 years ago
Clearing nomination and security flags for already fixed bug.
Group: security
Flags: blocking1.8.1.1?
Updated • 18 years ago
Attachment #241297 - Flags: approval1.8.1.1?
Updated • 13 years ago
Crash Signature: [@ args_resolve]