Closed Bug 361346 Opened 18 years ago Closed 18 years ago

Crash with setter, watch, and GC

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Attachments

(2 files, 1 obsolete file)

With that fixed
2.64 KB, patch
brendan
: review+
jay
: approval1.8.0.9+
jay
: approval1.8.1.1+
Details | Diff | Splinter Review
js1_5/Regress/regress-361346.js
2.12 KB, text/plain
Details
js> this.x setter= new Function; this.watch('x', function(){}); gc(); x = {}; before 9232, after 9232, break 01205000 Bus error I saw this jump to a bogus address a few times, so I'm marking the bug security-sensitive.
Whiteboard: [sg:critical?]
Attached patch Potential fix (obsolete) — Splinter Review
I think the problem here is that we replace the sprop that contains the setter as its setter on the object, and then fail to mark it ever again (since it's stored in the watchpoint's setter field, and to this point, nobody marks it). This patch fixes the bug for me.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #246122 - Flags: review?(brendan)
Comment on attachment 246122 [details] [diff] [review] Potential fix >+ JS_MarkGCThing(cx, wp->setter, "wp->setter", NULL); Only if (wp->sprop->attrs & JSPROP_SETTER), right? Otherwise, it's a JSPropertyOp and we shouldn't try to mark it. /be
Attached patch With that fixedSplinter Review
Attachment #246122 - Attachment is obsolete: true
Attachment #246125 - Flags: review?(brendan)
Attachment #246122 - Flags: review?(brendan)
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
Comment on attachment 246125 [details] [diff] [review] With that fixed Looks good, please nominate the bug too. /be
Attachment #246125 - Flags: review?(brendan)
Attachment #246125 - Flags: review+
Attachment #246125 - Flags: approval1.8.1.1?
Attachment #246125 - Flags: approval1.8.0.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Comment on attachment 246125 [details] [diff] [review] With that fixed Approved for both branches. a=jay for drivers, please land asap.
Attachment #246125 - Flags: approval1.8.1.1?
Attachment #246125 - Flags: approval1.8.1.1+
Attachment #246125 - Flags: approval1.8.0.9?
Attachment #246125 - Flags: approval1.8.0.9+
Blocks: 361467
This has yet to be landed anywhere -- mrbkap, can you do the checkins? /be
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8.1
Fixed on the 1.8 branch now too.
Keywords: fixed1.8.1.1
...And the 1.8.0 branch too...
Keywords: fixed1.8.0.9
crashes on shutdown before fixes.
Flags: in-testsuite+
verified fixed 20061125 1.8.0.9 windows/linux/mac*, 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, fixed1.8.1.1verified1.8.0.9, verified1.8.1.1
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-361346.js,v <-- regress-361346.js
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: