Closed Bug 361346 Opened 18 years ago Closed 18 years ago

Crash with setter, watch, and GC

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Attachments

(2 files, 1 obsolete file)

With that fixed
2.64 KB, patch
brendan
: review+
jay
: approval1.8.0.9+
jay
: approval1.8.1.1+
Details | Diff | Splinter Review
js1_5/Regress/regress-361346.js
2.12 KB, text/plain
Details 
js> this.x setter= new Function; this.watch('x', function(){}); gc(); x = {};
before 9232, after 9232, break 01205000
Bus error

I saw this jump to a bogus address a few times, so I'm marking the bug security-sensitive.
Whiteboard: [sg:critical?]
Attached patch Potential fix (obsolete) — Splinter Review 
I think the problem here is that we replace the sprop that contains the setter as its setter on the object, and then fail to mark it ever again (since it's stored in the watchpoint's setter field, and to this point, nobody marks it). This patch fixes the bug for me.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #246122 - Flags: review?(brendan)
Comment on attachment 246122 [details] [diff] [review]
Potential fix

>+        JS_MarkGCThing(cx, wp->setter, "wp->setter", NULL);

Only if (wp->sprop->attrs & JSPROP_SETTER), right?  Otherwise, it's a JSPropertyOp and we shouldn't try to mark it.

/be
Attached patch With that fixedSplinter Review 

        Attachment #246122 -
        Attachment is obsolete: true

        Attachment #246125 -
        Flags: review?(brendan)

        Attachment #246122 -
        Flags: review?(brendan)
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All

    
    

    
  
Comment on attachment 246125 [details] [diff] [review]
With that fixed

Looks good, please nominate the bug too.

/be

        Attachment #246125 -
        Flags: review?(brendan)

        Attachment #246125 -
        Flags: review+

        Attachment #246125 -
        Flags: approval1.8.1.1?

        Attachment #246125 -
        Flags: approval1.8.0.9?

    
  
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?

    
  
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+

    
    

    
  
Comment on attachment 246125 [details] [diff] [review]
With that fixed

Approved for both branches.  a=jay for drivers, please land asap.

        Attachment #246125 -
        Flags: approval1.8.1.1?

        Attachment #246125 -
        Flags: approval1.8.1.1+

        Attachment #246125 -
        Flags: approval1.8.0.9?

        Attachment #246125 -
        Flags: approval1.8.0.9+
Blocks: 361467

    
    

    
  
This has yet to be landed anywhere -- mrbkap, can you do the checkins?

/be

    
    

    
  
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8.1

    
    

    
  
Fixed on the 1.8 branch now too.
Keywords: fixed1.8.1.1

    
    

    
  
...And the 1.8.0 branch too...
Keywords: fixed1.8.0.9

    
    

    
  


  
crashes on shutdown before fixes.
Flags: in-testsuite+

    
    

    
  
verified fixed 20061125 1.8.0.9 windows/linux/mac*, 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, 
          
            fixed1.8.1.1verified1.8.0.9, 
          
            verified1.8.1.1
Group: security

    
    

    
  
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-361346.js,v  <--  regress-361346.js


          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: