Closed Bug 361451 Opened 19 years ago Closed 19 years ago

GC crash [@ js_SearchScope] with E4X, watch, import

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

Details

(Keywords: crash, testcase, verified1.8.1.1)

Attachments

(1 file)

Pasting this into the JavaScript shell or giving it to the shell as a file causes a crash:

var obj = <z><yyy/></z>;
obj.watch('x', print);
try { import obj.yyy; } catch(e) { }
obj = undefined;
gc();

The crash happens both with and without the patch for bug 361346.

The crash looks like a null deref. Here's a debug stack trace:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000014

Thread 0 Crashed:
0 js 0x00070b90 js_SearchScope + 220 (jsscope.c:265)
1 js 0x000708e0 CreateScopeTable + 416 (jsscope.c:132)
2 js 0x00072644 js_AddScopeProperty + 1020 (jsscope.c:981)
3 js 0x000731b4 js_ChangeScopePropertyAttrs + 840 (jsscope.c:1284)
4 js 0x00048b34 js_ChangeNativePropertyAttrs + 124 (jsobj.c:2906)
5 js 0x00023cb4 DropWatchPoint + 232 (jsdbgapi.c:269)
6 js 0x000251bc JS_ClearWatchPointsForObject + 100 (jsdbgapi.c:608)
7 js 0x00047fd0 js_FinalizeObject + 184 (jsobj.c:2700)
8 js 0x000922fc js_GC + 2888 (jsgc.c:3016)
...

Attached patch: fix
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #246243 - Flags: review?(igor.bukanov)
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 246243: fix
I was going to write exactly this patch, but didn't get a chance to ;-).
Attachment #246243 - Flags: review+
Comment on attachment 246243: fix
Igor, you're welcome to review too. I'm checking into the trunk with r=mrbkap to get this lined up for 1.8.1.1.
/be
Attachment #246243 - Flags: review?(igor.bukanov) → approval1.8.1.1?
Checking in jsgc.c;
/cvsroot/mozilla/js/src/jsgc.c,v <-- jsgc.c
new revision: 3.181; previous revision: 3.180
done
/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
RCS file: /cvsroot/mozilla/js/tests/e4x/Regress/regress-361451.js,v
done
Checking in regress-361451.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-361451.js,v <-- regress-361451.js
initial revision: 1.1
done
note this did crash 11/21's morning trunk debug shell on windows but not the 1.8.1.1 shell and didn't crash either on Linux.
Flags: in-testsuite+
verified fixed 20061122 1.9 windows/linux
Status: RESOLVED → VERIFIED
Comment on attachment 246243: fix
approved for 1.8 branch, a=dveditz for drivers
Attachment #246243 - Flags: approval1.8.1.1? → approval1.8.1.1+
This landed as part of the patch for bug 347306 and bug 360612.
/be
Keywords: fixed1.8.1.1
verified fixed 20061130 1.8.1.1 windows/linux/mac*
Crash Signature: [@ js_SearchScope]