Closed Bug 361451 Opened 18 years ago Closed 18 years ago

GC crash [@ js_SearchScope] with E4X, watch, import

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

Details

(Keywords: crash, testcase, verified1.8.1.1)

Crash Data

Attachments

(1 file)

fix
1.59 KB, patch
mrbkap
: review+
dveditz
: approval1.8.1.1+
Details | Diff | Splinter Review 
Pasting this into the JavaScript shell or giving it to the shell as a file causes a crash:

var obj = <z><yyy/></z>;
obj.watch('x', print);
try { import obj.yyy; } catch(e) { }
obj = undefined;
gc();

The crash happens both with and without the patch for bug 361346.

The crash looks like a null deref.  Here's a debug stack trace:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000014

Thread 0 Crashed:
0   js 	0x00070b90 js_SearchScope + 220 (jsscope.c:265)
1   js 	0x000708e0 CreateScopeTable + 416 (jsscope.c:132)
2   js 	0x00072644 js_AddScopeProperty + 1020 (jsscope.c:981)
3   js 	0x000731b4 js_ChangeScopePropertyAttrs + 840 (jsscope.c:1284)
4   js 	0x00048b34 js_ChangeNativePropertyAttrs + 124 (jsobj.c:2906)
5   js 	0x00023cb4 DropWatchPoint + 232 (jsdbgapi.c:269)
6   js 	0x000251bc JS_ClearWatchPointsForObject + 100 (jsdbgapi.c:608)
7   js 	0x00047fd0 js_FinalizeObject + 184 (jsobj.c:2700)
8   js 	0x000922fc js_GC + 2888 (jsgc.c:3016)
...
Attached patch fixSplinter Review 
Assignee: general → brendan
Status: NEW → ASSIGNED

        Attachment #246243 -
        Flags: review?(igor.bukanov)

    
  
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha

    
    

    
  
Comment on attachment 246243 [details] [diff] [review]
fix

I was going to write exactly this patch, but didn't get a chance to ;-).

        Attachment #246243 -
        Flags: review+

    
    

    
  
Comment on attachment 246243 [details] [diff] [review]
fix

Igor, you're welcome to review too.  I'm checking into the trunk with r=mrbkap to get this lined up for 1.8.1.1.

/be

        Attachment #246243 -
        Flags: review?(igor.bukanov) → approval1.8.1.1?

    
    

    
  
Checking in jsgc.c;
/cvsroot/mozilla/js/src/jsgc.c,v  <--  jsgc.c
new revision: 3.181; previous revision: 3.180
done

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
RCS file: /cvsroot/mozilla/js/tests/e4x/Regress/regress-361451.js,v
done
Checking in regress-361451.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-361451.js,v  <--  regress-361451.js
initial revision: 1.1
done

note this did crash 11/21's morning trunk debug shell on windows but not the 1.8.1.1 shell and didn't crash either on Linux.
Flags: in-testsuite+

    
    

    
  
verified fixed 20061122 1.9 windows/linux
Status: RESOLVED → VERIFIED

    
    

    
  
Comment on attachment 246243 [details] [diff] [review]
fix

approved for 1.8 branch, a=dveditz for drivers

        Attachment #246243 -
        Flags: approval1.8.1.1? → approval1.8.1.1+

    
    

    
  
This landed as part of the patch for bug 347306 and bug 360612.

/be
Keywords: fixed1.8.1.1

    
    

    
  
verified fixed 20061130 1.8.1.1 window/linux/mac*
Keywords: fixed1.8.1.1verified1.8.1.1
Crash Signature: [@ js_SearchScope]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: