Crash [@ js_ValueToSource] [@ js_Invoke] with getter, watch, GC

Status: RESOLVED WORKSFORME
Priority: --
Severity: critical
Opened: 12 years ago
Last updated: 8 years ago

People

(Reporter: jruderman, Assigned: crowderbt)

Tracking

Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Platform: PowerPC, Mac OS X
Points: ---
Bug Flags: in-testsuite+

Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: [sg:critical?], crash signature

Description (Reporter, 12 years ago)
Feeding this to the JavaScript shell as a file or by pasting it causes a crash.

(function() { this.x getter= function(){} })();
this.watch('x', print);
this.x getter= function(){};
gc();
this.unwatch('x');
x;

Sometimes the crash is js_Invoke dereferencing a random address:

0   js 	0x00094424 js_Invoke + 696 (jsinterp.c:1175)
1   js 	0x000955b4 js_InternalInvoke + 444 (jsinterp.c:1490)
2   js 	0x000958ec js_InternalGetOrSet + 552 (jsinterp.c:1550)
3   js 	0x000a8c10 js_Interpret + 72200 (jsinterp.c:4043)
4   js 	0x00095cd0 js_Execute + 960 (jsinterp.c:1643)
5   js 	0x000213a4 JS_ExecuteScript + 64 (jsapi.c:4194)
6   js 	0x00002e8c Process + 528 (js.c:233)
7   js 	0x00003bcc ProcessArgs + 2304 (js.c:490)
8   js 	0x0000a050 main + 640 (js.c:3098)
9   js 	0x00002368 _start + 340 (crt.c:272)
10  js 	0x00002210 start + 60

Sometimes the crash is js_ValueToSource jumping to 0x00000000:

Thread 0 Crashed:
0   <<00000000>> 	0x00000000 0 + 0
1   js 	0x0007e9f8 js_ValueToSource + 404 (jsstr.c:2701)
2   js 	0x0003f7ec js_DecompileValueGenerator + 3876 (jsopcode.c:4774)
3   js 	0x000574c4 js_ReportIsNotFunction + 220 (jsfun.c:2295)
4   js 	0x000953d4 js_Invoke + 4712 (jsinterp.c:1459)
5   js 	0x000955b4 js_InternalInvoke + 444 (jsinterp.c:1490)
6   js 	0x000958ec js_InternalGetOrSet + 552 (jsinterp.c:1550)
7   js 	0x000a8c10 js_Interpret + 72200 (jsinterp.c:4043)
8   js 	0x00095cd0 js_Execute + 960 (jsinterp.c:1643)
9   js 	0x000213a4 JS_ExecuteScript + 64 (jsapi.c:4194)
10  js 	0x00003004 Process + 904 (js.c:268)
11  js 	0x00003bcc ProcessArgs + 2304 (js.c:490)
12  js 	0x0000a050 main + 640 (js.c:3098)
13  js 	0x00002368 _start + 340 (crt.c:272)
14  js 	0x00002210 start + 60

I'm testing with the patches for bug 361552 and bug 361346.

Updated (Reporter, 12 years ago)
Whiteboard: [sg:critical?]
Critical security bugs must have owners. If you can't work on this bug help us find another active owner for it.
Assignee: general → crowder

Comment 2 (Assignee, 12 years ago)
I can't reproduce this anymore on the trunk.  Jesse, can you?

Comment 3 (Reporter, 12 years ago)
WFM on trunk (tested opt, debug, and way-too-much-gc).
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → WORKSFORME

Comment 4 (Assignee, 12 years ago)
How about the branches?  And is this interesting enough to track down the patch that fixed it to push there, if not?

Comment 5 (Reporter, 12 years ago)
WFM on gecko 1.8 and 1.8.0 branches (tested debug only).

Updated (Reporter, 12 years ago)
No longer blocks: 349611

Updated (Reporter, 12 years ago)
Blocks: 349611
Group: security

Updated (11 years ago)
Flags: in-testsuite?

Comment 6 (11 years ago)
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-361617.js,v  <--  regress-361617.js
initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ js_ValueToSource] [@ js_Invoke]