Closed Bug 368213 Opened 18 years ago Closed 18 years ago

Crash [@ js_EmitTree] with group assignment and sharp variable definition

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(Keywords: crash, testcase, verified1.8.1.4)

Crash Data

Attachments

(1 file, 1 obsolete file)

js> function() { [] = #1=[] }
Bus error

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0 js 0x0006403c js_EmitTree + 172 (jsemit.c:3926)
1 js 0x0006abac js_EmitTree + 27676 (jsemit.c:6137)
2 js 0x00063090 EmitGroupAssignment + 200 (jsemit.c:3529)
3 js 0x000633cc MaybeEmitGroupAssignment + 260 (jsemit.c:3578)
4 js 0x00067ce0 js_EmitTree + 15696 (jsemit.c:5180)
5 js 0x0006799c js_EmitTree + 14860 (jsemit.c:5119)
6 js 0x00061e14 js_EmitFunctionBytecode + 152 (jsemit.c:3134)
7 js 0x00061f9c js_EmitFunctionBody + 296 (jsemit.c:3158)
8 js 0x000644a0 js_EmitTree + 1296 (jsemit.c:3962)
9 js 0x00067d14 js_EmitTree + 15748 (jsemit.c:5187)
10 js 0x000d6924 Statements + 768 (jsparse.c:1505)
11 js 0x000d3dc8 js_CompileTokenStream + 212 (jsparse.c:501)
12 js 0x0001f15c CompileTokenStream + 224 (jsapi.c:3793)
13 js 0x0001f4b4 JS_CompileUCScriptForPrincipals + 148 (jsapi.c:3888)
14 js 0x0001f404 JS_CompileUCScript + 76 (jsapi.c:3855)
15 js 0x0001f2c0 JS_CompileScript + 128 (jsapi.c:3825)
16 js 0x00002984 Process + 840 (js.c:264)
17 js 0x0000358c ProcessArgs + 2304 (js.c:490)
18 js 0x00009c24 main + 640 (js.c:3169)
19 js 0x00001d28 _start + 340 (crt.c:272)
20 js 0x00001bd0 start + 60
This crash happens with both opt and debug js shell.
Blocks: 368267
Attached patch fix (obsolete) — Splinter Review
The code generation bug is in MaybeEmitGroupAssignment, so a JS1.7 regression. There was a latent sharp-variable decompiler bug that goes back ages. /be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #256701 - Flags: review?(mrbkap)
OS: Mac OS X → All
Hardware: Macintosh → All
Comment on attachment 256701 [details] [diff] [review]
fix

>+ for (xval = rval; *xval != '[' && *xval != '{'; xval++)
>+ continue;

A comment explaining what we're skipping here would make the reason for this for loop much clearer.
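Review bot: the loop condition `*xval != '[' && *xval != '{'` has no terminator check, so if rval happens to contain neither character the scan runs past the end of the string. If the decompiler guarantees that rval always holds a '[' or '{' at this point, the comment mrbkap asked for should state that invariant; otherwise add `*xval != '\0'` to the condition so the loop stops at the end of the string.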
Attachment #256701 - Flags: review?(mrbkap) → review+
Attached patch fix, v2 — Splinter Review
Oops, don't want to deoptimize function () {[] = []} to construct on Array. Also added that comment you wanted. /be
Attachment #256701 - Attachment is obsolete: true
Attachment #256741 - Flags: review?(mrbkap)
Attachment #256741 - Flags: review?(mrbkap) → review+
Blocks: js1.7src
Fixed on trunk: js/src/jsemit.c 3.237 js/src/jsopcode.c 3.209 /be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 256741 [details] [diff] [review]
fix, v2

Easy rider for 1.8.1.3. /be
Attachment #256741 - Flags: approval1.8.1.3?
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-368213.js,v <-- regress-368213.js initial revision: 1.1
Flags: in-testsuite+
verified fixed 1.9.0 20070320 win/mac*/linux
Status: RESOLVED → VERIFIED
Comment on attachment 256741 [details] [diff] [review]
fix, v2

approved for 1.8.1.4, a=dveditz for release-drivers
Attachment #256741 - Flags: approval1.8.1.4? → approval1.8.1.4+
Fixed on the 1.8 branch: js/src/jsemit.c 3.128.2.67 js/src/jsopcode.c 3.89.2.70 /be
Keywords: fixed1.8.1.4
verified fixed in rc1 firefox 2.0.0.4 windows/linux, and shell windows/linux/mac*
Blocks: 484769
Crash Signature: [@ js_EmitTree]