Bug 370101 - getfunns does not call SAVE_SP_AND_PC
Status: RESOLVED FIXED
Whiteboard: [sg:critical?]
Keywords: fixed1.8.0.12, fixed1.8.1.4
Product: Core
Component: JavaScript Engine
Version: Trunk
Platform/OS: All / All
Priority/Severity: -- / critical
Target Milestone: ---
Assigned To: Igor Bukanov
QA Contact: Jason Orendorff [:jorendorff]
Reported: 2007-02-11 15:28 PST by Igor Bukanov
Modified: 2007-05-30 15:35 PDT
Flags: dveditz: blocking1.8.1.4+, dveditz: wanted1.8.1.x+, dveditz: blocking1.8.0.12+, dveditz: wanted1.8.0.x+, bob: in-testsuite-

Attachments
- Fix v1 (732 bytes, patch), 2007-02-11 15:31 PST, Igor Bukanov; brendan: review+
- 1.8.1 version of fix v (754 bytes, patch), 2007-02-13 09:01 PST, Igor Bukanov; dveditz: approval1.8.1.4+
- 1.8.0 version of fix v (752 bytes, patch), 2007-02-13 09:09 PST, Igor Bukanov; dveditz: approval1.8.0.12+

Description Igor Bukanov 2007-02-11 15:28:31 PST
JSOP_GETFUNNS does not call SAVE_SP_AND_PC before calling js_GetFunctionNamespace. The latter, on the first initialization of the function:: namespace, can call JS_InitClass for the namespace and qname classes, which uses the stack for the constructor call. In that case the unsaved portion of the stack will be nuked. I was hit by that while developing fixes for bug 370016, bug 370048 and bug 369740.

But without a fix for those bugs I have so far not been able to come up with a test case to show the bug. With code like:
  with(Math)
    print(function::sin)
the function::sin triggers a function-not-found exception. That in turn throws away the damaged portion of the stack. But the bug should be visible in the js debugger.
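As an added illustration of the hazard described above (constructed for this page; it is not SpiderMonkey code and not the attached patch), here is a small C model of an interpreter that caches the stack pointer in a local and calls out to code that re-enters the engine: unless the cached pointer is published to the frame first (what SAVE_SP does; the real macro also saves pc), the callee pushes through the frame's stale pointer and overwrites operands the opcode still needs. `Frame`, `reentrant_callee` and `run_opcode` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define STACK_SLOTS 8

/* Hypothetical interpreter frame: the operand stack plus the stack pointer
 * the frame advertises to code outside the main interpreter loop. */
typedef struct Frame {
    int  slots[STACK_SLOTS];
    int *sp;
} Frame;

/* Stands in for js_GetFunctionNamespace -> JS_InitClass -> constructor call:
 * code that re-enters the engine and pushes through the frame's pointer,
 * trusting it to mark the real top of the operand stack. */
static void reentrant_callee(Frame *fp)
{
    int i;
    for (i = 0; i < 2; i++)
        *fp->sp++ = 0xBEEF;   /* scratch arguments for the nested call */
    fp->sp -= 2;              /* nested call returns and pops its scratch */
}

/* One opcode: pushes two operands via the locally cached sp, calls out,
 * then returns the top operand it expects to find still intact (22).
 * save_before_call models SAVE_SP: publish the cached sp to the frame. */
int run_opcode(int save_before_call)
{
    Frame f;
    int *sp;

    memset(&f, 0, sizeof f);
    f.sp = f.slots;
    sp = f.sp;                /* cached copy; f.sp goes stale as we push */
    *sp++ = 11;
    *sp++ = 22;
    if (save_before_call)
        f.sp = sp;            /* SAVE_SP: frame now knows about both operands */
    reentrant_callee(&f);     /* without the save, it writes over slots 0 and 1 */
    return sp[-1];
}

int main(void)
{
    printf("with SAVE_SP:    top operand = %d\n", run_opcode(1));
    printf("without SAVE_SP: top operand = %d\n", run_opcode(0));
    return 0;
}
```

The second line of output shows the operand replaced by the callee's scratch value, which is the "nuked" stack the report describes.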
Comment 1 Igor Bukanov 2007-02-11 15:31:01 PST
Created attachment 254759 [details] [diff] [review]
Fix v1
Comment 2 Brendan Eich [:brendan] 2007-02-11 18:08:01 PST
Comment on attachment 254759 [details] [diff] [review]
Fix v1

r=me, d'oh.

/be
Comment 3 Igor Bukanov 2007-02-11 23:04:08 PST
I committed the patch from comment 1 to the trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.328; previous revision: 3.327
done
Comment 4 Igor Bukanov 2007-02-11 23:06:31 PST
Nominating for branches this very safe fix. 
Comment 5 Igor Bukanov 2007-02-13 09:01:47 PST
Created attachment 254960 [details] [diff] [review]
1.8.1 version of fix v
Comment 6 Igor Bukanov 2007-02-13 09:09:24 PST
Created attachment 254961 [details] [diff] [review]
1.8.0 version of fix v
Comment 7 Daniel Veditz [:dveditz] 2007-03-16 14:33:51 PDT
Comment on attachment 254960 [details] [diff] [review]
1.8.1 version of fix v

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Comment 8 Igor Bukanov 2007-04-04 19:29:46 PDT
I committed the patch from comment 5 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.85; previous revision: 3.181.2.84
done
Comment 9 Igor Bukanov 2007-04-04 19:33:12 PDT
I committed the patch from comment 6 to MOZILLA_1_8_0_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.17.2.30; previous revision: 3.181.2.17.2.29
done