Closed Bug 490776 Opened 17 years ago Closed 16 years ago

Crash [@ js_SetBuiltinError]

Categories

(Core :: JavaScript Engine, defect, P2)

Tracking

VERIFIED FIXED
mozilla1.9.2a1

People

(Reporter: jruderman, Assigned: gal)

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files, 2 obsolete files)

TM branch
Attached patch patch (obsolete) — Splinter Review
- If we already deep-bailed, don't try to set a builtin status.
- Don't leak the error cookie. Status exit builtins should never use it.
Assignee: general → gal
Attachment #375233 - Flags: review?(jorendorff)
I think this is a rare and fairly safe NULL pointer crash and not exploitable.
Flags: wanted1.9.1?
Priority: -- → P2
Attached patch patch (obsolete) — Splinter Review
Attachment #375233 - Attachment is obsolete: true
Attachment #375233 - Flags: review?(jorendorff)
(This patch is on hold, pending further discussion how to properly solve it.)
I'm quite sure this is a regression - autoBisecting now... Shell testcase also crashes in Ubuntu 9.04.
Flags: in-testsuite?
Flags: blocking1.9.1?
Keywords: regression
OS: Mac OS X → All
Hardware: x86 → All
The testcase first asserts at "Assertion failure: cx->builtinStatus == 0, at ../jstracer.cpp" here, where it then takes on a variety of other assert messages:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1dd1af3aec3e&tochange=bded4e432e7a

Then changed from an assert to a crash in this regression window:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d9eafbebdd78&tochange=99143ce38e68

Due to the constant morphing of error indications, autoBisect is unable to pin down specific bugs, but nonetheless this bug is a regression.
blocking for now, but feel free to argue
Flags: blocking1.9.1? → blocking1.9.1+
This is back to a crash. Has to be fixed. Investigating.
There was some discussion between jorendorff and me regarding this bug, and for the life of me I can't remember what we agreed on. I will discuss this with Brendan and then post an update.
Attached patch patch — Splinter Review
Attachment #375244 - Attachment is obsolete: true
Attachment #376823 - Flags: review?(jorendorff)
Comment on attachment 376823 [details] [diff] [review] patch

Conversation on this one ranged far and wide on IRC, so this minimal patch is a huge relief.
Attachment #376823 - Flags: review?(jorendorff) → review+
The attached patch maintains a stack of InterpState structs, which guarantees that cx->interpState is always correct.
Whiteboard: fixed-in-tracemonkey
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified fixed with xpcshell test and the following debug builds:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090522 Minefield/3.6a1pre ID:20090522133810
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090522 Shiretoko/3.5pre ID:20090522153422
Status: RESOLVED → VERIFIED
Target Milestone: --- → mozilla1.9.2a1
Crash Signature: [@ js_SetBuiltinError]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+