Closed
Bug 495563
Opened 15 years ago
Closed 15 years ago
TM: Crash with (function() { return this; })()
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: jruderman, Assigned: gal)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
3.30 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
for (var i = 0; i < 3; ++i) {
(function() { return this; })();
}
Causes a null deref within JITted code.
|
||
Comment 1•15 years ago
|
||
does it get branch too?
|
Assignee | |
Updated•15 years ago
|
Assignee: general → gal
|
|
Assignee | |
Comment 3•15 years ago
|
||
Attachment #380562 -
Flags: review?(brendan)
|
||
Comment 4•15 years ago
|
||
autoBisect shows this is probably related to bug 492904 : The first bad revision is: changeset: 28601:dbf1b7adc784 user: Brendan Eich date: Tue May 19 12:59:08 2009 -0700 summary: Bug 492904 - TM: Crash [@ TraceRecorder::test_property_cache] (r=gal).
Blocks: 492904
Keywords: regression
|
|
Assignee | |
Comment 5•15 years ago
|
||
Yeah, I identified the same bug as regressor.
|
|
Assignee | |
Comment 6•15 years ago
|
||
This always reads from 0x00000004, so not exploitable (but crashes of course).
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
||
Comment 7•15 years ago
|
||
Comment on attachment 380562 [details] [diff] [review] argv[-1] is updated by ComputeThisForFrame, so sample it early Comment the load into original by saying that js_ComputeThisForFrame updates argv[-1]. /be
Attachment #380562 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 8•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/6355d89f05dc
Whiteboard: fixed-in-tracemonkey
|
|
Assignee | |
Comment 9•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/7ec985e33884
|
|
Assignee | |
Comment 10•15 years ago
|
||
I had to push out a spot fix.
|
|
||
Comment 11•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6355d89f05dc
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Comment 12•15 years ago
|
||
Please cite the followup fix so sayrer doesn't miss it: http://hg.mozilla.org/tracemonkey/rev/7ec985e33884 /be
|
||
Comment 13•15 years ago
|
||
Re-opening to be super-sure that Rob doesn't miss the follow-up fix which, AFAICT, has not yet been landed on mozilla-central. Apologies if it has; just want to be extra-sure.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 14•15 years ago
|
||
I caught it. http://hg.mozilla.org/mozilla-central/pushloghtml?changeset=7a49095632be
|
|
||
Updated•15 years ago
|
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
|
|
||
Comment 15•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/710ca7757748 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e5fe9c68d8d3 (hotfix) speaking of hotfixes, shouldn't we have a test case for whatever was broken?
|
|
||
Updated•15 years ago
|
Keywords: fixed1.9.1
|
|
Assignee | |
Comment 16•15 years ago
|
||
This is covered by our unit tests. It lit the tinderboxes up like a Christmas tree.
|
||
Updated•15 years ago
|
Flags: in-testsuite+
|
||
Comment 17•15 years ago
|
||
Verified fixed on trunk (20090604215922) and 1.9.1 (20090604202448) with testcase in comment 0.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: mozilla1.9.1 → mozilla1.9.2a1
You need to log in
before you can comment on or make changes to this bug.
Description
•