Bug 503679 - Crash [@ js_PutCallObject]

Status: RESOLVED FIXED (closed)
Opened 15 years ago; closed 15 years ago
Categories: Core :: JavaScript Engine, defect, P1
Reporter: gkw (Unassigned)
Keywords: crash, regression, testcase
Whiteboard: [sg:dupe 502449]

Flag | Tracking | Status
---|---|---
status1.9.2 | --- | beta1-fixed
status1.9.1 | --- | .2-fixed

Description
```js
(function() { this.watch("x", (Function("\
try{[]}catch(x){var i=*::x}\
"))) })()
x = x
```

The testcase above crashes js dbg and opt shell without -j on TM branch. Haven't yet tested on 1.9.1, running autoBisect after sleep.

=====

```
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0

Thread 0 Crashed:
0 js-dbg-tm-intelmac 0x0005f8e2 js_PutCallObject + 464
1 js-dbg-tm-intelmac 0x0003c42d js_watch_set + 1933
2 js-dbg-tm-intelmac 0x000a517d js_SetSprop + 387
3 js-dbg-tm-intelmac 0x000b04ff js_NativeSet + 687
4 js-dbg-tm-intelmac 0x000b20ce js_SetPropertyHelper + 3836
5 js-dbg-tm-intelmac 0x0008460c js_Interpret + 91484
6 js-dbg-tm-intelmac 0x0009a260 js_Execute + 906
7 js-dbg-tm-intelmac 0x0001eb2c JS_ExecuteScript + 54
8 js-dbg-tm-intelmac 0x00008e18 Process(JSContext*, JSObject*, char*, int) + 1402
9 js-dbg-tm-intelmac 0x0000a2a6 ProcessArgs(JSContext*, JSObject*, char**, int) + 2276
10 js-dbg-tm-intelmac 0x0000b750 main + 924 (js.cpp:4752)
11 js-dbg-tm-intelmac 0x000026db _start + 209
12 js-dbg-tm-intelmac 0x00002609 start + 41
```
Flags: blocking1.9.2?
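As an added triage helper (not part of this bug report or the SpiderMonkey tree): the Python below parses the macOS crash excerpt from the description, re-typed here as constructed sample input, into frames, derives the Bugzilla-style signature that the bug's Crash Signature field carries, and extracts the faulting address, whose value of 0x0 is the classic NULL-dereference pattern. All function and class names (parse_crashed_thread, crash_signature, fault_address, Frame) are this example's own.

```python
import re
from typing import NamedTuple, Optional
# Constructed sample input: the crash excerpt from comment 0, re-typed one frame per line.
CRASH_REPORT = """\
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Thread 0 Crashed:
0 js-dbg-tm-intelmac 0x0005f8e2 js_PutCallObject + 464
1 js-dbg-tm-intelmac 0x0003c42d js_watch_set + 1933
2 js-dbg-tm-intelmac 0x000a517d js_SetSprop + 387
3 js-dbg-tm-intelmac 0x000b04ff js_NativeSet + 687
4 js-dbg-tm-intelmac 0x000b20ce js_SetPropertyHelper + 3836
5 js-dbg-tm-intelmac 0x0008460c js_Interpret + 91484
6 js-dbg-tm-intelmac 0x0009a260 js_Execute + 906
7 js-dbg-tm-intelmac 0x0001eb2c JS_ExecuteScript + 54
8 js-dbg-tm-intelmac 0x00008e18 Process(JSContext*, JSObject*, char*, int) + 1402
9 js-dbg-tm-intelmac 0x0000a2a6 ProcessArgs(JSContext*, JSObject*, char**, int) + 2276
10 js-dbg-tm-intelmac 0x0000b750 main + 924 (js.cpp:4752)
11 js-dbg-tm-intelmac 0x000026db _start + 209
12 js-dbg-tm-intelmac 0x00002609 start + 41
"""
# frame-number  module  0xaddress  function  + offset  [(source:line)]
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+0x([0-9a-fA-F]+)\s+(.+?)\s+\+\s+(\d+)(?:\s+\(([^)]*)\))?$")
EXC_RE = re.compile(r"Exception Codes:\s+(\S+)\s+at\s+0x([0-9a-fA-F]+)")

class Frame(NamedTuple):
    module: str
    function: str
    offset: int
    source: Optional[str]  # e.g. "js.cpp:4752" when debug info resolved it

def parse_crashed_thread(report: str) -> list[Frame]:
    # Frames follow the "Thread N Crashed:" header, topmost (faulting) frame first
    frames = []
    for line in report.split("Crashed:\n", 1)[1].splitlines():
        m = FRAME_RE.match(line)
        if not m:
            break  # first non-frame line ends the crashed-thread listing
        frames.append(Frame(m[2], m[4], int(m[5]), m[6]))
    return frames

def crash_signature(frames: list[Frame], skip=("start", "_start", "main")) -> str:
    # Bugzilla-style "[@ func]" signature: the topmost frame that is not process boilerplate
    top = next((f.function for f in frames if f.function not in skip), "unknown")
    return f"[@ {top}]"

def fault_address(report: str) -> Optional[int]:
    # Address from the "Exception Codes" line; a value inside the first page (< 0x1000) means NULL deref
    m = EXC_RE.search(report)
    return int(m[2], 16) if m else None
```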
Comment 1 (Reporter, 15 years ago)
autoBisect shows this is probably related to bug 501270. The first bad revision is:

changeset: 29674:02eca43038ef
user: Blake Kaplan
date: Wed Jul 01 11:40:36 2009 -0700
summary: Bug 501270 - Make pseudo-frames have call objects if they're around a heavyweight function to preserve engine invariants. r=brendan
Comment 2 (Reporter, 15 years ago)
Security-sensitive because bug 501270 is locked too.
Group: core-security
Comment 3 (15 years ago)
Gary, is this not fixed by the patch in bug 502449? My tree with that patch checked in doesn't crash on this testcase.
Comment 4 (Reporter, 15 years ago)
(In reply to comment #3)
> Gary, is this not fixed by the patch in bug 502449? My tree with that patch
> checked in doesn't crash on this testcase.

Fails with http://hg.mozilla.org/tracemonkey/rev/c8489ee35bb2 - 30032
Works with http://hg.mozilla.org/tracemonkey/rev/9a3e20706425 - 30039

Bug 502449 is indeed in between this window - so I presume you're right.

Also, if bug 501270 exists in 1.9.1 / 1.9.0, shouldn't the patch in bug 502449 be backported? However, tests in bug 502449 show that 1.9.1/1.9.0 didn't seem to be affected...

Feel free to resolve this bug any way...
Updated (15 years ago)
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
Resolution: --- → FIXED
Updated (15 years ago)
Group: core-security
Whiteboard: [sg:dupe 502449]
Updated by Reporter (15 years ago)
Flags: in-testsuite?
Comment 5 (15 years ago)
Mass change: adding fixed1.9.2 keyword (This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Updated (15 years ago)
status1.9.2: --- → beta1-fixed
Keywords: fixed1.9.2
Updated (15 years ago)
Flags: wanted1.9.0.x-
Updated (13 years ago)
status1.9.1: --- → .2-fixed
Updated (13 years ago)
Crash Signature: [@ js_PutCallObject]