Bug 517250 (Closed)
Crash [@ js_TraceStackFrame] with for...in, yield
Opened 15 years ago; Closed 15 years ago
Category: Core :: JavaScript Engine, defect, P2
Status: VERIFIED FIXED

Tracking flag | Tracking | Status
---|---|---
status1.9.2 | --- | beta1-fixed
status1.9.1 | --- | unaffected
Reporter: gkw; Assigned: mrbkap
4 keywords; Whiteboard: [sg:nse][ccbr] fixed-in-tracemonkey
Attachments (1 file): patch, 845 bytes; Waldo: review+
for (a in (function () { yield })()) gczeal(2);

* crashes near null at js_TraceStackFrame in debug js shell on TM branch without -j.

Turning security-sensitive because this involves gczeal.

autoBisect shows this is probably related to bug 517041:

The first bad revision is:
changeset:   32269:5002e220aac1
user:        Blake Kaplan
date:        Wed Sep 16 16:13:41 2009 -0700
summary:     Bug 517041 - Instead of giving pseudo frames an sp, protect against null sps during GC. r=brendan

===

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
Crashed Thread:  0

Thread 0 Crashed:
0   js-dbg-tm-darwin   0x0006a8f1 js_TraceStackFrame + 535
1   js-dbg-tm-darwin   0x0009d79c generator_trace(JSTracer*, JSObject*) + 118
2   js-dbg-tm-darwin   0x000b2d0b js_TraceObject + 363
3   js-dbg-tm-darwin   0x0006a230 JS_TraceChildren + 90
4   js-dbg-tm-darwin   0x0006a18b JS_CallTracer + 1513
5   js-dbg-tm-darwin   0x0006ae5a TraceWeakRoots(JSTracer*, JSWeakRoots*) + 104
6   js-dbg-tm-darwin   0x0006b2e5 js_TraceContext + 837
7   js-dbg-tm-darwin   0x0006b904 js_TraceRuntime + 172
8   js-dbg-tm-darwin   0x0006c2dd js_GC + 905
9   js-dbg-tm-darwin   0x0006e12d JSObject* NewGCThing<JSObject>(JSContext*, unsigned int) + 329
10  js-dbg-tm-darwin   0x0006e49b js_NewGCObject + 17
11  js-dbg-tm-darwin   0x000a82d3 js_NewObjectWithGivenProto + 275
12  js-dbg-tm-darwin   0x001246b4 js_GetAnyName + 144
13  js-dbg-tm-darwin   0x000929fa js_Interpret + 141068
14  js-dbg-tm-darwin   0x000997d7 js_Execute + 1155
15  js-dbg-tm-darwin   0x0001ef82 JS_ExecuteScript + 54
16  js-dbg-tm-darwin   0x000089a8 Process(JSContext*, JSObject*, char*, int) + 1408
17  js-dbg-tm-darwin   0x00009e3a ProcessArgs(JSContext*, JSObject*, char**, int) + 2276
18  js-dbg-tm-darwin   0x0000b493 main + 927
19  js-dbg-tm-darwin   0x000020eb _start + 209
20  js-dbg-tm-darwin   0x00002019 start + 41
Flags: blocking1.9.2?

Updated•15 years ago (Reporter)
Whiteboard: [ccbr]

Comment 1•15 years ago (Assignee)
This is just a bug in the assertion. It means to say "if there are regs but no sp, then nfixed must be 0."
Comment 2•15 years ago (Assignee)
(and it can say that because the only way for that condition to be true is for a pseudo js_watch_set frame.)
Updated•15 years ago
Attachment #401259 - Flags: review?(jwalden+bmo) → review+
Comment 4•15 years ago (Assignee)
http://hg.mozilla.org/tracemonkey/rev/14d4bb685d0a
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
Comment 5•15 years ago
js1_7/extensions/regress-355512.js crashes this way, so we had test suite coverage.
Flags: in-testsuite+
Updated•15 years ago
Group: core-security
Comment 6•15 years ago
I don't think we should be calling debug-only exit()s due to an assert a "crash" -- that's confusing two different symptoms.
Comment 7•15 years ago (Assignee)
(In reply to comment #6)
> I don't think we should be calling debug-only exit()s due to an assert a
> "crash" -- that's confusing two different symptoms.

This was a crash, though. The assertion condition was crashing before it could even be tested.
Updated•15 years ago

Comment 8•15 years ago
http://hg.mozilla.org/mozilla-central/rev/14d4bb685d0a
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 9•15 years ago
This is now happening on mozilla-1.9.2 since bug 517041 was checked in there.
Comment 10•15 years ago
This is also covered by js1_7/extensions/regress-387955-01.js on 1.9.2
Comment 11•15 years ago
sayrer: ping re comment 9
Comment 12•15 years ago
what about comment 9?
Comment 13•15 years ago
This needs to land in 1.9.2, at a guess? Just trying to keep up with my bugmail. /be
Comment 14•15 years ago
Yes. This needs to land on 1.9.2. Sorry about not being more specific.
Comment 15•15 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dd3304f50c83
status1.9.2: --- → beta1-fixed
Comment 16•15 years ago
js1_7/extensions/regress-355512.js
js1_7/extensions/regress-387955-01.js
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Updated•13 years ago
status1.9.1: --- → unaffected
Updated•13 years ago
Crash Signature: [@ js_TraceStackFrame]