Closed Bug 523530 Opened 15 years ago Closed 15 years ago

Crash [@ 0x001f5422] or [@ 0x002dd7e1]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Assigned: mrbkap)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr] fixed-in-tracemonkey)

Attachments

(3 files)

try { (function() { [__defineSetter__("x", gc)] })() } catch(e) {}
try { (function() { __defineGetter__("x", gc).x })() } catch(e) {}
try { (function() { for (var a = 0; a < 8; ++a) { if (a % 3 == 1) { this.watch("x", eval) } } })() } catch(e) {}
try { (function() { for (let b = 0; b < 4; ++b) print(x = 3 / 0) })() } catch(e) {}

crashes js opt shell without -j at 0x001f5422 and crashes dbg shell without -j at 0x002dd7e1 when passed in as a CLI argument.

Setting security-sensitive due to scary addresses.

autoBisect coming right up...
Attached file stack trace
Strangely, gdb fails to unwind, but Mac OS X crash reporter has little trouble.
autoBisect shows this is probably related to bug 495325:

The first bad revision is:
changeset: 33133:de72243414cd
user: Blake Kaplan
date: Mon Aug 17 18:08:20 2009 -0700
summary: Bug 495325 - Follow ES about indirect eval being global eval. r=brendan/igor
Blocks: 495325
Whiteboard: [ccbr]
Attached patch Fix
When we set aside the scope chain, it isn't marked any more. We need to do that manually. I wanted to use JSAutoTempValueRooter, but couldn't see an easy way to do so.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #407469 - Flags: review?(brendan)
Attachment #407469 - Flags: review?(brendan) → review+
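A toy mark-and-sweep model of the problem the patch comment describes, as an added example that is not the attached patch or SpiderMonkey code. The heap, `frame_scope_chain`, `temp_roots` and `eval_with_saved_chain` are hypothetical names, and the collector flags swept objects instead of freeing them so the result can be inspected safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy mark-and-sweep heap. Every name here is hypothetical, not SpiderMonkey's. */
enum { HEAP = 4, ROOTS = 4 };
typedef struct Obj { struct Obj *parent; bool live, marked; } Obj;

static Obj heap[HEAP];
static Obj *frame_scope_chain;   /* the only pointer the collector traces by default */
static Obj *temp_roots[ROOTS];   /* manual roots, standing in for a temp rooter */
static int ntemp;

static Obj *new_obj(Obj *parent) {
    for (int i = 0; i < HEAP; i++)
        if (!heap[i].live) { heap[i] = (Obj){ parent, true, false }; return &heap[i]; }
    return NULL;
}

static void mark(Obj *o) { for (; o && !o->marked; o = o->parent) o->marked = true; }

static void gc(void) {
    mark(frame_scope_chain);
    for (int i = 0; i < ntemp; i++) mark(temp_roots[i]);
    for (int i = 0; i < HEAP; i++) {         /* sweep: unmarked objects die */
        if (!heap[i].marked) heap[i].live = false;
        heap[i].marked = false;
    }
}

/* Set the scope chain aside, run something that collects, then restore it.
 * Returns whether the saved chain was still alive when it was restored. */
static bool eval_with_saved_chain(bool root_manually) {
    for (int i = 0; i < HEAP; i++) heap[i].live = false;   /* fresh heap per run */
    ntemp = 0;
    Obj *global = new_obj(NULL);
    Obj *saved = frame_scope_chain = new_obj(global);      /* inner scope -> global */
    frame_scope_chain = global;                            /* set aside: unreachable now */
    if (root_manually) temp_roots[ntemp++] = saved;        /* the manual marking */
    gc();                                                  /* e.g. a setter that calls gc */
    if (root_manually) ntemp--;
    frame_scope_chain = saved;                             /* dangling if it was swept */
    return saved->live;
}

int main(void) {
    printf("unrooted survives: %d\n", eval_with_saved_chain(false));
    printf("rooted survives:   %d\n", eval_with_saved_chain(true));
    return 0;
}
```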
Comment on attachment 407469
Fix

So to use JSAutoTempValueRooters you'd need to get rid of the downward gotos, or else init the atvrs with null and then set their values?

/be
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
Blocks: 531675
This was pushed to mozilla-central some time ago:
http://hg.mozilla.org/mozilla-central/rev/2581d8d91679

Apparently in the checkin message a different number, bug 520511, was referenced.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ 0x001f5422] [@ 0x002dd7e1]
Group: core-security