Closed Bug 523530 Opened 11 years ago Closed 11 years ago

Crash [@ 0x001f5422] or [@ 0x002dd7e1]

Categories

(Core :: JavaScript Engine, defect)

Hardware: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical


RESOLVED FIXED

People

(Reporter: gkw, Assigned: mrbkap)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr] fixed-in-tracemonkey)

Attachments

(3 files)

// Fuzzer-generated testcase for the js shell: gc() and print() are shell
// builtins, and watch() was a SpiderMonkey-only extension. Each setter,
// getter or watchpoint handler can run gc() while the engine is mid-operation.
try { (function() {
    [__defineSetter__("x", gc)]
})() } catch(e) {}
try { (function() {
    __defineGetter__("x", gc).x
})() } catch(e) {}
try { (function() {
    for (var a = 0; a < 8; ++a) {
        if (a % 3 == 1) {
            this.watch("x", eval)
        }
    }
})() } catch(e) {}
try { (function() {
    for (let b = 0; b < 4; ++b) print(x = 3 / 0)
})() } catch(e) {}


crashes js opt shell without -j at 0x001f5422 and crashes dbg shell without -j at 0x002dd7e1 when passed in as a CLI argument. Setting security-sensitive due to scary addresses. autoBisect coming right up...
Attached file stack trace
Strangely, gdb fails to unwind, but the Mac OS X crash reporter has little trouble.
autoBisect shows this is probably related to bug 495325:

The first bad revision is:
changeset:   33133:de72243414cd
user:        Blake Kaplan
date:        Mon Aug 17 18:08:20 2009 -0700
summary:     Bug 495325 - Follow ES about indirect eval being global eval. r=brendan/igor
Blocks: 495325
Whiteboard: [ccbr]
Attached patch Fix
When we set aside the scope chain, it isn't marked any more. We need to do that manually. I wanted to use JSAutoTempValueRooter, but couldn't see an easy way to do so.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #407469 - Flags: review?(brendan)
Attachment #407469 - Flags: review?(brendan) → review+
Comment on attachment 407469: Fix

So to use JSAutoTempValueRooters you'd need to get rid of the downward gotos, or else init the atvrs with null and then set their values?

/be
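The rooting hazard that the patch and the review comment above turn on, as an added illustration that is not part of this bug and not SpiderMonkey code: a toy mark-sweep heap in C where a pointer set aside in a C local is invisible to the marker, a script-controlled callback (the setter, getter or watchpoint the testcase points at gc) collects, and the object is swept before the caller uses it. The hardened variant keeps the pointer on an explicit temp-root stack, reserving the slot with NULL before any early exit and filling it in once the value is known, so a downward goto to the cleanup label still leaves the stack balanced. Every name in it (heap, global_scope, push_temp_root, eval_with_scope_unrooted, eval_with_scope_rooted, run_demo) is hypothetical and assumed for the example.

```c
/* Added example (not SpiderMonkey code; every name is hypothetical). A toy
 * mark-sweep heap showing an unrooted pointer being swept under the caller,
 * and a temp-root stack standing in for JSAutoTempValueRooter. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_CELLS     8
#define MAX_TEMP_ROOTS 16
#define POISON         0xDEAD   /* value written into swept cells */

typedef struct Obj {
    bool live;     /* cell currently allocated */
    bool marked;   /* reached during the last mark phase */
    int  value;
} Obj;

static Obj    heap[HEAP_CELLS];
static Obj   *global_scope;                  /* the one permanent root */
static Obj   *temp_roots[MAX_TEMP_ROOTS];    /* explicit temporary roots */
static size_t n_temp_roots;

static void push_temp_root(Obj *o) { temp_roots[n_temp_roots++] = o; }
static void pop_temp_root(void)    { n_temp_roots--; }

static Obj *alloc_obj(int value) {
    for (size_t i = 0; i < HEAP_CELLS; i++) {
        if (!heap[i].live) {
            heap[i].live = true;
            heap[i].marked = false;
            heap[i].value = value;
            return &heap[i];
        }
    }
    return NULL;
}

/* Mark from the permanent root and the temp-root stack, then sweep. */
static void gc(void) {
    for (size_t i = 0; i < HEAP_CELLS; i++) heap[i].marked = false;
    if (global_scope) global_scope->marked = true;
    for (size_t i = 0; i < n_temp_roots; i++)
        if (temp_roots[i]) temp_roots[i]->marked = true;
    for (size_t i = 0; i < HEAP_CELLS; i++) {
        if (heap[i].live && !heap[i].marked) {
            heap[i].live = false;
            heap[i].value = POISON;   /* make a use of a swept cell visible */
        }
    }
}

/* Stands in for a setter, getter or watchpoint handler that script can
 * point at gc(), as the testcase on this bug does. */
static void run_script_callback(void) { gc(); }

/* The bug: the caller's scope chain is set aside in a C local while a fresh
 * global is installed, script runs (and collects), and the saved pointer is
 * used afterwards. Nothing marks the saved object, so it is swept. */
static int eval_with_scope_unrooted(void) {
    Obj *saved_scope = global_scope;
    global_scope = alloc_obj(1);
    run_script_callback();
    int v = saved_scope->value;      /* reads POISON: object already swept */
    global_scope = saved_scope;
    return v;
}

/* The fix: root the set-aside pointer for the duration of the call. The
 * root slot is reserved with NULL before any early exit and filled in once
 * the value is known, so every path reaches the single pop. */
static int eval_with_scope_rooted(bool fail_early) {
    Obj *saved_scope = NULL;
    int  v = -1;
    push_temp_root(NULL);
    if (fail_early) goto out;        /* downward goto: root stack still balanced */
    saved_scope = global_scope;
    temp_roots[n_temp_roots - 1] = saved_scope;
    global_scope = alloc_obj(1);
    run_script_callback();
    v = saved_scope->value;          /* still live: marked through the root */
    global_scope = saved_scope;
out:
    pop_temp_root();
    return v;
}

/* Fresh heap with one live global whose value is 42, then run one variant. */
static int run_demo(bool rooted, bool fail_early) {
    memset(heap, 0, sizeof heap);
    n_temp_roots = 0;
    global_scope = alloc_obj(42);
    return rooted ? eval_with_scope_rooted(fail_early) : eval_with_scope_unrooted();
}

int main(void) {
    printf("unrooted: %#x\n", run_demo(false, false));
    printf("rooted:   %d\n",  run_demo(true,  false));
    return 0;
}
```

The unrooted path returns the poison value because the saved scope object was swept by the callback's collection; the rooted path returns 42, and the early-exit path shows the reserved root slot being popped without ever having been filled, which is the shape a rooter needs when the function's error handling is a goto to a shared cleanup label.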
http://hg.mozilla.org/tracemonkey/rev/2581d8d91679
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
Blocks: 531675
This was pushed to mozilla-central some time ago:

http://hg.mozilla.org/mozilla-central/rev/2581d8d91679

Apparently, in the checkin message a different number, bug 520511, was referenced.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Crash Signature: [@ 0x001f5422] [@ 0x002dd7e1]
Group: core-security