Crash [@ obj_eval] with js1_5/Regress/regress-314401.js

RESOLVED FIXED in mozilla1.9.2

Status

RESOLVED FIXED
9 years ago
3 years ago

People

(Reporter: bc, Assigned: mrbkap)

Tracking

({crash, regression})

1.9.2 Branch
mozilla1.9.2
x86
All
crash, regression
Points: ---
Bug Flags: in-testsuite ?

Firefox Tracking Flags

(status1.9.2 .4-fixed)

(Reporter)

Description

9 years ago
1. http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_5/Regress/regress-314401.js;language=type;text/javascript

2. crash mac/windows 1.9.2 opt/debug. not 1.9.1/1.9.3

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000018
0x0033ac29 in obj_eval (cx=0x135b800, obj=0x1d539260, argc=3, argv=0x15ad628, rval=0xbfffcc54) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsobj.cpp:1261
1261	    uintN staticLevel = caller->script->staticLevel + 1;
(gdb) bt
#0  0x0033ac29 in obj_eval (cx=0x135b800, obj=0x1d539260, argc=3, argv=0x15ad628, rval=0xbfffcc54) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsobj.cpp:1261
#1  0x00320cf7 in js_Invoke (cx=0x135b800, argc=3, vp=0x15ad620, flags=2) at jsinterp.cpp:1360
#2  0x00320fad in js_InternalInvoke (cx=0x135b800, obj=0x1d590e80, fval=515717480, flags=0, argc=3, argv=0x1ec10bb0, rval=0xbfffcdd8) at jsinterp.cpp:1423
#3  0x0029e9f7 in JS_CallFunctionValue (cx=0x135b800, obj=0x1d590e80, fval=515717480, argc=3, argv=0x1ec10bb0, rval=0xbfffcdd8) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsapi.cpp:5112
#4  0x11fcd77c in nsJSContext::CallEventHandler (this=0x1d6282e0, aTarget=0x1d7ec800, aScope=0x1d590e80, aHandler=0x1ebd3968, aargv=0x1ec08fc4, arv=0xbfffcf34) at /work/mozilla/builds/1.9.2/mozilla/dom/base/nsJSEnvironment.cpp:2134
q
Flags: wanted1.9.2?

D'oh, I should have caught this in review. The old setTimeout(eval, ...) trick!

/be
Blocks: 495325

I'm currently not getting a crash on a fresh 1.9.2 build on OSX. Has this already been fixed or something?

(In reply to comment #2)
> I'm currently not getting a crash on a fresh 1.9.2 build on OSX. Has this
> already been fixed or something?

Sorry. I was running the wrong build. This does crash for me.

Looks like it was probably this:

  http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e3ed50c322a5

It looks like that patch moved the definition of staticLevel up to avoid some kind of GCC warning/error on Linux. But the previous line of code checks if caller is NULL, so clearly that condition has to be guarded against.
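
Added example, not part of the bug thread or of the Mozilla patch: a C++ illustration of the ordering problem described in the comment above, where an initializer hoisted above a NULL check dereferences caller before the guard runs. Script, Frame, the padding (constructed so that script lands at offset 0x18, the fault address in the report), both function names, and returning false for a NULL caller are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical stand-ins for the engine's types. The padding is constructed so
// that `script` sits at offset 0x18; the real frame layout is not on the page.
struct Script { unsigned staticLevel; };
struct Frame  { uint32_t pad[6]; Script *script; };

// Reading caller->script through a NULL caller touches NULL + this offset,
// which is why such crashes report a small non-zero address.
constexpr std::size_t kNullCallerFaultAddr = offsetof(Frame, script);

// Shape of the regression: the initializer sits above the NULL check, so the
// dereference happens first. Only safe to call with a non-NULL caller.
bool staticLevelHoisted(const Frame *caller, unsigned *out) {
    unsigned staticLevel = caller->script->staticLevel + 1; // deref before guard
    if (!caller)          // too late; an optimizer may even delete this check
        return false;
    *out = staticLevel;
    return true;
}

// Guarded form: declare early, assign only once caller is known to be usable.
bool staticLevelGuarded(const Frame *caller, unsigned *out) {
    unsigned staticLevel;
    if (!caller || !caller->script)
        return false;     // e.g. eval invoked from the host, as in the backtrace
    staticLevel = caller->script->staticLevel + 1;
    *out = staticLevel;
    return true;
}

int main() {
    Script s = {2};
    Frame f = {{0}, &s};
    unsigned level = 0;
    bool ok = staticLevelGuarded(&f, &level) && level == 3 &&
              !staticLevelGuarded(nullptr, &level);
    return ok ? 0 : 1;
}
```
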
Created attachment 420415
Proposed fix

This patch makes us follow trunk, which should help any other backporting woes.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #420415 - Flags: review?(dmandelin)
Attachment #420415 - Flags: review?(dmandelin) → review+
Attachment #420415 - Flags: approval1.9.2.1?

Comment on attachment 420415
Proposed fix

We missed 1.9.2.2.  Moving approval request forward.
Attachment #420415 - Flags: approval1.9.2.2? → approval1.9.2.3?

Comment on attachment 420415
Proposed fix

Approved for 1.9.2.4, a=dveditz for release-drivers
Attachment #420415 - Flags: approval1.9.2.4? → approval1.9.2.4+

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dae2df344230
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
status1.9.2: --- → .4-fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2

Updated

9 years ago
Duplicate of this bug: 561318
Crash Signature: [@ obj_eval]
(Reporter)

Updated

3 years ago
Flags: wanted1.9.2?