Closed Bug 538159 Opened 15 years ago Closed 15 years ago

Crash [@ obj_eval] with js1_5/Regress/regress-314401.js

Categories

(Core :: JavaScript Engine, defect)

1.9.2 Branch
x86
All
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla1.9.2
Tracking Status
status1.9.2 --- .4-fixed

People

(Reporter: bc, Assigned: mrbkap)

Details

(Keywords: crash, regression)

Attachments

(1 file)

1. http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_5/Regress/regress-314401.js;language=type;text/javascript
2. crash mac/windows 1.9.2 opt/debug. not 1.9.1/1.9.3

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000018
0x0033ac29 in obj_eval (cx=0x135b800, obj=0x1d539260, argc=3, argv=0x15ad628, rval=0xbfffcc54) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsobj.cpp:1261
1261 uintN staticLevel = caller->script->staticLevel + 1;
(gdb) bt
#0 0x0033ac29 in obj_eval (cx=0x135b800, obj=0x1d539260, argc=3, argv=0x15ad628, rval=0xbfffcc54) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsobj.cpp:1261
#1 0x00320cf7 in js_Invoke (cx=0x135b800, argc=3, vp=0x15ad620, flags=2) at jsinterp.cpp:1360
#2 0x00320fad in js_InternalInvoke (cx=0x135b800, obj=0x1d590e80, fval=515717480, flags=0, argc=3, argv=0x1ec10bb0, rval=0xbfffcdd8) at jsinterp.cpp:1423
#3 0x0029e9f7 in JS_CallFunctionValue (cx=0x135b800, obj=0x1d590e80, fval=515717480, argc=3, argv=0x1ec10bb0, rval=0xbfffcdd8) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsapi.cpp:5112
#4 0x11fcd77c in nsJSContext::CallEventHandler (this=0x1d6282e0, aTarget=0x1d7ec800, aScope=0x1d590e80, aHandler=0x1ebd3968, aargv=0x1ec08fc4, arv=0xbfffcf34) at /work/mozilla/builds/1.9.2/mozilla/dom/base/nsJSEnvironment.cpp:2134
q
Flags: wanted1.9.2?
D'oh, I should have caught this in review. The old setTimeout(eval, ...) trick! /be
Blocks: 495325
I'm currently not getting a crash on a fresh 1.9.2 build on OSX. Has this already been fixed or something?
(In reply to comment #2)
> I'm currently not getting a crash on a fresh 1.9.2 build on OSX. Has this
> already been fixed or something?

Sorry. I was running the wrong build. This does crash for me.
Looks like it was probably this: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e3ed50c322a5 It looks like that patch moved the definition of staticLevel up to avoid some kind of GCC warning/error on Linux. But the previous line of code checks if caller is NULL, so clearly that condition has to be guarded against.
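Added example, not part of the bug thread or the attached patch: a simplified C model of the ordering problem described in the comment above, showing the dereference hoisted above the NULL check next to a guarded version. The `Script` and `Frame` types, the function names and the `-1` error return are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the engine's script/frame types. */
typedef struct Script { unsigned staticLevel; } Script;
typedef struct Frame  { Script *script; } Frame;

/*
 * Pattern from the comment: the staticLevel computation sits above the
 * check that caller is non-NULL. With caller == NULL the first line
 * faults before the check runs. Because the dereference comes first, an
 * optimizing compiler may also assume caller != NULL and drop the check.
 * Kept only for comparison; never call this with a NULL caller.
 */
int static_level_hoisted(const Frame *caller, unsigned *out)
{
    unsigned level = caller->script->staticLevel + 1; /* NULL deref here */
    if (!caller)
        return -1; /* too late: the read above has already happened */
    *out = level;
    return 0;
}

/*
 * Guarded ordering: validate the caller first, dereference second.
 * Rejecting a caller with no script is an extra assumption of this model.
 */
int static_level_guarded(const Frame *caller, unsigned *out)
{
    if (!caller || !caller->script)
        return -1; /* no scripted caller, e.g. eval invoked from a timer */
    *out = caller->script->staticLevel + 1;
    return 0;
}

int main(void)
{
    Script s = { 2 };      /* constructed sample input */
    Frame scripted = { &s };
    unsigned level = 0;

    if (static_level_guarded(&scripted, &level) == 0)
        printf("scripted caller: staticLevel = %u\n", level);
    if (static_level_guarded(NULL, &level) != 0)
        printf("no caller: rejected before any dereference\n");
    return 0;
}
```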
Attached patch: Proposed fix
This patch makes us follow trunk, which should help any other backporting woes.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #420415 - Flags: review?(dmandelin)
Attachment #420415 - Flags: review?(dmandelin) → review+
Attachment #420415 - Flags: approval1.9.2.1?
Comment on attachment 420415 (Proposed fix)
We missed 1.9.2.2. Moving approval request forward.
Attachment #420415 - Flags: approval1.9.2.2? → approval1.9.2.3?
Comment on attachment 420415 (Proposed fix)
Approved for 1.9.2.4, a=dveditz for release-drivers
Attachment #420415 - Flags: approval1.9.2.4? → approval1.9.2.4+
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2
Crash Signature: [@ obj_eval]
Flags: wanted1.9.2?