Closed Bug 546668 Opened 14 years ago Closed 14 years ago

Crash [@ obj_eval] or "Assertion failure: FUN_INTERPRETED(this), at ../../jsfun.h" with defineSetter, watch, eval

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [ccbr] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

__defineSetter__("x", function(){});
eval(this.watch("x", eval));
x = 0;

crashes js opt shell without -j on TM tip at obj_eval near null, and asserts js debug shell without -j on TM tip at Assertion failure: FUN_INTERPRETED(this), at ../../jsfun.h:173

autoBisect shows this is probably related to bug 542797:

The first bad revision is:
changeset:   38067:e91417e33a53
user:        Luke Wagner
date:        Tue Feb 16 17:41:39 2010 -0800
summary:     Bug 542797 - change obj_eval from JSNative to JSFastNative (r=mrbkap)

=====

js opt shell crash stack:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000000000002a
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           	0x000736a7 obj_eval(JSContext*, unsigned int, long*) + 407
1   js-opt-32-tm-darwin           	0x0005ffe0 js_Invoke + 1744
2   js-opt-32-tm-darwin           	0x0006083c js_InternalInvoke + 140
3   js-opt-32-tm-darwin           	0x00067419 obj_watch_handler(JSContext*, JSObject*, long, long, long*, void*) + 249
4   js-opt-32-tm-darwin           	0x0002964c js_watch_set + 236
5   js-opt-32-tm-darwin           	0x0005fdac js_Invoke + 1180
6   js-opt-32-tm-darwin           	0x0006083c js_InternalInvoke + 140
7   js-opt-32-tm-darwin           	0x00060a73 js_InternalGetOrSet + 115
8   js-opt-32-tm-darwin           	0x00069396 js_NativeSet + 214
9   js-opt-32-tm-darwin           	0x0006ca44 js_SetPropertyHelper + 932
10  js-opt-32-tm-darwin           	0x0004ffe0 js_Interpret + 2624
11  js-opt-32-tm-darwin           	0x0005f5c1 js_Execute + 625
12  js-opt-32-tm-darwin           	0x0000d6fc JS_ExecuteScript + 60
13  js-opt-32-tm-darwin           	0x00004598 Process(JSContext*, JSObject*, char*, int) + 1336
14  js-opt-32-tm-darwin           	0x00008526 main + 1734
15  js-opt-32-tm-darwin           	0x0000243d _start + 208
16  js-opt-32-tm-darwin           	0x0000236c start + 40
Ah, thanks for the simple test case!  When removing the slow native's frame, I assumed the line:

  caller = js_GetScriptedCaller(cx, cx->fp)

was really just doing 'caller = cx->fp->down' (I think I even tested this by adding an assert and running it through), but this is wrong if cx->fp->down->down is not interpreted which, as Gary's testcase demonstrates, is quite possible.
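A constructed model of the frame-chain point made in the comment above, added here as an example (it is not code from the bug's patch or from SpiderMonkey; the Frame struct, the frame names and the helper functions are hypothetical). It contrasts taking the frame below eval as its scripted caller with walking past native frames until an interpreted one is found, using a chain shaped like the reported stack:

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of a SpiderMonkey frame chain (hypothetical, not the
 * engine's real JSStackFrame): each frame links to the one below it and
 * records whether it runs interpreted script or native (C++) code. */
typedef struct Frame {
    const char *name;
    bool interpreted;
    const struct Frame *down;
} Frame;

/* The shortcut the bug describes: take the frame directly below eval's
 * own frame as its scripted caller, without checking what kind it is. */
static const Frame *caller_shortcut(const Frame *eval_fp) {
    return eval_fp->down;
}

/* What a scripted-caller lookup has to do: walk down past every native
 * frame until an interpreted one is found (NULL if there is none). */
static const Frame *caller_scripted(const Frame *eval_fp) {
    const Frame *fp = eval_fp->down;
    while (fp && !fp->interpreted)
        fp = fp->down;
    return fp;
}

/* Case 1: the common shape, eval called straight from script. */
static const Frame script_a = { "script: eval(...)", true, NULL };
static const Frame eval_a   = { "obj_eval", false, &script_a };

/* Case 2 (constructed to mirror the bug's stack): the script assigns x,
 * the watchpoint machinery runs as native code and invokes eval as the
 * watch handler, so a native frame sits between eval and the script. */
static const Frame script_b = { "script: x = 0", true, NULL };
static const Frame watch_b  = { "js_watch_set/obj_watch_handler", false, &script_b };
static const Frame eval_b   = { "obj_eval", false, &watch_b };

/* The frame each strategy reports as eval's scripted caller. */
const Frame *simple_shortcut(void) { return caller_shortcut(&eval_a); }
const Frame *simple_scripted(void) { return caller_scripted(&eval_a); }
const Frame *watch_shortcut(void)  { return caller_shortcut(&eval_b); }
const Frame *watch_scripted(void)  { return caller_scripted(&eval_b); }
```

In case 1 both strategies agree; in case 2 the shortcut hands back a native frame, which is exactly the frame the FUN_INTERPRETED assertion rejects.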
Attached patch: fix, add test
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #427363 - Flags: review?(mrbkap)
Comment on attachment 427363
fix, add test

I should have seen this.
Attachment #427363 - Flags: review?(mrbkap) → review+
http://hg.mozilla.org/tracemonkey/rev/5a50a2d0fc0f
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/5a50a2d0fc0f
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey → [ccbr] fixed-in-tracemonkey
Crash Signature: [@ obj_eval]