Bug 560277
Opened 15 years ago
Closed 15 years ago
Crash [@ JSObject::getParent] or [@ js_WrapWatchedSetter] or [@ js_GetClassPrototype]
Categories
(Core :: JavaScript Engine, defect)
Status: VERIFIED FIXED
| | Tracking | Status |
|---|---|---|
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Assigned: Waldo)
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos] null dereference, fixed-in-tracemonkey)
Attachments
(1 file)
patch, 799 bytes, dmandelin: review+
watch("x", function () {})
Object.defineProperty(this, "x", ({
set: this.e
}))
crashes js debug shell on TM tip without -j at JSObject::getParent and crashes js opt shell on TM tip without -j at js_WrapWatchedSetter
s-s because I could make this crash an opt nightly Firefox build.
Comment 1 (Reporter) • 15 years ago
> s-s because I could make this crash an opt nightly Firefox build.
bp-9241175a-54e4-4911-80b1-91ade2100419
Updated • 15 years ago
Whiteboard: [sg:critical?]
Updated (Reporter) • 15 years ago
Summary: Crash [@ JSObject::getParent] or [@ js_WrapWatchedSetter] → Crash [@ JSObject::getParent] or [@ js_WrapWatchedSetter] or [@ js_GetClassPrototype]
Comment 2 • 15 years ago
Simpler, replacing the expression |this.e| with its value |undefined|:
watch("x", function () {})
Object.defineProperty(this, "x", ({
set: undefined
}))
Comment 3 (Reporter) • 15 years ago
autoBisect shows this is probably related to bug 430133:
The first bad revision is:
changeset: 36651:766a6b2e74e7
user: Jeff Walden
date: Fri Jun 05 12:56:45 2009 -0700
summary: Bug 430133 - Implement ES3.1's Object.defineProperty and Object.defineProperties. r=jorendorff
Blocks: 430133
Comment 4 (Assignee) • 15 years ago
(Dagnabbit, both of you, stop mid-airing with me! :-P )
Assignee: general → jwalden+bmo
Comment 5 (Assignee) • 15 years ago
This is just an assumption that JSPROP_SETTER implies !!setter, and the crashes (in different locations due to the unspecified ordering of evaluation of arguments) are all small-fixed-offset-from-null dereferences.
Whiteboard: [sg:critical?] → [sg:dos] null dereference
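Added illustration (not part of the bug thread, not SpiderMonkey source and not the attached patch): a simplified C++ model of the assumption described in comment 5, where a "has setter" attribute flag is taken as proof that the setter pointer is non-null. `ATTR_SETTER`, `Function`, `Wrapper` and both `wrapWatchedSetter*` functions are hypothetical names chosen for this model.

```cpp
#include <cstdint>
#include <functional>

// Simplified model, not SpiderMonkey source; every name here is hypothetical.
constexpr uint8_t ATTR_SETTER = 0x20;   // "accessor with a setter slot" flag

struct Function {
    const void *parent;                 // scope the function belongs to
    std::function<void(int)> call;
};

struct Wrapper {
    const void *parent;                 // taken from the wrapped setter, if any
    const Function *inner;              // null when the slot holds undefined
    int *seen;                          // last value observed by the watchpoint
    void set(int v) const {
        *seen = v;                      // watch handler runs first
        if (inner) inner->call(v);      // then the original setter, if present
    }
};

// Unchecked: the flag is treated as proof that `setter` is non-null, so a
// watched property redefined with {set: undefined} reads through null here.
Wrapper wrapWatchedSetterUnchecked(uint8_t attrs, const Function *setter, int *seen) {
    if (!(attrs & ATTR_SETTER)) return Wrapper{nullptr, nullptr, seen};
    return Wrapper{setter->parent, setter, seen};
}

// Checked: flag and pointer are validated independently.
Wrapper wrapWatchedSetterChecked(uint8_t attrs, const Function *setter, int *seen) {
    if (!(attrs & ATTR_SETTER) || setter == nullptr)
        return Wrapper{nullptr, nullptr, seen};
    return Wrapper{setter->parent, setter, seen};
}

int main() {
    int seen = 0;
    // Constructed input: flag set, setter absent (the shape from the testcase).
    Wrapper w = wrapWatchedSetterChecked(ATTR_SETTER, nullptr, &seen);
    w.set(7);
    return (seen == 7 && w.parent == nullptr) ? 0 : 1;
}
```

Reading `parent` through the null setter is the kind of small-fixed-offset-from-null access comment 5 describes; the unchecked variant is shown for comparison only and is never called.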
Comment 6 (Assignee) • 15 years ago
Attachment #440085 - Flags: review?(dmandelin)
Updated • 15 years ago
Attachment #440085 - Flags: review?(dmandelin) → review+
Comment 7 • 15 years ago
Gary asked that I land this.
http://hg.mozilla.org/tracemonkey/rev/d7762651d0d5
Whiteboard: [sg:dos] null dereference → [sg:dos] null dereference, fixed-in-tracemonkey
Updated (Reporter) • 15 years ago
Whiteboard: [sg:dos] null dereference, fixed-in-tracemonkey → [ccbr][sg:dos] null dereference, fixed-in-tracemonkey
Comment 8 • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 9 • 15 years ago
(In reply to comment #3)
> The first bad revision is:
> changeset: 36651:766a6b2e74e7
> date: Fri Jun 05 12:56:45 2009 -0700
It would be much less confusing when tracking down which bugs affect which branches to use pushlog dates rather than the changeset dates that come from the developer's tree. June 5 2009 should have impacted 1.9.2, but the actual push of Tue Dec 29 11:01:24 2009 -0800 was well after that branch was cut.
Comment 10 (Assignee) • 15 years ago
Flags: in-testsuite+
Updated • 14 years ago
Crash Signature: [@ JSObject::getParent]
[@ js_WrapWatchedSetter]
[@ js_GetClassPrototype]
Comment 11 (Reporter) • 13 years ago
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED