Closed Bug 583402 Opened 14 years ago Closed 14 years ago

JM: crashtest crash on dom/base/crashtests/499006-1.html

Categories: Core :: JavaScript Engine, defect (priority: Not set, severity: normal)

Status: RESOLVED FIXED

People: Reporter: dmandelin, Assigned: dmandelin

No description provided.
Summary: TM: → JM: crashtest crash on dom/base/crashtests/499006-1.html
There was a loop in js_ClearScope that uses unsigned in a bad way.

http://hg.mozilla.org/projects/jaegermonkey/rev/fbbb0c6655c9
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Group: core-security
What was n, and what was i's initial value?

/be
I don't remember about i, but n was 0.
Freakshow -- n shouldn't be 0 (yet; bug 558451 will change things; maybe JM has already, but I would like to know how/why).

We use unsigned types even with count down loops so long as boundary conditions allow. An assertion was due here, though, that n != 0. Sorry about that!

/be
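The failure mode discussed above (a count-down loop over an unsigned index that starts at n - 1, which wraps to UINT32_MAX when n is 0) and the two ways out of it (an n != 0 assertion, or a loop shape whose boundary condition already handles n == 0) can be seen in a small constructed C example. This is added illustration, not SpiderMonkey's js_ClearScope or the patch linked in this bug; the function names and the `cap` parameter are assumptions made here so the wrapped loop can be simulated without actually running four billion iterations.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not SpiderMonkey code: models a loop that walks
 * `n` slots from the top down with an unsigned index.
 * Returns how many indices the loop touches that are NOT < n (i.e.
 * out-of-bounds visits). `cap` bounds the simulation so the wrapped
 * loop stops after a few steps instead of ~4 billion. */
static uint32_t oob_visits_unsafe(uint32_t n, uint32_t cap)
{
    uint32_t oob = 0, steps = 0;
    /* Unsafe shape: start at n - 1. For n == 0 that is UINT32_MAX
     * (unsigned wrap is well defined), and every index the loop then
     * touches is >= n, i.e. past the end of the slot array. */
    uint32_t i = n - 1;
    for (;;) {
        if (i >= n)
            oob++;
        if (i == 0 || ++steps == cap)
            break;
        i--;
    }
    return oob;
}

/* Safe shape: `for (i = n; i-- > 0;)` runs the body for i = n-1 down
 * to 0 and zero times when n == 0, so the boundary condition itself
 * covers the empty case and no n != 0 precondition is required.
 * Returns the number of slots visited. */
static uint32_t visits_safe(uint32_t n)
{
    uint32_t visited = 0;
    for (uint32_t i = n; i-- > 0;) {
        assert(i < n); /* holds for every iteration, including n == 0 */
        visited++;
    }
    return visited;
}

/* The other option mentioned in the thread: keep the original shape but
 * make the precondition explicit, so a debug build aborts at the loop
 * instead of crashing somewhere in the out-of-bounds walk. */
static uint32_t visits_with_precondition(uint32_t n)
{
    assert(n != 0);
    uint32_t visited = 0;
    for (uint32_t i = n - 1;; i--) {
        visited++;
        if (i == 0)
            break;
    }
    return visited;
}

int main(void)
{
    printf("unsafe loop, n=0: %u out-of-bounds indices (capped at 100)\n",
           oob_visits_unsafe(0, 100));
    printf("unsafe loop, n=3: %u out-of-bounds indices\n",
           oob_visits_unsafe(3, 100));
    printf("safe loop, n=0: %u visits\n", visits_safe(0));
    printf("safe loop, n=3: %u visits\n", visits_safe(3));
    return 0;
}
```

The `i-- > 0` idiom is the usual way to keep an unsigned counter in a count-down loop without a special case: the comparison happens before the decrement, so the loop exits cleanly at zero and never evaluates `n - 1` for `n == 0`.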
(In reply to comment #4)
> Freakshow -- n shouldn't be 0 (yet; bug 558451 will change things; maybe JM has
> already, but I would like to know how/why).

We are currently in sync with a version of TM after parent was made into a member but before that patch was backed out.

> We use unsigned types even with count down loops so long as boundary conditions
> allow. An assertion was due here, though, that n != 0. Sorry about that!

The bug probably got caught more easily this way, since we are heavily focused on crashes right now in JM.
This raises a good point: the patch to make parent a typed member not an fslot should have assertions added to it, probably. Inspection of uint32 type usage for sure.

/be
Group: core-security