Bug 584453 - crash [@ JS_GetFunctionArgumentCount]
Opened 14 years ago; closed 14 years ago
Product/Component: Core :: JavaScript Engine (defect)
Status: RESOLVED FIXED

Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta4+ |
status1.9.2 | --- | unaffected |

People: Reporter: kbrosnan; Assigned: luke
Keywords: regression; Whiteboard: [firebug-p1] fixed-in-tracemonkey

Attachments (1 file): patch, 826 bytes; bzbarsky: review+
Install 1.6 alpha of Firebug.
Open http://www.mozilla.com.
Enable the console and script tabs.
Reload the page.
Click on new watch expression, paste in WebForm_FireDefaultButton and press enter.
Watch Firefox crash.
Reporter
Updated • 14 years ago

Comment 1 • 14 years ago
Hitting this. I can trigger it by typing the following into the console in the latest Minefield nightly:

a==NaN

See http://crash-stats.mozilla.com/report/index/ba4e3f3a-a702-41e4-a5c5-5c7e62100811 for more info. The Firebug issue I filed is: http://code.google.com/p/fbug/issues/detail?id=3325
Updated • 14 years ago
Whiteboard: [firebug-p1]
Comment 2 • 14 years ago

I did not try to reproduce this, but here is a direct link to Firebug 1.6 for your convenience: http://getfirebug.com/releases/firebug/1.6X/firebug-1.6X.0a19.xpi

This is related to code Boris added, and he is out until 22AUG10. I don't know who backs him up.
blocking2.0: --- → ?
Comment 3 • 14 years ago

JS_GetFunctionArgumentCount just returns fun->nargs. The crash is at 0x30. nargs is the first member of JSFunction, which inherits from JSObject. JSObject is 6 words and 3 js::Values. On a 32-bit system, that's 6*4 + 3*8 = 48 = 0x30 bytes. So in other words, a null |fun| was passed to JS_GetFunctionArgumentCount.

And indeed, the code in jsdScript::GetParameterNames looks like this after the checkin for bug 549143:

    uintN nargs = JS_GetFunctionArgumentCount(cx, fun);
    if (!fun || !JS_FunctionHasLocalNames(cx, fun) || nargs == 0) {

So the null-check comes too late. It used to come before we tried to get nargs... Luke, want to fix?
Blocks: fatvals
Keywords: regression
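The diagnosis in comment 3 rests on two things: the faulting address equals the field offset of nargs from a NULL object base, and the NULL check in GetParameterNames runs only after the dereference. The following C program is an added illustration, not SpiderMonkey code or the patch on this bug: ObjectHeader32 and Function32 are constructed structs that reproduce only the sizes Boris states for a 32-bit build (6 words, 3 eight-byte js::Values, then nargs), has_local_names is a made-up stand-in for JS_FunctionHasLocalNames, and the two get_parameter_names_* functions model the before and after orderings of the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit layout described in comment 3: JSObject is 6 words
 * plus 3 js::Values (8-byte "fatvals"), and JSFunction's first member is
 * nargs. Illustrative structs, not SpiderMonkey's definitions. */
typedef struct {
    uint32_t words[6];    /* 6 machine words on a 32-bit build: 24 bytes */
    uint64_t values[3];   /* 3 js::Values at 8 bytes each: 24 bytes */
} ObjectHeader32;         /* 48 bytes = 0x30 */

typedef struct {
    ObjectHeader32 obj;   /* JSFunction "inherits from JSObject" */
    uint16_t nargs;       /* first JSFunction member, at offset 0x30 */
    int has_local_names;  /* constructed stand-in for JS_FunctionHasLocalNames */
} Function32;

/* Field offset of nargs from the object base. With a NULL base this is the
 * address the load faults on, which is why the crash report shows 0x30. */
size_t nargs_offset(void) { return offsetof(Function32, nargs); }

/* Stand-in for JS_GetFunctionArgumentCount: it "just returns fun->nargs",
 * so a NULL fun is dereferenced here rather than reported. */
unsigned get_function_argument_count(const Function32 *fun) { return fun->nargs; }

int function_has_local_names(const Function32 *fun) { return fun->has_local_names; }

/* Shape of jsdScript::GetParameterNames after bug 549143: nargs is fetched
 * before fun is tested, so the NULL check never protects the first call.
 * Returns 0 on success, -1 when there are no parameter names to report. */
int get_parameter_names_buggy(const Function32 *fun, unsigned *out_nargs) {
    unsigned nargs = get_function_argument_count(fun);   /* faults if fun == NULL */
    if (!fun || !function_has_local_names(fun) || nargs == 0)
        return -1;
    *out_nargs = nargs;
    return 0;
}

/* Corrected ordering: test the pointer before anything dereferences it. */
int get_parameter_names_fixed(const Function32 *fun, unsigned *out_nargs) {
    if (!fun || !function_has_local_names(fun))
        return -1;
    unsigned nargs = get_function_argument_count(fun);   /* safe: fun is non-NULL here */
    if (nargs == 0)
        return -1;
    *out_nargs = nargs;
    return 0;
}

int main(void) {
    Function32 f = { {{0}, {0}}, 2, 1 };   /* constructed: two params, has local names */
    unsigned n = 0;

    printf("offsetof(nargs) = 0x%zx\n", nargs_offset());
    printf("fixed(&f)   -> %d, nargs=%u\n", get_parameter_names_fixed(&f, &n), n);
    printf("fixed(NULL) -> %d\n", get_parameter_names_fixed(NULL, &n));
    /* get_parameter_names_buggy(NULL, &n) would fault reading address 0x30. */
    return 0;
}
```

The offset arithmetic is what lets a crash address below the page size be read as "NULL plus a field offset" rather than a wild pointer; matching 0x30 against the layout is how comment 3 pins the crash on the argument order in GetParameterNames rather than on JS_GetFunctionArgumentCount itself.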
Assignee
Comment 4 • 14 years ago
For shame. Thanks for the diagnosis.
Comment 5 • 14 years ago

Regarding my request for blocking: this appears to be a regression from recent commits, and the fix only affects users who open jsd and only applications that call the new API Boris added, e.g. only Firebug, so the risk is low and the crasher is avoided.
status1.9.2: --- → unaffected
Comment 6 • 14 years ago

Comment on attachment 464932 (patch): r=me

Attachment #464932 - Flags: review?(bzbarsky) → review+
Assignee
Comment 7 • 14 years ago
http://hg.mozilla.org/tracemonkey/rev/c9eaa3d9ff39
Whiteboard: [firebug-p1] → [firebug-p1] fixed-in-tracemonkey
Comment 8 • 14 years ago
http://hg.mozilla.org/mozilla-central/rev/c9eaa3d9ff39
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
blocking2.0: ? → beta4+
Updated • 13 years ago
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine