Closed Bug 584453 Opened 15 years ago Closed 15 years ago

crash [@ JS_GetFunctionArgumentCount]

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- beta4+
status1.9.2 --- unaffected

People

(Reporter: kbrosnan, Assigned: luke)


Details

(Keywords: regression, Whiteboard: [firebug-p1] fixed-in-tracemonkey)

Attachments

(1 file)

Install 1.6 alpha of Firebug
Open http://www.mozilla.com
Enable the console and script tabs
Reload the page
Click on new watch expression and paste in WebForm_FireDefaultButton, press enter.
Watch Firefox crash.
Hitting this. I can trigger by typing the following on to the console in latest Minefield nightly:

a==NaN

See http://crash-stats.mozilla.com/report/index/ba4e3f3a-a702-41e4-a5c5-5c7e62100811 for more info.

The Firebug issue I filed is: http://code.google.com/p/fbug/issues/detail?id=3325
Whiteboard: [firebug-p1]
I did not try to reproduce this, but here is a direct link to Firebug 1.6 for your convenience http://getfirebug.com/releases/firebug/1.6X/firebug-1.6X.0a19.xpi This is related to code Boris added, and he is out until 22AUG10. I don't know who backs him up.
blocking2.0: --- → ?
JS_GetFunctionArgumentCount just returns fun->nargs. The crash is at 0x30. nargs is the first member of JSFunction, which inherits from JSObject. JSObject is 6 words and 3 js::Values. On a 32-bit system, that's 6*4 + 3*8 = 48 = 0x30 bytes. So in other words, a null |fun| was passed to JS_GetFunctionArgumentCount.

And indeed, the code in jsdScript::GetParameterNames looks like this after the checkin for bug 549143:

    uintN nargs = JS_GetFunctionArgumentCount(cx, fun);               // reads fun->nargs, faults if fun is null
    if (!fun || !JS_FunctionHasLocalNames(cx, fun) || nargs == 0) {  // null check only happens here

So the null-check comes too late. It used to come before we tried to get nargs... Luke, want to fix?
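The following is an added illustration, not code from this bug, from jsd or from SpiderMonkey. It mocks the 32-bit object layout described in the comment above (6 words plus 3 8-byte values, then nargs) so that offsetof() reproduces the 0x30 fault address on any host, and it puts the pre-fix check ordering next to the corrected one. JS_GetFunctionArgumentCount is replaced by an instrumented stand-in that records a null argument instead of dereferencing it, so both orderings can be run in-process. All type, member and function names here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mock of the 32-bit JSObject layout described in the comment above:
 * 6 machine words followed by 3 js::Values (8 bytes each). uint32_t is used
 * for the words so the struct is 32-bit-sized on any host. Member names are
 * invented for the illustration. */
typedef struct {
    uint32_t words[6];   /* 6 * 4 = 24 bytes */
    uint64_t values[3];  /* 3 * 8 = 24 bytes, starting at offset 24 */
} MockJSObject;          /* sizeof == 48 == 0x30 */

/* JSFunction "inherits" from JSObject, so the base object comes first and
 * nargs is the first member after it. */
typedef struct {
    MockJSObject obj;
    uint16_t nargs;      /* lands at offset 0x30 */
} MockJSFunction;

/* The address a read of fun->nargs faults at when fun is NULL. */
size_t null_deref_fault_address(void)
{
    return offsetof(MockJSFunction, nargs);
}

/* Instrumented stand-in for JS_GetFunctionArgumentCount (assumed name).
 * The real function would crash on a NULL fun; this one records the bad
 * call and returns 0 so both orderings below can be exercised. */
static int g_null_calls = 0;

unsigned mock_get_argument_count(const MockJSFunction *fun)
{
    if (fun == NULL) {
        g_null_calls++;
        return 0;
    }
    return fun->nargs;
}

int null_call_count(void) { return g_null_calls; }
void reset_null_calls(void) { g_null_calls = 0; }

/* Pre-fix ordering from the comment: nargs is fetched before fun is checked,
 * so the !fun test never protects the dereference. */
int buggy_param_count(const MockJSFunction *fun)
{
    unsigned nargs = mock_get_argument_count(fun);
    if (!fun || nargs == 0)
        return -1;
    return (int)nargs;
}

/* Corrected ordering: reject NULL before anything touches the object. */
int fixed_param_count(const MockJSFunction *fun)
{
    if (!fun)
        return -1;
    unsigned nargs = mock_get_argument_count(fun);
    if (nargs == 0)
        return -1;
    return (int)nargs;
}

/* Convenience constructor for a function object with the given arity. */
MockJSFunction make_function(uint16_t nargs)
{
    MockJSFunction f = {{{0}, {0}}, 0};
    f.nargs = nargs;
    return f;
}

int main(void)
{
    printf("fault address for NULL fun->nargs: 0x%zx\n", null_deref_fault_address());

    reset_null_calls();
    buggy_param_count(NULL);
    printf("buggy ordering dereferenced NULL %d time(s)\n", null_call_count());

    reset_null_calls();
    fixed_param_count(NULL);
    printf("fixed ordering dereferenced NULL %d time(s)\n", null_call_count());

    MockJSFunction f = make_function(2);
    printf("arity via fixed path: %d\n", fixed_param_count(&f));
    return 0;
}
```

The general check is the one used in the diagnosis: a fault address that is small and equal to a field offset almost always means a null base pointer, and the offset tells you which field was touched. On a 64-bit build the real JSObject would be 6*8 + 3*8 = 72 = 0x48 bytes, so the same bug would fault at 0x48 there; the mock pins the words to 4 bytes only to match the 32-bit crash report quoted on this bug.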
Blocks: fatvals
Keywords: regression
Attached patch: patch (Splinter Review)
For shame. Thanks for the diagnosis.
Assignee: nobody → lw
Status: NEW → ASSIGNED
Attachment #464932 - Flags: review?(bzbarsky)
Regarding my request for blocking: this appears to be a regression from recent commits, and the fix only affects users who open jsd and only applications that call the new API Boris added, e.g. only Firebug => the risk is low and the crasher is avoided.
Attachment #464932 - Flags: review?(bzbarsky) → review+
Whiteboard: [firebug-p1] → [firebug-p1] fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
blocking2.0: ? → beta4+
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine