Closed Bug 758617 Opened 13 years ago Closed 13 years ago

Crash in js::StackIter::settleOnNewState()

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla15

People

(Reporter: past, Assigned: luke)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

fix and test
4.25 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
STR: 1) Visit http://htmlpad.org/debugger/ 2) Open the debugger 3) Click on the 'Click me!' button 4) Edit the value of variable 'a' in the variable pane to asdf (no quotes!) 5) Boom. Full log: http://past.pastebin.mozilla.org/1649938 Top of the stack: js::StackIter::settleOnNewState() + 205 js::StackIter::operator++() + 237 _ZL14InitExnPrivateP9JSContextN2JS6HandleIP8JSObjectEENS2_IP8JSStringEES8_jP13JSErrorReporti + 1265 js_ErrorToException(JSContext*, char const*, JSErrorReport*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*) + 913 _ZL11ReportErrorP9JSContextPKcP13JSErrorReportPFPK19JSErrorFormatStringPvS2_jES8_ + 109 js_ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, int, __va_list_tag*) + 265 + 200 js::NameOperation(JSContext*, unsigned char*, JS::Value*) + 1170 js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) + 4014 js::RunScript(JSContext*, JSScript*, js::StackFrame*) + 957 js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) + 1298 js::EvaluateInEnv(JSContext*, JS::Handle<JSObject*>, js::StackFrame*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*) + 675 _ZL17DebuggerFrameEvalP9JSContextjPN2JS5ValueE16EvalBindingsMode + 1030 js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) + 907
Severity: normal → critical
Ah, this seems to be fallout from allowing eval-in-frame to eval in a frame in a different context. I'll try to whip up a fix.
Attached patch fix and testSplinter Review
Delightfully simple fix. I audited the rest of the uses of prevInContext and they seem to be fine.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #628115 - Flags: review?(jorendorff)
Comment on attachment 628115 [details] [diff] [review] fix and test Review of attachment 628115 [details] [diff] [review]: ----------------------------------------------------------------- r=me. StackIter's comment should point out that it's really just following the prev() chain, and in corner cases like eval-in-frame that can get weird. I think StackIter::settleOnNewState() should have a comment somewhere that tells what it's for. (In general I think API comments, documenting contracts, are very often worth it. We don't do enough of those.) ::: js/src/jit-test/tests/debug/cross-context-3.js @@ +4,5 @@ > +var dbg = new Debugger(g); > +var hits = 0; > +dbg.onDebuggerStatement = function (frame1) { > + dbg.onDebuggerStatement = function (frame2) { > + print(frame1.eval("a").throw); Assert something instead of printing it?
Attachment #628115 - Flags: review?(jorendorff) → review+
(In reply to Jason Orendorff [:jorendorff] from comment #3) > (In general I think API comments, documenting > contracts, are very often worth it. We don't do enough of those.) Madness
https://hg.mozilla.org/mozilla-central/rev/02e49bc6ead9
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: