Closed Bug 942379 Opened 12 years ago Closed 12 years ago

Crash [@ js::BarrieredPtr] with resolver

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

VERIFIED FIXED
mozilla29

People

(Reporter: gkw, Assigned: jorendorff)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:])

Attachments

(2 files)

Attached file stack
resolver([], undefined)

crashes js debug shell on m-c changeset f7ad046f783f with --fuzzing-safe at js::BarrieredPtr

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

Jason, this is probably an older bug, do you think you might be able to take a look and see what's wrong?
Flags: needinfo?(jorendorff)
Yup. I'll get to it tomorrow.
Assignee: general → jorendorff
Flags: needinfo?(jorendorff)
Attached patch v1
As a matter of personal reflection: it seems I'd rather write CallArgs boilerplate than go look up the JS_ConvertArguments mini-language.
Attachment #8338674 - Flags: review?(jwalden+bmo)
Comment on attachment 8338674 [details] [diff] [review] v1 Review of attachment 8338674 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/shell/js.cpp @@ +2712,5 @@ > > static bool > Resolver(JSContext *cx, unsigned argc, jsval *vp) > { > + CallArgs args = CallArgsFromVp(argc, vp); Change the JS_SET_RVAL at the end of the function to use args.rval().setObject(*result) if you're going to use CallArgs, might as well complete the transition. @@ +2718,3 @@ > RootedObject referent(cx, nullptr); > + if (!JS_ValueToObject(cx, args.get(0), &referent)) > + return false; Maybe if (!args.get(0).isNullOrUndefined() && !JS::ToObject(cx, args[0], &referent)) return false; to get rid of a JS_ValueToObject call (the semantics of which I can never remember, because it's not a standard method like ToObject). @@ +2722,2 @@ > RootedObject proto(cx, nullptr); > + if (args.hasDefined(1) && !args.get(1).isNull()) { |!args.get(1).isNullOrUndefined()| and |JS::ToObject| here as well.
Attachment #8338674 - Flags: review?(jwalden+bmo) → review+
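Review bot: In the hunk at +2718, `args.get(0)` yields undefined when resolver is called with no arguments, and JS_ValueToObject returns success for null or undefined while leaving referent null, so the `return false` branch does not cover a missing referent. Follow the conversion with an explicit `if (!referent)` check that reports an error before referent is used.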
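Review bot: The guard at +2722, `if (args.hasDefined(1) && !args.get(1).isNull())`, is the path taken by the call from the report, `resolver([], undefined)`, and the visible hunks add no test for it. A regression test that calls resolver with an undefined and with a null second argument would pin down that proto stays nullptr in both cases, and a one-line comment on the guard would document that intent.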
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to compile specified revision f7ad046f783f (maybe try another?)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/e61603f64470
user: Steve Fink
date: Fri May 03 13:53:15 2013 -0700
summary: Bug 868302 - Enable rooting LIFO assertions in DEBUG, r=terrence
Blocks: 868302
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Keywords: verifyme
Reproduced with the 11/22 mozilla-central JS shell. Verified as fixed with the 03/25 mozilla-beta shell.
Status: RESOLVED → VERIFIED
Keywords: verifyme