SIGSEGV in set_prop_jsval

Bug #797159 reported by Chris Coulson
Affects          Status        Importance  Assigned to    Milestone
gxine (Ubuntu)   Fix Released  High        Chris Coulson
Natty            Invalid       High        Unassigned

Bug Description

Binary package hint: gxine

Thanks to me, gxine is unusable in natty. This is because I'm using the wrong prototype for generic_JSSetProperty() (I'm using JSPropertyOp where I should be using JSStrictPropertyOp).

Here's the difference:
typedef JSBool (* JSPropertyOp)(JSContext *cx, JSObject *obj, jsid id, jsval *vp);
typedef JSBool (* JSStrictPropertyOp)(JSContext *cx, JSObject *obj, jsid id, JSBool strict, jsval *vp);

gxine crashes because vp=NULL, when actually this variable on the stack is *really* strict=FALSE. D'oh.

For the curious, insane or bored:

#0 0x000000000043e2a8 in set_prop_jsval (se=0x85d5a0, o=0xeb2e20, p=0xeb2de0, v=0x0) at script_engine.c:754
No locals.
#1 0x000000000043e709 in generic_JSSetProperty (cx=0x85d610, obj=0x7fffe5a03af8, id=140737332593312, vp=0x0) at script_engine.c:908
        p = 0xeb2de0
        str = 0x7ffff6b742a0
        prop = 0x183ca40 "v"
        n = 0xeb22a0
        id_val = 18445336698670236320
        se = 0x85d5a0
        o = 0xeb2e20
#2 0x00007ffff6717e94 in CallJSPropertyOpSetter (cx=0x85d610, obj=0x7fffe5a03af8, shape=0xed7960, added=true, strict=<value optimised out>, vp=0x7fffffffc710)
    at /build/buildd/xulrunner-2.0-2.0+nobinonly/build-tree/mozilla/js/src/jscntxtinlines.h:761
No locals.
#3 set (cx=0x85d610, obj=0x7fffe5a03af8, shape=0xed7960, added=true, strict=<value optimised out>, vp=0x7fffffffc710) at /build/buildd/xulrunner-2.0-2.0+nobinonly/build-tree/mozilla/js/src/jsscopeinlines.h:282
No locals.
#4 js_NativeSet (cx=0x85d610, obj=0x7fffe5a03af8, shape=0xed7960, added=true, strict=<value optimised out>, vp=0x7fffffffc710) at /build/buildd/xulrunner-2.0-2.0+nobinonly/build-tree/mozilla/js/src/jsobj.cpp:5313
        tvr = {<js::AutoGCRooter> = {down = 0x8bbf78, tag = -2, context = 0x85d610}, shape = 0xed7960}
        slot = <value optimised out>
        sample = 0
#5 0x00007ffff671abeb in js_SetPropertyHelper (cx=0x85d610, obj=<value optimised out>, id=140737332593312, defineHow=1, vp=0x7fffffffc710, strict=0) at /build/buildd/xulrunner-2.0-2.0+nobinonly/build-tree/mozilla/js/src/jsobj.cpp:5791
        pobj = 0x0
        shape = <value optimised out>
        attrs = <value optimised out>
        flags = <value optimised out>
        clasp = 0x66df00
        setter = <value optimised out>
        added = <value optimised out>
        protoIndex = <value optimised out>
        prop = 0x0
        shortid = <value optimised out>
        getter = <value optimised out>
#6 0x00007ffff66e622b in js::Interpret (cx=0x85d610, entryFrame=0x7fffe5bc80d8, inlineCallCount=0, interpMode=JSINTERP_NORMAL) at /build/buildd/xulrunner-2.0-2.0+nobinonly/build-tree/mozilla/js/src/jsinterp.cpp:4493
        defineHow = <value optimised out>
        cache = <value optimised out>
        entry = <value optimised out>
        obj2 = 0x7fffe5a03048
        atom = <value optimised out>
        rval = {data = {asBits = 18444914486360932353, debugView = {payload47 = 1, tag = JSVAL_TAG_BOOLEAN}, s = {payload = {i32 = 1, u32 = 1, why = JS_ARGS_HOLE, word = 18444914486360932353}}, asDouble = -nan(0x9800000000001),
            asPtr = 0xfff9800000000001}}
        lref = <value optimised out>
        obj = 0x7fffe5a03af8
        normalJumpTable = {0x7ffff66e7c92, 0x7ffff66e8311, 0x7ffff66e6c1d, 0x7ffff66e9361, 0x7ffff66e932e, 0x7ffff66e92ff, 0x7ffff66e76a1, 0x7ffff66e8aac, 0x7ffff66e8a05, 0x7ffff66ed0f0, 0x7ffff66e8500, 0x7ffff66e8480, 0x7ffff66e92c2,
          0x7ffff66e927d, 0x7ffff66e9128, 0x7ffff66e8cf2, 0x7ffff66e8da4, 0x7ffff66e8bd1, 0x7ffff66ea279, 0x7ffff66ea187, 0x7ffff66e9e6e, 0x7ffff66e9d25, 0x7ffff66ecfa7, 0x7ffff66ece5e, 0x7ffff66ecda7, 0x7ffff66eccf0, 0x7ffff66ecc2f,
          0x7ffff66ecb09, 0x7ffff66eca28, 0x7ffff66ec947, 0x7ffff66e81bd, 0x7ffff66e80d8, 0x7ffff66e804e, 0x7ffff66e7fc6, 0x7ffff66e7e60, 0x7ffff66e7e1e, 0x7ffff66e7ef3, 0x7ffff66e7d5d, 0x7ffff66e8398, 0x7ffff66e6c6c, 0x7ffff66e940e,
          0x7ffff66e9d19, 0x7ffff66e9573, 0x7ffff66ec3e8, 0x7ffff66e9d14, 0x7ffff66e956e, 0x7ffff66ec3e3, 0x7ffff66e9d1e, 0x7ffff66e60e4, 0x7ffff66e6005, 0x7ffff66e978b, 0x7ffff66e60e4, 0x7ffff66e6005, 0x7ffff66e69e8, 0x7ffff66e6117,
          0x7ffff66ebefb, 0x7ffff66ec19d, 0x7ffff66e627b, 0x7ffff66e7a08, 0x7ffff66e627b, 0x7ffff66ec8dd, 0x7ffff66ed4c2, 0x7ffff66eac66, 0x7ffff66eac23, 0x7ffff66eabe0, 0x7ffff66e949d, 0x7ffff66ed6f8, 0x7ffff66ed6b5, 0x7ffff66e8961,
          0x7ffff66e88ef, 0x7ffff66ed624, 0x7ffff66ed19a, 0x7ffff66ea10b, 0x7ffff66ea08f, 0x7ffff66ec024, 0x7ffff66e8689, 0x7ffff66e85d0, 0x7ffff66e857f, 0x7ffff66e64d8, 0x7ffff66e9243, 0x7ffff66eadb5, 0x7ffff66e82e6, 0x7ffff66ec3ed,
          0x7ffff66ed151, 0x7ffff66e7441, 0x7ffff66ec79c, 0x7ffff66ec747, 0x7ffff66ec690, 0x7ffff66ebea6, 0x7ffff66ebbc7, 0x7ffff66ebb3a, 0x7ffff66eb855, 0x7ffff66eb7df, 0x7ffff66e6ccb, 0x7ffff66e7b25, 0x7ffff66eb708, 0x7ffff66eb623,
          0x7ffff66e9482, 0x7ffff66e7970, 0x7ffff66e9476, 0x7ffff66e9491, 0x7ffff66e9aeb, 0x7ffff66e9446, 0x7ffff66e9562, 0x7ffff66e9afa, 0x7ffff66e8e56, 0x7ffff66e76fb, 0x7ffff66ed374, 0x7ffff66ed302, 0x7ffff66e82a9, 0x7ffff66e8e70,
          0x7ffff66e9a8a, 0x7ffff66eb342, 0x7ffff66e86e9, 0x7ffff66eb14e, 0x7ffff66eb0ce, 0x7ffff66eb53c, 0x7ffff66eb470, 0x7ffff66eb3fe, 0x7ffff66e8376, 0x7ffff66e7c70, 0x7ffff66ea023, 0x7ffff66e7698, 0x7ffff66ec5d8, 0x7ffff66ec4f4,
          0x7ffff66e7879, 0x7ffff66e7879, 0x7ffff66ed73b, 0x7ffff66e722d, 0x7ffff66e722d, 0x7ffff66ed890, 0x7ffff66e7a50, 0x7ffff66eb2ec, 0x7ffff66e91d9, 0x7ffff66e7c4e, 0x7ffff66eb3ca, 0x7ffff66e74a2, 0x7ffff66e74a2, 0x7ffff66ec85f,
          0x7ffff66ec7ef, 0x7ffff66ea36b, 0x7ffff66e6b73, 0x7ffff66e8c83, 0x7ffff66e8b1b, 0x7ffff66e883a, 0x7ffff66e87c8, 0x7ffff66eb4af, 0x7ffff66e9fb7, 0x7ffff66e6b6a, 0x7ffff66ed520, 0x7ffff66ed2f8, 0x7ffff66e70a3, 0x7ffff66e70a3,
          0x7ffff66eb385, 0x7ffff66e6c1d, 0x7ffff66e6455, 0x7ffff66ec01f, 0x7ffff66e9a95, 0x7ffff66e9a85, 0x7ffff66e9a80, 0x7ffff66e5baa, 0x7ffff66e5bb0, 0x7ffff66eaca9, 0x7ffff66eb087, 0x7ffff66eb008, 0x7ffff66eafaa, 0x7ffff66eaf08,
          0x7ffff66ebe19, 0x7ffff66edc22, 0x7ffff66edbbe, 0x7ffff66e6f3f, 0x7ffff66e6f3f, 0x7ffff66edaa0, 0x7ffff66ed9d4, 0x7ffff66e6e7f, 0x7ffff66e6ddc, 0x7ffff66eb801, 0x7ffff66e9c3e, 0x7ffff66e9bd6, 0x7ffff66e9b6e, 0x7ffff66e9b06,
          0x7ffff66eaa2d, 0x7ffff66e6bdc, 0x7ffff66ea9af, 0x7ffff66ea931, 0x7ffff66ea447, 0x7ffff66e6ddc, 0x7ffff66e9790, 0x7ffff66e8354, 0x7ffff66e7be8, 0x7ffff66ec13a, 0x7ffff66ec050, 0x7ffff66e784e, 0x7ffff66e784e, 0x7ffff66e7c2c,
          0x7ffff66e7c0a, 0x7ffff66ec280, 0x7ffff66e6455, 0x7ffff66e69e8, 0x7ffff66e6e7f...}
        argv = 0x0
        interpReturnOK = <value optimised out>
        len = <value optimised out>
        interruptJumpTable = {0x7ffff66e7cb4 <repeats 244 times>}
        useMethodJIT = false
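
The prototype mismatch described above, as an added illustration that is not code from gxine or SpiderMonkey: the engine calls a setter through JSStrictPropertyOp, so a function written with the four-parameter JSPropertyOp shape reads `strict` (0) in the slot it believes is `vp`, which is the vp=0x0 in frame #1. The types (JSContext, JSObject, jsid, jsval, JSBool), the class record `JSClassRec`, and the functions `setter_wrong`, `setter_fixed`, `engine_set`, `demo_store`, `demo_null_vp` and the `IS_STRICT_SETTER` macro are constructed stand-ins for this example. The example shows the compile-time check that would have caught the bug and the corrected setter with a defensive NULL guard; the wrong-prototype function is declared but never called, since calling it through the other pointer type is undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the SpiderMonkey types named in the report
 * (hypothetical; not the engine's real definitions). */
typedef int JSBool;
#define JS_TRUE  1
#define JS_FALSE 0
typedef struct { int unused; } JSContext;
typedef struct { double value; } JSObject;   /* one numeric property slot */
typedef long jsid;
typedef double jsval;

/* The two prototypes quoted in the bug description. */
typedef JSBool (*JSPropertyOp)(JSContext *cx, JSObject *obj, jsid id, jsval *vp);
typedef JSBool (*JSStrictPropertyOp)(JSContext *cx, JSObject *obj, jsid id,
                                     JSBool strict, jsval *vp);

/* Hypothetical class record: the engine stores setters as JSStrictPropertyOp. */
typedef struct {
    const char *name;
    JSPropertyOp getProperty;
    JSStrictPropertyOp setProperty;
} JSClassRec;

/* Compile-time check (C11 _Generic): does function `fn` have the setter
 * prototype the engine will call it with? Yields 1 or 0 as a constant. */
#define IS_STRICT_SETTER(fn) _Generic(&(fn), JSStrictPropertyOp: 1, default: 0)

/* Shape of the setter as the bug had it: four parameters. Storing it in
 * setProperty is a constraint violation a C compiler only warns about, and
 * a call with (cx, obj, id, strict, vp) then lands `strict` (0) where this
 * function expects `vp`. Declared here only for the type check below. */
JSBool setter_wrong(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
{
    (void)cx; (void)id;
    obj->value = *vp;            /* dereferences NULL when mis-called */
    return JS_TRUE;
}

/* Setter with the prototype the engine expects. `strict` reports strict-mode
 * code; the NULL guard is an added defensive check, not required by the API. */
JSBool setter_fixed(JSContext *cx, JSObject *obj, jsid id, JSBool strict, jsval *vp)
{
    (void)cx; (void)id; (void)strict;
    if (vp == NULL)
        return JS_FALSE;
    obj->value = *vp;
    return JS_TRUE;
}

/* Refuse to build if the registered setter ever drifts from the engine's type. */
_Static_assert(IS_STRICT_SETTER(setter_fixed), "setter must match JSStrictPropertyOp");

int check_fixed(void) { return IS_STRICT_SETTER(setter_fixed); }  /* 1 */
int check_wrong(void) { return IS_STRICT_SETTER(setter_wrong); }  /* 0 */

/* Engine-side call, playing the role of CallJSPropertyOpSetter in frame #2. */
static JSBool engine_set(const JSClassRec *clasp, JSContext *cx, JSObject *obj,
                         jsid id, JSBool strict, jsval *vp)
{
    return clasp->setProperty(cx, obj, id, strict, vp);
}

/* Drive the fixed setter as the engine would; returns the stored value,
 * or -1.0 if the setter rejected the call. */
double demo_store(double v)
{
    JSContext cx = {0};
    JSObject obj = {0.0};
    JSClassRec clasp = { "gxine-like", NULL, setter_fixed };
    jsval val = v;
    if (engine_set(&clasp, &cx, &obj, 0, JS_FALSE, &val) != JS_TRUE)
        return -1.0;
    return obj.value;
}

/* The same call with vp == NULL: the guarded setter fails cleanly. */
JSBool demo_null_vp(void)
{
    JSContext cx = {0};
    JSObject obj = {0.0};
    JSClassRec clasp = { "gxine-like", NULL, setter_fixed };
    return engine_set(&clasp, &cx, &obj, 0, JS_FALSE, NULL);
}

int main(void)
{
    printf("setter_fixed matches JSStrictPropertyOp: %d\n", check_fixed());
    printf("setter_wrong matches JSStrictPropertyOp: %d\n", check_wrong());
    printf("stored %.1f, NULL vp -> %d\n", demo_store(4.5), demo_null_vp());
    return 0;
}
```

Assigning a function of the wrong pointer type to a struct field is only a warning in C by default; building with GCC's or Clang's `-Werror=incompatible-pointer-types` turns that assignment into a hard error, and the `_Static_assert` above catches it even when that warning is suppressed.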

Changed in gxine (Ubuntu Natty):
importance: Undecided → High
Changed in gxine (Ubuntu):
importance: Undecided → High
Changed in gxine (Ubuntu Natty):
status: New → Triaged
Changed in gxine (Ubuntu):
status: New → Triaged
Changed in gxine (Ubuntu Natty):
assignee: nobody → Chris Coulson (chrisccoulson)
Changed in gxine (Ubuntu):
assignee: nobody → Chris Coulson (chrisccoulson)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gxine - 0.5.905-4ubuntu5

---------------
gxine (0.5.905-4ubuntu5) oneiric; urgency=low

  * Fix LP: #797159 - gxine SIGSEGV in set_prop_jsval(). Use the correct
    prototype for generic_JSSetProperty() in script-engine.c
 -- Chris Coulson <email address hidden> Tue, 14 Jun 2011 13:38:46 +0100

Changed in gxine (Ubuntu):
status: Triaged → Fix Released
Chris Coulson (chrisccoulson) wrote :

Uploaded to natty-proposed too

Darren Salt (dsalt) wrote :

Patch → upstream? I don't particularly want to have to diff it myself ☺

Chris Coulson (chrisccoulson) wrote :

Hi Darren,

I'm actually in the process of getting the entire Spidermonkey 1.8.5 patch ready to send upstream (unless someone already did that for me), but it's a pretty big patch

Martin Pitt (pitti) wrote : Please test proposed package

Accepted gxine into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in gxine (Ubuntu Natty):
status: Triaged → Fix Committed
tags: added: verification-needed
Changed in gxine (Ubuntu Natty):
assignee: Chris Coulson (chrisccoulson) → nobody
dino99 (9d9) wrote :
Changed in gxine (Ubuntu Natty):
status: Fix Committed → Invalid