Closed Bug 295052 Opened 18 years ago Closed 18 years ago

Crash when apply method is called on String.prototype.match

Categories: Core :: JavaScript Engine, defect, P1
Version: 1.0 Branch
Status: VERIFIED FIXED
Target Milestone: mozilla1.8beta2
People: Reporter: james82+bugzilla; Assigned: brendan
Details: 5 keywords
Attachments: 3 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 (ax)

The following JavaScript code will crash both Firefox and Mozilla:
   "".match.apply()

Reproducible: Always

Steps to Reproduce:
Type the following code into a webpage or the JavaScript console and execute it:
   "".match.apply()
Actual Results:  
Mozilla / Firefox crashes.

Expected Results:  
It should have executed the match method.

I've tested this with Firefox 1.0.4 and Mozilla 1.7.1 on Windows XP.

In Mozilla 1.7.1:
AppName: mozilla.exe	 AppVer: 1.7.20040.5185	 ModName: js3250.dll
ModVer: 4.0.0.0	 Offset: 0003ca05

In Firefox 1.0.4:
Will add crash report in comment.
In Firefox 1.0.4:
AppName: firefox.exe	 AppVer: 1.0.4.0	 ModName: js3250.dll
ModVer: 4.0.0.0	 Offset: 0003dc67
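The crash above comes from calling a native String.prototype method through Function.prototype.apply with no receiver at all. The harness below is an added example written for this page; it is not the regress-295052.js test that was checked in, and the names NATIVE_STRING_METHODS, probe, runMatchRegression, runAll and allSurvived are chosen for this example. It exercises the reporter's exact expression plus the same missing-receiver pattern across several native string methods and through call, apply and Reflect.apply. Under ES5 and later engines the correct outcome is a TypeError (String.prototype.match performs RequireObjectCoercible on this), whereas the reporter expected the ES3-era behaviour of executing the method against a coerced global object; either is acceptable from a robustness standpoint. What must never happen is a process crash, which a harness cannot catch: the test passes only because the script runs to completion.

```javascript
// Added regression harness for missing-receiver calls into native String
// methods (example code, not the page's regress-295052.js).
// Assumption: the method list below is a hand-picked sample, not exhaustive.
const NATIVE_STRING_METHODS = [
  "match", "replace", "search", "split", "indexOf", "charAt", "toString",
];

// Invoke one native method via the supplied calling convention and record
// whether it returned a value, threw a TypeError, or threw something else.
// A crash would terminate the process before any record is produced.
function probe(methodName, invoke) {
  const fn = String.prototype[methodName];
  try {
    const value = invoke(fn);
    return { method: methodName, outcome: "returned", value: String(value) };
  } catch (e) {
    return {
      method: methodName,
      outcome: e instanceof TypeError ? "TypeError" : "threw",
      message: e.message,
    };
  }
}

// The reporter's expression, verbatim: "".match.apply() binds no receiver.
function runMatchRegression() {
  return probe("match", (fn) => fn.apply());
}

// The same missing-receiver pattern through every calling convention that
// lets a script reach a native method with `this` undefined or null.
function runAll() {
  const results = [];
  for (const name of NATIVE_STRING_METHODS) {
    results.push(probe(name, (fn) => fn.apply()));                     // no this, no args
    results.push(probe(name, (fn) => fn.apply(null)));                 // explicit null this
    results.push(probe(name, (fn) => fn.call(undefined)));             // call variant
    results.push(probe(name, (fn) => Reflect.apply(fn, undefined, []))); // Reflect variant
  }
  return results;
}

// Survival means every probe either returned or threw a TypeError; an
// unexpected exception type is reported as a failure so it gets looked at.
function allSurvived(results) {
  return results.every((r) => r.outcome === "returned" || r.outcome === "TypeError");
}

// Stand-alone run: print a one-line summary per probe.
for (const r of [runMatchRegression(), ...runAll()]) {
  console.log(`${r.method}: ${r.outcome}${r.message ? " (" + r.message + ")" : ""}`);
}
```

The harness deliberately separates "returned" from "TypeError" rather than folding both into a pass, so that a change in engine semantics (for example a method that starts coercing undefined to the global object again) shows up in the output even though it is still counted as survival.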
Test Case
Switching to normal priority
Severity: critical → normal
Crashes for me Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8)
Gecko/20050509 Firefox/1.0.4
Crashes for me Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2)
Gecko/20050521 Firefox/1.0+ ID:2005052110
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
TB6020777W [@ js3250.dll]
Component: Security → JavaScript Engine
Product: Mozilla Application Suite → Core
Version: unspecified → 1.0 Branch
Severity: normal → critical
Attached file Backtrace
I am not certain, but I think that the line in question is
http://lxr.mozilla.org/seamonkey/source/js/src/jsstr.c#1181 where we 
de-reference a pointer to bytecode, cx->fp->down->pc , which is null.
Assignee: dveditz → general
QA Contact: seamonkey → general
Assignee: general → brendan
Flags: blocking1.8b2+
Keywords: js1.5
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta2
Attached patch fix
Attachment #184201 - Flags: review?(shaver)
Attachment #184201 - Flags: approval1.8b2+
Checking in js1_5/Regress/regress-295052.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-295052.js,v  <--  regress-295052.js
initial revision: 1.1
Flags: testcase+
Comment on attachment 184201 (fix)

Approving for branches
Attachment #184201 - Flags: approval1.7.9+
Attachment #184201 - Flags: approval-aviary1.0.5+
Fixed on the trunk.  Will land on branches after tomorrow.

/be
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
brendan: ping
Fixed on AVIARY_1_0_1_20050124_BRANCH and MOZILLA_1_7_BRANCH.

/be
Keywords: fixed1.7fixed1.7.8
verified fixed with 200506170x-1.0.5 firefox builds on linux fc3 and mac os x
10.4.1. neither the test URL nor the attached test case crash the builds.
Status: RESOLVED → VERIFIED