Bug 295052: Crash when apply method is called on String.prototype.match
Status: Closed (opened 20 years ago, closed 20 years ago)
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target milestone mozilla1.8beta2
People: Reporter: james82+bugzilla, Assigned: brendan
Attachments (3 files):
- 414 bytes, text/html
- 7.41 KB, text/plain
- 2.01 KB, patch (flags: shaver: review+; dveditz: approval-aviary1.0.5+; dveditz: approval1.7.9+; brendan: approval1.8b2+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 (ax)
The following JavaScript code will crash both Firefox and Mozilla:
"".match.apply()
Reproducible: Always
Steps to Reproduce:
Type the following code into a webpage or the JavaScript console and execute it:
"".match.apply()
Actual Results:
Mozilla / Firefox crashes.
Expected Results:
It should have executed the match method.
I've tested this with Firefox 1.04 and Mozilla 1.7.1 on Windows XP.
In Mozilla 1.7.1:
AppName: mozilla.exe AppVer: 1.7.20040.5185 ModName: js3250.dll
ModVer: 4.0.0.0 Offset: 0003ca05
In Firefox 1.0.4:
Will add crash report in comment.
Comment 1 (Reporter) • 20 years ago
In Firefox 1.0.4:
AppName: firefox.exe AppVer: 1.0.4.0 ModName: js3250.dll
ModVer: 4.0.0.0 Offset: 0003dc67
Comment 2 (Reporter) • 20 years ago
Test Case
Comment 4 • 20 years ago
Crashes for me Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8)
Gecko/20050509 Firefox/1.0.4
Crashes for me Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2)
Gecko/20050521 Firefox/1.0+ ID:2005052110
Comment 5 • 20 years ago
TB6020777W [@ js3250.dll]
Component: Security → JavaScript Engine
Product: Mozilla Application Suite → Core
Version: unspecified → 1.0 Branch
Updated • 20 years ago
Severity: normal → critical
Comment 6 • 20 years ago
I am not certain, but I think that the line in question is
http://lxr.mozilla.org/seamonkey/source/js/src/jsstr.c#1181 where we
de-reference a pointer to bytecode, cx->fp->down->pc , which is null.
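A regression-style probe for the pattern in this bug, added here as an example (it is not the attached test case or Mozilla's regress-295052.js): it invokes String.prototype methods through apply/call with a missing or unusual `this`, as the reporter's `"".match.apply()` does, and records whether the engine returns or throws rather than crashing. It assumes an ES5+ engine such as Node, where built-ins reject an undefined or null `this` with a TypeError.

```javascript
// Added example (not Mozilla's regress-295052.js). Exercises String.prototype
// methods invoked through apply/call with an absent `this`, the shape of the
// "".match.apply() crash in bug 295052, and records how the engine responds.
// Assumes an ES5+ engine, where built-ins reject undefined/null `this` with TypeError.

// Run one invocation and classify the outcome instead of letting it propagate.
function probe(fn, thisArg, args) {
  try {
    return { outcome: 'returned', value: fn.apply(thisArg, args) };
  } catch (e) {
    return { outcome: 'threw', error: e.constructor.name, message: e.message };
  }
}

// Constructed cases in the spirit of the regression test: the original crasher
// plus variants that take the same generic-method-with-odd-this path.
const CASES = [
  { name: 'match.apply() (original)', fn: ''.match,                 thisArg: undefined, args: [] },
  { name: 'match.call(null)',         fn: String.prototype.match,   thisArg: null,      args: [/a/] },
  { name: 'replace.apply()',          fn: String.prototype.replace, thisArg: undefined, args: [] },
  { name: 'match with number this',   fn: String.prototype.match,   thisArg: 12345,     args: [/3/] },
  { name: 'match.apply(string)',      fn: String.prototype.match,   thisArg: 'abc',     args: [/b/] },
];

// Returns a map of case name -> outcome. A harness only reaches this return
// if no case took the process down; a crash is the one outcome it cannot record.
function runRegress295052() {
  const results = {};
  for (const c of CASES) {
    results[c.name] = probe(c.fn, c.thisArg, c.args);
  }
  return results;
}

// One human-readable line per case for a report.
function summarize(results) {
  return Object.entries(results).map(([name, r]) =>
    `${name}: ${r.outcome}${r.outcome === 'threw' ? ' ' + r.error : ''}`);
}

summarize(runRegress295052()).forEach(line => console.log(line));
```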
Updated • 20 years ago
Assignee: dveditz → general
QA Contact: seamonkey → general
Updated (Assignee) • 20 years ago
Assignee: general → brendan
Flags: blocking1.8b2+
Keywords: js1.5
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta2
Comment 7 (Assignee) • 20 years ago
Attachment #184201 - Flags: review?(shaver)
Attachment #184201 - Flags: approval1.8b2+
Comment 8 • 20 years ago
Checking in js1_5/Regress/regress-295052.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-295052.js,v <-- regress-295052.js
initial revision: 1.1
Flags: testcase+
Comment 9 • 20 years ago
Comment on attachment 184201 [details] [diff] [review]
fix
r=shaver
Attachment #184201 - Flags: review?(shaver) → review+
Comment 10 • 20 years ago
Comment on attachment 184201 [details] [diff] [review]
fix
Approving for branches
Attachment #184201 - Flags: approval1.7.9+
Attachment #184201 - Flags: approval-aviary1.0.5+
Comment 11 (Assignee) • 20 years ago
Fixed on the trunk. Will land on branches after tomorrow.
/be
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 12 • 20 years ago
brendan: ping
Comment 13 (Assignee) • 20 years ago
Fixed on AVIARY_1_0_1_20050124_BRANCH and MOZILLA_1_7_BRANCH.
/be
Keywords: fixed-aviary1.0.5, fixed1.7
Updated (Assignee) • 20 years ago
Keywords: fixed1.7 → fixed1.7.8
Comment 14 • 19 years ago
Verified fixed with 200506170x-1.0.5 Firefox builds on Linux FC3 and Mac OS X
10.4.1. Neither the test URL nor the attached test case crash the builds.
Status: RESOLVED → VERIFIED