Closed Bug 295052 Opened 20 years ago Closed 20 years ago

Crash when apply method is called on String.prototype.match

Categories: Core :: JavaScript Engine, defect, P1
Version: 1.0 Branch

Tracking: VERIFIED FIXED, target milestone mozilla1.8beta2

People: Reporter: james82+bugzilla, Assigned: brendan

Details: 5 keywords
Attachments: 3 files
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 (ax)

The following JavaScript code will crash both Firefox and Mozilla:

    "".match.apply()

Reproducible: Always

Steps to Reproduce:
Type the following code into a webpage or the JavaScript console and execute it:

    "".match.apply()

Actual Results: Mozilla / Firefox crashes.

Expected Results: It should have executed the match method.

I've tested this with Firefox 1.0.4 and Mozilla 1.7.1 on Windows XP.

In Mozilla 1.7.1:
AppName: mozilla.exe AppVer: 1.7.20040.5185 ModName: js3250.dll ModVer: 4.0.0.0 Offset: 0003ca05

In Firefox 1.0.4: Will add crash report in comment.
In Firefox 1.0.4: AppName: firefox.exe AppVer: 1.0.4.0 ModName: js3250.dll ModVer: 4.0.0.0 Offset: 0003dc67
Test Case
Switching to normal priority
Severity: critical → normal
Crashes for me Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050509 Firefox/1.0.4
Crashes for me Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050521 Firefox/1.0+ ID:2005052110
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
TB6020777W [@ js3250.dll]
Component: Security → JavaScript Engine
Product: Mozilla Application Suite → Core
Version: unspecified → 1.0 Branch
Severity: normal → critical
Attached file Backtrace
I am not certain, but I think that the line in question is http://lxr.mozilla.org/seamonkey/source/js/src/jsstr.c#1181 where we de-reference a pointer to bytecode, cx->fp->down->pc, which is null.
Assignee: dveditz → general
QA Contact: seamonkey → general
Assignee: general → brendan
Flags: blocking1.8b2+
Keywords: js1.5
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta2
Attached patch fix
Attachment #184201 - Flags: review?(shaver)
Attachment #184201 - Flags: approval1.8b2+
Checking in js1_5/Regress/regress-295052.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-295052.js,v <-- regress-295052.js initial revision: 1.1
Flags: testcase+
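The regression test checked in above is not reproduced on this page. The following is an added example, not regress-295052.js and not Mozilla's code, that generalizes the reported expression: it invokes every own function property of String.prototype through Function.prototype.apply with no receiver and no argument list (the `"".match.apply()` pattern) and records, per method, whether the engine returned a value or threw a catchable exception. The one outcome it cannot record is the one the bug describes, the process dying; a regression run of this script is meant to end with every method accounted for. The function names `probeStringPrototype`, `allStringMethodNames`, `reportedTestcase` and `summarize` are this example's own.

```javascript
// Added example for bug 295052 (not the checked-in regress-295052.js).
// Generalizes "".match.apply() to every method on String.prototype.

function probeStringPrototype(names) {
  const results = {};
  for (const name of names) {
    const fn = String.prototype[name];
    if (typeof fn !== "function") continue; // skip "length" and similar
    try {
      // apply() with no arguments: thisArg is undefined, argument list empty.
      // This is the receiver-less native call that crashed the 2005 engines.
      const value = fn.apply();
      results[name] = { outcome: "value", value };
    } catch (err) {
      // A catchable exception is an acceptable outcome; a crash is not.
      results[name] = { outcome: "throw", error: err.constructor.name };
    }
  }
  return results;
}

// Every own property name of String.prototype on the running engine,
// so newly added methods are probed without editing the list by hand.
function allStringMethodNames() {
  return Object.getOwnPropertyNames(String.prototype);
}

// The exact expression from the report, kept separately so a regression
// run checks it by name. On a fixed engine it must either return or throw.
function reportedTestcase() {
  try {
    return { outcome: "value", value: "".match.apply() };
  } catch (err) {
    return { outcome: "throw", error: err.constructor.name };
  }
}

// One line per probed method, for a human-readable run log.
function summarize(results) {
  const lines = [];
  for (const [name, r] of Object.entries(results)) {
    const detail = r.outcome === "throw" ? " " + r.error : "";
    lines.push(name + ": " + r.outcome + detail);
  }
  return lines;
}

for (const line of summarize(probeStringPrototype(allStringMethodNames()))) {
  console.log(line);
}
console.log("reported case:", JSON.stringify(reportedTestcase()));
```

On a spec-conformant engine today the `match` entry reads `throw TypeError`, because String.prototype.match checks its receiver (RequireObjectCoercible) before doing anything else; the crash on this page came from engines that reached the native implementation in jsstr.c with no calling script frame instead.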
Comment on attachment 184201 (fix): r=shaver
Attachment #184201 - Flags: review?(shaver) → review+
Comment on attachment 184201 (fix): Approving for branches
Attachment #184201 - Flags: approval1.7.9+
Attachment #184201 - Flags: approval-aviary1.0.5+
Fixed on the trunk. Will land on branches after tomorrow. /be
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
brendan: ping
Fixed on AVIARY_1_0_1_20050124_BRANCH and MOZILLA_1_7_BRANCH. /be
Keywords: fixed1.7fixed1.7.8
verified fixed with 200506170x-1.0.5 firefox builds on linux fc3 and mac os x 10.4.1. neither the test URL nor the attached test case crash the builds.
Status: RESOLVED → VERIFIED