Closed Bug 301545 Opened 19 years ago Closed 19 years ago

[E4X] crash when attribute-op name collides with local var

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: axel, Assigned: shaver)

Details

(Keywords: crash)

Attachments

(3 files)

js file that crashes, text/plain so that you can actually look.
62 bytes, text/plain
Details
stacktrace
2.88 KB, text/plain
Details
early out from LookupArgOrVar for QNAMEPART
723 bytes, patch
brendan
: review+
brendan
: approval1.8b4+
Details | Diff | Splinter Review 
Using the E4X attribute syntax, I get a crash.

function TOCParser(aElement) {
  var href = aElement.@href;
}

crashes on parsing, the same code with @href2 is fine. Sample js and stacktrace
coming up.

Just 
./run-mozilla.sh ./xpcshell -x -f /tmp/e4x-crash.js
does the trick for me, CVS build from yesterday.
Attached file stacktrace 
Stack trace. The offending part is a 

default: JS_ASSERT(0);

in LookupArgOrVar, the 

getter == js_GetLocalVariable || getter == js_GetCallVariable

part.
Updating summary a bit; I'm working this now.
Summary: [E4X] aElement.@href crashes on parsing → [E4X] crash when attribute-op name collides with argument
Summary: [E4X] crash when attribute-op name collides with argument → [E4X] crash when attribute-op name collides with local var
Worked around the first crasher successfully, now the following line in my code
bails at the same place:

var linkURI = gIOS.newURI(linkNode.@toc, null, this.mPluginURI);
I'm not sure if we need to do JSOP_QNAMECONST here as well, I'm not yet E4Xy
enough to be confident in how to trigger its generation.  I'll look at that
more today, if Brendan can't just jump in and say!
Assignee: general → shaver
Status: NEW → ASSIGNED
Attachment #190012 - Flags: review?(brendan)
Comment on attachment 190012 [details] [diff] [review]
early out from LookupArgOrVar for QNAMEPART

Great, thanks!

/be
Attachment #190012 - Flags: review?(brendan)
Attachment #190012 - Flags: review+
Attachment #190012 - Flags: approval1.8b4+
Not to worry about JSOP_QNAMECONST -- it's pn_op only in a node whose pn_type is
TOK_DBLCOLON and pn_arity is PN_NAME.  See QualifiedSuffix in jsparse.c.

/be
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: testcase?
Resolution: --- → FIXED
verified, my CVS build eats dogfood nicely now.
Status: RESOLVED → VERIFIED
Checking in regress-301545.js;
/cvsroot/mozilla/js/tests/e4x/Expressions/regress-301545.js,v  <-- 
regress-301545.js
initial revision: 1.1

I couldn't get this to crash on Windows. I would appreciate a Linux friend to
pull by date and check that this testcase really does crash.
Flags: testcase? → testcase+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: