Closed Bug 306591 Opened 19 years ago Closed 19 years ago

String static methods call with primitive value causes crash

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: nanto, Assigned: shaver)

Details

(Keywords: verified1.8)

Attachments

(1 file, 1 obsolete file)

make sure this is an object
1.58 KB, patch
brendan
: review+
shaver
: superreview+
shaver
: approval1.8b4+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7.10) Gecko/20050717 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050830 Firefox/1.0+

Calling String static methods, introduced in bug 304828, with primitive value as
first argument cause Firefox crash.


Reproducible: Always

Steps to Reproduce:
1. Open JavaScript Console
2. Evaluate the script: String.toUpperCase("abc");

Actual Results:  
Firefox crashed

Expected Results:  
"ABC"

OK:
String.split(new String("abc"), "");     // ["a", "b", "c"]
String.substring(new Number(123), 1, 2); // "2"
String.toUpperCase(new Boolean(true));   // "TRUE"
String.indexOf(null, "l");               // 2

Crash:
String.split("abc", "");
String.substring(123, 1, 2);
String.toUpperCase(true);
String.indexOf(undefined, "d");

Talkback crashID: TB8899225E
String, at least, calls JSVAL_TO_OBJECT on the object passed into its
functions, assuming that they are, in fact, objects (as opposed to primitives).
This patch ensures that that assumption isn't violated.
Assignee: general → mrbkap
Status: UNCONFIRMED → ASSIGNED
Attachment #194442 - Flags: review?(brendan)
All better, I do believe.
Assignee: mrbkap → shaver
Attachment #194443 - Flags: superreview?(brendan)
Attachment #194443 - Flags: review?(brendan)
Attachment #194443 - Flags: approval1.8b4+
Comment on attachment 194442 [details] [diff] [review]
make sure this is an object

This is better, especially because it doesn't leave the null crash. sr=shaver
Attachment #194442 - Flags: superreview+
Attachment #194442 - Flags: approval1.8b4+
Comment on attachment 194443 [details] [diff] [review]
Make sure that we have an object for |this|.

I am slain.
Attachment #194443 - Attachment is obsolete: true
Attachment #194443 - Flags: superreview?(brendan)
Attachment #194443 - Flags: review?(brendan)
Attachment #194443 - Flags: approval1.8b4+
Comment on attachment 194442 [details] [diff] [review]
make sure this is an object

Duh, and stuff.

/be
Attachment #194442 - Flags: review?(brendan) → review+
Thanks, you guys.

/be
Fix checked into MOZILLA_1_8_BRANCH and trunk. Thanks for the heads up.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Checking in regress-306591.js;
/cvsroot/mozilla/js/tests/js1_6/String/regress-306591.js,v  <--  regress-306591.js
initial revision: 1.1
done

String.indexOf(arg, pattern) should do a conversion to String on arg, but it
fails to do so if arg is undefined or null. I'll file a separate bug.
Flags: testcase+
That would be bug 312385 -- but it may be INVALID if we all agree on the
rationale for the current generic method dispatcher design.

/be
verified fixed 1.8.x and trunk (no crash). Tests still (erroneously?) fail due to bug 312385.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8verified1.8
Checking in js1_6/String/regress-306591.js;
/cvsroot/mozilla/js/tests/js1_6/String/regress-306591.js,v  <--  regress-306591.js
new revision: 1.2; previous revision: 1.1
done
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: