Crash [@ js_GetStringBytes] involving apply, __proto__, E4X

VERIFIED FIXED in mozilla1.9alpha1

Status

()

Core
JavaScript Engine
P1
critical
VERIFIED FIXED
12 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla1.9alpha1
crash, testcase, verified1.8.0.2, verified1.8.1
Points:
---
Bug Flags:
blocking1.8.0.2 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [patch][rft-dl], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

12 years ago
 
(Reporter)

Comment 1

12 years ago
Created attachment 212454 [details]
testcase

Comment 2

12 years ago
Created attachment 212590 [details]
Talkback Record TB15420219 Windows/Win98 

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20060212 SeaMonkey/1.5a
crash Talkback Record TB15420219W Seamonkey Trunk, Win98, so it isn't Mac only.

Updated

12 years ago
Attachment #212590 - Attachment mime type: application/vnd.mozilla.xul+xml → text/html
(Assignee)

Comment 3

12 years ago
This is easily fixed.
OS: MacOS X → All
Priority: -- → P1
Hardware: Macintosh → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Comment 4

12 years ago
Created attachment 212682 [details] [diff] [review]
Fix

The error message spat out is suboptimal, but close anyway. Chaining fallible functions together in a language without native exceptions is asking for trouble.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #212682 - Flags: review?(brendan)
Comment on attachment 212682 [details] [diff] [review]
Fix

mrbkap: blame fur, I do ;-):

3.9          (fur%nets 14-Oct-98):                              JS_GetStringBytes(JS_ValueToString(cx, fval)));

r=me, good for 1.8.1 at least.

/be
Attachment #212682 - Flags: review?(brendan)
Attachment #212682 - Flags: review+
Attachment #212682 - Flags: approval1.8.0.2?
Attachment #212682 - Flags: approval-branch-1.8.1+
(Assignee)

Comment 6

12 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Flags: blocking1.8.0.2+
Comment on attachment 212682 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz
Attachment #212682 - Flags: approval1.8.0.2? → approval1.8.0.2+
(Assignee)

Comment 8

12 years ago
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, fixed1.8.1

Comment 9

12 years ago
Checking in regress-327897.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-327897.js,v  <--  regress-327897.js
initial revision: 1.1
done
Flags: testcase+
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates) since in-testsuite+ indicates a test case exists in the js test library.
Whiteboard: [patch] → [patch][rft-dl]

Comment 11

12 years ago
v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.2, fixed1.8.1 → verified1.8.0.2, verified1.8.1
Crash Signature: [@ js_GetStringBytes]
You need to log in before you can comment on or make changes to this bug.