Closed Bug 350288 Opened 18 years ago Closed 18 years ago

Crash decompiling "let" for "has no properties" message

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 346642

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: crash, testcase) 

> javascript:let(x) ({ a : b }) = let (y = 3) null
Error: "let (3 = 3) null has no properties"

This incorrect error message might be a hint as to why the slightly more complicated statement below causes a crash.  "let (3 = 3)" reminds me of bug 349493.


> javascript:let (x=3, y=3) ({ a : b }) = let (y = 3) null
Crash!  Dereferencing 0xddsomething!


Thread 0 Crashed:
0    strlen + 8
1    cvt_s + 92 (jsprf.c:390)
2    dosprintf + 3272 (jsprf.c:1008)
3    JS_vsmprintf + 92 (jsprf.c:1156)
4    Sprint + 76 (jsopcode.c:421)
5    Decompile + 19268 (jsopcode.c:2000)
6    js_DecompileCode + 440 (jsopcode.c:3107)
7    js_DecompileValueGenerator + 2044 (jsopcode.c:3459)
8    js_ValueToNonNullObject + 112 (jsobj.c:4478)
9    js_Interpret + 64260 (jsinterp.c:3782)


5    Decompile + 19268 (jsopcode.c:2000)
2000                        todo = Sprint(&ss->sprinter, "%s%s = %s",
2001                                      VarPrefix(sn), lval, rval);

(gdb) p lval
$1 = 0xddb69b0a <Address 0xddb69b0a out of bounds>
(gdb) p rval
$2 = 0x2dbc037 "3"
(gdb) p VarPrefix(sn)
$3 = 0x1130ecc ""
(gdb) p sn
$4 = (jssrcnote *) 0x0
Beware of dup'ing bug 346642 (which I will fix shortly).  Destructuring forms do not decompile, you get crashes and other malfunctions.

/be

*** This bug has been marked as a duplicate of 346642 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Group: security
A testcase for this bug was already added in the original bug (bug 346642).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.