Closed
Bug 353249
Opened 18 years ago
Closed 18 years ago
Crash [@ NewNativeIterator]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: crash, testcase, verified1.8.1, Whiteboard: [sg:critical?] js1.7 feature)
Crash Data
Attachments
(2 files)
721 bytes, patch | igor: review+ | mrbkap: review+ | mtschrep: approval1.8.1+
2.49 KB, text/plain
js> f = (function () { let (x) <x/>.(1) < let (z) eval('3'); for (x in this) { } }); f()
Segmentation fault

Stack trace from an opt build:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x00660000

Thread 0 Crashed:
0 js 0x0007996c js_NewNativeIterator + 204 (crt.c:355)
1 js 0x00027724 js_Interpret + 5348 (crt.c:355)
2 js 0x000331d4 js_Execute + 484 (crt.c:355)
3 js 0x00008b68 JS_ExecuteScript + 36 (crt.c:355)
4 js 0x00002b14 Process + 772 (crt.c:355)
5 js 0x00005c4c main + 2032 (crt.c:355)
6 js 0x00002068 _start + 340 (crt.c:272)
7 js 0x00001f10 start + 60
Reporter
Updated•18 years ago
Whiteboard: [sg:critical?]
Assignee
Comment 1•18 years ago
This is yet another reason XML filtering should be done in the same activation of the interpreter as its continuation. /be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #240743 -
Flags: review?(igor.bukanov)
Attachment #240743 -
Flags: approval1.8.1?
Assignee
Updated•18 years ago
Attachment #240743 -
Flags: review?(mrbkap)
Comment 2•18 years ago
Comment on attachment 240743 fix
JSFRAME_POP_BLOCKS is sticky.
Attachment #240743 -
Flags: review?(igor.bukanov) → review+
Assignee
Comment 3•18 years ago
This is a safe one-line fix for 1.8.1, for a regression due to the new-in-js1.7 block scope (let) feature, which is an sg:critical? bug. Recommend we take it. /be
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Assignee
Comment 4•18 years ago
Fixed on trunk:

Checking in jsxml.c;
/cvsroot/mozilla/js/src/jsxml.c,v <-- jsxml.c
new revision: 3.128; previous revision: 3.127
done

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
Attachment #240743 -
Flags: review?(mrbkap) → review+
Comment 5•18 years ago
Comment on attachment 240743 fix
Approved for RC2.
Attachment #240743 -
Flags: approval1.8.1? → approval1.8.1+
Assignee
Comment 6•18 years ago
Merged patch landed:

Checking in jsxml.c;
/cvsroot/mozilla/js/src/jsxml.c,v <-- jsxml.c
new revision: 3.50.2.47; previous revision: 3.50.2.46
done

The merge required the fix for bug 352605.

/be
Keywords: fixed1.8.1
Updated•18 years ago
Whiteboard: [sg:critical?] → [sg:critical?] js1.7 feature
Comment 7•18 years ago
Updated•18 years ago
Flags: in-testsuite+
Comment 8•18 years ago
verified fixed 1.8, 1.9 20061002 windows/linux, 1.8 macppc
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Updated•18 years ago
Group: security
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Comment 9•18 years ago
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-353249.js,v <-- regress-353249.js
Updated•13 years ago
Crash Signature: [@ NewNativeIterator]