Closed Bug 374160 Opened 18 years ago Closed 18 years ago

Crash [@ JS_InstanceOf] with E4X..@c[0] = 3

Tracking

()

Status:

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: igor)

Details

(4 keywords)

Crash Data

Attachments

(2 files, 1 obsolete file)

Fix v1 18 years ago Igor Bukanov 955 bytes, patch	brendan : review+	Details \| Diff \| Splinter Review
Fix v1b 18 years ago Igor Bukanov 955 bytes, patch	igor : review+	Details \| Diff \| Splinter Review
1.8.1 version of v1b 18 years ago Igor Bukanov 1.65 KB, patch	igor : review+ dveditz : approval1.8.1.4+ dveditz : approval1.8.0.12+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

18 years ago

js> <a></a>..@c[0] = 3; Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c Thread 0 Crashed: 0 js 0x00015b59 JS_InstanceOf + 16 (jsapi.c:2292) 1 js 0x00015d46 JS_GetInstancePrivate + 38 (jsapi.c:2336) 2 js 0x000d5026 PutProperty + 53 (jsxml.c:4208) 3 js 0x000d5809 PutProperty + 2072 (jsxml.c:4405) 4 js 0x000d768a xml_setProperty + 93 (jsxml.c:5131) 5 js 0x00067853 js_Interpret + 57921 (jsinterp.c:3827) 6 js 0x000587a2 js_Execute + 715 (jsinterp.c:1612) 7 js 0x0001a108 JS_ExecuteScript + 54 (jsapi.c:4212) 8 js 0x00002992 Process + 912 (js.c:268) 9 js 0x00003314 ProcessArgs + 1910 (js.c:494) 10 js 0x00007ed9 main + 612 (js.c:3159) 11 js 0x000024a6 _start + 216 12 js 0x000023cd start + 41

Igor Bukanov

Assignee

Updated

•

18 years ago

Assignee: general → igor

Igor Bukanov

Assignee

Comment 1

•

18 years ago

Attached patch Fix v1 (obsolete) — Details — Splinter Review

The reason for the bug is that after <a></a>..@c[0] = 3; one gets a list with attribute elements with parents not yet dressed with objects. Hence the code must use GetXMLObject.

Attachment #259354 - Flags: review?(brendan)

Brendan Eich [:brendan]

Comment 2

•

18 years ago

Comment on attachment 259354 [details] [diff] [review] Fix v1 Sorry I missed this request! /be

Attachment #259354 - Flags: review?(brendan) → review+

Igor Bukanov

Assignee

Comment 3

•

18 years ago

Attached patch Fix v1b — Details — Splinter Review

Patch to commit synced with CVS head.

Attachment #259354 - Attachment is obsolete: true

Attachment #260048 - Flags: review+

Igor Bukanov

Assignee

Comment 4

•

18 years ago

I committed the patch from comment 3 to the trunk: Checking in jsxml.c; /cvsroot/mozilla/js/src/jsxml.c,v <-- jsxml.c new revision: 3.152; previous revision: 3.151 done

Status: NEW → RESOLVED

Closed: 18 years ago

Resolution: --- → FIXED

Igor Bukanov

Assignee

Comment 5

•

18 years ago

This is a safe fix for null pointer segfault.

Flags: blocking1.8.1.4?

Flags: blocking1.8.0.12?

Daniel Veditz [:dveditz]

Comment 6

•

18 years ago

Not really a "blocker", but we'll approve the patch.

Flags: blocking1.8.1.4?

Flags: blocking1.8.0.12?

Daniel Veditz [:dveditz]

Updated

•

18 years ago

Attachment #260048 - Flags: approval1.8.1.4+

Attachment #260048 - Flags: approval1.8.0.12+

Bob Clary [:bc] (inactive)

Comment 7

•

18 years ago

/cvsroot/mozilla/js/tests/e4x/Regress/regress-374160.js,v <-- regress-374160.js initial revision: 1.1

Flags: in-testsuite+

Igor Bukanov

Assignee

Comment 8

•

18 years ago

Attached patch 1.8.1 version of v1b — Details — Splinter Review

The patch is the result of a trivial merger into 1.8.1 branch.

Attachment #260672 - Flags: review+

Attachment #260672 - Flags: approval1.8.1.4?

Igor Bukanov

Assignee

Comment 9

•

18 years ago

Comment on attachment 260672 [details] [diff] [review] 1.8.1 version of v1b The patch applies to 1.8.0 except in the hunk that removes a trailing whitespace: that blank does not exist in 1.8.0.

Attachment #260672 - Flags: approval1.8.0.12?

Igor Bukanov

Assignee

Comment 10

•

18 years ago

Comment on attachment 260048 [details] [diff] [review] Fix v1b The branches require a separated patch.

Attachment #260048 - Flags: approval1.8.1.4+

Attachment #260048 - Flags: approval1.8.0.12+

Bob Clary [:bc] (inactive)

Comment 11

•

18 years ago

verified fixed linux, windows, mac* shell 20070406

Status: RESOLVED → VERIFIED

Daniel Veditz [:dveditz]

Comment 12

•

18 years ago

Comment on attachment 260672 [details] [diff] [review] 1.8.1 version of v1b approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers

Attachment #260672 - Flags: approval1.8.1.4?

Attachment #260672 - Flags: approval1.8.1.4+

Attachment #260672 - Flags: approval1.8.0.12?

Attachment #260672 - Flags: approval1.8.0.12+

Igor Bukanov

Assignee

Comment 13

•

18 years ago

I committed the patch from comment 8 to MOZILLA_1_8_BRANCH: Checking in jsxml.c; /cvsroot/mozilla/js/src/jsxml.c,v <-- jsxml.c new revision: 3.50.2.64; previous revision: 3.50.2.63 done

Keywords: fixed1.8.1.4

Igor Bukanov

Assignee

Comment 14

•

18 years ago

I committed the patch from comment 8 to MOZILLA_1_8_0_BRANCH: Checking in jsxml.c; /cvsroot/mozilla/js/src/jsxml.c,v <-- jsxml.c new revision: 3.50.2.15.2.34; previous revision: 3.50.2.15.2.33 done

Keywords: fixed1.8.0.12

Bob Clary [:bc] (inactive)

Comment 15

•

18 years ago

verified fixed 1.8.0, 1.8.1, windows, mac*, linux 2007-04-08

Keywords: fixed1.8.0.12, fixed1.8.1.4 → verified1.8.0.12, verified1.8.1.4

Nobody; OK to take it and work on it

Updated

•

14 years ago

Crash Signature: [@ JS_InstanceOf]

You need to log in before you can comment on or make changes to this bug.