Closed Bug 374160 Opened 15 years ago Closed 15 years ago

Crash [@ JS_InstanceOf] with E4X..@c[0] = 3

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: igor)

Details

(4 keywords)

Crash Data

Attachments

(2 files, 1 obsolete file)

js> <a><b c="1"></b><b c="2"></b></a>..@c[0] = 3;

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0   js 	0x00015b59 JS_InstanceOf + 16 (jsapi.c:2292)
1   js 	0x00015d46 JS_GetInstancePrivate + 38 (jsapi.c:2336)
2   js 	0x000d5026 PutProperty + 53 (jsxml.c:4208)
3   js 	0x000d5809 PutProperty + 2072 (jsxml.c:4405)
4   js 	0x000d768a xml_setProperty + 93 (jsxml.c:5131)
5   js 	0x00067853 js_Interpret + 57921 (jsinterp.c:3827)
6   js 	0x000587a2 js_Execute + 715 (jsinterp.c:1612)
7   js 	0x0001a108 JS_ExecuteScript + 54 (jsapi.c:4212)
8   js 	0x00002992 Process + 912 (js.c:268)
9   js 	0x00003314 ProcessArgs + 1910 (js.c:494)
10  js 	0x00007ed9 main + 612 (js.c:3159)
11  js 	0x000024a6 _start + 216
12  js 	0x000023cd start + 41
Assignee: general → igor
Attached patch Fix v1 (obsolete) — Splinter Review
The reason for the bug is that after <a><b c="1"></b><b c="2"></b></a>..@c[0] = 3; one gets a list with attribute elements with parents not yet dressed with objects.     Hence the code must use GetXMLObject.
Attachment #259354 - Flags: review?(brendan)
Comment on attachment 259354 [details] [diff] [review]
Fix v1

Sorry I missed this request!

/be
Attachment #259354 - Flags: review?(brendan) → review+
Attached patch Fix v1bSplinter Review
Patch to commit synced with CVS head.
Attachment #259354 - Attachment is obsolete: true
Attachment #260048 - Flags: review+
I committed the patch from comment 3 to the trunk:

Checking in jsxml.c;
/cvsroot/mozilla/js/src/jsxml.c,v  <--  jsxml.c
new revision: 3.152; previous revision: 3.151
done

Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
This is a safe fix for null pointer segfault.
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Not really a "blocker", but we'll approve the patch.
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Attachment #260048 - Flags: approval1.8.1.4+
Attachment #260048 - Flags: approval1.8.0.12+
/cvsroot/mozilla/js/tests/e4x/Regress/regress-374160.js,v  <--  regress-374160.js
initial revision: 1.1
Flags: in-testsuite+
The patch is the result of a trivial merger into 1.8.1 branch.
Attachment #260672 - Flags: review+
Attachment #260672 - Flags: approval1.8.1.4?
Comment on attachment 260672 [details] [diff] [review]
1.8.1 version of v1b

The patch applies to 1.8.0 except in the hunk that removes a trailing whitespace: that blank does not exist in 1.8.0.
Attachment #260672 - Flags: approval1.8.0.12?
Comment on attachment 260048 [details] [diff] [review]
Fix v1b

The branches require a separated patch.
Attachment #260048 - Flags: approval1.8.1.4+
Attachment #260048 - Flags: approval1.8.0.12+
verified fixed linux, windows, mac* shell 20070406
Status: RESOLVED → VERIFIED
Comment on attachment 260672 [details] [diff] [review]
1.8.1 version of v1b

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #260672 - Flags: approval1.8.1.4?
Attachment #260672 - Flags: approval1.8.1.4+
Attachment #260672 - Flags: approval1.8.0.12?
Attachment #260672 - Flags: approval1.8.0.12+
I committed the patch from comment 8 to MOZILLA_1_8_BRANCH:

Checking in jsxml.c;
/cvsroot/mozilla/js/src/jsxml.c,v  <--  jsxml.c
new revision: 3.50.2.64; previous revision: 3.50.2.63
done
Keywords: fixed1.8.1.4
I committed the patch from comment 8 to MOZILLA_1_8_0_BRANCH:

Checking in jsxml.c;
/cvsroot/mozilla/js/src/jsxml.c,v  <--  jsxml.c
new revision: 3.50.2.15.2.34; previous revision: 3.50.2.15.2.33
done
Keywords: fixed1.8.0.12
verified fixed 1.8.0, 1.8.1, windows, mac*, linux 2007-04-08
Crash Signature: [@ JS_InstanceOf]
You need to log in before you can comment on or make changes to this bug.