Bug 452295 - segfault: echo 'eval("1")' | ./js
Status: VERIFIED FIXED
Keywords: crash, regression, testcase, verified1.8.1.18, verified1.9.0.4
Product: Core
Classification: Components
Component: JavaScript Engine
Version: unspecified
Hardware/OS: All / All
Priority: --
Severity: normal
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap)
Duplicates: 454040 457788
Blocks: 419848
Reported: 2008-08-26 13:09 PDT by Sam Ruby
Modified: 2008-10-23 12:56 PDT
Flags:
dveditz: blocking1.9.0.4+
dveditz: wanted1.9.0.x+
dveditz: blocking1.8.1.18+
dveditz: wanted1.8.1.x+
bob: in-testsuite+
bob: in-litmus-


Attachments
Fix (600 bytes, patch) - 2008-08-26 13:27 PDT, Blake Kaplan (:mrbkap) - brendan: review+
js.cpp patch I used to find the culprit (1.44 KB, patch) - 2008-08-26 21:46 PDT, Brendan Eich [:brendan] - no flags
Patch for the 1.9 branch (977 bytes, patch) - 2008-10-10 12:41 PDT, Blake Kaplan (:mrbkap) - mrbkap: review+, dveditz: approval1.9.0.4+
Patch for the 1.8 branch (898 bytes, patch) - 2008-10-10 12:42 PDT, Blake Kaplan (:mrbkap) - mrbkap: review+, dveditz: approval1.8.1.18+

Description Sam Ruby 2008-08-26 13:09:19 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: 

With a current checkout of mozilla-central, built with "cd js/src; make -f Makefile.ref"

The following causes a segfault:

echo 'eval("1")' | ./js

Neither of the following does:

echo 'eval("1")' | ./js -i
echo 'print(eval(1))' | ./js

Reproducible: Always

Steps to Reproduce:
1. echo 'eval("1")' | ./js

Actual Results:  
Segmentation fault (core dumped)

Expected Results:  
No output
Comment 1 Blake Kaplan (:mrbkap) 2008-08-26 13:27:47 PDT
Created attachment 335579 [details] [diff] [review]
Fix

I'm not sure if this is the right place for the assertion here...
Comment 2 Brendan Eich [:brendan] 2008-08-26 17:36:22 PDT
Comment on attachment 335579 [details] [diff] [review]
Fix

Testing flags first seems better to me, because of common-case arguments: if the flag is not set more often than principals is null (I bet it is), then you want to bail there -- assuming perf is hyper-critical (which it is probably not, but the principle counts).

/be
Comment 3 Brendan Eich [:brendan] 2008-08-26 21:46:16 PDT
Created attachment 335662 [details] [diff] [review]
js.cpp patch I used to find the culprit

For future ref.

/be
Comment 5 Blake Kaplan (:mrbkap) 2008-09-07 11:54:35 PDT
*** Bug 454040 has been marked as a duplicate of this bug. ***
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2008-09-07 15:28:40 PDT
Per the previous duped bug, this occurs in the 1.9.0.x and 1.8.1.x branches as well.
Comment 7 Blake Kaplan (:mrbkap) 2008-10-10 12:41:37 PDT
Created attachment 342618 [details] [diff] [review]
Patch for the 1.9 branch
Comment 8 Blake Kaplan (:mrbkap) 2008-10-10 12:42:07 PDT
Created attachment 342619 [details] [diff] [review]
Patch for the 1.8 branch
Comment 9 Blake Kaplan (:mrbkap) 2008-10-10 12:42:39 PDT
FWIW, the merges were trivial.
Comment 10 Blake Kaplan (:mrbkap) 2008-10-10 12:43:20 PDT
*** Bug 457788 has been marked as a duplicate of this bug. ***
Comment 11 David E. Ross 2008-10-11 10:30:26 PDT
The indicated platform is PC/Linux. However, bug #457788 was closed as a duplicate of this one. That bug applied to all platforms and operating systems. It prevented me from installing Mnenhy 0.7.5 under SeaMonkey 1.1.12 (which was not released until after this bug was submitted) on Windows XP.

I must therefore question whether this bug is indeed fixed for all platforms and whether it is actually a duplicate of bug #457788.
Comment 12 Blake Kaplan (:mrbkap) 2008-10-11 10:40:25 PDT
The fix hasn't landed on the stable branches yet, so you'll still crash with the latest version of Firefox. The bug was reported on PC/Linux and the fix was in cross-platform code. I have a bad habit of not updating the hardware/OS fields.
Comment 13 Daniel Veditz [:dveditz] 2008-10-13 11:22:54 PDT
Comment on attachment 342618 [details] [diff] [review]
Patch for the 1.9 branch

Approved for 1.9.0.4, a=dveditz for release-drivers
Comment 14 Daniel Veditz [:dveditz] 2008-10-13 11:23:06 PDT
Comment on attachment 342619 [details] [diff] [review]
Patch for the 1.8 branch

Approved for 1.8.1.18, a=dveditz for release-drivers
Comment 15 Blake Kaplan (:mrbkap) 2008-10-13 15:39:40 PDT
Checked in on the 1.8 and 1.9 branches.
Comment 16 Bob Clary [:bc:] 2008-10-14 10:49:06 PDT
Not possible to test in the current framework unless someone can show me how to not have a principal.
Comment 17 Gary Kwong [:gkw] [:nth10sd] 2008-10-14 10:51:11 PDT
(In reply to comment #16)
> not possible to test in current framework unless someone can show me how to not
> have a principal.

See bug 454040 for the branch testcases and comment #6 for the duplication.
Comment 18 Bob Clary [:bc:] 2008-10-14 11:17:48 PDT
I'll do the test in bug 454040.
Comment 19 Bob Clary [:bc:] 2008-10-17 14:47:22 PDT
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-454040.js,v  <-- 
regress-454040.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/f0e9fd501e63
Comment 20 Bob Clary [:bc:] 2008-10-23 12:56:29 PDT
verified 1.9.1, 1.9.0, 1.8.1