Closed Bug 452295 Opened 11 years ago Closed 11 years ago

segfault: echo 'eval("1")' | ./js

Categories

(Core :: JavaScript Engine, defect)


VERIFIED FIXED

People

(Reporter: rubys, Assigned: mrbkap)


Attachments

(4 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: 

With a current checkout of mozilla-central, built with "cd js/src; make -f Makefile.ref"

The following causes a segfault:

echo 'eval("1")' | ./js

Neither of the following does:

echo 'eval("1")' | ./js -i
echo 'print(eval(1))' | ./js

Reproducible: Always

Steps to Reproduce:
1. echo 'eval("1")' | ./js

Actual Results:  
Segmentation fault (core dumped)

Expected Results:  
No output
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch: Fix
I'm not sure if this is the right place for the assertion here...
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #335579 - Flags: review?(brendan)
Comment on attachment 335579 [details] [diff] [review]
Fix

Testing flags first seems better to me, because of common-case arguments: if the flag is not set more often than principals is null (I bet it is), then you want to bail there -- assuming perf is hyper-critical (which it is probably not, but the principle counts).

/be
Attachment #335579 - Flags: review?(brendan) → review+
http://hg.mozilla.org/index.cgi/mozilla-central/rev/b0b7959491f6
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Duplicate of this bug: 454040
Per the previous duped bug, this occurs in the 1.9.0.x and 1.8.1.x branches as well.
Flags: wanted1.9.0.x?
Flags: wanted1.8.1.x?
Keywords: crash
Flags: in-testsuite?
Attachment #342618 - Flags: review+
Attachment #342618 - Flags: approval1.9.0.4?
Attachment #342619 - Flags: review+
Attachment #342619 - Flags: approval1.8.1.18?
FWIW, the merges were trivial.
Duplicate of this bug: 457788
The indicated platform is PC/Linux.  However, bug #457788 was closed as a duplicate of this one.  That bug applied to all platforms and operating systems.  It prevented me from installing Mnenhy 0.7.5 under SeaMonkey 1.1.12 (which was not released until after this bug was submitted) on Windows XP.  

I must therefore question whether this bug is indeed fixed for all platforms and whether it is actually a duplicate of bug #457788.
The fix hasn't landed on the stable branches yet, so you'll still crash with the latest version of Firefox. The bug was reported on PC/Linux and the fix was in cross-platform code. I have a bad habit of not updating the hardware/OS fields.
OS: Linux → All
Hardware: PC → All
Keywords: testcase
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.4+
Flags: blocking1.8.1.18+
Comment on attachment 342618 [details] [diff] [review]
Patch for the 1.9 branch

Approved for 1.9.0.4, a=dveditz for release-drivers
Attachment #342618 - Flags: approval1.9.0.4? → approval1.9.0.4+
Attachment #342619 - Flags: approval1.8.1.18? → approval1.8.1.18+
Comment on attachment 342619 [details] [diff] [review]
Patch for the 1.8 branch

Approved for 1.8.1.18, a=dveditz for release-drivers
Checked in on the 1.8 and 1.9 branches.
not possible to test in current framework unless someone can show me how to not have a principal.
Flags: in-testsuite?
Flags: in-testsuite-
Flags: in-litmus-
(In reply to comment #16)
> not possible to test in current framework unless someone can show me how to not
> have a principal.

See bug 454040 for the branch testcases and comment #6 for the duplication.
I'll do the test in bug 454040.
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-454040.js,v  <-- 
regress-454040.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/f0e9fd501e63
Flags: in-testsuite- → in-testsuite+
verified 1.9.1, 1.9.0, 1.8.1
Status: RESOLVED → VERIFIED