segfault: echo 'eval("1")' | ./js

VERIFIED FIXED

Status

Core
JavaScript Engine
VERIFIED FIXED
9 years ago
9 years ago

People

(Reporter: Sam Ruby, Assigned: mrbkap)

Tracking

(5 keywords)

unspecified
crash, regression, testcase, verified1.8.1.18, verified1.9.0.4
Points:
---
Bug Flags:
blocking1.9.0.4 +
wanted1.9.0.x +
blocking1.8.1.18 +
wanted1.8.1.x +
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(4 attachments)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: 

With a current checkout of mozilla-central, built with "cd js/src; make -f Makefile.ref"

The following causes a segfault:

echo 'eval("1")' | ./js

Neither of the following does:

echo 'eval("1")' | ./js -i
echo 'print(eval(1))' | ./js

Reproducible: Always

Steps to Reproduce:
1. echo 'eval("1")' | ./js

Actual Results:  
Segmentation fault (core dumped)

Expected Results:  
No output
(Assignee)

Updated

9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 1

9 years ago
Created attachment 335579 [details] [diff] [review]
Fix

I'm not sure if this is the right place for the assertion here...
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #335579 - Flags: review?(brendan)
Comment on attachment 335579 [details] [diff] [review]
Fix

Testing flags first seems better to me, because of common-case arguments: if the flag is not set more often than principals is null (I bet it is), then you want to bail there -- assuming perf is hyper-critical (which it is probably not, but the principle counts).

/be
Attachment #335579 - Flags: review?(brendan) → review+
Created attachment 335662 [details] [diff] [review]
js.cpp patch I used to find the culprit

For future ref.

/be
(Assignee)

Comment 4

9 years ago
http://hg.mozilla.org/index.cgi/mozilla-central/rev/b0b7959491f6
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(Assignee)

Updated

9 years ago
Duplicate of this bug: 454040
per previous duped bug, this occurs in 1.9.0.x and 1.8.1.x branches as well.
Flags: wanted1.9.0.x?
Flags: wanted1.8.1.x?

Updated

9 years ago
Keywords: crash
Flags: in-testsuite?
(Assignee)

Comment 7

9 years ago
Created attachment 342618 [details] [diff] [review]
Patch for the 1.9 branch
Attachment #342618 - Flags: review+
Attachment #342618 - Flags: approval1.9.0.4?
(Assignee)

Comment 8

9 years ago
Created attachment 342619 [details] [diff] [review]
Patch for the 1.8 branch
Attachment #342619 - Flags: review+
Attachment #342619 - Flags: approval1.8.1.18?
(Assignee)

Comment 9

9 years ago
FWIW, the merges were trivial.
(Assignee)

Updated

9 years ago
Duplicate of this bug: 457788

Comment 11

9 years ago
The indicated platform is PC/Linux.  However, bug #457788 was closed as a duplicate of this one.  That bug applied to all platforms and operating systems.  It prevented me from installing Mnenhy 0.7.5 under SeaMonkey 1.1.12 (which was not released until after this bug was submitted) on Windows XP.  

I must therefore question whether this bug is indeed fixed for all platforms and whether it is actually a duplicate of bug #457788.
(Assignee)

Comment 12

9 years ago
The fix hasn't landed on the stable branches yet, so you'll still crash with the latest version of Firefox. The bug was reported on PC/Linux and the fix was in cross-platform code. I have a bad habit of not updating the hardware/OS fields.
OS: Linux → All
Hardware: PC → All

Updated

9 years ago
Keywords: testcase
Blocks: 419848
Keywords: regression
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.4+
Flags: blocking1.8.1.18+
Comment on attachment 342618 [details] [diff] [review]
Patch for the 1.9 branch

Approved for 1.9.0.4, a=dveditz for release-drivers
Attachment #342618 - Flags: approval1.9.0.4? → approval1.9.0.4+
Attachment #342619 - Flags: approval1.8.1.18? → approval1.8.1.18+
Comment on attachment 342619 [details] [diff] [review]
Patch for the 1.8 branch

Approved for 1.8.1.18, a=dveditz for release-drivers
(Assignee)

Comment 15

9 years ago
Checked in on the 1.8 and 1.9 branches.
Keywords: fixed1.8.1.18, fixed1.9.0.4

Comment 16

9 years ago
not possible to test in current framework unless someone can show me how to not have a principal.
Flags: in-testsuite?
Flags: in-testsuite-
Flags: in-litmus-
(In reply to comment #16)
> not possible to test in current framework unless someone can show me how to not
> have a principal.

See bug 454040 for the branch testcases and comment #6 for the duplication.

Comment 18

9 years ago
I'll do the test in bug 454040.

Comment 19

9 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-454040.js,v  <--  regress-454040.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/f0e9fd501e63
Flags: in-testsuite- → in-testsuite+

Comment 20

9 years ago
verified 1.9.1, 1.9.0, 1.8.1
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.18, fixed1.9.0.4 → verified1.8.1.18, verified1.9.0.4