Closed Bug 572774 Opened 15 years ago Closed 15 years ago

NULL deref in ecma/GlobalObject/15.1-2-n.js, browser only

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jorendorff, Assigned: gal)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

patch
2.46 KB, patch
Details | Diff | Splinter Review
This stack has some extra patches applied on top of tip, but the bug is in tip. (gdb) bt #0 0x00cd4728 in JSObject::getClass (this=0x0) at ../../dist/include/jsobj.h:270 #1 0x010e3dcd in XPCWrapper::UnwrapGeneric (cx=0xb2132400, xclasp=0x1fa8f00, wrapper=((JSObject *) NULL)) at /home/jorendorff/dev/tracemonkey/js/src/xpconnect/src/XPCWrapper.h:348 #2 0x010fd271 in GetWrappedObject (cx=0xb2132400, wrapper=((JSObject *) NULL)) at /home/jorendorff/dev/tracemonkey/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:142 #3 0x010ffd96 in XPC_XOW_Call (cx=0xb2132400, obj=((JSObject *) NULL), argc=0, argv=0xb5efe124, rval=0xb5efe168) at /home/jorendorff/dev/tracemonkey/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:1086 #4 0x020ca7d6 in js_Call (cx=0xb2132400, obj=((JSObject *) NULL), argc=0, argv=0xb5efe124, rval=0xb5efe168) at /home/jorendorff/dev/tracemonkey/js/src/jsobj.cpp:5614 #5 0x020acb9c in js::callJSNative (cx=0xb2132400, native=0x20ca738 <js_Call>, thisobj=((JSObject *) NULL), argc= 0, argv=0xb5efe124, rval=0xb5efe168) at /home/jorendorff/dev/tracemonkey/js/src/jscntxtinlines.h:321 #6 0x020aa561 in Invoke (cx=0xb2132400, fun=0x0, script=0x0, native=0x20ca738 <js_Call>, args=..., flags=0) at /home/jorendorff/dev/tracemonkey/js/src/jsinterp.cpp:551 #7 0x020aab46 in js_Invoke (cx=0xb2132400, args=..., flags=0) at /home/jorendorff/dev/tracemonkey/js/src/jsinterp.cpp:678 #8 0x02098aac in js_Interpret (cx=0xb2132400) at /home/jorendorff/dev/tracemonkey/js/src/jsops.cpp:2156 #9 0x020ab241 in js_Execute (cx=0xb2132400, chain=0xb0115820, script=0xaf4a5a60, down=0xb5efe024, flags=16, result=0xb5efe0a0) at /home/jorendorff/dev/tracemonkey/js/src/jsinterp.cpp:855 #10 0x020be787 in obj_eval (cx=0xb2132400, argc=1, vp=0xb5efe0a0) at /home/jorendorff/dev/tracemonkey/js/src/jsobj.cpp:1353 #11 0x02098920 in js_Interpret (cx=0xb2132400) at /home/jorendorff/dev/tracemonkey/js/src/jsops.cpp:2146 #12 0x020ab241 in js_Execute (cx=0xb2132400, chain=0xb0115820, script=0xaf0baaa0, down=0x0, flags=0, result=0x0) at /home/jorendorff/dev/tracemonkey/js/src/jsinterp.cpp:855 #13 0x0201b839 in JS_EvaluateUCScriptForPrincipals (cx=0xb2132400, obj=((JSObject *) 0xb0115820) [object Window], principals=0xafe95b04, chars= ((jschar *) 0xaca40008) '/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */\x0a/* ***** BEGIN LICENSE BLOCK *****\x0a * Version: MPL...... (and browser frames after that)
Attached patch patch (obsolete) — Splinter Review
Assignee: general → gal
Attached patch patchSplinter Review
Attachment #451987 - Attachment is obsolete: true
Landed with some style nits picked. http://hg.mozilla.org/tracemonkey/rev/37b09e487d80
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/37b09e487d80
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: