Closed Bug 593557 Opened 14 years ago Closed 14 years ago

Crash [@ JSObject::getClass | regexp_construct] with fragile testcase

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dupe 593611])

Crash Data

function w() {}
w(uneval({u: function () {}}));
(function () {
    try {
        throw 1;
    } catch (e) {}
})()
try {
    let x;
    w(eval("", RegExp()));
} catch (e) {}


The first bad revision is:
  changeset:   52720:66c8ad02543b
  user:        Luke Wagner <lw@mozilla.com>
  date:        Mon Aug 16 12:35:04 2010 -0700
  summary:     Bug 581263 - remove slow natives (r=waldo,mrbkap)
I am having trouble reproducing this.  I've tried debug and opt, x86 and x64, Linux and OS X (though not every combination of these).  I do get a warning:

test.js:10: warning: Support for eval(code, scopeObject) has been removed. Use |with (scopeObject) eval(code);| instead.
I hit this with debug x64 on Ubuntu Linux.
Do you suppose you could see if this is fixed by the patch in bug 593611?  It seems highly likely that this is caused by the same bug.
Yes, the patch in bug 593611 made this stop crashing.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Can we turn this testcase into a checked-in regression test?
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Flags: in-testsuite?
Whiteboard: [sg:dupe 593611]
Group: core-security
Crash Signature: [@ JSObject::getClass | regexp_construct]
You need to log in before you can comment on or make changes to this bug.