672854 - Crash [@ js::TokenStream::TokenBuf::getRawChar]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

Function("for(w in\\")

crashes js debug shell on MI changeset  without any CLI arguments at js::TokenStream::TokenBuf::getRawChar .

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Got sleepy - should be MI changeset 47d8748daa90 !

Comment 2

[Christian Holler (:decoder)]

I got the same crash signature with LangFuzz on mozilla-central revision c9cdc5df55f4.

Comment 3

[Jeff Walden [:Waldo]]

Looks like a missing null-check of an expr() call -- probably from the recent rewrite of this code (did that land?).

Comment 4

[Jeff Walden [:Waldo]]

Attachment: Patch and tests

I'm not sure how many of these tests the patch actually fixes, but based on bug 672888, I'm guessing it's more than a few.  Can't hurt to test more.  :-)

Comment 5

[Jason Orendorff [:jorendorff]]

Comment on attachment 547246 [details] [diff] [review]
Patch and tests

★ Thank you.

Comment 6

[Jeff Walden [:Waldo]]

http://hg.mozilla.org/integration/mozilla-inbound/rev/bc74c08e8996

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   73021:938c1a177114
user:        Jason Orendorff
date:        Tue Jul 19 11:00:43 2011 -0500
summary:     Bug 648175 - Remove JSOP_FOR*. Second second landing, to coin a phrase. r=dvander.

Comment 9

[Jeff Walden [:Waldo]]

To anyone looking at the commit message for this push: yes, I know.  Bug 506949, save me from myself!

Comment 10

[Marco Bonardo [:mak]]

http://hg.mozilla.org/mozilla-central/rev/bc74c08e8996