Bug 672854 - Crash [@ js::TokenStream::TokenBuf::getRawChar]
: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All All
: -- critical
: mozilla8
Assigned To: Jeff Walden [:Waldo] (remove +bmo to email)
: Jason Orendorff [:jorendorff]
: 672888
Blocks: jsfunfuzz 648175
Reported: 2011-07-20 10:42 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2011-07-21 06:16 PDT

stack (3.17 KB, text/plain)
2011-07-20 10:42 PDT, Gary Kwong [:gkw] [:nth10sd]
Patch and tests (2.67 KB, patch)
2011-07-20 14:28 PDT, Jeff Walden [:Waldo] (remove +bmo to email)
jorendorff: review+

Description Gary Kwong [:gkw] [:nth10sd] 2011-07-20 10:42:21 PDT
Created attachment 547141 [details]

Function("for(w in\\")

crashes js debug shell on MI changeset  without any CLI arguments at js::TokenStream::TokenBuf::getRawChar .
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-07-20 11:02:39 PDT
Got sleepy - should be MI changeset 47d8748daa90 !
Comment 2 Christian Holler (:decoder) 2011-07-20 11:59:12 PDT
I got the same crash signature with LangFuzz on mozilla-central revision c9cdc5df55f4.
Comment 3 Jeff Walden [:Waldo] (remove +bmo to email) 2011-07-20 13:58:43 PDT
Looks like a missing null-check of an expr() call -- probably from the recent rewrite of this code (did that land?).
Comment 4 Jeff Walden [:Waldo] (remove +bmo to email) 2011-07-20 14:28:31 PDT
Created attachment 547246 [details] [diff] [review]
Patch and tests

I'm not sure how many of these tests the patch actually fixes, but based on bug 672888, I'm guessing it's more than a few.  Can't hurt to test more.  :-)
Comment 5 Jason Orendorff [:jorendorff] 2011-07-20 14:42:19 PDT
Comment on attachment 547246 [details] [diff] [review]
Patch and tests

★ Thank you.
Comment 6 Jeff Walden [:Waldo] (remove +bmo to email) 2011-07-20 14:54:17 PDT
Comment 7 Jason Orendorff [:jorendorff] 2011-07-20 14:56:37 PDT
*** Bug 672888 has been marked as a duplicate of this bug. ***
Comment 8 Gary Kwong [:gkw] [:nth10sd] 2011-07-20 23:14:43 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   73021:938c1a177114
user:        Jason Orendorff
date:        Tue Jul 19 11:00:43 2011 -0500
summary:     Bug 648175 - Remove JSOP_FOR*. Second second landing, to coin a phrase. r=dvander.
Comment 9 Jeff Walden [:Waldo] (remove +bmo to email) 2011-07-20 23:53:55 PDT
To anyone looking at the commit message for this push: yes, I know.  Bug 506949, save me from myself!
Comment 10 Marco Bonardo [::mak] 2011-07-21 06:16:31 PDT
