Crash [@ js::TokenStream::TokenBuf::getRawChar]

RESOLVED FIXED in mozilla8

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Version: Trunk
Severity: critical
Keywords: crash, regression, testcase
Target Milestone: mozilla8
Whiteboard: [js-triage-done]

People

(Reporter: gkw, Assigned: Waldo)

Tracking

(Blocks: 1 bug)

Attachments

(2 attachments)
(Reporter)

Description

6 years ago
Created attachment 547141 [details]
stack

Function("for(w in\\")

crashes the js debug shell on MI changeset without any CLI arguments at js::TokenStream::TokenBuf::getRawChar.
(Reporter)

Comment 1

6 years ago
Got sleepy - should be MI changeset 47d8748daa90!
Whiteboard: js-triage-needed
Comment 2

I got the same crash signature with LangFuzz on mozilla-central revision c9cdc5df55f4.
Comment 3

Looks like a missing null-check of an expr() call -- probably from the recent rewrite of this code (did that land?).
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
OS: Mac OS X → All
Hardware: x86 → All
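As an added illustration of the failure mode diagnosed above (this is example code written for this page, not the bug's testcase, the patch, or SpiderMonkey's parser): a toy C++ recursive-descent parser for a for-in loop head, following the convention that a sub-parser which hits a syntax error records the message and returns nullptr. Every caller has to check for that before building a node from the result; the `if (!rhs) return nullptr;` after the right-hand `expr()` is the check whose absence turns the stray backslash in `for(w in\` into a null dereference instead of a SyntaxError. The class and function names (`Parser`, `forInHead`, `expr`, `parseError`) and the error strings are invented for the example.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>

// Hypothetical parser written for this page; it only mimics the
// error-reporting convention the bug turns on: a sub-parser that fails
// records the first error and returns nullptr, and callers must check.
enum class NodeKind { Name, ForIn };

struct ParseNode {
    NodeKind kind;
    std::string name;                // NodeKind::Name
    std::unique_ptr<ParseNode> lhs;  // NodeKind::ForIn: loop variable
    std::unique_ptr<ParseNode> rhs;  // NodeKind::ForIn: object expression
};

class Parser {
public:
    explicit Parser(std::string src) : src_(std::move(src)) {}
    std::string error;  // first syntax error seen; empty on success

    // Parses "for ( <name> in <expr> )". nullptr means an error was
    // reported into `error`; the caller must not touch the result.
    std::unique_ptr<ParseNode> forInHead() {
        if (!eatWord("for")) return fail("expected 'for'");
        if (!eat('(')) return fail("expected '('");
        std::unique_ptr<ParseNode> lhs = expr();
        if (!lhs) return nullptr;  // propagate the failure
        if (!eatWord("in")) return fail("expected 'in'");
        std::unique_ptr<ParseNode> rhs = expr();
        // The missing-check pattern: for `for(w in\` the right-hand expr()
        // fails on the backslash; without this line the ForIn node would
        // be built from a null rhs and the first use of it would crash.
        if (!rhs) return nullptr;
        if (!eat(')')) return fail("expected ')'");
        auto node = std::make_unique<ParseNode>();
        node->kind = NodeKind::ForIn;
        node->lhs = std::move(lhs);
        node->rhs = std::move(rhs);
        return node;
    }

private:
    std::string src_;
    std::size_t pos_ = 0;

    std::unique_ptr<ParseNode> fail(const std::string &msg) {
        if (error.empty()) error = msg;
        return nullptr;
    }
    void skipSpace() {
        while (pos_ < src_.size() && std::isspace(static_cast<unsigned char>(src_[pos_]))) ++pos_;
    }
    bool eat(char c) {
        skipSpace();
        if (pos_ < src_.size() && src_[pos_] == c) { ++pos_; return true; }
        return false;
    }
    static bool isIdent(char c) {
        return std::isalnum(static_cast<unsigned char>(c)) || c == '_' || c == '$';
    }
    bool eatWord(const std::string &w) {
        skipSpace();
        if (src_.compare(pos_, w.size(), w) != 0) return false;
        std::size_t end = pos_ + w.size();
        if (end < src_.size() && isIdent(src_[end])) return false;  // prefix of a longer name
        pos_ = end;
        return true;
    }
    // The only expression this toy knows is a bare identifier. A stray
    // backslash, the character the bug's testcase ends with, is a
    // tokenizer-level error and is reported here.
    std::unique_ptr<ParseNode> expr() {
        skipSpace();
        if (pos_ >= src_.size()) return fail("unexpected end of input");
        if (src_[pos_] == '\\') return fail("illegal character '\\'");
        std::size_t start = pos_;
        while (pos_ < src_.size() && isIdent(src_[pos_])) ++pos_;
        if (pos_ == start) return fail(std::string("unexpected character '") + src_[pos_] + "'");
        auto node = std::make_unique<ParseNode>();
        node->kind = NodeKind::Name;
        node->name = src_.substr(start, pos_ - start);
        return node;
    }
};

// Parse `src` as a for-in head; returns the error message, or "" on success.
std::string parseError(const std::string &src) {
    Parser p(src);
    std::unique_ptr<ParseNode> node = p.forInHead();
    return node ? std::string() : p.error;
}

int main() {
    // Constructed inputs: the bug's shape plus a few neighbouring errors.
    const char *inputs[] = { "for (w in obj)", "for(w in\\", "for(w in", "for (w in x" };
    for (const char *s : inputs) {
        std::string err = parseError(s);
        std::cout << s << " -> " << (err.empty() ? std::string("ok") : "SyntaxError: " + err) << "\n";
    }
    return 0;
}
```

Running it prints `ok` for the well-formed head and a SyntaxError for the other three; the point is that the failing case surfaces as a message rather than as a crash in whatever code first reads the ForIn node.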
Comment 4

Created attachment 547246 [details] [diff] [review]
Patch and tests

I'm not sure how many of these tests the patch actually fixes, but based on bug 672888, I'm guessing it's more than a few.  Can't hurt to test more.  :-)
Attachment #547246 - Flags: review?(jorendorff)
Comment 5

Comment on attachment 547246 [details] [diff] [review]
Patch and tests

★ Thank you.
Attachment #547246 - Flags: review?(jorendorff) → review+
Comment 6

http://hg.mozilla.org/integration/mozilla-inbound/rev/bc74c08e8996
Whiteboard: js-triage-needed → [js-triage-done]
Target Milestone: --- → mozilla8
Comment 7

Duplicate of this bug: 672888
(Reporter)

Comment 8

6 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   73021:938c1a177114
user:        Jason Orendorff
date:        Tue Jul 19 11:00:43 2011 -0500
summary:     Bug 648175 - Remove JSOP_FOR*. Second second landing, to coin a phrase. r=dvander.
Blocks: 648175
Comment 9

To anyone looking at the commit message for this push: yes, I know.  Bug 506949, save me from myself!
Comment 10

http://hg.mozilla.org/mozilla-central/rev/bc74c08e8996
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED