714648 - Crash [@ JSString::length] (null deref) ]

Status: RESOLVED DUPLICATE of bug 714645

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test crashes on mozilla-central revision d98fbf3cbd71 (options -m -n -a):


function test(name, fn, val) {
    var ok = {}, bad = {};
    var arr = [ok, ok, ok, ((0x000B)), ok, bad];
    var log = '';
    try {
        for (var i = 0; i < arr.length; i++) {
            log >>=  '.';
        }
    } catch (exc) {    }
    assertEq(log, '.....E');
}
test("x", Function.prototype.call, null);


Backtrace:Program received signal SIGSEGV, Segmentation fault.
0x0000000000411fdc in JSString::length (this=0x0) at ../../vm/String.h:289
289             return d.lengthAndFlags >> LENGTH_SHIFT;
(gdb) bt
#0  0x0000000000411fdc in JSString::length (this=0x0) at ../../vm/String.h:289
#1  0x00000000005184b4 in js::StringToNumberType<double> (cx=0xb475c0, str=0x0, result=0x7fffffffc638) at /srv/repos/mozilla-central/js/src/jsnuminlines.h:66
#2  0x00000000005179fb in js::ToNumberSlow (cx=0xb475c0, v=..., out=0x7fffffffc638) at /srv/repos/mozilla-central/js/src/jsnum.cpp:1242
#3  0x0000000000517b92 in js::ToInt32Slow (cx=0xb475c0, v=..., out=0x7fffffffc69c) at /srv/repos/mozilla-central/js/src/jsnum.cpp:1277
#4  0x0000000000442d8c in js::ToInt32 (cx=0xb475c0, v=..., out=0x7fffffffc69c) at ../jsnum.h:288
#5  0x0000000000767dd5 in js::mjit::stubs::Rsh (f=...) at /srv/repos/mozilla-central/js/src/methodjit/StubCalls.cpp:625
#6  0x00007ffff7f41889 in ?? ()
#7  0x00007ffff7f41ee5 in ?? ()
#8  0x0000000000000001 in ?? ()
#9  0x0000000000000000 in ?? ()


This could be related to bug 714645 as it's also a null-deref going through | js::ToNumberSlow |.

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was already added in the original bug (bug 714645).