Bug 353214 - Crash involving uneval and "function ([x]) { }"
Status: Closed, VERIFIED FIXED (opened 18 years ago, closed 18 years ago)
Categories: Core :: JavaScript Engine, defect
People: Reporter: jruderman, Assigned: brendan
Keywords: crash, testcase, verified1.8.1.1; Whiteboard: [sg:critical]
Attachments: 3 files, 2 obsolete files
Description
count=8434; tryItOut("(function ([x]) { })(); eval('return 3;')");
Scary crash
js> uneval(function() { (function ([x]) { })(); eval('return 3;') })
Null deref crash
I don't know why it's a scary crash when it's part of the fuzzer but a null deref outside of the fuzzer.
Here's the mac crash reporter info for the scarier crash:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x79393d1c
Thread 0 Crashed:
0 libSystem.B.dylib 0x900030e8 strlen + 8
1 js 0x00047b20 SprintCString + 32 (crt.c:355)
2 js 0x000488f0 Decompile + 892 (crt.c:355)
3 js 0x0004e15c js_DecompileCode + 448 (crt.c:355)
4 js 0x0004ecc0 js_DecompileFunction + 760 (crt.c:355)
5 js 0x0000c89c JS_DecompileFunction + 116 (crt.c:355)
6 js 0x00011b10 js_fun_toString + 368 (crt.c:355)
7 js 0x0004ca18 Decompile + 17572 (crt.c:355)
8 js 0x0004e15c js_DecompileCode + 448 (crt.c:355)
9 js 0x0004ecc0 js_DecompileFunction + 760 (crt.c:355)
10 js 0x0000c89c JS_DecompileFunction + 116 (crt.c:355)
11 js 0x00011b10 js_fun_toString + 368 (crt.c:355)
12 js 0x000338b4 js_Invoke + 1548 (crt.c:355)
13 js 0x00033d10 js_InternalInvoke + 204 (crt.c:355)
14 js 0x0001e1e0 js_TryMethod + 284 (crt.c:355)
15 js 0x00050260 js_ValueToSource + 180 (crt.c:355)
16 js 0x000502a8 str_uneval + 28 (crt.c:355)
17 js 0x000338b4 js_Invoke + 1548 (crt.c:355)
18 js 0x0002da98 js_Interpret + 30808 (crt.c:355)
19 js 0x000331d4 js_Execute + 484 (crt.c:355)
20 js 0x00008b68 JS_ExecuteScript + 36 (crt.c:355)
21 js 0x0000298c Process + 380 (crt.c:355)
22 js 0x00005c4c main + 2032 (crt.c:355)
23 js 0x00002068 _start + 340 (crt.c:272)
24 js 0x00001f10 start + 60
Comment 1 (Reporter, 18 years ago)
Guessing this is the same bug.
count=10373; tryItOut("switch(({ get x() { export *; }, set x(/* destructuring:a2 */[/* destructuring:a1 */[y], /* destructuring:a1 */[x] ]) { let x;} })) { case eval(\"[[1]]\", function(id) { return id }): L:for(let x in (((eval).call)(eval(\"yield <x><y/></x>;\", \"\" ))))var x; case (uneval(this)): import x.*; }");
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x0076045c
Thread 0 Crashed:
0 js 0x0006d5a4 js_PushBlockScope + 124 (crt.c:355)
1 js 0x00071750 js_EmitTree + 15808 (crt.c:355)
2 js 0x00073e14 js_EmitFunctionBody + 168 (crt.c:355)
3 js 0x0006dcdc js_EmitTree + 844 (crt.c:355)
4 js 0x00071cc0 js_EmitTree + 17200 (crt.c:355)
5 js 0x00071df4 js_EmitTree + 17508 (crt.c:355)
6 js 0x0006e240 js_EmitTree + 2224 (crt.c:355)
7 js 0x000703d0 js_EmitTree + 10816 (crt.c:355)
8 js 0x0005ab2c FunctionBody + 360 (crt.c:355)
9 js 0x0005f2f4 js_CompileFunctionBody + 260 (crt.c:355)
10 js 0x000132dc Function + 1448 (crt.c:355)
11 js 0x000338b4 js_Invoke + 1548 (crt.c:355)
12 js 0x00033bb4 js_InvokeConstructor + 356 (crt.c:355)
13 js 0x0002b1d0 js_Interpret + 20368 (crt.c:355)
14 js 0x000331d4 js_Execute + 484 (crt.c:355)
15 js 0x00008b68 JS_ExecuteScript + 36 (crt.c:355)
16 js 0x0000298c Process + 380 (crt.c:355)
17 js 0x00005c4c main + 2032 (crt.c:355)
18 js 0x00002068 _start + 340 (crt.c:272)
19 js 0x00001f10 start + 60
Comment 2 (Reporter, 18 years ago)
All 3 of those no longer crash with desdec.patch-v3. But the third produces an assertion failure. Here's a reduced testcase for the assertion failure:
js> function ([x]) { let x; }
Assertion failure: body->pn_arity == PN_LIST, at jsparse.c:1323
Comment 3 (Reporter, 18 years ago)
All good with "destructuring decompilation, v5d" in bug 346642.
Depends on: desdec
Updated (Reporter, 18 years ago)
Assignee: general → brendan
Whiteboard: [sg:critical]
Updated (Reporter, 18 years ago)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 4 (18 years ago)
Updated (18 years ago)
Flags: in-testsuite+
Comment 5 (18 years ago)
Comment 6 (18 years ago)
Comment 7 (18 years ago)
verified fixed 1.9 20061002 windows/linux, not a problem in 1.8.
Status: RESOLVED → VERIFIED
Comment 8 (18 years ago)
Attachment #240887 - Attachment is obsolete: true
Comment 9 (18 years ago)
Attachment #240888 - Attachment is obsolete: true
Comment 10 (18 years ago)
fixed by Bug 346642
verified fixed 20061203 windows/linux/mac*
Keywords: verified1.8.1.1
Updated (18 years ago)
Group: security
Comment 11 (18 years ago)
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-353214.js,v <-- regress-353214.js
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-353214-01.js,v <-- regress-353214-01.js
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-353214-02.js,v <-- regress-353214-02.js
moved to extensions/ due to decompilation
Comment 12 (18 years ago)
tweak decompilation
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-353214.js,v <-- regress-353214.js
new revision: 1.3; previous revision: 1.2