Closed Bug 216320 Opened 22 years ago Closed 22 years ago

[ABW]js_FinishTakingSrcNotes is exceeding the notes array

Categories

(Core :: JavaScript Engine, defect, P1)

VERIFIED FIXED
mozilla1.5beta

People

(Reporter: dbradley, Assigned: brendan)

Details

(Keywords: crash, js1.5)

Attachments

(5 files)

The SN_MAKE_TERMINATOR(&notes[totalCount]); line is exceeding the notes array passed in. Probably may need some more adjusting like what was done in bug 215878?
Reassigning -
Assignee: rogerl → khanson
dbradley: is this with the fixes for bug 215878 ? Can you give a stack trace, or better yet the script on which this happened? /be
Assignee: khanson → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.5beta
I was just running the browser under Purify checking for something else, unfortunately I don't remember the specific thing I was doing. I was running the browser under Purify trying to diagnose another crash at the time. I'll look back and see if I figure out what I was doing. I meant to go back anyway and see if I could figure out what was going on, but got distracted. Yes, this occurred with the patch(es) in bug 215878.
I've been unable to reproduce the problem since I first reported it. Unfortunately I didn't record what I was doing at the time. I'll keep an eye out and reopen if I come across it.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Marking Verified for now -
Status: RESOLVED → VERIFIED
bryner found a reproducible case, I think it's essentially this bug, modulo heap sensitivity. This needs to get fixed for 1.5 final. /be
Status: VERIFIED → REOPENED
Resolution: WORKSFORME → ---
Hope this is ok to attach, I didn't see anything confidential in it. /be
Status: REOPENED → ASSIGNED
Patch in a few. /be
Severity: normal → critical
I should write "KEEP CG_COUNT_FINAL_TRYNOTES IN SYNC WITH js_FinishTakingSrcNotes" 100 times on a blackboard. This fixes the bug, valgrind testifies that we're pure. diff -w version in a second for review. /be
Comment on attachment 130794: diff -w of last patch (review this)
I hope shaver's around so this can get r= fast, and go in for 1.5. /be
Attachment #130794 - Flags: review?(shaver)
Sorry for the mecha.mozilla.org link, it's easy to fix if it becomes impermanent. /be
Comment on attachment 130794: diff -w of last patch (review this)
Looks good. sr=test-suite, and away? =)
Attachment #130794 - Flags: review?(shaver) → review+
I'm sure Phil will make a regression test -- he always does ;-). Thanks, shaver. Now for 1.5final approval. This was a regression in 1.5beta. /be
Keywords: crash
Flags: blocking1.5+
Attachment #130794 - Flags: approval1.5?
Comment on attachment 130794: diff -w of last patch (review this)
a=asa (on behalf of drivers) for checkin to Mozilla 1.5
Attachment #130794 - Flags: approval1.5? → approval1.5+
Fixed. /be
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
>I should write "KEEP CG_COUNT_FINAL_TRYNOTES IN SYNC WITH
>js_FinishTakingSrcNotes" 100 times on a blackboard.
I'll be there with you, writing "Always post a test case"
Testcase added to JS testsuite: mozilla/js/tests/js1_5/Regress/regress-216320.js
Marking Verified FIXED. The above testcase does not crash for me in either the debug or optimized JS shell, on either WinNT or Linux -
Status: RESOLVED → VERIFIED
Keywords: verified1.5
Flags: testcase+