Closed Bug 533397 Opened 15 years ago Closed 15 years ago

Debug builds exit when converting "1e-400" to a Number

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1
Tracking Flags:
Tracking Status
status1.9.2 --- final-fixed

People

(Reporter: bzbarsky, Assigned: reed)

References

(
URL
)

Details

Attachments

(1 file)

patch - v1
398 bytes, patch
gal
: review+
wtc
: review+
Details | Diff | Splinter Review 
Run the testcase in the url field, or this in shell:

  parseFloat("1e-400")

This causes a debug build to print "Zero passed to d2b" and then exit.  This seems to come from dtoa.c, which has:

1271                         Bug("Zero passed to d2b");

with Bug() defined as:

176 #ifdef DEBUG
177 #include "stdio.h"
178 #define Bug(x) {fprintf(stderr, "%s\n", x); exit(1);}
179 #endif

In an opt build I just get 0, as more or less expected.  The original testcase I ran into this on was actually passing this string:

  '{ "very_big_number":1e+400, "very_small_number":1e-400 }'

to JSON.parse to hit this bug.  Note that jsdtoa and prdtoa have the same code; should I file separate bugs on those?
I am going to hide this until we had a chance to analyze whats going on behind the scenes. We can reopen if this is harmless.
Group: core-security
Whiteboard: [sg:dos]
This is the JS equivalent of bug 414772. I don't think it's a security issue. We can just use that same patch.
OS: Mac OS X → All
Hardware: x86 → All
Attached patch patch - v1Splinter Review 
Direct port of the patch from bug 414772.
Assignee: general → reed
Status: NEW → ASSIGNED
Attachment #416532 - Flags: review?(mrbkap)
Looks harmless. Opening up the bug and removing the flags.
Group: core-security
Whiteboard: [sg:dos]
Comment on attachment 416532 [details] [diff] [review]
patch - v1

Stealing. I don't think Blake minds. The code was already reviewed for the other copy of dtoa anyway.
Attachment #416532 - Flags: review?(mrbkap) → review+
Attachment #416532 - Flags: approval1.9.2?
Requesting approval to land this on trunk and 1.9.2, but I think this may be fine to land on trunk based on the patch being "not part of the Firefox or Fennec builds", as it only affects debug builds, which aren't the normal type of build.
Yeah, pretty sure you don't need approval. Just land on trunk and 192. Its NPOTB.
Comment on attachment 416532 [details] [diff] [review]
patch - v1

r=wtc.
Attachment #416532 - Flags: review+
We need to change jsdtoa as well, right?
(In reply to comment #9)
> We need to change jsdtoa as well, right?

Nope, problem doesn't exist there.
http://hg.mozilla.org/mozilla-central/rev/ce80437ab5bb
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/c438ba15483a
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
status1.9.2: --- → final-fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
What about prdtoa.c?  That does seem to have the bug.
bz: prdtoa.c has been fixed in NSPR bug 414772.

Since NSPR and JS are separate products, every dtoa bug is
covered by an NSPR bug and a JS bug.
Ah, I see. It would have been really nice to file the JS bug when that one was fixed, so I didn't have to re-debug it 3 months later.  :(

I assume that the NSPR version that bug 414772 was fixed for hasn't been imported into mozilla-central yet?
The NSPR bug fix is already in mozilla-central, mozilla-1.9.2,
and mozilla-1.9.1.  This bug is not worth backporting to old
release branches, but it piggybacked on the fix for a security
vulnerability in dtoa.
Ah, I see.  I was confused by the other "zero passed to d2b" that's still there.  OK.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: