Closed
Bug 833856
Opened 11 years ago
Closed 11 years ago
Crash in CalculateUTF8Size::write with JavaScript open() function
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | --- | fixed |
People
(Reporter: mozilla, Assigned: bholley)
References
Details
(4 keywords, Whiteboard: [native-crash])
Crash Data
Attachments
(1 file)
|
3.00 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
Starting with today's nightly (20130123), a bookmarklet with the following JS crashes Firefox:
javascript:open('http://www.google.com');Test();
See the following crash reports for info:
Crash ID: bp-05a8ea58-56db-4cfd-a5fe-0e0362130123
Crash ID: bp-0be28121-468a-4e60-b5b8-149ae2130123
Crash ID: bp-1b4401aa-a167-4e70-ae09-9102d2130123
Crash ID: bp-2249ed6b-d64b-4f71-996d-9966d2130123
Crash ID: bp-2a2c2a82-9a49-497d-a5fc-18b592130123
Crash ID: bp-2e043cf8-b18d-44f8-968f-1de742130123
Crash ID: bp-37286f82-7a9c-473c-89e4-8e1702130123
Crash ID: bp-6f4d8059-06a9-4a39-baba-b11ba2130123
Crash ID: bp-71e6bc32-0db6-422d-81bb-a24fd2130123
Crash ID: bp-76a379bd-0d25-4a09-83f3-30f362130123
Crash ID: bp-780fe0f0-46ba-42e4-9f07-5a2f02130123
Crash ID: bp-85b1a3b0-c829-4b6f-9d79-8e5c72130123
Crash ID: bp-9c6e5425-7f7a-42ff-a899-dd33a2130123
Crash ID: bp-aaae0622-aebe-4d7c-a49c-bbd232130123
Crash ID: bp-b6c4c3c4-73db-41eb-ae14-5a2b52130123
Crash ID: bp-d1f4a031-6158-495e-b355-cda3d2130123
Crash ID: bp-d345923f-c6f4-47f7-83fc-fd0e52130123
|
Reporter | |
Comment 1•11 years ago
|
||
Also happens in safe mode.
|
||
Comment 2•11 years ago
|
||
I can also reproduce it. More reports at: https://crash-stats.mozilla.com/report/list?signature=CalculateUTF8Size%3A%3Awrite%28wchar_t+const*%2C+unsigned+int%29
Severity: major → critical
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)]
status-firefox21:
--- → affected
Component: Location Bar → DOM
Product: Firefox → Core
Summary: Crash with JavaScript open() function → Crash in CalculateUTF8Size::write with JavaScript open() function
Version: Trunk → 21 Branch
|
||
Comment 3•11 years ago
|
||
Regression window(m-c) Good: http://hg.mozilla.org/mozilla-central/rev/ff2e30afa205 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116123902 Bad: http://hg.mozilla.org/mozilla-central/rev/712eca11a04e Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130117 Firefox/21.0 ID:20130117024251 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ff2e30afa205&tochange=712eca11a04e Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/4d2f27cdef91 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116181650 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/3b3c304723cc Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116185154 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4d2f27cdef91&tochange=3b3c304723cc
|
|
||
Comment 4•11 years ago
|
||
I suspect bug 824864 amongst the two DOM bugs.
status-firefox20:
--- → unaffected
|
|
||
Comment 5•11 years ago
|
||
FWIW, using a Debug Build the Console mentions:
JavaScript error: javascript:open('http://www.google.com');Test();, line 1: Test is not defined
Assertion failure: JSVAL_IS_STRING(v), at e:\builds\moz2_slave\m-cen-w32-dbg\build\obj-firefox\dist\include\jsapi.h:2294
|
Assignee | |
Comment 6•11 years ago
|
||
This bug happens when we take the !useSandbox path. Basically, when the code throws, we can end up with garbage in *aRetValue while still returning true from EvaluateString. It looks like the convention is for these kind of eval functions to return success even for invalid code, so lets just make sure we check things a bit better. This crashtest is kind of half-baked in the sense that it doesn't actually crash without the rest of the patch. But the testcase here involves a lot of undefined behavior (what ends up getting left in *aRetValue) during a call to window.open (which spins the event loop, etc). I already sunk about half an hour into trying to make it crash, so I'm just going to go with this for now.
Attachment #705900 -
Flags: review?(bzbarsky)
|
|
||
Comment 7•11 years ago
|
||
Comment on attachment 705900 [details] [diff] [review] Handle errors better in EvaluateString. v1 r=me
Attachment #705900 -
Flags: review?(bzbarsky) → review+
Keywords: regressionwindow-wanted → testcase
|
|
Assignee | |
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/53640f283f68
|
|
||
Updated•11 years ago
|
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)] → [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)]
[@ CalculateUTF8Size& copy_string<nsReadingIterator<unsigned short>, CalculateUTF8Size>(nsReadingIterator<unsigned short> const&, nsReadingIterator<unsigned short> const&, CalculateUTF8Size&)]
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [native-crash]
|
||
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/53640f283f68
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
|
|
||
Updated•11 years ago
|
|
||
Updated•11 years ago
|
Assignee: nobody → bobbyholley+bmo
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•