Bug 833856 - Crash in CalculateUTF8Size::write with JavaScript open() function
Status: RESOLVED FIXED (Closed)
Opened 11 years ago; Closed 11 years ago
Categories: Core :: DOM: Core & HTML, defect
Target Milestone: mozilla21

Flag | Tracking | Status
---|---|---
firefox20 | --- | unaffected
firefox21 | --- | fixed

People: Reporter: mozilla, Assigned: bholley
Keywords: 4 keywords; Whiteboard: [native-crash]
Attachments: 1 file (3.00 KB, patch; bzbarsky: review+)
Starting with today's nightly (20130123), a bookmarklet with the following JS crashes Firefox:

javascript:open('http://www.google.com');Test();

See the following crash reports for info:
Reporter
Comment 1 • 11 years ago
Also happens in safe mode.
Comment 2 • 11 years ago
I can also reproduce it. More reports at: https://crash-stats.mozilla.com/report/list?signature=CalculateUTF8Size%3A%3Awrite%28wchar_t+const*%2C+unsigned+int%29
Severity: major → critical
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)]
status-firefox21: --- → affected
Component: Location Bar → DOM
Product: Firefox → Core
Summary: Crash with JavaScript open() function → Crash in CalculateUTF8Size::write with JavaScript open() function
Version: Trunk → 21 Branch
Comment 3 • 11 years ago
Regression window (m-c)
Good: http://hg.mozilla.org/mozilla-central/rev/ff2e30afa205
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116123902
Bad: http://hg.mozilla.org/mozilla-central/rev/712eca11a04e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130117 Firefox/21.0 ID:20130117024251
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ff2e30afa205&tochange=712eca11a04e

Regression window (m-i)
Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/4d2f27cdef91
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116181650
Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/3b3c304723cc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116185154
Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4d2f27cdef91&tochange=3b3c304723cc
Comment 4 • 11 years ago
I suspect bug 824864 amongst the two DOM bugs.
status-firefox20: --- → unaffected
Comment 5 • 11 years ago
FWIW, using a Debug Build the Console mentions:

JavaScript error: javascript:open('http://www.google.com');Test();, line 1: Test is not defined
Assertion failure: JSVAL_IS_STRING(v), at e:\builds\moz2_slave\m-cen-w32-dbg\build\obj-firefox\dist\include\jsapi.h:2294
Assignee
Comment 6 • 11 years ago
This bug happens when we take the !useSandbox path. Basically, when the code throws, we can end up with garbage in *aRetValue while still returning true from EvaluateString. It looks like the convention is for these kinds of eval functions to return success even for invalid code, so let's just make sure we check things a bit better.

This crashtest is kind of half-baked in the sense that it doesn't actually crash without the rest of the patch. But the testcase here involves a lot of undefined behavior (what ends up getting left in *aRetValue) during a call to window.open (which spins the event loop, etc.). I've already sunk about half an hour into trying to make it crash, so I'm just going to go with this for now.
Attachment #705900 - Flags: review?(bzbarsky)
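To make the failure mode described in comment 6 concrete, here is an added illustrative model (not the attached patch and not Gecko code; every name in it is invented) of an eval-style function that reports success even when the script throws but never writes its out-param on that path, beside a version that leaves the out-param in a defined state, and a caller that checks the value's type before converting it:

```cpp
#include <string>

// Toy stand-in for a JS value: either undefined or a string. (Hypothetical
// names throughout; this models comment 6, it is not Gecko's EvaluateString.)
struct Value {
    enum Tag { Undefined, String };
    Tag tag;
    std::string str;
};

// Stand-in for running a script: it "throws" (returns false) when the code
// calls the undefined Test(), as the reporter's bookmarklet does, and only
// writes *out on the success path, like an engine that never reached a result.
static bool RunScript(const std::string& code, Value* out) {
    if (code.find("Test()") != std::string::npos)
        return false;                       // exception: *out untouched
    *out = Value{Value::String, "result of " + code};
    return true;
}

// Buggy shape: success is reported even though the script threw, and nothing
// was ever stored in *aRetValue, so the caller reads whatever was there before.
bool EvaluateStringBuggy(const std::string& code, Value* aRetValue) {
    RunScript(code, aRetValue);             // outcome of the run is ignored
    return true;
}

// Hardened shape: keep the "return true even for invalid code" convention, but
// give *aRetValue a well-defined state on every path before anyone reads it.
bool EvaluateStringFixed(const std::string& code, Value* aRetValue) {
    *aRetValue = Value{Value::Undefined, ""};     // initialize before running
    if (!RunScript(code, aRetValue))
        *aRetValue = Value{Value::Undefined, ""}; // threw: explicitly no result
    return true;
}

// Caller modelled on the crash site: the result is converted to UTF-8 only if
// it really is a string. The local starts out holding leftover data to stand
// in for uninitialized stack memory.
std::string ResultAsUtf8(bool (*eval)(const std::string&, Value*),
                         const std::string& code) {
    Value v{Value::String, "STALE GARBAGE"};
    if (!eval(code, &v))
        return "";
    if (v.tag != Value::String)             // undefined result: nothing to copy
        return "";
    return v.str;                           // stands in for the UTF-8 conversion
}
```

With the buggy shape the caller happily converts the stale "string"; with the hardened shape it sees an undefined result and copies nothing.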
Comment 7 • 11 years ago
Comment on attachment 705900 [details] [diff] [review]
Handle errors better in EvaluateString. v1

r=me
Attachment #705900 - Flags: review?(bzbarsky) → review+
Keywords: regressionwindow-wanted → testcase
Assignee
Comment 8 • 11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/53640f283f68
Updated • 11 years ago
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)] → [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)]
[@ CalculateUTF8Size& copy_string<nsReadingIterator<unsigned short>, CalculateUTF8Size>(nsReadingIterator<unsigned short> const&, nsReadingIterator<unsigned short> const&, CalculateUTF8Size&)]
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [native-crash]
Comment 9 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/53640f283f68
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Updated • 11 years ago
Assignee: nobody → bobbyholley+bmo
Updated • 5 years ago
Component: DOM → DOM: Core & HTML