ConvertJSValueToByteString should use fallible allocation

RESOLVED FIXED in Firefox 46

Status

defect
RESOLVED FIXED
3 years ago
2 months ago

People

(Reporter: khuey, Assigned: khuey)

Tracking

unspecified
mozilla48
Points:
---

Firefox Tracking Flags

(firefox46 fixed, firefox47 fixed, firefox48 fixed)

Details

Attachments

(1 attachment)

Posted patch: Patch
I found at least one dump on Socorro that crashed here.  There are probably more but stackwalking fails, so I had to grovel around in the minidump to find the return address and pin it on ConvertJSValueToByteString.
Attachment #8731493 - Flags: review?(bzbarsky)
Comment on attachment 8731493 [details] [diff] [review]
Patch

Good catch.  r=me
Attachment #8731493 - Flags: review?(bzbarsky) → review+

Comment 3

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/eb4fb4fef6d4
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment on attachment 8731493 [details] [diff] [review]
Patch

Simple OOM fix to use fallible allocation on a content-controlled string.

Approval Request Comment
[Feature/regressing bug #]: N/A
[User impact if declined]: Slightly more OOM crashes
[Describe test coverage new/current, TreeHerder]: This code path is well tested, used by many WebIDL bindings
[Risks and why]: low risk
[String/UUID change made/needed]: N/A
Attachment #8731493 - Flags: approval-mozilla-beta?
Attachment #8731493 - Flags: approval-mozilla-aurora?
Comment on attachment 8731493 [details] [diff] [review]
Patch

Less crashes, taking it
Should be in 46 beta 5
Attachment #8731493 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8731493 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Component: DOM → DOM: Core & HTML
Product: Core → Core
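
The pattern this bug describes, as an added example (not the Mozilla patch or Gecko code): a byte-string conversion whose length is chosen by page content allocates fallibly and returns an error the caller can turn into an exception. All names here (`to_byte_string`, `fallible_alloc`, `g_alloc_limit`, `ByteBuf`, `ConvertResult`) are hypothetical, and the allocation cap is a test hook that simulates memory exhaustion.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Outcome the caller maps to a script-visible exception instead of a crash.
enum class ConvertResult { Ok, InvalidChar, OutOfMemory };

struct ByteBuf {
    unsigned char* data = nullptr;
    size_t len = 0;
    ~ByteBuf() { std::free(data); }
};

// Hypothetical test hook: requests above this size fail, standing in for
// real memory exhaustion so the error path can be exercised.
static size_t g_alloc_limit = SIZE_MAX;

// Fallible allocation: reports failure as nullptr, never aborts or throws.
static void* fallible_alloc(size_t n) {
    if (n > g_alloc_limit) return nullptr;
    return std::malloc(n);
}

// Narrow UTF-16 code units to bytes. Both src and len are chosen by page
// content, so the content check and the allocation must fail cleanly.
ConvertResult to_byte_string(const char16_t* src, size_t len, ByteBuf& out) {
    for (size_t i = 0; i < len; ++i)
        if (src[i] > 0xFF) return ConvertResult::InvalidChar;
    if (len == SIZE_MAX) return ConvertResult::OutOfMemory;  // len + 1 wraps
    auto* buf = static_cast<unsigned char*>(fallible_alloc(len + 1));
    if (!buf) return ConvertResult::OutOfMemory;  // out is left untouched
    for (size_t i = 0; i < len; ++i) buf[i] = static_cast<unsigned char>(src[i]);
    buf[len] = 0;
    std::free(out.data);
    out.data = buf;
    out.len = len;
    return ConvertResult::Ok;
}

int main() {
    const char16_t text[] = u"caf\u00e9";  // constructed sample input
    ByteBuf out;
    ConvertResult ok = to_byte_string(text, 4, out);
    g_alloc_limit = 2;  // simulate memory pressure
    ConvertResult oom = to_byte_string(text, 4, out);
    std::printf("ok=%d oom=%d len=%zu\n", ok == ConvertResult::Ok,
                oom == ConvertResult::OutOfMemory, out.len);
    return 0;
}
```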