Open Bug 1458035 Opened 6 years ago Updated 2 years ago

firefox 52 segfault in js

Categories

(Core :: JavaScript: Internationalization API, defect, P3)

52 Branch
defect


UNCONFIRMED

People

(Reporter: vitalik.perevertun, Unassigned)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20180317190926

Steps to reproduce:

<path>/firefox-52.7.2esr/js/src/builtin/Intl.cpp:964
        collation = 0x0
        jscollation = {<js::RootedBase<JSString*>> = {<No data fields>}, stack = 0x7ffffffe9230, prev = 0xfffa000000000009, ptr = 0x7fffc108c850}
        element =

See patch.

Possible null access in the equal function.

https://hg.mozilla.org/releases/mozilla-esr52/file/tip/js/src/builtin/Intl.cpp#l670
https://hg.mozilla.org/releases/mozilla-esr52/file/tip/js/src/builtin/Intl.cpp#l964
Based on the bugs fixed/revisions of the files containing the issue, the bug probably belongs to the Core - JavaScript: internationalization API. I have set the component accordingly. Please set it correctly if it does not belong there.
Component: Untriaged → JavaScript: Internationalization API
Product: Firefox → Core
Unless this is a self-built Firefox with system-ICU using ICU58 [1], this could be another issue where ICU doesn't report OOM errors [2,3].

In that case we probably need to handle null-pointer returns from uenum_next() explicitly in js::intl_availableCollations() and js::intl_availableCalendars(). Or we remove the uenum_count() call and instead stop enumeration when the first null-pointer was seen (which then means we either have traversed the complete enumerator or ICU OOM-ed without setting an error status).

(We already do the latter in all other cases when we enumerate over ICU enumerators, because uenum_count() is actually documented as potentially being expensive [4], so we avoid it elsewhere...)

[1] http://bugs.icu-project.org/trac/ticket/12827
[2] http://bugs.icu-project.org/trac/ticket/13712
[3] http://bugs.icu-project.org/trac/ticket/13739
[4] http://icu-project.org/apiref/icu4c/uenum_8h.html#a8be6db20419d79ecdd71e717a9521773
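An added illustration of the two loop shapes proposed in the comment above. This is not code from Intl.cpp, ICU, or any commenter on this bug: the ICU types and functions below (UErrorCode, U_FAILURE, uenum_count, uenum_next) are stand-ins that copy ICU's signatures but are implemented here so the example runs offline, and the collation keywords are constructed sample input. The stand-in enumerator reports the full count from uenum_count() but makes uenum_next() return nullptr early without setting the status, which is the unreported-OOM behaviour the ICU tickets describe and the situation in which a count-driven loop hands a null pointer to strlen() or equal().

```cpp
// Added example for bug 1458035, not code from Intl.cpp, ICU or any commenter.
// ICU names below are stand-ins with ICU's signatures; the enumerator simulates
// uenum_count() reporting N entries while uenum_next() goes null early without
// touching the error status.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Stand-ins for UErrorCode / U_FAILURE (assumed shapes, not the ICU headers).
enum UErrorCode { U_ZERO_ERROR = 0, U_MEMORY_ALLOCATION_ERROR = 7 };
static bool U_FAILURE(UErrorCode s) { return s > U_ZERO_ERROR; }

// Stand-in for the opaque UEnumeration.
struct FakeUEnumeration {
    std::vector<const char*> items; // constructed sample keywords
    size_t failAt;                  // simulated silent OOM: nullptr from this index on
    size_t pos = 0;
};

static FakeUEnumeration makeEnum(std::vector<const char*> items, size_t failAt) {
    FakeUEnumeration e;
    e.items = std::move(items);
    e.failAt = failAt;
    return e;
}

// uenum_count() stand-in: still reports the full size after the simulated
// OOM, so a count-driven loop runs more iterations than next() can satisfy.
static int32_t fake_uenum_count(FakeUEnumeration* e, UErrorCode* /*status*/) {
    return static_cast<int32_t>(e->items.size());
}

// uenum_next() stand-in: nullptr at the end of the enumeration, or from
// failAt onwards while leaving *status untouched (the unreported OOM).
static const char* fake_uenum_next(FakeUEnumeration* e, int32_t* resultLength,
                                   UErrorCode* /*status*/) {
    if (e->pos >= e->items.size() || e->pos >= e->failAt) return nullptr;
    const char* s = e->items[e->pos++];
    if (resultLength) *resultLength = static_cast<int32_t>(strlen(s));
    return s;
}

// Option (a) from the comment: keep uenum_count() but treat a nullptr from
// uenum_next() as an error instead of handing it to strlen()/equal().
// Returns false when the enumerator ended before the reported count.
static bool enumerateByCountChecked(FakeUEnumeration* e, std::vector<std::string>* out) {
    out->clear();
    UErrorCode status = U_ZERO_ERROR;
    int32_t count = fake_uenum_count(e, &status);
    if (U_FAILURE(status)) return false;
    for (int32_t i = 0; i < count; i++) {
        int32_t len = 0;
        const char* item = fake_uenum_next(e, &len, &status);
        if (U_FAILURE(status)) return false;
        if (!item) return false; // the explicit null check the comment asks for
        out->push_back(std::string(item, static_cast<size_t>(len)));
    }
    return true;
}

// Option (b): drop uenum_count() and stop at the first nullptr. End-of-list
// and silent OOM are indistinguishable here, so the result may be short,
// but no null pointer is ever dereferenced.
static std::vector<std::string> enumerateUntilNull(FakeUEnumeration* e) {
    std::vector<std::string> out;
    UErrorCode status = U_ZERO_ERROR;
    for (;;) {
        int32_t len = 0;
        const char* item = fake_uenum_next(e, &len, &status);
        if (U_FAILURE(status) || !item) break;
        out.push_back(std::string(item, static_cast<size_t>(len)));
    }
    return out;
}

int main() {
    // Three constructed collation keywords; next() goes null after the first.
    FakeUEnumeration oom = makeEnum({"standard", "search", "phonebook"}, 1);
    std::vector<std::string> byCount;
    bool ok = enumerateByCountChecked(&oom, &byCount);
    std::printf("count-driven: ok=%d, got %zu of %d\n", ok ? 1 : 0, byCount.size(),
                fake_uenum_count(&oom, nullptr));

    FakeUEnumeration oom2 = makeEnum({"standard", "search", "phonebook"}, 1);
    std::vector<std::string> untilNull = enumerateUntilNull(&oom2);
    std::printf("stop-at-null: got %zu\n", untilNull.size());
    return 0;
}
```

With failAt set past the end of the list both loops return all three keywords; with failAt = 1 the count-driven loop reports failure after one item instead of passing nullptr on, and the stop-at-null loop simply returns the one item it could read.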
I have another bug (possible null access) in js.

Is the 52 branch already closed for bug fixes?

Or can I write here about this bug?
Depends on: 1552900
Priority: -- → P2
Severity: normal → S3
Priority: P2 → P3
