Bug 154338 - garbage string (length 0x40008001) as argv[0] in array_join
Status: VERIFIED FIXED (closed)
Opened 23 years ago; closed 23 years ago
Product / Component: Core :: JavaScript Engine (defect)
Target Milestone: mozilla1.0.1
Reporter: carsten.j; Assigned: rogerl
Keywords: js1.5, testcase
Whiteboard: Comment #6 has typos; see Comment #8 instead
Attachments (2 files):
- testcase, 164 bytes, text/html
- patch, 490 bytes: review+ (khanson), superreview+ (jag+mozilla), approval+ (brendan)
Hi Mozilla team,
I tried to enter the Toyota webpage of Germany http://www.toyota.de.
Unfortunately, with version 1.1a the very left frame with some navigation links
is not displayed. With version 1.0 almost the whole page is not displayed.
Regards
Carsten
Comment 1•23 years ago
I can confirm that the navigation column at the left is not displayed in recent
trunk builds (2002062504 on Win2k), but for me it looks exactly the same in 1.0.
And: "very left frame" may sound misleading: I don't think this page uses HTML
frames.
Comment 2•23 years ago
The page triggers a JSMSG_OUT_OF_MEMORY using code that I have reduced to this
attachment... Both lines 5 and 6 will trigger the error; what the site does is
more like line 6, but line 5 is simpler and shorter (though possibly not
equivalent).
Comment 3•23 years ago
And over to jseng.
Assignee: Matti → rogerl
Severity: normal → major
Component: Browser-General → JavaScript Engine
OS: Windows NT → All
QA Contact: imajes-qa → pschwartau
Hardware: PC → All
Comment 4•23 years ago
js> ["a","a"].join("H"[0]);
typein:5: out of memory
js> ["a","a"].join("abc".substr(1,1));
typein:10: out of memory
js> var b = "H"[0];
js> ["a","a"].join(b)
typein:15: out of memory
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5•23 years ago
This is not a true memory issue (memory is presumably why timeless added me to
the CC list...); I'm getting a garbage string (length 0x40008001) as argv[0] in
array_join, which is why the allocation fails.
My analysis stops there, though.
--scole
Keywords: testcase
Summary: Incomplete presentation of web page → garbage string (length 0x40008001) as argv[0] in array_join
Comment 6•23 years ago
Reassigning to Brendan. Here is an elaboration of Boris' testcase:
var arr = new Array("a", "b");
var x = "Home"[0];
var y = ("Home".split("H"))[1];
print(x); <--- outputs "H"
print(y); <--- outputs "ome"
print(x === "H"); <--- outputs "true"
print(y === "ome"); <--- outputs "true"
arr.join("H"); <--- outputs "a, b" no problem
arr.join("ome"); <--- outputs "a, b" no problem
arr.join(x); <--- out of memory error
arr.join(y); <--- out of memory error
Assignee: rogerl → brendan
Comment 7•23 years ago (Assignee)
Old-style (pre dependent string fix) reference to the length field; should have used the
JSSTRING_LENGTH macro instead.
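As an added illustration of the diagnosis in Comment 7 (this is example code, not code from the bug, the patch, or SpiderMonkey): a small C model of a string type in which a dependent string (a view such as "Home"[0] or "abc".substr(1,1)) shares its base string's buffer and packs a flag bit, a start offset and a length into the single raw `length` word. A join that reads `sep->length` directly therefore computes an absurd separator length and its allocation fails with "out of memory", exactly the symptom in Comment 4 and Comment 5, while the accessor macro (named STRING_LENGTH here, standing in for JSSTRING_LENGTH) returns the real length. The bit layout, the MAX_ALLOC ceiling that simulates allocation failure, and every function name are assumptions chosen for the illustration; they are not SpiderMonkey's actual layout or API.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Illustrative layout (assumption, not SpiderMonkey's real bit assignment):
 * a dependent string packs flag | start << 16 | length into one word. */
#define STRFLAG_DEPENDENT 0x40000000u
#define DEP_START_SHIFT   16
#define DEP_START_MASK    0x3FFFu   /* 14 bits of start offset into the base */
#define DEP_LENGTH_MASK   0xFFFFu   /* 16 bits of dependent length */

typedef struct String {
    uint32_t length;                /* flat: length; dependent: packed word */
    union {
        char *chars;                /* flat: owned buffer */
        struct String *base;        /* dependent: shared base string */
    } u;
} String;

/* Accessor macros: the only correct way to read length/chars of any string. */
#define STRING_IS_DEPENDENT(s) (((s)->length & STRFLAG_DEPENDENT) != 0)
#define STRDEP_START(s)  (((s)->length >> DEP_START_SHIFT) & DEP_START_MASK)
#define STRING_LENGTH(s) (STRING_IS_DEPENDENT(s) ? ((s)->length & DEP_LENGTH_MASK) : (s)->length)
#define STRING_CHARS(s)  (STRING_IS_DEPENDENT(s) ? (s)->u.base->u.chars + STRDEP_START(s) : (s)->u.chars)

/* Simulated allocator ceiling (assumption): larger requests are "out of memory". */
#define MAX_ALLOC (1u << 24)

static String *new_flat(const char *cstr) {
    String *s = malloc(sizeof *s);
    s->length = (uint32_t)strlen(cstr);
    s->u.chars = malloc(s->length + 1);
    memcpy(s->u.chars, cstr, s->length + 1);
    return s;
}

/* A view into `base` with no copy, like "Home"[0] or "abc".substr(1,1). */
static String *new_dependent(String *base, uint32_t start, uint32_t len) {
    String *s = malloc(sizeof *s);
    s->length = STRFLAG_DEPENDENT | (start << DEP_START_SHIFT) | len;
    s->u.base = base;
    return s;
}

/* Shared join body; `seplen` is whatever the caller believes the separator length is. */
static String *join_with_seplen(String **elems, size_t n, String *sep, uint32_t seplen) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += STRING_LENGTH(elems[i]);
    if (n > 1)
        total += (uint64_t)seplen * (n - 1);
    if (total + 1 > MAX_ALLOC)
        return NULL;                              /* the "out of memory" path */
    char *buf = malloc((size_t)total + 1), *p = buf;
    for (size_t i = 0; i < n; i++) {
        if (i > 0) { memcpy(p, STRING_CHARS(sep), seplen); p += seplen; }
        memcpy(p, STRING_CHARS(elems[i]), STRING_LENGTH(elems[i]));
        p += STRING_LENGTH(elems[i]);
    }
    *p = '\0';
    String *out = malloc(sizeof *out);
    out->length = (uint32_t)total;
    out->u.chars = buf;
    return out;
}

/* Pre-fix pattern: the raw field is garbage for a dependent separator. */
static String *array_join_buggy(String **elems, size_t n, String *sep) {
    return join_with_seplen(elems, n, sep, sep->length);
}

/* Fixed pattern: always go through the accessor macro. */
static String *array_join_fixed(String **elems, size_t n, String *sep) {
    return join_with_seplen(elems, n, sep, STRING_LENGTH(sep));
}

static int string_equals(const String *s, const char *cstr) {
    return s != NULL && STRING_LENGTH(s) == strlen(cstr)
        && memcmp(STRING_CHARS(s), cstr, STRING_LENGTH(s)) == 0;
}

int main(void) {
    String *elems[2] = { new_flat("a"), new_flat("b") };
    String *home = new_flat("Home");
    String *x = new_dependent(home, 0, 1);   /* "Home"[0]            -> "H"   */
    String *y = new_dependent(home, 1, 3);   /* "Home".split("H")[1] -> "ome" */
    printf("raw x->length = 0x%08x, STRING_LENGTH(x) = %u\n",
           (unsigned)x->length, (unsigned)STRING_LENGTH(x));
    String *r = array_join_buggy(elems, 2, x);
    printf("buggy join with x: %s\n", r ? r->u.chars : "out of memory");
    r = array_join_fixed(elems, 2, y);
    printf("fixed join with y: %s\n", r ? r->u.chars : "out of memory");
    return 0;
}
```

A flat separator such as the literal "H" behaves identically in both versions, which is why Comment 8's arr.join("H") works while arr.join(x) does not: the raw field and the macro only disagree once the separator is a dependent string. The same reasoning applies to any other site that still reads the field directly, which is the question raised in the superreview.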
Comment 8•23 years ago
Two typos in Comment #6; sorry. Here is the actual output:
var arr = new Array("a", "b");
var x = "Home"[0];
var y = ("Home".split("H"))[1];
print(x); <--- outputs "H"
print(y); <--- outputs "ome"
print(x === "H"); <--- outputs "true"
print(y === "ome"); <--- outputs "true"
arr.join("H"); <--- outputs "aHb" no problem
arr.join("ome"); <--- outputs "aomeb" no problem
arr.join(x); <--- out of memory error
arr.join(y); <--- out of memory error
Whiteboard: Comment #6 has typos; see Comment #8 instead
Comment 9•23 years ago
And let me reassign back to rogerl, since he has provided a patch -
Assignee: brendan → rogerl
Comment 10•23 years ago
Comment on attachment 89291: Use JSSTRING_LENGTH instead of ->length
r=khanson
Attachment #89291 flags: review+
Comment 11•23 years ago
Testcase added to JS testsuite:
mozilla/js/tests/js1_5/Array/regress-154338.js
Comment 12•23 years ago
Comment on attachment 89291: Use JSSTRING_LENGTH instead of ->length
sr=jag
Are there any other places we might've forgotten to patch?
Attachment #89291 flags: superreview+
Comment 13•23 years ago (Assignee)
Well, I believe not. When #56940 was checked in we went through the source pretty
carefully [I thought!]. I'm still not sure how this one got by; it's not like
it's new code (per lxr it's from 1998). I just looked again, by changing the
field name and examining the compile errors, and I don't see anything.
Comment 15•23 years ago (Assignee)
Fix checked in to trunk.
Comment 16•23 years ago
Let's get this into the 1.0 branch for 1.0.1.
/be
Target Milestone: --- → mozilla1.0.1
Comment 17•23 years ago
Comment on attachment 89291: Use JSSTRING_LENGTH instead of ->length
Roger, can you check this into the branch today? I'll set mozilla1.0.1+
(forgot to do that last time, sorry for the spam), so change that to fixed1.0.1
when the patch is in the branch. Thanks,
/be
Attachment #89291 flags: approval+
Updated•23 years ago
Keywords: mozilla1.0.1 → mozilla1.0.1+
Comment 18•23 years ago (Assignee)
Fixed in branch, too.
Status: NEW → RESOLVED
Closed: 23 years ago
Keywords: mozilla1.0.1+ → fixed1.0.1
Resolution: --- → FIXED
Comment 19•23 years ago
*** Bug 168073 has been marked as a duplicate of this bug. ***
Updated•20 years ago
Flags: testcase+