Closed Bug 216320 Opened 21 years ago Closed 21 years ago

[ABW]js_FinishTakingSrcNotes is exceeding the notes array

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.5beta

People

(Reporter: dbradley, Assigned: brendan)

Details

(Keywords: crash, js1.5)

Attachments

(5 files)

The SN_MAKE_TERMINATOR(&notes[totalCount]); line is exceeding the notes array
passed in. Probably may need some more adjusting like what was done in bug 215878?
Reassigning -
Assignee: rogerl → khanson
dbradley: is this with the fixes for bug 215878 ?  Can you give a stack trace,
or better yet the script on which this happened?

/be
Assignee: khanson → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.5beta
I was just running the browser under Purify checking for something else,
unfortunately I don't remember the specific thing I was doing. I was running
the browser under Purify trying to diagnose another crash at the time. I'll
look back and see if I figure out what I was doing. I meant to go back anyway
and see if I could figure out what was going on, but got distracted.

Yes, this occurred with the patch(es) in bug 215878.
I've been unable to reproduce the problem since I first reported it.
Unfortunately I didn't record what I was doing at the time. I'll keep an eye out
and reopen if I come across it.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
Marking Verified for now -
Status: RESOLVED → VERIFIED
bryner found a reproducible case, I think it's essentially this bug, modulo heap
sensitivity.  This needs to get fixed for 1.5 final.

/be
Status: VERIFIED → REOPENED
Resolution: WORKSFORME → ---
Hope this is ok to attach, I didn't see anything confidential in it.

/be
Status: REOPENED → ASSIGNED
Patch in a few.

/be
Severity: normal → critical
I should write "KEEP CG_COUNT_FINAL_TRYNOTES IN SYNC WITH
js_FinishTakingSrcNotes" 100 times on a blackboard.

This fixes the bug, valgrind testifies that we're pure.

diff -w version in a second for review.

/be
Comment on attachment 130794 [details] [diff] [review]
diff -w of last patch (review this)

I hope shaver's around so this can get r= fast, and go in for 1.5.

/be
Attachment #130794 - Flags: review?(shaver)
Sorry for the mecha.mozilla.org link, it's easy to fix if it becomes
impermanent.

/be
Comment on attachment 130794 [details] [diff] [review]
diff -w of last patch (review this)

Looks good. sr=test-suite, and away? =)
Attachment #130794 - Flags: review?(shaver) → review+
I'm sure Phil will make a regression test -- he always does ;-).  Thanks, shaver.

Now for 1.5final approval.  This was a regression in 1.5beta.

/be
Keywords: crash
Flags: blocking1.5+
Attachment #130794 - Flags: approval1.5?
Comment on attachment 130794 [details] [diff] [review]
diff -w of last patch (review this)

a=asa (on behalf of drivers) for checkin to Mozilla 1.5
Attachment #130794 - Flags: approval1.5? → approval1.5+
Fixed.

/be
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
>I should write "KEEP CG_COUNT_FINAL_TRYNOTES IN SYNC WITH
>js_FinishTakingSrcNotes" 100 times on a blackboard.

I'll be there with you, writing "Always post a test case"
Testcase added to JS testsuite:

      mozilla/js/tests/js1_5/Regress/regress-216320.js
Marking Verified FIXED.

The above testcase does not crash for me in either the debug
or optimized JS shell, on either WinNT or Linux -
Status: RESOLVED → VERIFIED
Keywords: verified1.5
Flags: testcase+
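
The bug class discussed in this report (a sizing count that drifts out of sync with the routine that writes the notes and their terminator), shown as an added example that is not SpiderMonkey's code or the attached patch. `struct gen`, `NOTE_ADJUST` and all function names are hypothetical; the finisher takes the buffer capacity, so a stale count produces a refused write instead of a terminator stored past the end of the array.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t note_t;
enum { NOTE_TERMINATOR = 0, NOTE_ADJUST = 0x7f };  /* hypothetical encodings */

/* Hypothetical generator state: two note lists merged when finishing. */
struct gen {
    const note_t *prolog; size_t prolog_count;
    const note_t *body;   size_t body_count;
    int needs_adjust;  /* finisher emits one extra note between the lists */
};

/* Sizing that has drifted: it forgets the extra note the finisher writes. */
size_t count_final_stale(const struct gen *g) {
    return g->prolog_count + g->body_count + 1;  /* +1 for the terminator */
}
/* Sizing kept in sync with finish_notes(). */
size_t count_final(const struct gen *g) {
    return g->prolog_count + (g->needs_adjust ? 1 : 0) + g->body_count + 1;
}

/* Append len notes only if they fit in the remaining capacity. */
static int put(note_t *out, size_t cap, size_t *n, const note_t *src, size_t len) {
    if (len > cap - *n) return 0;
    memcpy(out + *n, src, len);
    *n += len;
    return 1;
}

/* Returns notes written (terminator included), or 0 if cap is too small. */
size_t finish_notes(const struct gen *g, note_t *out, size_t cap) {
    const note_t adjust = NOTE_ADJUST, term = NOTE_TERMINATOR;
    size_t n = 0;
    if (!put(out, cap, &n, g->prolog, g->prolog_count)) return 0;
    if (g->needs_adjust && !put(out, cap, &n, &adjust, 1)) return 0;
    if (!put(out, cap, &n, g->body, g->body_count)) return 0;
    if (!put(out, cap, &n, &term, 1)) return 0;
    return n;
}

/* Constructed sample: 2 prolog notes, 2 body notes, adjust note required. */
size_t demo(int use_stale_count) {
    static const note_t prolog[] = {1, 2}, body[] = {3, 4};
    struct gen g = {prolog, 2, body, 2, 1};
    note_t buf[8];
    size_t cap = use_stale_count ? count_final_stale(&g) : count_final(&g);
    return finish_notes(&g, buf, cap);
}
/* Exit status 0 when the stale count is rejected and the synced one fits. */
int main(void) { return (demo(1) == 0 && demo(0) == 6) ? 0 : 1; }
```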