Closed Bug 327170 Opened 19 years ago Closed 19 years ago

Reuse of RegExp in string.replace(rx.compile(...), function() { rx.compile(...); }) causes a crash

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla1.9alpha1

People

(Reporter: mozilla.nospam, Assigned: mrbkap)

References

(
URL
)

Details

(4 keywords, Whiteboard: [sg:moderate] potentially reveals memory [patch][rft-dl])

Attachments

(2 files)

Fix 19 years ago Blake Kaplan (:mrbkap) (inactive) 5.92 KB, patch	brendan : review+ dveditz : approval-aviary1.0.8+ dveditz : approval1.7.13+ brendan : approval-branch-1.8.1+ dveditz : approval1.8.0.2+	Details \| Diff \| Splinter Review
ecma_3/RegExp/regress-327170.js 19 years ago Bob Clary [:bc] (inactive) 2.31 KB, text/plain		Details

Jonas Jonsson

Reporter

Description

•

19 years ago

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 http://www.fatbrain.org/js-bug2.txt for the source-code version. Not much more to say, u fix ;) Reproducible: Always Steps to Reproduce: 1. Create a RegExp object. 2. Run replace function on some string: "teststring".replace(rx.compile("s", "g"), function() { fx.compile("bleh", "g"); }) 3. Crash. Actual Results: Crash

Blake Kaplan (:mrbkap) (inactive)

Assignee

Comment 1

•

19 years ago

I can reproduce this.

Status: UNCONFIRMED → NEW

Ever confirmed: true

Blake Kaplan (:mrbkap) (inactive)

Assignee

Updated

•

19 years ago

Severity: normal → critical

OS: Windows XP → All

Priority: -- → P1

Hardware: PC → All

Whiteboard: [patch]

Target Milestone: --- → mozilla1.9alpha

Blake Kaplan (:mrbkap) (inactive)

Assignee

Comment 2

•

19 years ago

Attached patch Fix — Details — Splinter Review

We need to make sure that we hold a reference to the regular expression while we're using it.

Assignee: general → mrbkap

Status: NEW → ASSIGNED

Attachment #211897 - Flags: superreview?(shaver)

Attachment #211897 - Flags: review?(brendan)

Brendan Eich [:brendan]

Comment 3

•

19 years ago

Comment on attachment 211897 [details] [diff] [review] Fix Great, thanks -- r=me. /be

Attachment #211897 - Flags: review?(brendan)

Attachment #211897 - Flags: review+

Attachment #211897 - Flags: approval1.7.13?

Attachment #211897 - Flags: approval-branch-1.8.1+

Attachment #211897 - Flags: approval-aviary1.0.8?

Brendan Eich [:brendan]

Updated

•

19 years ago

Flags: blocking1.8.1+

Flags: blocking1.7.13?

Flags: blocking-aviary1.0.8?

Brendan Eich [:brendan]

Comment 4

•

19 years ago

FMR, not good -- want fixed on branches. /be

Keywords: crash

Daniel Veditz [:dveditz]

Updated

•

19 years ago

Flags: blocking1.7.13?

Flags: blocking1.7.13+

Flags: blocking-aviary1.0.8?

Flags: blocking-aviary1.0.8+

Daniel Veditz [:dveditz]

Updated

•

19 years ago

Group: security

Whiteboard: [patch] → [sg:moderate] potentially leaks memory [patch]

Blake Kaplan (:mrbkap) (inactive)

Assignee

Comment 5

•

19 years ago

Comment on attachment 211897 [details] [diff] [review] Fix I think we want this on the 1.8.0 branch.

Attachment #211897 - Flags: approval1.8.0.2?

Daniel Veditz [:dveditz]

Updated

•

19 years ago

Flags: blocking1.8.0.2+

Whiteboard: [sg:moderate] potentially leaks memory [patch] → [sg:moderate] potentially reveals memory [patch]

Blake Kaplan (:mrbkap) (inactive)

Assignee

Comment 6

•

19 years ago

Fix checked into trunk.

Status: ASSIGNED → RESOLVED

Closed: 19 years ago

Resolution: --- → FIXED

Daniel Veditz [:dveditz]

Comment 7

•

19 years ago

Comment on attachment 211897 [details] [diff] [review] Fix approved for old branches, a=dveditz for drivers

Attachment #211897 - Flags: approval1.8.0.2?

Attachment #211897 - Flags: approval1.8.0.2+

Attachment #211897 - Flags: approval1.7.13?

Attachment #211897 - Flags: approval1.7.13+

Attachment #211897 - Flags: approval-aviary1.0.8?

Attachment #211897 - Flags: approval-aviary1.0.8+

Blake Kaplan (:mrbkap) (inactive)

Assignee

Comment 8

•

19 years ago

Fix checked into the 1.7 branches.

Keywords: fixed-aviary1.0.8, fixed1.7.13

Bob Clary [:bc] (inactive)

Comment 9

•

19 years ago

Attached file ecma_3/RegExp/regress-327170.js — Details

Bob Clary [:bc] (inactive)

Comment 10

•

19 years ago

v with today's ff trunk/mozilla 1.7.13 on winxp. i'll v1.0.8 with the regular test run later.

Status: RESOLVED → VERIFIED

Flags: testcase+

Keywords: fixed1.7.13 → verified1.7.13

Bob Clary [:bc] (inactive)

Comment 11

•

19 years ago

v 1.7.13, 1.9a1 20060217 win/linux/mac, still needs checkin on 1.8.0.1 and 1.8 branches.

Keywords: fixed-aviary1.0.8 → verified-aviary1.0.8

Blake Kaplan (:mrbkap) (inactive)

Assignee

Comment 12

•

19 years ago

Fix checked into the 1.8 branches.

Keywords: fixed1.8.0.2, fixed1.8.1

Dave Liebreich [:davel]

Updated

•

19 years ago

Whiteboard: [sg:moderate] potentially reveals memory [patch] → [sg:moderate] potentially reveals memory [patch][rft-dl]

Bob Clary [:bc] (inactive)

Comment 13

•

19 years ago

v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac

Keywords: fixed1.8.0.2, fixed1.8.1 → verified1.8.0.2, verified1.8.1

Daniel Veditz [:dveditz]

Updated

•

19 years ago

Group: security

Bob Clary [:bc] (inactive)

Comment 14

•

19 years ago

Checking in regress-327170.js; /cvsroot/mozilla/js/tests/ecma_3/RegExp/regress-327170.js,v <-- regress-327170.js initial revision: 1.1

Brendan Eich [:brendan]

Updated

•

19 years ago

Keywords: fixed1.8.1

Bob Clary [:bc] (inactive)

Updated

•

19 years ago

Keywords: fixed1.8.1

Mike Shaver (:shaver emeritus)

Updated

•

19 years ago

Attachment #211897 - Flags: superreview?(shaver)

You need to log in before you can comment on or make changes to this bug.