Last Comment Bug 328249 - E4X crash due to infinite recursion in js_IsXMLName
: E4X crash due to infinite recursion in js_IsXMLName
: crash, testcase, verified1.8.0.2, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: P1 critical (vote)
: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
: Jason Orendorff [:jorendorff]
: 328254 (view as bug list)
Depends on: 328769
Blocks: 326633
  Show dependency treegraph
Reported: 2006-02-22 18:16 PST by Jesse Ruderman
Modified: 2006-03-02 12:10 PST (History)
3 users (show)
dveditz: blocking1.8.0.2+
bob: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (97 bytes, text/html)
2006-02-22 18:18 PST, Jesse Ruderman
no flags Details
Fix (987 bytes, patch)
2006-02-23 14:46 PST, Blake Kaplan (:mrbkap)
brendan: review+
brendan: approval‑branch‑1.8.1+
dveditz: approval1.8.0.2+
Details | Diff | Splinter Review

Description Jesse Ruderman 2006-02-22 18:16:57 PST
Comment 1 Jesse Ruderman 2006-02-22 18:18:05 PST
Created attachment 212837 [details]
Comment 2 Brendan Eich [:brendan] 2006-02-22 18:45:48 PST
Blake generously offered to dive between this bullet and the president, in slow-mo yelling "guuuuuuhnnnnnnnnnnnn!", or was that "eeeeeeeeeeeeeefoooooooorrrrrrrrrrrrrxxxxxxxxxxxxxxxxxxxxxxxx!"?

Comment 3 Blake Kaplan (:mrbkap) 2006-02-23 14:43:48 PST
*** Bug 328254 has been marked as a duplicate of this bug. ***
Comment 4 Blake Kaplan (:mrbkap) 2006-02-23 14:45:40 PST
Our cycle detection wasn't handling lists, causing us to miss the "easy" case described here. Lists of length 1 are special in that you can do stuff on them that acts like you're doing it to its only element, therefore CheckCycle needs to deal.

Note that we catch the case where kids->length > 1 before we ever get near the CheckCycle code.
Comment 5 Blake Kaplan (:mrbkap) 2006-02-23 14:46:40 PST
Created attachment 212961 [details] [diff] [review]
Comment 6 Brendan Eich [:brendan] 2006-02-23 14:57:28 PST
Comment on attachment 212961 [details] [diff] [review]

I was a collaborator on this fix, but sure, r=me.

BTW, E4X sucks.

Comment 7 Blake Kaplan (:mrbkap) 2006-02-23 15:03:24 PST
Fix checked into trunk.
Comment 8 Daniel Veditz [:dveditz] 2006-02-24 12:27:50 PST
Comment on attachment 212961 [details] [diff] [review]

approved for 1.8.9 branch, a=dveditz for drivers
Comment 9 Daniel Veditz [:dveditz] 2006-02-24 12:28:22 PST
> 1.8.9 branch

1.8.0, I mean

Comment 10 Blake Kaplan (:mrbkap) 2006-02-24 13:21:23 PST
Fix checked into the 1.8 branches.
Comment 11 Bob Clary [:bc:] 2006-02-26 00:50:46 PST
Checking in regress-328249.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-328249.js,v  <--  regress-328249.js
initial revision: 1.1

I don't see a crash in today's ff trunk on winxp, but a current debug shell does appear to crash. I'll know more when I do a full test run.
Comment 12 Dave Liebreich [:davel] 2006-03-01 14:04:36 PST
Marking [rft-dl] (ready for testing in Firefox release candidates) since in-testsuite+ indicates a test case exists in the js test library.
Comment 13 Bob Clary [:bc:] 2006-03-02 12:10:41 PST
v ff 20060302 win/linux/mac

Note You need to log in before you can comment on or make changes to this bug.