E4X crash due to infinite recursion in js_IsXMLName

VERIFIED FIXED in mozilla1.9alpha1

Status

Core
JavaScript Engine
P1
critical
VERIFIED FIXED
12 years ago
12 years ago

People

(Reporter: Jesse Ruderman, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla1.9alpha1
crash, testcase, verified1.8.0.2, verified1.8.1
Bug Flags:
blocking1.8.0.2 +
in-testsuite +

Details

(Whiteboard: [patch][rft-dl])

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
 
(Reporter)

Comment 1

12 years ago
Created attachment 212837
testcase
Blake generously offered to dive between this bullet and the president, in slow-mo yelling "guuuuuuhnnnnnnnnnnnn!", or was that "eeeeeeeeeeeeeefoooooooorrrrrrrrrrrrrxxxxxxxxxxxxxxxxxxxxxxxx!"?

/be
Assignee: general → mrbkap
(Assignee)

Comment 3

12 years ago
*** Bug 328254 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 4

12 years ago
Our cycle detection wasn't handling lists, causing us to miss the "easy" case described here. Lists of length 1 are special in that you can do stuff on them that acts like you're doing it to its only element, therefore CheckCycle needs to deal.

Note that we catch the case where kids->length > 1 before we ever get near the CheckCycle code.
Status: NEW → ASSIGNED
OS: MacOS X → All
Priority: -- → P1
Hardware: Macintosh → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
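
A simplified model of the gap described in comment 4, as an added example that is not SpiderMonkey's code or the attached patch: the node type, `would_cycle` and the `handle_lists` switch are hypothetical names. With list handling off, a one-element list wrapping an ancestor slips past the ancestor walk; unwrapping the list first catches it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model with hypothetical types; not SpiderMonkey's JSXML. */
enum node_class { NODE_ELEMENT, NODE_LIST };

struct node {
    enum node_class cls;
    struct node *parent;   /* NULL at the root */
    struct node *kids[4];  /* children, or members when cls == NODE_LIST */
    size_t nkids;
};

/* A list of length 1 acts like its only element, so unwrap it first. */
static struct node *unwrap_singleton(struct node *n)
{
    while (n && n->cls == NODE_LIST && n->nkids == 1)
        n = n->kids[0];
    return n;
}

/* True if inserting kid under parent would make kid its own ancestor. */
bool would_cycle(struct node *parent, struct node *kid, bool handle_lists)
{
    if (handle_lists)
        kid = unwrap_singleton(kid);
    for (struct node *a = parent; a != NULL; a = a->parent)
        if (a == kid)
            return true;
    return false;
}

/* Constructed scenario: root -> child, plus a one-element list wrapping root. */
bool demo(bool handle_lists)
{
    struct node root = { NODE_ELEMENT, NULL, { NULL }, 0 };
    struct node child = { NODE_ELEMENT, &root, { NULL }, 0 };
    struct node list = { NODE_LIST, NULL, { &root }, 1 };
    root.kids[root.nkids++] = &child;
    /* Appending `list` to `child` really appends root beneath its own child. */
    return would_cycle(&child, &list, handle_lists);
}

int main(void)
{
    printf("element-only check: %d, list-aware check: %d\n", demo(false), demo(true));
    return 0;
}
```
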
(Assignee)

Comment 5

12 years ago
Created attachment 212961
Fix
Attachment #212961 - Flags: review?(brendan)
Comment on attachment 212961
Fix 

I was a collaborator on this fix, but sure, r=me.

BTW, E4X sucks.

/be
Attachment #212961 - Flags: review?(brendan)
Attachment #212961 - Flags: review+
Attachment #212961 - Flags: approval1.8.0.2?
Attachment #212961 - Flags: approval-branch-1.8.1+
(Assignee)

Comment 7

12 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Flags: blocking1.8.0.2?
(Reporter)

Updated

12 years ago
Status: RESOLVED → VERIFIED
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Comment on attachment 212961
Fix 

approved for 1.8.9 branch, a=dveditz for drivers
Attachment #212961 - Flags: approval1.8.0.2? → approval1.8.0.2+
> 1.8.9 branch

1.8.0, I mean

(Assignee)

Comment 10

12 years ago
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, fixed1.8.1

Comment 11

12 years ago
Checking in regress-328249.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-328249.js,v  <--  regress-328249.js
initial revision: 1.1
done

I don't see a crash in today's ff trunk on winxp, but a current debug shell does appear to crash. I'll know more when I do a full test run.
Flags: testcase+
(Assignee)

Updated

12 years ago
Depends on: 328769
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates) since in-testsuite+ indicates a test case exists in the js test library.
Whiteboard: [patch] → [patch][rft-dl]

Comment 13

12 years ago
v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac
Keywords: fixed1.8.0.2, fixed1.8.1 → verified1.8.0.2, verified1.8.1