Bug 328249 - E4X crash due to infinite recursion in js_IsXMLName
Status: VERIFIED FIXED
[patch][rft-dl]
: crash, testcase, verified1.8.0.2, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All All
P1 critical
: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
: Jason Orendorff [:jorendorff]
Duplicates: 328254
Depends on: 328769
Blocks: 326633
Reported: 2006-02-22 18:16 PST by Jesse Ruderman
Modified: 2006-03-02 12:10 PST
dveditz: blocking1.8.0.2+
bob: in‑testsuite+

Attachments
testcase (97 bytes, text/html)
2006-02-22 18:18 PST, Jesse Ruderman
no flags
Fix (987 bytes, patch)
2006-02-23 14:46 PST, Blake Kaplan (:mrbkap)
brendan: review+
brendan: approval‑branch‑1.8.1+
dveditz: approval1.8.0.2+

Description Jesse Ruderman 2006-02-22 18:16:57 PST
 
Comment 1 Jesse Ruderman 2006-02-22 18:18:05 PST
Created attachment 212837
testcase
Comment 2 Brendan Eich [:brendan] 2006-02-22 18:45:48 PST
Blake generously offered to dive between this bullet and the president, in slow-mo yelling "guuuuuuhnnnnnnnnnnnn!", or was that "eeeeeeeeeeeeeefoooooooorrrrrrrrrrrrrxxxxxxxxxxxxxxxxxxxxxxxx!"?

/be
Comment 3 Blake Kaplan (:mrbkap) 2006-02-23 14:43:48 PST
*** Bug 328254 has been marked as a duplicate of this bug. ***
Comment 4 Blake Kaplan (:mrbkap) 2006-02-23 14:45:40 PST
Our cycle detection wasn't handling lists, causing us to miss the "easy" case described here. Lists of length 1 are special in that you can do stuff on them that acts like you're doing it to its only element, therefore CheckCycle needs to deal.

Note that we catch the case where kids->length > 1 before we ever get near the CheckCycle code.
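An added illustration of the failure mode comment 4 describes; it is not the attached patch and not SpiderMonkey code. The `Node` type and the `unwrap`, `would_cycle_naive`, `would_cycle` and `demo` names are assumptions made for this example, and only the one-member list case is modelled, since the comment says longer lists are caught before the cycle check.

```c
#include <stddef.h>

/* Simplified model (assumption), not SpiderMonkey's XML structures. */
typedef enum { NODE_ELEMENT, NODE_LIST } NodeClass;
typedef struct Node {
    NodeClass    cls;
    struct Node *parent;   /* NULL at the root */
    struct Node *kids[4];  /* children of an element, members of a list */
    size_t       length;
} Node;

/* A list of length 1 stands in for its only member, so resolve it first. */
static Node *unwrap(Node *n)
{
    while (n && n->cls == NODE_LIST && n->length == 1)
        n = n->kids[0];
    return n;
}

/* Returns 1 if kid is target or one of its ancestors (insertion would cycle). */
static int is_ancestor_or_self(const Node *target, const Node *kid)
{
    for (const Node *a = target; a; a = a->parent)
        if (a == kid)
            return 1;
    return 0;
}

/* Identity-only check: a one-member list wrapping an ancestor slips through. */
int would_cycle_naive(Node *target, Node *kid)
{
    return is_ancestor_or_self(target, kid);
}

/* List-aware check: unwrap one-member lists before walking the ancestors. */
int would_cycle(Node *target, Node *kid)
{
    return is_ancestor_or_self(target, unwrap(kid));
}

/* Constructed sample: root -> child, and a list whose only member is root. */
int demo(int list_aware)
{
    Node root  = { NODE_ELEMENT, NULL,  { NULL }, 0 };
    Node child = { NODE_ELEMENT, &root, { NULL }, 0 };
    Node list  = { NODE_LIST,    NULL,  { &root }, 1 };
    root.kids[root.length++] = &child;
    return list_aware ? would_cycle(&child, &list) : would_cycle_naive(&child, &list);
}
```

With the naive check, inserting the list under `child` is allowed even though it makes `root` its own descendant, which is the kind of cyclic structure that a later recursive walk never finishes.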
Comment 5 Blake Kaplan (:mrbkap) 2006-02-23 14:46:40 PST
Created attachment 212961
Fix
Comment 6 Brendan Eich [:brendan] 2006-02-23 14:57:28 PST
Comment on attachment 212961
Fix 

I was a collaborator on this fix, but sure, r=me.

BTW, E4X sucks.

/be
Comment 7 Blake Kaplan (:mrbkap) 2006-02-23 15:03:24 PST
Fix checked into trunk.
Comment 8 Daniel Veditz [:dveditz] 2006-02-24 12:27:50 PST
Comment on attachment 212961
Fix 

approved for 1.8.9 branch, a=dveditz for drivers
Comment 9 Daniel Veditz [:dveditz] 2006-02-24 12:28:22 PST
> 1.8.9 branch

1.8.0, I mean

Comment 10 Blake Kaplan (:mrbkap) 2006-02-24 13:21:23 PST
Fix checked into the 1.8 branches.
Comment 11 Bob Clary [:bc:] 2006-02-26 00:50:46 PST
Checking in regress-328249.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-328249.js,v  <--  regress-328249.js
initial revision: 1.1
done

I don't see a crash in today's ff trunk on winxp, but a current debug shell does appear to crash. I'll know more when I do a full test run.
Comment 12 Dave Liebreich [:davel] 2006-03-01 14:04:36 PST
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates) since in-testsuite+ indicates a test case exists in the js test library.
Comment 13 Bob Clary [:bc:] 2006-03-02 12:10:41 PST
v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac
