Closed Bug 374025 Opened 18 years ago Closed 17 years ago

Crash [@ js_RepeatChar] with XML.prettyIndent set to 2^31

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

js> XML.prettyIndent = 2147483648; uneval(<x><y/></x>); Bus error Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000 Thread 0 Crashed: 0 js 0x000b3ad4 js_RepeatChar + 95 (jsscan.c:848) 1 js 0x000d0f9b XMLToXMLString + 106 (jsxml.c:2684) 2 js 0x000d1c98 XMLToXMLString + 3431 (jsxml.c:2978) 3 js 0x000d207b ToXMLString + 444 (jsxml.c:3056) 4 js 0x000dc7a8 xml_toXMLString + 24 (jsxml.c:7132) 5 js 0x00057e7f js_Invoke + 2954 (jsinterp.c:1353) 6 js 0x000582a2 js_InternalInvoke + 309 (jsinterp.c:1447) 7 js 0x00083c50 js_TryMethod + 346 (jsobj.c:4595) 8 js 0x000c4c0a js_ValueToSource + 360 (jsstr.c:2693) 9 js 0x000be173 str_uneval + 26 (jsstr.c:466) ...
Crash does not occur anymore in latest js shell: gary-kwongs-mac-mini:lithium gkwong$ ./js-opt js> XML.prettyIndent = 2147483648; uneval(<x><y/></x>); <x> <y/> </x> js> ======= gary-kwongs-mac-mini:lithium gkwong$ ./js-debug js> XML.prettyIndent = 2147483648; uneval(<x><y/></x>); <x> <y/> </x> js>
Math.pow(2,30) hang Math.pow(2,31) - 1 "out of memory" Math.pow(2,31) treated as 0 (no indenting)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
/cvsroot/mozilla/js/tests/e4x/extensions/regress-374025.js,v <-- regress-374025.js initial revision: 1.1 The Math.pow's are covered in other tests.
Flags: in-testsuite?
Flags: in-testsuite+
Flags: in-litmus-
Fixed on trunk by bug 410192 (thanks, hg bisect), more shortly.
Crash Signature: [@ js_RepeatChar]
You need to log in before you can comment on or make changes to this bug.