Closed Bug 378789 Opened 17 years ago Closed 17 years ago

js_PutEscapedString can not deal with strings with \0

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: igor, Assigned: igor)

References

Details

(Keywords: regression)

Attachments

(1 file)

Fix
1.10 KB, patch
brendan
: review+
Details | Diff | Splinter Review 
DEBUG-only js_PutEscapedStringImpl in jsstr.c added in patch from bug 366725 can not cope with strings containing '\0'. This is trivially visible through dumpHeap call in js shell:

js> dumpHeap(null, [ "a\0b" ], null, 1);
0x8880c18 atom length            via id
0x88851a0 Array 88851c0          via __proto__
0x8884c40 BackstagePass 88b9798  via __parent__
Assertion failure: ' ' <= u && u < 127, at /home/igor/m/trunk/mozilla/js/src/jsstr.c:4938
Attached patch FixSplinter Review 
When I wrote js_PutEscapedStringImpl I forgot that strchr(str, 0) returns a pointer to \0, not null. Thus for \0 embedded in JSString the code accesses one past the last character of js_EscapeMap. The patch fixes that with the explicit check for \0.
Attachment #262799 - Flags: review?(brendan)
Attachment #262799 - Flags: review?(brendan) → review+
I committed the patch from comment 1 to the trunk:

Checking in jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.142; previous revision: 3.141
done
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/js1_8/extensions/regress-378789.js,v  <--  regress-378789.js
initial revision: 1.1
Flags: in-testsuite+
verified fixed 1.9.0 2007-05-07 windows/linux/mac* shell
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: