Closed
Bug 414772
Opened 17 years ago
Closed 15 years ago
<path d="M4e-356"> makes debug Firefox exit saying "Zero passed to d2b" (prdtoa.c)
Categories
(NSPR :: NSPR, defect)
NSPR
NSPR
Tracking
(status1.9.1 .4-fixed)
RESOLVED
FIXED
4.8.1
Tracking | Status | |
---|---|---|
status1.9.1 | --- | .4-fixed |
People
(Reporter: jruderman, Assigned: wtc)
Details
(Keywords: assertion, testcase, Whiteboard: [notacrash])
Attachments
(3 files)
71 bytes,
image/svg+xml
|
Details | |
678 bytes,
patch
|
jruderman
:
review+
|
Details | Diff | Splinter Review |
937 bytes,
patch
|
Details | Diff | Splinter Review |
Loading this SVG testcase in a Mac trunk debug build makes Firefox exit, saying "Zero passed to d2b". Seems harmless in a nightly. Found by a fuzzer written by olliej. #0 0x900102d4 in exit () #1 0x005ba28d in d2b (d=0, e=0xbfffcc48, bits=0xbfffcc44) at /Users/jruderman/trunk/mozilla/nsprpub/pr/src/misc/prdtoa.c:1353 #2 0x005badf0 in PR_strtod (s00=0x3d98a542 "e-356", se=0xbfffcd3c) at /Users/jruderman/trunk/mozilla/nsprpub/pr/src/misc/prdtoa.c:2031 #3 0x1837a41e in nsSVGDataParser::MatchNumber (this=0xbfffd034, aX=0xbfffce20) at /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGDataParser.cpp:184 ...
Comment 1•15 years ago
|
||
also crashes 1.9.1 and 1.9.0 windows debug builds.
blocking1.9.1: --- → ?
Flags: wanted1.9.0.x?
Comment 2•15 years ago
|
||
not a crash in opt builds, this is a PR_ASSERT() that's otherwise handled.
blocking1.9.1: ? → ---
Flags: wanted1.9.0.x?
Whiteboard: [notacrash][sg:nse]
Assignee | ||
Comment 3•15 years ago
|
||
There are two Bug("Zero passed to d2b"); statements in the d2b() function in prdtoa.c. The one at line 1353 of prdtoa.c, rev. 4.5 has been deleted in the latest version of dtoa.c from the upstream, so we can just delete it. To review this patch, search for b->wds = (x[1] = z) ? 2 : 1; in the latest version of dtoa.c (http://www.netlib.org/fp/dtoa.c) and verify that there is no Bug("Zero passed to d2b"); following it (after the "else"). I believe this change is this one in the dtoa.c "changes" file: http://www.netlib.org/fp/changes Mon Mar 16 00:32:43 MDT 2009 ... dtoa.c and gdtoa/misc.c: Remove a buggy test activated with -DDEBUG.
Attachment #402851 -
Flags: review?
Assignee | ||
Updated•15 years ago
|
Attachment #402851 -
Flags: review? → review?(jruderman)
Reporter | ||
Updated•15 years ago
|
Attachment #402851 -
Flags: review?(jruderman) → review+
Reporter | ||
Comment 4•15 years ago
|
||
Sure, if you think my review is ok for a change to this file.
Reporter | ||
Comment 5•15 years ago
|
||
But netlib's lack of a real repository or changelog is disturbing. What other fixes have we missed over the years?
Assignee | ||
Comment 6•15 years ago
|
||
I checked in the patch on the NSPR trunk (NSPR 4.8.1). Checking in prdtoa.c; /cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v <-- prdtoa.c new revision: 4.9; previous revision: 4.8 done
Severity: critical → normal
Status: NEW → RESOLVED
Closed: 15 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Target Milestone: --- → 4.8.1
Assignee | ||
Comment 7•15 years ago
|
||
I have to remove the "M" from "M4e-356" to make the NSPR test program exit with "Zero passed to d2b". Jesse, do you know why? Checking in dtoa.c; /cvsroot/mozilla/nsprpub/pr/tests/dtoa.c,v <-- dtoa.c new revision: 1.8; previous revision: 1.7 done
Reporter | ||
Comment 8•15 years ago
|
||
The "M" is a SVG pathdata "moveto". http://www.w3.org/TR/SVG/paths.html#PathData
Updated•15 years ago
|
Keywords: crash
Summary: <path d="M4e-356"> makes Firefox exit saying "Zero passed to d2b" (prdtoa.c) → <path d="M4e-356"> makes debug Firefox exit saying "Zero passed to d2b" (prdtoa.c)
Updated•15 years ago
|
status1.9.1:
--- → .4-fixed
Updated•15 years ago
|
Whiteboard: [notacrash][sg:nse] → [notacrash]
You need to log in
before you can comment on or make changes to this bug.
Description
•