Closed Bug 414772 Opened 17 years ago Closed 15 years ago

<path d="M4e-356"> makes debug Firefox exit saying "Zero passed to d2b" (prdtoa.c)

Categories

(NSPR :: NSPR, defect)

Product:
NSPR
Component:
NSPR
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(status1.9.1 .4-fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.1 --- .4-fixed

People

(Reporter: jruderman, Assigned: wtc)

Details

(Keywords: assertion, testcase, Whiteboard: [notacrash])

Attachments

(3 files)

testcase (crashes debug builds of Firefox when loaded)
71 bytes, image/svg+xml
Details
Proposed patch
678 bytes, patch
jruderman
: review+
Details | Diff | Splinter Review
NSPR test case
937 bytes, patch
Details | Diff | Splinter Review 
Loading this SVG testcase in a Mac trunk debug build makes Firefox exit, saying
"Zero passed to d2b".  Seems harmless in a nightly.

Found by a fuzzer written by olliej.

#0  0x900102d4 in exit ()
#1  0x005ba28d in d2b (d=0, e=0xbfffcc48, bits=0xbfffcc44) at /Users/jruderman/trunk/mozilla/nsprpub/pr/src/misc/prdtoa.c:1353
#2  0x005badf0 in PR_strtod (s00=0x3d98a542 "e-356", se=0xbfffcd3c) at /Users/jruderman/trunk/mozilla/nsprpub/pr/src/misc/prdtoa.c:2031
#3  0x1837a41e in nsSVGDataParser::MatchNumber (this=0xbfffd034, aX=0xbfffce20) at /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGDataParser.cpp:184
...
also crashes 1.9.1 and 1.9.0 windows debug builds.
blocking1.9.1: --- → ?
Flags: wanted1.9.0.x?
not a crash in opt builds, this is a PR_ASSERT() that's otherwise handled.
blocking1.9.1: ? → ---
Flags: wanted1.9.0.x?
Whiteboard: [notacrash][sg:nse]
Attached patch Proposed patchSplinter Review 
There are two
    Bug("Zero passed to d2b");
statements in the d2b() function in prdtoa.c.  The
one at line 1353 of prdtoa.c, rev. 4.5 has been deleted
in the latest version of dtoa.c from the upstream, so
we can just delete it.

To review this patch, search for
    b->wds = (x[1] = z) ? 2 : 1;
in the latest version of dtoa.c (http://www.netlib.org/fp/dtoa.c)
and verify that there is no
    Bug("Zero passed to d2b");
following it (after the "else").

I believe this change is this one in the dtoa.c "changes" file:
http://www.netlib.org/fp/changes

Mon Mar 16 00:32:43 MDT 2009
  ...
  dtoa.c and gdtoa/misc.c:  Remove a buggy test activated with
-DDEBUG.
Attachment #402851 - Flags: review?
Attachment #402851 - Flags: review? → review?(jruderman)
Attachment #402851 - Flags: review?(jruderman) → review+
Sure, if you think my review is ok for a change to this file.
But netlib's lack of a real repository or changelog is disturbing.  What other fixes have we missed over the years?
I checked in the patch on the NSPR trunk (NSPR 4.8.1).

Checking in prdtoa.c;
/cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v  <--  prdtoa.c
new revision: 4.9; previous revision: 4.8
done
Severity: critical → normal
Status: NEW → RESOLVED
Closed: 15 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Target Milestone: --- → 4.8.1
Attached patch NSPR test caseSplinter Review 
I have to remove the "M" from "M4e-356" to make
the NSPR test program exit with "Zero passed to d2b".
Jesse, do you know why?

Checking in dtoa.c;
/cvsroot/mozilla/nsprpub/pr/tests/dtoa.c,v  <--  dtoa.c
new revision: 1.8; previous revision: 1.7
done
The "M" is a SVG pathdata "moveto".  http://www.w3.org/TR/SVG/paths.html#PathData
Keywords: crash
Summary: <path d="M4e-356"> makes Firefox exit saying "Zero passed to d2b" (prdtoa.c) → <path d="M4e-356"> makes debug Firefox exit saying "Zero passed to d2b" (prdtoa.c)
Keywords: assertion
Whiteboard: [notacrash][sg:nse] → [notacrash]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: