Closed Bug 444233 Opened 12 years ago Closed 12 years ago

Passing JS object to SValStorageStatementBinder causes segfault [@ GetUTCTime - js_DateIsValid - JSValStorageStatementBinder]

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.9.1a1

People

(Reporter: zpao, Assigned: mrbkap)

References

Details

(Keywords: crash, fixed1.9.0.2, regression)

Crash Data

Attachments

(3 files)

Using mozStorageStatementWrapper and passing an array ([1,2]) into params causes segfault.  Will attach test case and GDB backtrace.
Severity: normal → critical
Keywords: crash
Summary: Passing JS object to SValStorageStatementBinder causes segfault → Passing JS object to SValStorageStatementBinder causes segfault [@ GetUTCTime - js_DateIsValid - JSValStorageStatementBinder]
Attachment #328593 - Attachment mime type: application/x-javascript → text/plain
Attached patch Proposed fixSplinter Review
This is a testcase + the fix. This is a regression from bug 385393. In that bug, brendan made the "is this object a date" test conditional on being called from an interpreted function (with an argv array), but we need to the test unconditionally and only throw when called from an interpreted function.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #329849 - Flags: review?(shaver)
Comment on attachment 329849 [details] [diff] [review]
Proposed fix

r=shaver, a comment in GetUTCTime explaining that this is why we do the vp thing would be extra-good.
Attachment #329849 - Flags: review?(shaver) → review+
Pushed as http://hg.mozilla.org/index.cgi/mozilla-central/rev/3c1f72eddf61
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Duplicate of this bug: 446136
As comment 3 said there was also a test checked-in. Updating some flags...

Do we also need this on 1.9.0.x branch? Bug 385393 was fixed a while ago during alpha 7 and alpha 8.
Component: Storage → JavaScript Engine
Flags: in-testsuite+
Keywords: regression
OS: Mac OS X → All
Product: Toolkit → Core
QA Contact: storage → general
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1a1
Comment on attachment 329849 [details] [diff] [review]
Proposed fix

This applies to the 1.9 branch.
Attachment #329849 - Flags: approval1.9.0.2?
Comment on attachment 329849 [details] [diff] [review]
Proposed fix

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #329849 - Flags: approval1.9.0.2? → approval1.9.0.2+
Fix checked into the 1.9 branch.
Keywords: fixed1.9.0.2
storage/test/unit/test_bug-444233.js
Crash Signature: [@ GetUTCTime - js_DateIsValid - JSValStorageStatementBinder]
You need to log in before you can comment on or make changes to this bug.