Closed Bug 444233 Opened 16 years ago Closed 16 years ago

Passing JS object to SValStorageStatementBinder causes segfault [@ GetUTCTime - js_DateIsValid - JSValStorageStatementBinder]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1a1

People

(Reporter: zpao, Assigned: mrbkap)

References

Details

(Keywords: crash, fixed1.9.0.2, regression)

Crash Data

Attachments

(3 files)

Test Case
1.99 KB, text/plain
Details
GDB Backtrace
2.37 KB, text/plain
Details
Proposed fix
4.26 KB, patch
shaver
: review+
samuel.sidler+old
: approval1.9.0.2+
Details | Diff | Splinter Review 
Using mozStorageStatementWrapper and passing an array ([1,2]) into params causes segfault.  Will attach test case and GDB backtrace.
Severity: normal → critical
Keywords: crash
Summary: Passing JS object to SValStorageStatementBinder causes segfault → Passing JS object to SValStorageStatementBinder causes segfault [@ GetUTCTime - js_DateIsValid - JSValStorageStatementBinder]
Attachment #328593 - Attachment mime type: application/x-javascript → text/plain
Attached patch Proposed fixSplinter Review 
This is a testcase + the fix. This is a regression from bug 385393. In that bug, brendan made the "is this object a date" test conditional on being called from an interpreted function (with an argv array), but we need to the test unconditionally and only throw when called from an interpreted function.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #329849 - Flags: review?(shaver)
Blocks: jsfastnative
Comment on attachment 329849 [details] [diff] [review]
Proposed fix

r=shaver, a comment in GetUTCTime explaining that this is why we do the vp thing would be extra-good.
Attachment #329849 - Flags: review?(shaver) → review+
Pushed as http://hg.mozilla.org/index.cgi/mozilla-central/rev/3c1f72eddf61
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
As comment 3 said there was also a test checked-in. Updating some flags...

Do we also need this on 1.9.0.x branch? Bug 385393 was fixed a while ago during alpha 7 and alpha 8.
Component: Storage → JavaScript Engine
Flags: in-testsuite+
Keywords: regression
OS: Mac OS X → All
Product: Toolkit → Core
QA Contact: storage → general
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1a1
Comment on attachment 329849 [details] [diff] [review]
Proposed fix

This applies to the 1.9 branch.
Attachment #329849 - Flags: approval1.9.0.2?
Comment on attachment 329849 [details] [diff] [review]
Proposed fix

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #329849 - Flags: approval1.9.0.2? → approval1.9.0.2+
Fix checked into the 1.9 branch.
Keywords: fixed1.9.0.2
storage/test/unit/test_bug-444233.js
Crash Signature: [@ GetUTCTime - js_DateIsValid - JSValStorageStatementBinder]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: