Created attachment 361155 [details] stack I got the crash when running mochitest. The crash happened with the test for bug 441782. No idea if this is security sensitive.
Something strange happening (gdb) p length $1 = 11 (gdb) p j $2 = 0 (gdb) p wordStart $3 = 16 (gdb) p i $4 = 27 That means that wordStart+j > 0 is true, so numString[j-1] is evaluated. And j-1 is pretty huge number because j is unsigned and its value is 0.
Perhaps this is a regression from Bug 467672?
Created attachment 361161 [details] [diff] [review] Patch I think it's a regression from bug 441782. I needed a workaround to run mochitest and this seems to work...
Comment on attachment 361161 [details] [diff] [review] Patch This seems like the correct fix. Requesting review from roc.
I pushed this. http://hg.mozilla.org/mozilla-central/rev/5f349409c9d5 Thanks Mats!
The 1.9.1 landing: <http://hg.mozilla.org/releases/mozilla-1.9.1/rev/7272f7e838d2>