Debug builds exit when converting "1e-400" to a Number

RESOLVED FIXED in mozilla1.9.3a1



9 years ago
9 years ago


(Reporter: bzbarsky, Assigned: reed)



Firefox Tracking Flags

(status1.9.2 final-fixed)




(1 attachment)

Run the testcase in the url field, or this in shell:


This causes a debug build to print "Zero passed to d2b" and then exit.  This seems to come from dtoa.c, which has:

1271                         Bug("Zero passed to d2b");

with Bug() defined as:

176 #ifdef DEBUG
177 #include "stdio.h"
178 #define Bug(x) {fprintf(stderr, "%s\n", x); exit(1);}
179 #endif

In an opt build I just get 0, as more or less expected.  The original testcase I ran into this on was actually passing this string:

  '{ "very_big_number":1e+400, "very_small_number":1e-400 }'

to JSON.parse to hit this bug.  Note that jsdtoa and prdtoa have the same code; should I file separate bugs on those?

Comment 1

9 years ago
I am going to hide this until we had a chance to analyze whats going on behind the scenes. We can reopen if this is harmless.
Group: core-security
Whiteboard: [sg:dos]
This is the JS equivalent of bug 414772. I don't think it's a security issue. We can just use that same patch.
OS: Mac OS X → All
Hardware: x86 → All
Created attachment 416532 [details] [diff] [review]
patch - v1

Direct port of the patch from bug 414772.
Assignee: general → reed
Attachment #416532 - Flags: review?(mrbkap)

Comment 4

9 years ago
Looks harmless. Opening up the bug and removing the flags.
Group: core-security
Whiteboard: [sg:dos]

Comment 5

9 years ago
Comment on attachment 416532 [details] [diff] [review]
patch - v1

Stealing. I don't think Blake minds. The code was already reviewed for the other copy of dtoa anyway.
Attachment #416532 - Flags: review?(mrbkap) → review+


9 years ago
Attachment #416532 - Flags: approval1.9.2?
Requesting approval to land this on trunk and 1.9.2, but I think this may be fine to land on trunk based on the patch being "not part of the Firefox or Fennec builds", as it only affects debug builds, which aren't the normal type of build.

Comment 7

9 years ago
Yeah, pretty sure you don't need approval. Just land on trunk and 192. Its NPOTB.

Comment 8

9 years ago
Comment on attachment 416532 [details] [diff] [review]
patch - v1

Attachment #416532 - Flags: review+
We need to change jsdtoa as well, right?
(In reply to comment #9)
> We need to change jsdtoa as well, right?

Nope, problem doesn't exist there.
Last Resolved: 9 years ago
status1.9.2: --- → final-fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
What about prdtoa.c?  That does seem to have the bug.

Comment 13

9 years ago
bz: prdtoa.c has been fixed in NSPR bug 414772.

Since NSPR and JS are separate products, every dtoa bug is
covered by an NSPR bug and a JS bug.
Ah, I see. It would have been really nice to file the JS bug when that one was fixed, so I didn't have to re-debug it 3 months later.  :(

I assume that the NSPR version that bug 414772 was fixed for hasn't been imported into mozilla-central yet?

Comment 15

9 years ago
The NSPR bug fix is already in mozilla-central, mozilla-1.9.2,
and mozilla-1.9.1.  This bug is not worth backporting to old
release branches, but it piggybacked on the fix for a security
vulnerability in dtoa.
Ah, I see.  I was confused by the other "zero passed to d2b" that's still there.  OK.
You need to log in before you can comment on or make changes to this bug.