Closed
Bug 568466
Opened 14 years ago
Closed 14 years ago
TM: fix too-late NULL check in NewXMLQName()
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: n.nethercote)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments (2 files)
testcase: 826 bytes, text/plain
patch: 810 bytes, patch, review+ (gal)
The attached testcase crashes 64-bit js debug shell on Mac 10.6.3 on TM tip with -j at JSObject::getClass. Seems to be a null dereference, locking s-s just-in-case.

Console output:
======
/x/ 2interesting/w4313-cj-in.js:21: out of memory
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000008
0x000000010007c950 in JSObject::getClass ()
(gdb) bt
#0 0x000000010007c950 in JSObject::getClass ()
#1 0x000000010016c4c9 in JSObject::isQName ()
#2 0x0000000100158953 in NewXMLQName ()
#3 0x00000001001652f3 in DeepCopyInLRS ()
#4 0x000000010016511c in DeepCopySetInLRS ()
#5 0x000000010016536f in DeepCopyInLRS ()
#6 0x000000010016511c in DeepCopySetInLRS ()
#7 0x000000010016536f in DeepCopyInLRS ()
#8 0x000000010016511c in DeepCopySetInLRS ()
#9 0x000000010016536f in DeepCopyInLRS ()
#10 0x000000010016511c in DeepCopySetInLRS ()
#11 0x000000010016536f in DeepCopyInLRS ()
#12 0x000000010016511c in DeepCopySetInLRS ()
#13 0x000000010016536f in DeepCopyInLRS ()
#14 0x000000010016511c in DeepCopySetInLRS ()
#15 0x000000010016536f in DeepCopyInLRS ()
#16 0x000000010016511c in DeepCopySetInLRS ()
#17 0x000000010016536f in DeepCopyInLRS ()
#18 0x000000010016511c in DeepCopySetInLRS ()
#19 0x000000010016536f in DeepCopyInLRS ()
#20 0x000000010016511c in DeepCopySetInLRS ()
#21 0x000000010016536f in DeepCopyInLRS ()
#22 0x000000010016511c in DeepCopySetInLRS ()
#23 0x000000010016536f in DeepCopyInLRS ()
#24 0x000000010016a8b8 in PutProperty ()
#25 0x000000010016b6dc in xml_setProperty ()
#26 0x000000010002497a in JSObject::setProperty ()
#27 0x0000000100099012 in js_Interpret ()
#28 0x00000001000ad80a in js_Execute ()
#29 0x0000000100011b33 in JS_ExecuteScript ()
#30 0x00000001000098e4 in Process ()
#31 0x000000010000a529 in ProcessArgs ()
#32 0x000000010000a6a4 in main ()
(gdb) x/i $rip
0x10007c950 <_ZNK8JSObject8getClassEv+12>: mov 0x8(%rax),%rax
(gdb) x/b $rax
0x0: Cannot access memory at address 0x0
Comment 1 (Reporter)•14 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 41884:744611b4f3d9
user: Nicholas Nethercote
date: Wed May 12 18:57:36 2010 -0700
summary: Bug 560167 - encapsulate XML-related JSSLOT_* values within JSObject (attempt 2; attempt 1 was backed out due to conflicts). r=brendan.
Blocks: 560167
Updated (Reporter)•14 years ago
blocking2.0: --- → ?
Updated•14 years ago
blocking2.0: ? → final+
Comment 2 (Assignee)•14 years ago
I can't reproduce, but the attached bug is very likely to fix the problem -- it moves the NULL check earlier. Gary, can you check? The crash is happening in an assertion so I don't think it counts as s-s because it cannot manifest in a release build.
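The defect this bug describes is an ordering problem: NewXMLQName() asked isQName() about an object before checking whether the object pointer was NULL, and isQName() reaches through the pointer (via getClass(), frame #0 above) to read the class. The following is an added, self-contained model of that pattern and of its fix, not TraceMonkey's code; the types ModelObject and ModelClass, the functions model_is_qname() and new_qname_*(), and the sample objects are hypothetical and exist only to show the ordering.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the layout involved in the crash report: an object
 * holds a pointer to its class descriptor, and the is-QName test reads that
 * descriptor. This is constructed for illustration, not TraceMonkey's code. */
typedef struct {
    const char *name;
    bool is_qname;
} ModelClass;

typedef struct {
    const ModelClass *clasp;
} ModelObject;

/* Mirrors the role of JSObject::getClass() in frame #0: dereferences obj. */
static const ModelClass *model_get_class(const ModelObject *obj) {
    return obj->clasp;      /* faults when obj == NULL */
}

/* Mirrors the role of JSObject::isQName() in frame #1. */
static bool model_is_qname(const ModelObject *obj) {
    return model_get_class(obj)->is_qname;
}

/* Too-late NULL check: the pointer is dereferenced inside model_is_qname()
 * before the check runs. A NULL object (for instance after an allocation
 * failure, as the "out of memory" line in the report suggests) crashes here
 * instead of being rejected, and the check that follows is dead code for
 * that input. Only call this with a non-NULL object. */
static int new_qname_too_late_check(const ModelObject *obj) {
    bool qname = model_is_qname(obj);   /* dereference happens first */
    if (!obj)                           /* never reached for NULL */
        return -1;
    return qname ? 1 : 0;
}

/* Fixed ordering: the NULL check guards every dereference, so a NULL
 * object is reported as an error (-1) rather than faulting. */
static int new_qname_fixed(const ModelObject *obj) {
    if (!obj)
        return -1;
    return model_is_qname(obj) ? 1 : 0;
}

/* Constructed sample objects. */
static const ModelClass sample_qname_class = { "QName", true };
static const ModelClass sample_plain_class = { "Object", false };
const ModelObject sample_qname_object = { &sample_qname_class };
const ModelObject sample_plain_object = { &sample_plain_class };

int main(void) {
    printf("fixed, QName object:  %d\n", new_qname_fixed(&sample_qname_object));
    printf("fixed, plain object:  %d\n", new_qname_fixed(&sample_plain_object));
    printf("fixed, NULL object:   %d\n", new_qname_fixed(NULL));
    printf("too-late, QName obj:  %d\n", new_qname_too_late_check(&sample_qname_object));
    return 0;
}
```

A check placed after a dereference is worth treating as a real bug even when the crash only shows up in a debug build: once the compiler has seen the pointer dereferenced, it may assume the pointer is non-NULL and drop the later check entirely, so the guard never protects anything. Reviewing that every NULL check precedes the first use of the pointer is the general fix, and it is the one applied in this bug by moving the check earlier.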
Updated•14 years ago
Attachment #450269 -
Flags: review?(gal) → review+
Comment 3•14 years ago
Nice catch nick. Dropping the ss flags. We don't have to block on this.
Group: core-security
blocking2.0: final+ → ---
Whiteboard: [ccbr][sg:dos]
Updated (Assignee)•14 years ago
Summary: TM: (64-bit) Crash [@ JSObject::getClass] → TM: avoid premature NULL check in NewXMLQName()
Comment 4 (Assignee)•14 years ago
http://hg.mozilla.org/tracemonkey/rev/aafbaa9daac4
Whiteboard: fixed-in-tracemonkey
Updated•14 years ago
Summary: TM: avoid premature NULL check in NewXMLQName() → TM: fix too-late NULL check in NewXMLQName()
Comment 5•14 years ago
http://hg.mozilla.org/mozilla-central/rev/aafbaa9daac4
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED