Bug 583615 - Crash [@ JSString::length] or [@ ParseXMLSource] with e4x
Status: Closed (VERIFIED FIXED)
Opened 14 years ago; closed 14 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: gkw; Assigned: dmandelin
Keywords: crash, regression, testcase
Whiteboard: [ccbr], [sg:dos][critsmash:investigating], [fixed-in-tracemonkey]
Attachments (1 file): patch, 1.18 KB; Waldo: review+
Description (Reporter, 14 years ago)

try { x = <x><y/></x> x += /x / } catch (e) {}
for each(a in [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) { x += x; }
default xml namespace = x;
<x></x>

crashes js opt shell on TM tip without -j at ParseXMLSource and crashes js debug shell on TM tip without -j at JSString::length. Testcase has to be passed in as a CLI argument.

s-s because while this seems to be a null dereference, it's best to be safe.

=== Debug js console output:

Program received signal SIGSEGV, Segmentation fault.
0x08055b5c in JSString::length (this=0x0) at ../../jsstr.h:235
235 return mLengthAndFlags >> FLAGS_LENGTH_SHIFT;
(gdb) bt
#0 0x08055b5c in JSString::length (this=0x0) at ../../jsstr.h:235
#1 0x0818deb5 in ParseXMLSource (cx=0x82d5c10, src=0xf7504c20) at ../jsxml.cpp:1687
#2 0x0818e6dd in ToXML (cx=0x82d5c10, v=...) at ../jsxml.cpp:1839
#3 0x0819f892 in js_ValueToXMLObject (cx=0x82d5c10, v=...) at ../jsxml.cpp:7726
#4 0x082358a4 in js::Interpret (cx=0x82d5c10) at ../jsinterp.cpp:6570
#5 0x080d8f30 in js::Execute (cx=0x82d5c10, chain=0xf7502000, script=0x82dcf28, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:907
#6 0x0806f764 in JS_ExecuteScript (cx=0x82d5c10, obj=0xf7502000, script=0x82dcf28, rval=0x0) at ../jsapi.cpp:4736
#7 0x0804beb5 in Process (cx=0x82d5c10, obj=0xf7502000, filename=0xffffd5c1 "../crashParseXMLSource.js", forceTTY=0) at ../../shell/js.cpp:440
#8 0x0804cd71 in ProcessArgs (cx=0x82d5c10, obj=0xf7502000, argv=0xffffd3f8, argc=1) at ../../shell/js.cpp:854
#9 0x08055304 in shell (cx=0x82d5c10, argc=1, argv=0xffffd3f8, envp=0xffffd400) at ../../shell/js.cpp:4957
#10 0x08055420 in main (argc=1, argv=0xffffd3f8, envp=0xffffd400) at ../../shell/js.cpp:5044
(gdb) x/i $eip
=> 0x8055b5c <_ZNK8JSString6lengthEv+6>: mov (%eax),%eax
(gdb) x/b $eax
0x0: Cannot access memory at address 0x0
Updated 14 years ago (Reporter): blocking2.0: --- → ?
Comment 1 (Reporter, 14 years ago)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 27222:9e0f6160ef35
user: David Mandelin
date: Thu Apr 16 15:00:13 2009 -0700
summary: Bug 487546: call expensive JSString finalizers only if needed, r=brendan

Blocks: 487546
Updated 14 years ago: Assignee: general → dmandelin
Updated 14 years ago: blocking2.0: ? → final+
Updated 14 years ago: Whiteboard: [ccbr] → [ccbr], [sg:critical]
Updated 14 years ago: Whiteboard: [ccbr], [sg:critical] → [ccbr], [sg:critical][critsmash:investigating]
Comment 2 (Assignee, 14 years ago)

Not sure why this is sg:crit, given that it's just an OOM-caused NPE. But at least it is easy to fix.

Attachment #462616 - Flags: review?(jwalden+bmo)
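The backtrace in the description (JSString::length called with this=0x0 from ParseXMLSource) and the diagnosis in comment 2 (an OOM-caused null dereference) describe one defect class: a string allocation fails, the null result keeps flowing, and a later consumer reads its length. The example below is an added model of that class, not the SpiderMonkey patch; Str, concat(), double_n_times() and the two parse_xml_source_* functions are assumed stand-ins, and a fixed byte budget stands in for the real allocator running out of memory.

```cpp
// Added example, not SpiderMonkey code: models the OOM-induced null
// dereference behind this bug and the check that prevents it.
#include <cstddef>
#include <string>

// Stand-in for JSString; length() is the method the crash trace shows
// being invoked with this == 0x0.
struct Str {
    std::string data;
    size_t length() const { return data.size(); }
};

// Models string concatenation that fails (returns nullptr) once the result
// would exceed an allocation budget, i.e. the OOM case from comment 2.
static Str* concat(const Str* a, const Str* b, size_t budget) {
    if (!a || !b) return nullptr;
    if (a->data.size() + b->data.size() > budget) return nullptr;
    return new Str{a->data + b->data};
}

// Models the testcase loop `x += x` run n times: the string doubles each
// iteration, and a nullptr from concat() becomes the new value of x.
static Str* double_n_times(const std::string& init, int n, size_t budget) {
    Str* x = new Str{init};
    for (int i = 0; i < n && x; ++i) {
        Str* next = concat(x, x, budget);
        delete x;
        x = next;   // nullptr after OOM; nothing downstream may dereference it
    }
    return x;
}

// Buggy consumer: reads the length without checking for the OOM null.
// Calling this with src == nullptr is the reported crash (undefined behaviour).
static size_t parse_xml_source_unchecked(const Str* src) {
    return src->length();
}

// Hardened consumer: a null source means an allocation already failed, so
// report failure to the caller instead of dereferencing it.
static bool parse_xml_source_checked(const Str* src, size_t* len_out) {
    if (!src) return false;
    *len_out = src->length();
    return true;
}
```

With the constructed input "<x><y/></x>" (11 bytes) and a 50-byte budget, the third doubling fails and the checked parser returns false where the unchecked one would crash.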
Updated 14 years ago: Attachment #462616 - Flags: review?(jwalden+bmo) → review+
Comment 3 (Assignee, 14 years ago)

http://hg.mozilla.org/tracemonkey/rev/4bea4e06aa3f

Whiteboard: [ccbr], [sg:critical][critsmash:investigating] → [ccbr], [sg:critical][critsmash:investigating], [fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/4bea4e06aa3f pushed at the auspicious-looking Fri Aug 13 13:13:33. Also downgrading to sg:dos per dmandelin's comment 2.

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [ccbr], [sg:critical][critsmash:investigating], [fixed-in-tracemonkey] → [ccbr], [sg:dos][critsmash:investigating], [fixed-in-tracemonkey]
Comment 5 (14 years ago)

Affects the 1.9.1/1.9.2 branches if we want to take this patch.
Updated 13 years ago: Crash Signature: [@ JSString::length] [@ ParseXMLSource]
Comment 6 (11 years ago)

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug583615.js.

Flags: in-testsuite+
Comment 7 (11 years ago)

Setting in-testsuite- because this test is in the testsuite but marked as a slow test (which means it won't run automatically). I verified manually that the tests pass, so marking this VERIFIED.

Status: RESOLVED → VERIFIED
Crash Signature: [@ JSString::length] [@ ParseXMLSource] → [@ JSString::length] [@ ParseXMLSource]
Flags: in-testsuite+ → in-testsuite-