Closed
Bug 593611
Opened 15 years ago
Closed 15 years ago
Crash [@ js_regexp_toString]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta7+ |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
|
1.49 KB,
patch
|
Waldo
:
review-
brendan
:
review+
|
Details | Diff | Splinter Review |
(function() {
__defineGetter__("x", /x/.constructor)
})()
for (var a = 0; a < 4; ++a) {
if (a % 4 == 1) {
gc()
} else {
print(x);
}
}
crashes js opt shell on TM changeset 60af58b42567 without -m nor -j at js_regexp_toString.
|
Reporter | |
Comment 1•15 years ago
|
||
s-s because this involves gc.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 52720:66c8ad02543b
user: Luke Wagner
date: Mon Aug 16 12:35:04 2010 -0700
summary: Bug 581263 - remove slow natives (r=waldo,mrbkap)
Blocks: 581263
Group: core-security
|
|
Assignee | |
Comment 2•15 years ago
|
||
Ouch, I missed a case where we assumed argv was initialized for [0..fun->nargs), so this was looking at trash stack values. I wasn't able to repro the crash, but I was able to get a valgrind memcheck warning, which this patch fixes.
|
|
Assignee | |
Comment 3•15 years ago
|
||
The patch also puts back the "if (IsConstructing)" check, since 15.10.3.1 seems to require it.
|
||
Comment 4•15 years ago
|
||
Comment on attachment 472433 [details] [diff] [review]
fix
Nasty -- so we want your C++ super-safe helper instead of the current unsafe FastNative signature, pretty soon.
>+ if ((argc >= 1 && argv[0].isObject() && argv[0].toObject().isRegExp()) &&
No need to over-paren these && terms against the final && at end of line.
>+ (argc == 1 || (argc == 2 && argv[1].isUndefined())))
We know argc >= 1 starting this line, so why the argc == 2 && bit?
Leaving r?waldo but wanted to give a quick r+ to get this in for further fuzzing.
/be
Attachment #472433 -
Flags: review+
|
|
Assignee | |
Comment 5•15 years ago
|
||
(In reply to comment #4)
Thanks!
http://hg.mozilla.org/tracemonkey/rev/1d477685d70a
Whiteboard: fixed-in-tracemonkey
|
|
Assignee | |
Comment 6•15 years ago
|
||
D'oh!
http://hg.mozilla.org/tracemonkey/rev/9d7c084a9a56
regexp_construct is like a bermuda triangle for my brain.
|
||
Updated•15 years ago
|
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Whiteboard: fixed-in-tracemonkey → [sg:critical] fixed-in-tracemonkey
|
||
Comment 7•15 years ago
|
||
Comment on attachment 472433 [details] [diff] [review]
fix
My brain's gone from frazzled during the day to relaxed in the evening to sleepy now, so maybe I'm just scatterbrained now, but shouldn't that check be if (!constructing)? RegExp(p, f) sometimes returns p, but new RegExp(p, f) never should, if I read ES5 right (and assume this isn't something noted in errata). Are our RegExp shell tests all contradicting the spec on this, or something?
But the safety-fix aspect looks good, at least.
Attachment #472433 -
Flags: review?(jwalden+bmo) → review-
|
|
Assignee | |
Comment 8•15 years ago
|
||
(In reply to comment #7)
You're right, see the "D'oh!" in comment 6 :)
|
||
Comment 9•15 years ago
|
||
Status: ASSIGNED → RESOLVED
blocking2.0: ? → beta7+
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•15 years ago
|
Group: core-security
|
||
Updated•14 years ago
|
Crash Signature: [@ js_regexp_toString]
|
||
Comment 10•12 years ago
|
||
|
||
Updated•12 years ago
|
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•