Closed
Bug 593611
Opened 14 years ago
Closed 14 years ago
Crash [@ js_regexp_toString]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta7+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
1.49 KB,
patch
|
Waldo
:
review-
brendan
:
review+
|
Details | Diff | Splinter Review |
(function() { __defineGetter__("x", /x/.constructor) })() for (var a = 0; a < 4; ++a) { if (a % 4 == 1) { gc() } else { print(x); } } crashes js opt shell on TM changeset 60af58b42567 without -m nor -j at js_regexp_toString.
Reporter | ||
Comment 1•14 years ago
|
||
s-s because this involves gc. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 52720:66c8ad02543b user: Luke Wagner date: Mon Aug 16 12:35:04 2010 -0700 summary: Bug 581263 - remove slow natives (r=waldo,mrbkap)
Blocks: 581263
Group: core-security
Assignee | ||
Comment 2•14 years ago
|
||
Ouch, I missed a case where we assumed argv was initialized for [0..fun->nargs), so this was looking at trash stack values. I wasn't able to repro the crash, but I was able to get a valgrind memcheck warning, which this patch fixes.
Assignee | ||
Comment 3•14 years ago
|
||
The patch also puts back the "if (IsConstructing)" check, since 15.10.3.1 seems to require it.
Comment 4•14 years ago
|
||
Comment on attachment 472433 [details] [diff] [review] fix Nasty -- so we want your C++ super-safe helper instead of the current unsafe FastNative signature, pretty soon. >+ if ((argc >= 1 && argv[0].isObject() && argv[0].toObject().isRegExp()) && No need to over-paren these && terms against the final && at end of line. >+ (argc == 1 || (argc == 2 && argv[1].isUndefined()))) We know argc >= 1 starting this line, so why the argc == 2 && bit? Leaving r?waldo but wanted to give a quick r+ to get this in for further fuzzing. /be
Attachment #472433 -
Flags: review+
Assignee | ||
Comment 5•14 years ago
|
||
(In reply to comment #4) Thanks! http://hg.mozilla.org/tracemonkey/rev/1d477685d70a
Whiteboard: fixed-in-tracemonkey
Assignee | ||
Comment 6•14 years ago
|
||
D'oh! http://hg.mozilla.org/tracemonkey/rev/9d7c084a9a56 regexp_construct is like a bermuda triangle for my brain.
Updated•14 years ago
|
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Whiteboard: fixed-in-tracemonkey → [sg:critical] fixed-in-tracemonkey
Comment 7•14 years ago
|
||
Comment on attachment 472433 [details] [diff] [review] fix My brain's gone from frazzled during the day to relaxed in the evening to sleepy now, so maybe I'm just scatterbrained now, but shouldn't that check be if (!constructing)? RegExp(p, f) sometimes returns p, but new RegExp(p, f) never should, if I read ES5 right (and assume this isn't something noted in errata). Are our RegExp shell tests all contradicting the spec on this, or something? But the safety-fix aspect looks good, at least.
Attachment #472433 -
Flags: review?(jwalden+bmo) → review-
Assignee | ||
Comment 8•14 years ago
|
||
(In reply to comment #7) You're right, see the "D'oh!" in comment 6 :)
Comment 9•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/1d477685d70a
Status: ASSIGNED → RESOLVED
blocking2.0: ? → beta7+
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
Group: core-security
Updated•13 years ago
|
Crash Signature: [@ js_regexp_toString]
Updated•11 years ago
|
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•