Closed Bug 620182 Opened 14 years ago Closed 13 years ago

[@ QuoteString | DecompileSwitch] when JSVAL_IS_DOUBLE(key) and SprintDoubleValue fails due to oom

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla7

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file, 1 obsolete file)

For checkin
700 bytes, patch
Details | Diff | Splinter Review 
1168 DecompileSwitch(SprintStack *ss, TableEntry *table, uintN tableLength,

1235                 todo = -1;
1236                 if (table[i].label) {
1239                 } else if (JSVAL_IS_DOUBLE(key)) {
this can return -1 on oom:
1242                     todo = SprintDoubleValue(&ss->sprinter, key, &junk);
1243                     str = NULL;
1244                 } else {
1248                 }
1249                 if (todo >= 0) {
1251                 } else {
and we crash under here:
1252                     rval = QuoteString(&ss->sprinter, str, (jschar)
1253                                        (JSVAL_IS_STRING(key) ? '"' : 0));

684 QuoteString(Sprinter *sp, JSString *str, uint32 quote)
701     str->getCharsAndEnd(s, z);
Attached patch patch (obsolete) — Splinter Review 
Assignee: general → timeless
Status: NEW → ASSIGNED

        Attachment #498576 -
        Flags: review?(jorendorff)

        Attachment #498576 -
        Attachment is patch: true

        Attachment #498576 -
        Attachment mime type: application/octet-stream → text/plain

    
    

    
  
Comment on attachment 498576 [details] [diff] [review]
patch

Review of attachment 498576 [details] [diff] [review]:

Write `todo < 0` instead of `todo == -1`. They're equivalent here, but `< 0` is more consistent with what the rest of the file does. r=me with that.

        Attachment #498576 -
        Flags: review?(jorendorff) → review+

    
  
Keywords: checkin-needed

    
    

    
  

      
      
      
      

        Attached patch
          
          
        For checkinSplinter Review
      

    


  

    
  

        Attachment #498576 -
        Attachment is obsolete: true

    
  
Keywords: checkin-needed

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/7e6f3b179644
Keywords: checkin-needed
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla7
Crash Signature: [@ QuoteString | DecompileSwitch]

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/7e6f3b179644
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: