Closed Bug 674545 Opened 10 years ago Closed 10 years ago
Crash with too complex regular expressions in js1
_5/extensions/regress-330569 .js and js1 _5/extensions/regress-351448 .js
js1_5/extensions/regress-330569.js and js1_5/extensions/regress-351448.js crash browser and shell opt and debug on 1.9.2 Linux 32 and 64 bit at least. Haven't tried others. Regressed around 2011-07-23
Missed this because I was using the more modern jstests, which had these tests marked as "skip" because YARR doesn't have the same complexity errors.
Assignee: general → cdleary
Status: NEW → ASSIGNED
Attachment #548919 - Flags: review?(mrbkap)
Attachment #548919 - Flags: review?(mrbkap) → review+
Attachment #548919 - Flags: approval188.8.131.52?
Comment on attachment 548919 [details] [diff] [review] Initialize res to NULL for cleanup goto. Approved for 184.108.40.206, a=dveditz Code freeze for 220.127.116.11 is Monday Aug 1, please land soon.
Attachment #548919 - Flags: approval18.104.22.168? → approval22.214.171.124+
Maybe sg:critical if you can get attacker data left over on the stack where res will be created.
Bob, do you think you could run this patch against the 1.9.2 test suite to confirm we're good now? js reftests apparently don't run on the 1.9.2 tinderboxen and I don't think I'm using the jsDriver correctly.
sure. I'll let you know in a while.
I'm running the full set of tests on 1.9.2 with the patch. The old way I normally do it is to run js shell opt/debug and browser opt/debug without jit and with jit. The browser tests actually start and stop the browser for each test so they don't get hung up or terminate due to a crash but that means it takes forever to run them. So far, non-jit js shell opt/debug and firefox opt have passed with flying colors, but i really would like to complete a bit more. The full results will be in tomorrow and we'll be able to get this in then.
All tests passed with no regressions.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Verified fixed in 1.9.2 based on passing tests.
Whiteboard: [sg:critical?] → [sg:critical?], wanted-standalone-js
You need to log in before you can comment on or make changes to this bug.