Crash in CalculateUTF8Size::write with JavaScript open() function

RESOLVED FIXED in Firefox 21

Status

Status: RESOLVED FIXED
Product: Core
Component: DOM
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: Jerry Baker, Assigned: bholley)

Tracking

Version: 21 Branch
Target Milestone: mozilla21
Keywords: crash, regression, reproducible, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox20 unaffected, firefox21 fixed)

Details

Whiteboard: [native-crash]

Attachments

(1 attachment)

(Reporter)

Comment 1

5 years ago
Also happens in safe mode.

Comment 2

5 years ago
I can also reproduce it.

More reports at:
https://crash-stats.mozilla.com/report/list?signature=CalculateUTF8Size%3A%3Awrite%28wchar_t+const*%2C+unsigned+int%29
Severity: major → critical
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)]
status-firefox21: --- → affected
Component: Location Bar → DOM
Keywords: crash, regression, regressionwindow-wanted, reproducible
Product: Firefox → Core
Summary: Crash with JavaScript open() function → Crash in CalculateUTF8Size::write with JavaScript open() function
Version: Trunk → 21 Branch

Comment 3

5 years ago
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/ff2e30afa205
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116123902
Bad:
http://hg.mozilla.org/mozilla-central/rev/712eca11a04e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130117 Firefox/21.0 ID:20130117024251
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ff2e30afa205&tochange=712eca11a04e


Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/4d2f27cdef91
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116181650
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/3b3c304723cc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116185154
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4d2f27cdef91&tochange=3b3c304723cc

Comment 4

5 years ago
I suspect bug 824864 amongst the two DOM bugs.

FWIW, using a Debug Build the Console mentions:

JavaScript error: javascript:open('http://www.google.com');Test();, line 1: Test is not defined
Assertion failure: JSVAL_IS_STRING(v), at e:\builds\moz2_slave\m-cen-w32-dbg\build\obj-firefox\dist\include\jsapi.h:2294
status-firefox20: --- → unaffected
(Assignee)

Comment 6

5 years ago
Created attachment 705900 [details] [diff] [review]
Handle errors better in EvaluateString. v1

This bug happens when we take the !useSandbox path. Basically, when the code
throws, we can end up with garbage in *aRetValue while still returning true
from EvaluateString. It looks like the convention is for these kinds of eval
functions to return success even for invalid code, so let's just make sure we
check things a bit better.

This crashtest is kind of half-baked in the sense that it doesn't actually
crash without the rest of the patch. But the testcase here involves a lot of
undefined behavior (what ends up getting left in *aRetValue) during a call
to window.open (which spins the event loop, etc). I already sunk about half
an hour into trying to make it crash, so I'm just going to go with this for
now.
Attachment #705900 - Flags: review?(bzbarsky)
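The failure mode described in the comment above, as an added illustration that is not the patch's code: a simplified evaluator model (hypothetical `Value`, `evaluate_buggy`, `evaluate_fixed` and `result_length`, with a seeded stale value standing in for uninitialized memory) showing how returning success without writing the out-param lets the caller treat leftover data as a string, and how initializing the out-param before any early return avoids it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal tagged value standing in for a JS value (constructed for this example). */
typedef enum { VAL_UNDEFINED, VAL_STRING } ValTag;
typedef struct { ValTag tag; const char *str; } Value;

/* Simulated script: a source containing '!' "throws" (like the undefined Test() call). */
static bool script_throws(const char *src) { return strchr(src, '!') != NULL; }

/* Buggy shape: on the throwing path we return true but never write *ret,
 * so the caller inherits whatever was already in that memory. */
bool evaluate_buggy(const char *src, Value *ret) {
    if (script_throws(src))
        return true;
    ret->tag = VAL_STRING;
    ret->str = src;
    return true;
}

/* Fixed shape: put the out-param into a defined state before any early return.
 * The "invalid code still returns success" convention is kept. */
bool evaluate_fixed(const char *src, Value *ret) {
    ret->tag = VAL_UNDEFINED;
    ret->str = NULL;
    if (script_throws(src))
        return true;
    ret->tag = VAL_STRING;
    ret->str = src;
    return true;
}

/* Caller that measures the result string, the step that crashed in
 * CalculateUTF8Size when fed a non-string. Returns -1 if the value is not a
 * string. The Value is seeded with a stale string to model leftover stack
 * contents deterministically instead of reading truly uninitialized memory. */
long result_length(bool (*eval)(const char *, Value *), const char *src) {
    Value v = { VAL_STRING, "<stale-data>" };   /* stands in for uninitialized memory */
    if (!eval(src, &v))
        return -1;
    if (v.tag != VAL_STRING)                    /* the check JSVAL_IS_STRING asserted on */
        return -1;
    return (long)strlen(v.str);
}
```

With the buggy evaluator, a throwing script yields the length of the stale data rather than an error, which is exactly the kind of garbage-as-string path the comment describes.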
Comment on attachment 705900 [details] [diff] [review]
Handle errors better in EvaluateString. v1

r=me
Attachment #705900 - Flags: review?(bzbarsky) → review+

Updated

5 years ago
Keywords: regressionwindow-wanted → testcase

Updated

5 years ago
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)] → [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)] [@ CalculateUTF8Size& copy_string<nsReadingIterator<unsigned short>, CalculateUTF8Size>(nsReadingIterator<unsigned short> const&, nsReadingIterator<unsigned short> const&, CalculateUTF8Size&)]
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [native-crash]
https://hg.mozilla.org/mozilla-central/rev/53640f283f68
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21

Updated

5 years ago
status-firefox21: affected → fixed

Updated

5 years ago
Blocks: 832599

Updated

5 years ago
Assignee: nobody → bobbyholley+bmo