Closed Bug 833856 Opened 9 years ago Closed 9 years ago

Crash in CalculateUTF8Size::write with JavaScript open() function

Component: Core :: DOM: Core & HTML
Type: defect
Version: 21 Branch
Priority: Not set
Severity: critical

Status: RESOLVED FIXED
Target Milestone: mozilla21
Tracking Status: firefox20 --- unaffected; firefox21 --- fixed

Reporter: mozilla
Assignee: bholley

Whiteboard: [native-crash] (4 keywords)
Attachments: 1 file

Also happens in safe mode.
I can also reproduce it.

More reports at:
https://crash-stats.mozilla.com/report/list?signature=CalculateUTF8Size%3A%3Awrite%28wchar_t+const*%2C+unsigned+int%29
Severity: major → critical
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)]
Component: Location Bar → DOM
Product: Firefox → Core
Summary: Crash with JavaScript open() function → Crash in CalculateUTF8Size::write with JavaScript open() function
Version: Trunk → 21 Branch
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/ff2e30afa205
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116123902
Bad:
http://hg.mozilla.org/mozilla-central/rev/712eca11a04e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130117 Firefox/21.0 ID:20130117024251
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ff2e30afa205&tochange=712eca11a04e


Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/4d2f27cdef91
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116181650
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/3b3c304723cc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116185154
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4d2f27cdef91&tochange=3b3c304723cc
I suspect bug 824864 amongst the two DOM bugs.

FWIW, using a Debug Build the Console mentions:

JavaScript error: javascript:open('http://www.google.com');Test();, line 1: Test is not defined
Assertion failure: JSVAL_IS_STRING(v), at e:\builds\moz2_slave\m-cen-w32-dbg\build\obj-firefox\dist\include\jsapi.h:2294

This bug happens when we take the !useSandbox path. Basically, when the code
throws, we can end up with garbage in *aRetValue while still returning true
from EvaluateString. It looks like the convention is for these kind of eval
functions to return success even for invalid code, so let's just make sure we
check things a bit better.

This crashtest is kind of half-baked in the sense that it doesn't actually
crash without the rest of the patch. But the testcase here involves a lot of
undefined behavior (what ends up getting left in *aRetValue) during a call
to window.open (which spins the event loop, etc). I already sank about half
an hour into trying to make it crash, so I'm just going to go with this for
now.
Attachment #705900 - Flags: review?(bzbarsky)
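Added example, not Gecko code and not the patch in attachment 705900: a minimal model of the failure mode described in the comment above. The evaluator keeps the convention of returning success even when the script threw, but the buggy variant only assigns its out-parameter on the non-throwing path, so a caller that then tests the result with a JSVAL_IS_STRING-style check consumes whatever the slot already held. The fixed variant defines the out-parameter before anything can throw and resets it on the exception path. All names here (Value, runScript, EvaluateStringBuggy, EvaluateStringFixed, consumeResult, runJavascriptUrl) and the sample inputs are hypothetical.

```cpp
// Added example, not Gecko code: a minimal model of "success with an
// unassigned out-parameter". Names and sample data are hypothetical.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>

// Stand-in for a tagged JS value: undefined, or a pointer to a string.
struct Value {
    enum Tag : uint8_t { Undefined, String };
    Tag tag;
    const std::u16string* str;  // only meaningful when tag == String
    bool isString() const { return tag == String; }
};

static const Value kUndefined{Value::Undefined, nullptr};

// Constructed sample: what a successful javascript: URL might evaluate to.
static const std::u16string kPageBody = u"<p>hi</p>";

// Hypothetical script runner. "ok" evaluates to a string; "throw" throws,
// as "Test();" does when Test is not defined.
static bool runScript(const std::string& src, Value* out) {
    if (src == "throw") throw std::runtime_error("Test is not defined");
    *out = Value{Value::String, &kPageBody};
    return true;
}

// Buggy shape: returns true after an exception without ever assigning
// *aRetValue, so the caller cannot tell "threw" from "returned a value".
bool EvaluateStringBuggy(const std::string& src, Value* aRetValue) {
    try {
        return runScript(src, aRetValue);
    } catch (const std::exception&) {
        return true;  // invalid code still counts as "success"
    }
}

// Fixed shape: the out-parameter is defined before anything can throw and
// is reset on the exception path, so success always pairs with a real value.
bool EvaluateStringFixed(const std::string& src, Value* aRetValue) {
    *aRetValue = kUndefined;
    try {
        return runScript(src, aRetValue);
    } catch (const std::exception&) {
        *aRetValue = kUndefined;
        return true;
    }
}

// The consumer on the javascript: URL path: a string result is measured
// (stand-in for CalculateUTF8Size) to decide what document to load.
// Returns -1 where real code would dereference a stale string pointer.
long consumeResult(const Value& v) {
    if (!v.isString()) return 0;      // undefined: nothing to load
    if (v.str == nullptr) return -1;  // stale/garbage string pointer
    return static_cast<long>(v.str->size());
}

// Drive one evaluation through a slot that still holds stale contents,
// mimicking a reused stack location. Returns the consumer's result.
long runJavascriptUrl(bool useFixed, const std::string& src) {
    Value slot{Value::String, nullptr};  // constructed stale contents
    bool ok = useFixed ? EvaluateStringFixed(src, &slot)
                       : EvaluateStringBuggy(src, &slot);
    if (!ok) return -2;  // not reachable with these runners; kept for completeness
    return consumeResult(slot);
}

int main() {
    std::printf("buggy, throwing script: %ld\n", runJavascriptUrl(false, "throw"));  // -1
    std::printf("fixed, throwing script: %ld\n", runJavascriptUrl(true, "throw"));   // 0
    std::printf("fixed, ok script:       %ld\n", runJavascriptUrl(true, "ok"));      // 9
    return 0;
}
```

The point the model makes is the one the comment raises: a return value of true is not by itself a guarantee that the out-parameter was written, so either the callee must define it on every path, or the caller must check for an exception rather than trusting the tag bits it finds in the slot.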
Comment on attachment 705900 [details] [diff] [review]
Handle errors better in EvaluateString. v1

r=me
Attachment #705900 - Flags: review?(bzbarsky) → review+
Blocks: 824864
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)] → [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)] [@ CalculateUTF8Size& copy_string<nsReadingIterator<unsigned short>, CalculateUTF8Size>(nsReadingIterator<unsigned short> const&, nsReadingIterator<unsigned short> const&, CalculateUTF8Size&)]
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [native-crash]
https://hg.mozilla.org/mozilla-central/rev/53640f283f68
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Blocks: 832599
Assignee: nobody → bobbyholley+bmo
Component: DOM → DOM: Core & HTML