Closed
Bug 833856
Opened 13 years ago
Closed 13 years ago
Crash in CalculateUTF8Size::write with JavaScript open() function
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
RESOLVED FIXED (mozilla21)
| | Tracking | Status |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | --- | fixed |
People
(Reporter: mozilla, Assigned: bholley)
References
Details
(4 keywords, Whiteboard: [native-crash])
Crash Data
Attachments
(1 file)
3.00 KB, patch, bzbarsky: review+ (Details | Diff | Splinter Review)
Starting with today's nightly (20130123), a bookmarklet with the following JS crashes Firefox:
javascript:open('http://www.google.com');Test();
See the following crash reports for info:
Comment 1 (Reporter)•13 years ago
Also happens in safe mode.
Comment 2•13 years ago
I can also reproduce it.
More reports at:
https://crash-stats.mozilla.com/report/list?signature=CalculateUTF8Size%3A%3Awrite%28wchar_t+const*%2C+unsigned+int%29
Severity: major → critical
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)]
status-firefox21: --- → affected
Component: Location Bar → DOM
Product: Firefox → Core
Summary: Crash with JavaScript open() function → Crash in CalculateUTF8Size::write with JavaScript open() function
Version: Trunk → 21 Branch
Comment 3•13 years ago
Regression window (m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/ff2e30afa205
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116123902
Bad:
http://hg.mozilla.org/mozilla-central/rev/712eca11a04e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130117 Firefox/21.0 ID:20130117024251
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ff2e30afa205&tochange=712eca11a04e
Regression window (m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/4d2f27cdef91
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116181650
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/3b3c304723cc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116185154
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4d2f27cdef91&tochange=3b3c304723cc
Comment 4•13 years ago
I suspect bug 824864 amongst the two DOM bugs.
status-firefox20: --- → unaffected
Comment 5•13 years ago
FWIW, using a Debug Build the Console mentions:
JavaScript error: javascript:open('http://www.google.com');Test();, line 1: Test is not defined
Assertion failure: JSVAL_IS_STRING(v), at e:\builds\moz2_slave\m-cen-w32-dbg\build\obj-firefox\dist\include\jsapi.h:2294
Comment 6 (Assignee)•13 years ago
This bug happens when we take the !useSandbox path. Basically, when the code throws, we can end up with garbage in *aRetValue while still returning true from EvaluateString. It looks like the convention is for these kinds of eval functions to return success even for invalid code, so let's just make sure we check things a bit better.

This crashtest is kind of half-baked in the sense that it doesn't actually crash without the rest of the patch. But the testcase here involves a lot of undefined behavior (what ends up getting left in *aRetValue) during a call to window.open (which spins the event loop, etc). I already sank about half an hour into trying to make it crash, so I'm just going to go with this for now.
Attachment #705900 - Flags: review?(bzbarsky)
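As an added illustration (not the patch attached to this bug, and not Gecko code): a constructed model of the out-parameter pattern comment 6 describes, with the defective shape beside a hardened one and a consumer that checks the result's type before treating it as a string. All names (Value, RunScript, EvaluateStringDefective, EvaluateStringChecked, ResultUtf8Size) are assumptions made for this example.

```cpp
#include <string>
// Constructed model of a JS value (not Gecko's jsval): undefined or a string.
enum class Tag { Undefined, String };
struct Value { Tag tag = Tag::Undefined; std::string str; };

// Constructed "engine": a script evaluates to its own text, except that a
// script containing "throw" models one that raises an exception.
static bool RunScript(const std::string& code, Value* out) {
    if (code.find("throw") != std::string::npos) return false;  // script threw
    *out = Value{Tag::String, code};
    return true;
}

// Defective shape from comment 6: the failure is swallowed (eval functions
// report success even for bad code) but *aRetValue is never written.
bool EvaluateStringDefective(const std::string& code, Value* aRetValue) {
    RunScript(code, aRetValue);  // failure ignored, out-param left untouched
    return true;
}

// Hardened shape: the out-param is always well-defined (undefined on failure).
bool EvaluateStringChecked(const std::string& code, Value* aRetValue) {
    *aRetValue = Value{};  // define it before any path that might skip the write
    if (!RunScript(code, aRetValue)) {
        *aRetValue = Value{};  // keep the "return true" convention, report undefined
    }
    return true;
}

// Consumer standing in for the javascript: URL handler: only a string result
// is converted (here, its UTF-8 size taken); anything else yields -1.
long ResultUtf8Size(const Value& v) {
    if (v.tag != Tag::String) return -1;  // the type check that prevents the crash
    return static_cast<long>(v.str.size());
}

// Runs a bookmarklet-style script and then a throwing one through a single
// reused result slot, and reports the tag the consumer would see afterwards.
Tag TagAfterThrow(bool (*eval)(const std::string&, Value*)) {
    Value slot;
    eval("open('http://www.google.com')", &slot);  // leaves a String in the slot
    eval("throw new ReferenceError('Test is not defined')", &slot);
    return slot.tag;
}
long CheckedUtf8Size(const std::string& code) {  // checked path on one script
    Value v;
    EvaluateStringChecked(code, &v);
    return ResultUtf8Size(v);
}
```

With the defective evaluator the second, throwing script leaves the previous String in the slot, which is exactly the stale value a later conversion would consume; the checked evaluator hands back undefined instead.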
Comment 7•13 years ago
Comment on attachment 705900 [details] [diff] [review]
Handle errors better in EvaluateString. v1
r=me
Attachment #705900 - Flags: review?(bzbarsky) → review+
Keywords: regressionwindow-wanted → testcase
Comment 8 (Assignee)•13 years ago
Updated•13 years ago
Crash Signature: [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)] → [@ CalculateUTF8Size::write(wchar_t const*, unsigned int)]
[@ CalculateUTF8Size& copy_string<nsReadingIterator<unsigned short>, CalculateUTF8Size>(nsReadingIterator<unsigned short> const&, nsReadingIterator<unsigned short> const&, CalculateUTF8Size&)]
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [native-crash]
Comment 9•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Updated•13 years ago
Updated•13 years ago
Assignee: nobody → bobbyholley+bmo
Updated•6 years ago
Component: DOM → DOM: Core & HTML