Closed Bug 837418 Opened 11 years ago Closed 11 years ago

Crash [@ JS::Handle<JSString*>::operator->] or [@ JSString::isAtom]

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla21

Tracking Flags:

Tracking

Status

firefox18

---

unaffected

firefox19

---

unaffected

firefox20

---

unaffected

firefox21

fixed

firefox-esr17

---

unaffected

b2g18

---

unaffected

b2g18-v1.0.0

---

unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

stack 11 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 5.11 KB, text/plain		Details
patch 11 years ago Brian Hackett [Laid off!] 821 bytes, patch	terrence : review+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

11 years ago

Attached file stack — Details

x = 'x';
for (var m = 0; m < 99; ++m) {
    x = x.concat(x);
}

crashes js debug shell on m-c changeset be76182b91a6 without any CLI arguments at JSString::isAtom and crashes js opt shell at JS::Handle<JSString*>::operator->

s-s and assuming sec-critical because weird memory address 0x8000000 seems to be being accessed.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   119956:052d2de29f8f
user:        Brian Hackett
date:        Sat Jan 26 07:42:20 2013 -0700
summary:     Bug 834826 - Eliminate or refactor various unnecessary stack roots, r=terrence.

Brian Hackett [Laid off!]

Comment 1

•

11 years ago

Attached patch patch — Details — Splinter Review

Silly mistake leading to a NULL crash.

Attachment #709486 - Flags: review?(terrence)

Brian Hackett [Laid off!]

Comment 2

•

11 years ago

NULL deref, not s-s.

Group: core-security

Christian Holler (:decoder)

Comment 3

•

11 years ago

Not sec-critical either.

Keywords: sec-critical

Terrence Cole [:terrence]

Comment 4

•

11 years ago

Comment on attachment 709486 [details] [diff] [review]
patch

Review of attachment 709486 [details] [diff] [review]:
-----------------------------------------------------------------

Wow, yeah, that's a total facepalm: I should have seen that when reviewing.

Attachment #709486 - Flags: review?(terrence) → review+

Brian Hackett [Laid off!]

Comment 5

•

11 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/bf21c968fa89

Ryan VanderMeulen [:RyanVM]

Comment 6

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/bf21c968fa89

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla21

Scoobidiver (away)

Updated

•

11 years ago

status-firefox21: affected → fixed

bhavana bajaj [:bajaj]

Updated

•

11 years ago

tracking-firefox21: ? → +

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Crash [@ JS::Handle<JSString*>::operator->] or [@ JSString::isAtom]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Updated

Updated

Attachment

General

Description

File Name

Content Type