Bug 849456 - Crash [@ DeflateStringToUTF8Buffer] or [@ JS::TwoByteCharsToNewUTF8CharsZ] with --enable-more-deterministic
Status: RESOLVED FIXED (Closed)
Opened 12 years ago, closed 12 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla22
Tracking: firefox22 status: fixed
People: Reporter: gkw, Assigned: terrence
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments (2 files):
  10.34 KB, text/plain
  947 bytes, patch; mjrosenb: review+

Description
s = newGlobal('');
function f(code) {
try {
evalcx(code, s)
} catch (e) {
print(' ' + e);
}
}
f("\
m = this;\
m.valueOf = (function(){});\
m += 'xxxx';\
for(let y = 0; y < 999;y++) {\
m += m\
};\
");
f("Object.preventExtensions(m);")
This crashes the js debug and opt shells on m-c changeset 0e7639e3bdfb with --no-ti --no-ion -a at DeflateStringToUTF8Buffer, with JS::TwoByteCharsToNewUTF8CharsZ on the stack.
Setting this as s-s even though it seems to be a null deref in deterministic builds, because the crash signatures scare me.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 122625:5d8a1621a697
user: Chuck Lee
date: Fri Feb 22 10:58:52 2013 +0800
summary: Bug 835719 - 0001. Support encode string to UTF-8 byte array. r=terrence
Comment 1•12 years ago (terrence, Assignee)
This is a trivial NULL deref. This is fallout from a B2G fix, so should probably be uplifted to b2g18.
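As an added illustration (this is not SpiderMonkey's code and not the attached patch), here is a small C version of a two-byte-to-UTF-8 deflation routine of the kind named in the crash signature, written so that the allocation-failure path returns NULL instead of dereferencing it. An allocation hook lets the out-of-memory case be forced on a tiny input, which is the same failure the testcase provokes by growing the string until an allocation fails. The function names (two_byte_chars_to_new_utf8_z, utf8_alloc), the U+FFFD policy for lone surrogates, and the sample code units are this example's own choices, not anything stated in the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation hook (example-only) so a test can force the out-of-memory path
 * that a string of hundreds of megabytes can hit in a real engine. */
static void *(*utf8_alloc)(size_t) = malloc;
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* UTF-8 bytes needed for one code point. */
static size_t utf8_bytes_for(uint32_t cp) {
    if (cp < 0x80) return 1;
    if (cp < 0x800) return 2;
    if (cp < 0x10000) return 3;
    return 4;
}

/* Read one code point from UTF-16 code units starting at chars[*i]; advances *i.
 * A lone surrogate becomes U+FFFD (a policy chosen for this example). */
static uint32_t next_code_point(const uint16_t *chars, size_t len, size_t *i) {
    uint16_t c = chars[(*i)++];
    if (c >= 0xD800 && c <= 0xDBFF && *i < len) {
        uint16_t d = chars[*i];
        if (d >= 0xDC00 && d <= 0xDFFF) {
            (*i)++;
            return 0x10000u + ((uint32_t)(c - 0xD800) << 10) + (uint32_t)(d - 0xDC00);
        }
    }
    if (c >= 0xD800 && c <= 0xDFFF) return 0xFFFD;
    return c;
}

/* Append the UTF-8 encoding of cp at out[*pos]; the caller sized the buffer. */
static void put_utf8(unsigned char *o, size_t *pos, uint32_t cp) {
    o += *pos;
    if (cp < 0x80) { o[0] = (unsigned char)cp; *pos += 1; return; }
    if (cp < 0x800) { o[0] = (unsigned char)(0xC0 | (cp >> 6)); o[1] = (unsigned char)(0x80 | (cp & 0x3F)); *pos += 2; return; }
    if (cp < 0x10000) {
        o[0] = (unsigned char)(0xE0 | (cp >> 12)); o[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        o[2] = (unsigned char)(0x80 | (cp & 0x3F)); *pos += 3; return;
    }
    o[0] = (unsigned char)(0xF0 | (cp >> 18)); o[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
    o[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F)); o[3] = (unsigned char)(0x80 | (cp & 0x3F)); *pos += 4;
}

/* Convert len UTF-16 code units to a new NUL-terminated UTF-8 string.
 * Returns NULL if the byte count would wrap size_t or the allocation fails;
 * *out_len is written only on success. Every caller must check for NULL. */
char *two_byte_chars_to_new_utf8_z(const uint16_t *chars, size_t len, size_t *out_len) {
    size_t needed = 0;
    for (size_t i = 0; i < len; ) {
        size_t n = utf8_bytes_for(next_code_point(chars, len, &i));
        if (needed > SIZE_MAX - n - 1) return NULL;   /* needed + n + 1 would overflow */
        needed += n;
    }
    unsigned char *buf = utf8_alloc(needed + 1);
    if (buf == NULL) return NULL;                     /* the check a NULL deref lacks */
    size_t pos = 0;
    for (size_t i = 0; i < len; )
        put_utf8(buf, &pos, next_code_point(chars, len, &i));
    buf[pos] = '\0';
    if (out_len) *out_len = pos;
    return (char *)buf;
}

/* Constructed sample: 'h', U+00E9, U+1F600 as a surrogate pair, and a lone high
 * surrogate. Expected UTF-8: 68 C3 A9 F0 9F 98 80 EF BF BD (10 bytes). */
static const uint16_t sample_chars[] = { 0x0068, 0x00E9, 0xD83D, 0xDE00, 0xD800 };
static const size_t sample_len = sizeof sample_chars / sizeof sample_chars[0];

/* UTF-8 byte length of the sample, or 0 if conversion failed. */
size_t demo_sample_utf8_len(void) {
    size_t n = 0;
    char *s = two_byte_chars_to_new_utf8_z(sample_chars, sample_len, &n);
    if (s == NULL) return 0;
    free(s);
    return n;
}

/* 1 if the sample encodes to the expected bytes with a terminating NUL. */
int demo_sample_bytes_match(void) {
    static const unsigned char expected[] = { 0x68, 0xC3, 0xA9, 0xF0, 0x9F, 0x98, 0x80, 0xEF, 0xBF, 0xBD };
    size_t n = 0;
    char *s = two_byte_chars_to_new_utf8_z(sample_chars, sample_len, &n);
    int ok = s != NULL && n == sizeof expected && memcmp(s, expected, n) == 0 && s[n] == '\0';
    free(s);
    return ok;
}

/* Force the allocator to fail: the converter must report NULL and leave
 * *out_len alone, never write through the NULL pointer. Returns 1 if so. */
int demo_oom_returns_null(void) {
    size_t n = 123;
    utf8_alloc = failing_alloc;
    char *s = two_byte_chars_to_new_utf8_z(sample_chars, sample_len, &n);
    utf8_alloc = malloc;
    return s == NULL && n == 123;
}

int main(void) {
    printf("sample -> %zu UTF-8 bytes, bytes match: %d, OOM handled: %d\n",
           demo_sample_utf8_len(), demo_sample_bytes_match(), demo_oom_returns_null());
    return 0;
}
```

The point of the hook is that a NULL return is an ordinary, reachable outcome of this conversion (an attacker-controlled string length decides the allocation size), so the consumer that formats an error message or builds a byte array has to treat it as a failure path rather than assume success.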
Updated•12 years ago
Attachment #723025 - Flags: review?(mrosenberg) → review+
Updated•12 years ago (Assignee)
Keywords: checkin-needed
Comment 2•12 years ago
Keywords: checkin-needed
Comment 3•12 years ago (Ryan VanderMeulen [:RyanVM])
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-firefox22:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment 4•12 years ago (Andrew McCreight [:mccr8])
Terrence, can this be unhidden because it is just a null crash all the time?
Comment 5•12 years ago (terrence, Assignee)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> https://hg.mozilla.org/mozilla-central/rev/edf62f27b3c0
There's not any point adding a test for this.
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Terrence, can this be unhidden because it is just a null crash all the time?
I'm not sure what the rules are, but it's fine by me.
Flags: in-testsuite? → in-testsuite-
Updated•12 years ago (Reporter)
Group: core-security
This bug is caused by my patch in Bug 835719.
It's not uplifted to b2g18, thanks for fixing it!