Closed Bug 849456 Opened 11 years ago Closed 11 years ago

Crash [@ DeflateStringToUTF8Buffer] or [@ JS::TwoByteCharsToNewUTF8CharsZ] with --enable-more-deterministic

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox22 --- fixed

People

(Reporter: gkw, Assigned: terrence)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

stacks
10.34 KB, text/plain
Details
v0
947 bytes, patch
mjrosenb
: review+
Details | Diff | Splinter Review
Attached file stacks 
s = newGlobal('');
function f(code) {
    try {
        evalcx(code, s)
    } catch (e) {
        print(' ' + e);
    }
}
f("\
    m = this;\
    m.valueOf = (function(){});\
    m += 'xxxx';\
    for(let y = 0; y < 999;y++) {\
        m += m\
    };\
");
f("Object.preventExtensions(m);")

crashes js debug and opt shell on m-c changeset 0e7639e3bdfb with --no-ti --no-ion -a at DeflateStringToUTF8Buffer with JS::TwoByteCharsToNewUTF8CharsZ on the stack.

Setting this as s-s even though it seems to be a null deref in deterministic builds, because the crash signatures scare me.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122625:5d8a1621a697
user:        Chuck Lee
date:        Fri Feb 22 10:58:52 2013 +0800
summary:     Bug 835719 - 0001. Support encode string to UTF-8 byte array. r=terrence
Attached patch v0Splinter Review 
This is a trivial NULL deref. This is fallout from a B2G fix, so should probably be uplifted to b2g18.
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #723025 - Flags: review?(mrosenberg)
Attachment #723025 - Flags: review?(mrosenberg) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/edf62f27b3c0
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox22: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Terrence, can this be unhidden because it is just a null crash all the time?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> https://hg.mozilla.org/mozilla-central/rev/edf62f27b3c0

There's not any point adding a test for this.

(In reply to Andrew McCreight [:mccr8] from comment #4)
> Terrence, can this be unhidden because it is just a null crash all the time?

I'm not sure what the rules are, but it's fine by me.
Flags: in-testsuite? → in-testsuite-
Group: core-security
This bug is caused by my patch in Bug 835719.
It's not uplift to b2g18, thanks for fixing it!
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: