Closed Bug 849456 Opened 9 years ago Closed 9 years ago

Crash [@ DeflateStringToUTF8Buffer] or [@ JS::TwoByteCharsToNewUTF8CharsZ] with --enable-more-deterministic

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla22
Tracking Status
firefox22 --- fixed

People

(Reporter: gkw, Assigned: terrence)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

Attached file stacks
s = newGlobal('');
function f(code) {
    try {
        evalcx(code, s)
    } catch (e) {
        print(' ' + e);
    }
}
f("\
    m = this;\
    m.valueOf = (function(){});\
    m += 'xxxx';\
    for(let y = 0; y < 999;y++) {\
        m += m\
    };\
");
f("Object.preventExtensions(m);")

crashes js debug and opt shell on m-c changeset 0e7639e3bdfb with --no-ti --no-ion -a at DeflateStringToUTF8Buffer with JS::TwoByteCharsToNewUTF8CharsZ on the stack.

Setting this as s-s even though it seems to be a null deref in deterministic builds, because the crash signatures scare me.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122625:5d8a1621a697
user:        Chuck Lee
date:        Fri Feb 22 10:58:52 2013 +0800
summary:     Bug 835719 - 0001. Support encode string to UTF-8 byte array. r=terrence
Attached patch v0Splinter Review
This is a trivial NULL deref. This is fallout from a B2G fix, so should probably be uplifted to b2g18.
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #723025 - Flags: review?(mrosenberg)
Attachment #723025 - Flags: review?(mrosenberg) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/edf62f27b3c0
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Terrence, can this be unhidden because it is just a null crash all the time?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> https://hg.mozilla.org/mozilla-central/rev/edf62f27b3c0

There's not any point adding a test for this.

(In reply to Andrew McCreight [:mccr8] from comment #4)
> Terrence, can this be unhidden because it is just a null crash all the time?

I'm not sure what the rules are, but it's fine by me.
Flags: in-testsuite? → in-testsuite-
Group: core-security
This bug is caused by my patch in Bug 835719.
It's not uplift to b2g18, thanks for fixing it!
You need to log in before you can comment on or make changes to this bug.