Closed Bug 283439 Opened 20 years ago Closed 20 years ago

Crash with evil XML: double free or corruption

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 283064
Milestone:
mozilla1.8beta2

People

(Reporter: igor, Assigned: brendan)

Details

(Keywords: js1.5)

Attachments

(2 files)

test case
(deleted), text/plain
Details
GDB stack trace
(deleted), text/plain
Details
When I run the attched test case in js shell with passing explicit stack limit of 500000 which should trigger DeutschSchorrWaite implementation, I got: ~/w/js/mozilla/js/src> ./Linux_All_DBG.OBJ/js -x -S 500000 ~/s/x.js before 2703384, after 135036, break 09146000 *** glibc detected *** double free or corruption (out): 0x08cb3788 *** Aborted
Attached file test case (deleted) —
Summary: Crash with evil XML: double free or corruption → Crash with evil XML: double free or corruption
Sorry, been up late sweating the warring-.xpt-files hell behind bug 280084. I'll look at this today. /be
Assignee: general → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta2
Dup of bug 283064? /be
Status: NEW → ASSIGNED
Attached file GDB stack trace (deleted) —
Note that without -S flag the test case runs OK. And with the flag it crashes with or without patch for bug 280844. So it can be another bug in DeutschSchorrWaite from jsgc.c
This is the dupe indeed. *** This bug has been marked as a duplicate of 283064 ***
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: