Closed Bug 620182 Opened 14 years ago Closed 13 years ago

[@ QuoteString | DecompileSwitch] when JSVAL_IS_DOUBLE(key) and SprintDoubleValue fails due to oom

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla7

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file, 1 obsolete file)

patch 14 years ago timeless (deleted), patch	jorendorff : review+	Details \| Diff \| Splinter Review
For checkin 13 years ago (no longer active) (deleted), patch		Details \| Diff \| Splinter Review

timeless

Assignee

Description

•

14 years ago

1168 DecompileSwitch(SprintStack *ss, TableEntry *table, uintN tableLength, 1235 todo = -1; 1236 if (table[i].label) { 1239 } else if (JSVAL_IS_DOUBLE(key)) { this can return -1 on oom: 1242 todo = SprintDoubleValue(&ss->sprinter, key, &junk); 1243 str = NULL; 1244 } else { 1248 } 1249 if (todo >= 0) { 1251 } else { and we crash under here: 1252 rval = QuoteString(&ss->sprinter, str, (jschar) 1253 (JSVAL_IS_STRING(key) ? '"' : 0)); 684 QuoteString(Sprinter *sp, JSString *str, uint32 quote) 701 str->getCharsAndEnd(s, z);

timeless

Assignee

Comment 1

•

14 years ago

Attached patch patch (obsolete) (deleted) — Details — Splinter Review

Assignee: general → timeless

Status: NEW → ASSIGNED

Attachment #498576 - Flags: review?(jorendorff)

Jason Orendorff [:jorendorff]

Updated

•

14 years ago

Attachment #498576 - Attachment is patch: true

Attachment #498576 - Attachment mime type: application/octet-stream → text/plain

Jason Orendorff [:jorendorff]

Comment 2

•

14 years ago

Comment on attachment 498576 [details] [diff] [review] patch Review of attachment 498576 [details] [diff] [review]: Write `todo < 0` instead of `todo == -1`. They're equivalent here, but `< 0` is more consistent with what the rest of the file does. r=me with that.

Attachment #498576 - Flags: review?(jorendorff) → review+

timeless

Assignee

Updated

•

14 years ago

Keywords: checkin-needed

:Ms2ger (he/him; ⌚ UTC+1/+2)

Updated

•

13 years ago

Keywords: checkin-needed

(no longer active)

Comment 3

•

13 years ago

Attached patch For checkin (deleted) — Details — Splinter Review

(no longer active)

Updated

•

13 years ago

Attachment #498576 - Attachment is obsolete: true

(no longer active)

Updated

•

13 years ago

Keywords: checkin-needed

Phil Ringnalda (:philor)

Comment 4

•

13 years ago

http://hg.mozilla.org/tracemonkey/rev/7e6f3b179644

Keywords: checkin-needed

Whiteboard: fixed-in-tracemonkey

Target Milestone: --- → mozilla7

Nobody; OK to take it and work on it

Updated

•

13 years ago

Crash Signature: [@ QuoteString | DecompileSwitch]

Chris Leary [:cdleary] (not checking bugmail)

Comment 5

•

13 years ago

http://hg.mozilla.org/mozilla-central/rev/7e6f3b179644

Status: ASSIGNED → RESOLVED

Closed: 13 years ago

Resolution: --- → FIXED

Sylvestre Ledru [:Sylvestre]

Updated

•

6 years ago

Blocks: coverity-analysis

You need to log in before you can comment on or make changes to this bug.

Bugzilla

[@ QuoteString | DecompileSwitch] when JSVAL_IS_DOUBLE(key) and SprintDoubleValue fails due to oom

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash, Whiteboard: fixed-in-tracemonkey)

Crash Data

Security

(public)

User Story

Attachments

(1 file, 1 obsolete file)

Description

Comment 1

Updated

Comment 2

Updated

Updated

Comment 3

Updated

Updated

Comment 4

Updated

Comment 5

Updated

Attachment

General

Description

File Name

Content Type