Bugzilla@Mozilla – Bug 509075
Crash [@ js_ValueToString]
Last modified: 2010-11-06 18:30:26 PDT
Created attachment 393222 [details] testcase
Created attachment 393223 [details] stack
crashes mac 1.9.2 @ JS_HashTableDestroy bp-b5d38e43-91b8-4994-8ac7-bacb62090807
I suck :(.
Created attachment 393249 [details] [review] Fix
The fix here is the argc == 0 check; the rest of it is updating the code to use shiny new APIs.
I'm so sorry, I didn't think this was security-sensitive. Not bad for my fuzzer's first bug ;)
http://hg.mozilla.org/mozilla-central/rev/8b71bff4079d
Re-reported as bug 598669 / ZDI-CAN-929.
Why wasn't this fix backported to 1.9.2, especially if it's been fixed on trunk for a year? :/
I crashed with this testcase in 3.5.12pre (bp-efdae1d6-c261-42ba-a8a2-be5882100924 -- pthread_mutex_lock, something else?) but after upgrading to a current nightly I no longer crash. Is this problem a regression between 1.9.1 and 1.9.2?
I take back comment 9: it doesn't seem to crash in 1.9.1 if I open the testcase in a new tab, but if I just click the link to navigate from the bug to the testcase it goes down immediately. Another pthread_mutex_lock crash, but with symbols this time so it does look like the same area as this bug and bug 598669 bp-2fa1fcef-aab5-46a8-b5df-8ea972100924
Created attachment 478904 [details] [review] 1.9.2 fix.
Comment on attachment 478904 [details] [review] 1.9.2 fix.
Thanks!
Comment on attachment 478904 [details] [review] 1.9.2 fix.
This applies to 1.9.1 as well, and while I cannot trigger a crash in 1.9.1 locally, this should be fixed there as well.
Comment on attachment 478904 [details] [review] 1.9.2 fix.
a=LegNeato for 1.9.2.11 and 1.9.1.14
Looks like jst checked this in: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6f77c13209a8
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/54ff003f8cb0
Crashtest: http://hg.mozilla.org/mozilla-central/rev/0981dd4be638