Bug#670586: iceweasel:[regression 3.5.16-13 > 14] JavaScript SIGSEGV

[Mike Hommey]

On Tue, May 08, 2012 at 11:51:45PM +0100, Steven Chamberlain wrote:
> Hi again,
> 
> I've narrowed the regression down to this (somewhat secretive) patch:
> 
> squeeze-patches/Bug-732951.-r-bsmedberg-a-akeybl.patch
> 
> I verified that on my own build of iceweasel 3.5.16-14 I could reproduce
> the crash;  and that reverting that commit prevents it.

Could you check with the attached patch?

Thanks

Mike
-------------- next part --------------
diff --git a/xpcom/string/public/nsTSubstring.h b/xpcom/string/public/nsTSubstring.h
index a6d551d..d8fd028 100644
--- a/xpcom/string/public/nsTSubstring.h
+++ b/xpcom/string/public/nsTSubstring.h
@@ -421,7 +421,7 @@ class nsTSubstring_CharT
          * buffer sizing
          */
 
-      NS_COM void NS_FASTCALL SetCapacity( size_type newCapacity );
+      NS_COM PRBool NS_FASTCALL SetCapacity( size_type newCapacity );
 
       NS_COM PRBool NS_FASTCALL SetLength( size_type newLength );
 
diff --git a/xpcom/string/src/nsTSubstring.cpp b/xpcom/string/src/nsTSubstring.cpp
index b9d5724..3dc4a79 100644
--- a/xpcom/string/src/nsTSubstring.cpp
+++ b/xpcom/string/src/nsTSubstring.cpp
@@ -550,7 +550,7 @@ nsTSubstring_CharT::Replace( index_type cutStart, size_type cutLength, const sub
       tuple.WriteTo(mData + cutStart, length);
   }
 
-void
+PRBool
 nsTSubstring_CharT::SetCapacity( size_type capacity )
   {
     // capacity does not include room for the terminating null char
@@ -568,7 +568,7 @@ nsTSubstring_CharT::SetCapacity( size_type capacity )
         char_type* oldData;
         PRUint32 oldFlags;
         if (!MutatePrep(capacity, &oldData, &oldFlags))
-          return; // out-of-memory
+          return PR_FALSE; // out-of-memory
 
         // compute new string length
         size_type newLen = NS_MIN(mLength, capacity);
@@ -590,23 +590,17 @@ nsTSubstring_CharT::SetCapacity( size_type capacity )
         // for backwards compat with the old string implementation.
         mData[capacity] = char_type(0);
       }
+    return PR_TRUE;
   }
 
 PRBool
 nsTSubstring_CharT::SetLength( size_type length )
   {
-    SetCapacity(length);
+    if (!SetCapacity(length))
+      return PR_FALSE;
 
-    // XXX(darin): SetCapacity may fail, but it doesn't give us a way to find
-    // out.  We should improve that.  For now we just verify that the capacity
-    // changed as expected as a means of error checking.
- 
-    size_type capacity = Capacity();
-    if (capacity != size_type(-1) && capacity >= length) {
-      mLength = length;
-      return PR_TRUE;
-    }
-    return PR_FALSE;
+    mLength = length;
+    return PR_TRUE;
   }
 
 void