Closed Bug 120571 Opened 23 years ago Closed 23 years ago

JS crash: try/catch/continue.

Categories

(Core :: JavaScript Engine, defect)

x86
FreeBSD
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla0.9.8

People

(Reporter: timeless, Assigned: brendan)

Details

(Keywords: crash, js1.5, Whiteboard: [QA note: verify any fix interactively])

Attachments

(2 files)

freebsd. worldgate 0.9.7 branch build. worldgate chrome (modified)

Assertion failure: top != 0, at /home/timeless/wgate/mozilla/js/src/jsopcode.c:624
Program received signal SIGABRT, Aborted.
0x286a67d0 in kill () from /usr/lib/libc_r.so.4
(gdb) where
#0 0x286a67d0 in kill () from /usr/lib/libc_r.so.4
#1 0x286f0d26 in abort () from /usr/lib/libc_r.so.4
#2 0x2816904d in JS_Assert (s=0x28176761 "top != 0", file=0x281766c0 "/home/timeless/wgate/mozilla/js/src/jsopcode.c", ln=624) at /home/timeless/wgate/mozilla/js/src/jsutil.c:174
#3 0x2813c307 in PopOff (ss=0xbfbfc504, op=JSOP_LEAVEWITH) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:624
#4 0x2813e3ec in Decompile (ss=0xbfbfc504, pc=0x832cb71 "\004\006ÿ¬\004\006", nb=77) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:1221
#5 0x2813e87e in Decompile (ss=0xbfbfc504, pc=0x832cb45 "\a", nb=97) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:1287
#6 0x2813ea7f in Decompile (ss=0xbfbfc504, pc=0x832cb31 "\a", nb=284) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:1310
#7 0x2813e87e in Decompile (ss=0xbfbfc504, pc=0x832ca79 "\a\001\037;", nb=356) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:1287
#8 0x28142147 in js_DecompileCode (jp=0x84cfd80, script=0x832ca00, pc=0x832ca34 ";", len=356) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:2276
#9 0x281422fd in js_DecompileScript (jp=0x84cfd80, script=0x832ca00) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:2296
#10 0x2814267b in js_DecompileFunction (jp=0x84cfd80, fun=0x83335e0) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:2390
#11 0x280e24d8 in JS_DecompileFunction (cx=0x8304200, fun=0x83335e0, indent=0) at /home/timeless/wgate/mozilla/js/src/jsapi.c:3219
#12 0x2810ce98 in fun_toString_sub (cx=0x8304200, obj=0x8340ad0, indent=0, argc=0, argv=0x84cb06c, rval=0xbfbfc710) at /home/timeless/wgate/mozilla/js/src/jsfun.c:1372
#13 0x2810cef9 in fun_toString (cx=0x8304200, obj=0x8340ad0, argc=0, argv=0x84cb06c, rval=0xbfbfc710) at /home/timeless/wgate/mozilla/js/src/jsfun.c:1382
#14 0x28113ff6 in js_Invoke (cx=0x8304200, argc=0, flags=2) at /home/timeless/wgate/mozilla/js/src/jsinterp.c:832
#15 0x281143eb in js_InternalInvoke (cx=0x8304200, obj=0x8340ad0, fval=136894488, flags=0, argc=0, argv=0x0, rval=0xbfbfc884) at /home/timeless/wgate/mozilla/js/src/jsinterp.c:924
#16 0x281397be in js_TryMethod (cx=0x8304200, obj=0x8340ad0, atom=0x80eb140, argc=0, argv=0x0, rval=0xbfbfc884) at /home/timeless/wgate/mozilla/js/src/jsobj.c:3378
#17 0x28137d79 in js_DefaultValue (cx=0x8304200, obj=0x8340ad0, hint=JSTYPE_VOID, vp=0xbfbfd2e4) at /home/timeless/wgate/mozilla/js/src/jsobj.c:2938
#18 0x2811c2a6 in js_Interpret (cx=0x8304200, result=0xbfbfd3dc) at /home/timeless/wgate/mozilla/js/src/jsinterp.c:2239
#19 0x28114074 in js_Invoke (cx=0x8304200, argc=1, flags=2) at /home/timeless/wgate/mozilla/js/src/jsinterp.c:849
#20 0x281143eb in js_InternalInvoke (cx=0x8304200, obj=0x8427990, fval=138574288, flags=0, argc=1, argv=0xbfbfd830, rval=0xbfbfd5a4) at /home/timeless/wgate/mozilla/js/src/jsinterp.c:924
#21 0x280e2a65 in JS_CallFunctionValue (cx=0x8304200, obj=0x8427990, fval=138574288, argc=1, argv=0xbfbfd830, rval=0xbfbfd5a4) at /home/timeless/wgate/mozilla/js/src/jsapi.c:3405
#22 0x29760870 in nsJSContext::CallEventHandler (this=0x82e2e00, aTarget=0x8427990, aHandler=0x84279d0, argc=1, argv=0xbfbfd830, aBoolResult=0xbfbfd6c0, aReverseReturnResult=0) at /home/timeless/wgate/mozilla/dom/src/base/nsJSEnvironment.cpp:1008
#23 0x297a8f2b in nsJSEventListener::HandleEvent (this=0x83dfca0, aEvent=0x84ae908) at /home/timeless/wgate/mozilla/dom/src/events/nsJSEventListener.cpp:180
#24 0x2913700a in nsEventListenerManager::HandleEventSubType (this=0x83e04c0, aListenerStruct=0x83cf900, aDOMEvent=0x84ae908, aCurrentTarget=0x84bbbf0, aSubType=4, aPhaseFlags=2) at /home/timeless/wgate/mozilla/content/events/src/nsEventListenerManager.cpp:1214
#25 0x29137b8c in nsEventListenerManager::HandleEvent (this=0x83e04c0, aPresContext=0x836e800, aEvent=0xbfbfe5dc, aDOMEvent=0xbfbfe3f0, aCurrentTarget=0x84bbbf0, aFlags=2, aEventStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/content/events/src/nsEventListenerManager.cpp:1382
#26 0x29397d7f in nsGenericElement::HandleDOMEvent (this=0x83a2180, aPresContext=0x836e800, aEvent=0xbfbfe5dc, aDOMEvent=0xbfbfe3f0, aFlags=2, aEventStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/content/base/src/nsGenericElement.cpp:1867
#27 0x2915ee68 in nsGenericHTMLElement::HandleDOMEventForAnchors (this=0x83a2180, aOuter=0x83a2180, aPresContext=0x836e800, aEvent=0xbfbfe5dc, aDOMEvent=0xbfbfe3f0, aFlags=2, aEventStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:1310
#28 0x29179259 in nsHTMLAnchorElement::HandleDOMEvent (this=0x83a2180, aPresContext=0x836e800, aEvent=0xbfbfe5dc, aDOMEvent=0xbfbfe3f0, aFlags=2, aEventStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/content/html/content/src/nsHTMLAnchorElement.cpp:419
#29 0x2938de87 in nsGenericDOMDataNode::HandleDOMEvent (this=0x83e0590, aPresContext=0x836e800, aEvent=0xbfbfe5dc, aDOMEvent=0xbfbfe3f0, aFlags=1, aEventStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/content/base/src/nsGenericDOMDataNode.cpp:730
#30 0x293e9527 in nsTextNode::HandleDOMEvent (this=0x83e0580, aPresContext=0x836e800, aEvent=0xbfbfe5dc, aDOMEvent=0x0, aFlags=1, aEventStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/content/base/src/nsTextNode.cpp:260
#31 0x29aff0b1 in PresShell::HandleEventInternal (this=0x836ec00, aEvent=0xbfbfe5dc, aView=0x0, aFlags=1, aStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/layout/html/base/src/nsPresShell.cpp:5849
#32 0x29afeeaa in PresShell::HandleEventWithTarget (this=0x836ec00, aEvent=0xbfbfe5dc, aFrame=0x83dc2b8, aContent=0x83e0580, aFlags=1, aStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/layout/html/base/src/nsPresShell.cpp:5820
#33 0x29147875 in nsEventStateManager::CheckForAndDispatchClick (this=0x83c4800, aPresContext=0x836e800, aEvent=0xbfbfed90, aStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/content/events/src/nsEventStateManager.cpp:2463
#34 0x291444cc in nsEventStateManager::PostHandleEvent (this=0x83c4800, aPresContext=0x836e800, aEvent=0xbfbfed90, aTargetFrame=0x83dc2b8, aStatus=0xbfbfebe4, aView=0x83d4d00) at /home/timeless/wgate/mozilla/content/events/src/nsEventStateManager.cpp:1545
#35 0x29aff291 in PresShell::HandleEventInternal (this=0x836ec00, aEvent=0xbfbfed90, aView=0x83d4d00, aFlags=1, aStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/layout/html/base/src/nsPresShell.cpp:5869
#36 0x29afeb11 in PresShell::HandleEvent (this=0x836ec00, aView=0x83d4d00, aEvent=0xbfbfed90, aEventStatus=0xbfbfebe4, aForceHandle=1, aHandled=@0xbfbfeb80) at /home/timeless/wgate/mozilla/layout/html/base/src/nsPresShell.cpp:5774
#37 0x29e00bb7 in nsView::HandleEvent (this=0x83d4d00, event=0xbfbfed90, aEventFlags=0, aStatus=0xbfbfebe4, aForceHandle=1, aHandled=@0xbfbfeb80) at /home/timeless/wgate/mozilla/view/src/nsView.cpp:374
#38 0x29e1009d in nsViewManager::DispatchEvent (this=0x83c4100, aEvent=0xbfbfed90, aStatus=0xbfbfebe4) at /home/timeless/wgate/mozilla/view/src/nsViewManager.cpp:1908
#39 0x29dfff6e in HandleEvent (aEvent=0xbfbfed90) at /home/timeless/wgate/mozilla/view/src/nsView.cpp:80
#40 0x28983465 in nsWidget::DispatchEvent (this=0x83c6200, aEvent=0xbfbfed90, aStatus=@0xbfbfecd4) at /home/timeless/wgate/mozilla/widget/src/gtk/nsWidget.cpp:1408
#41 0x28983005 in nsWidget::DispatchWindowEvent (this=0x83c6200, event=0xbfbfed90) at /home/timeless/wgate/mozilla/widget/src/gtk/nsWidget.cpp:1299
#42 0x28983563 in nsWidget::DispatchMouseEvent (this=0x83c6200, aEvent=@0xbfbfed90) at /home/timeless/wgate/mozilla/widget/src/gtk/nsWidget.cpp:1435
#43 0x28984ba1 in nsWidget::OnButtonReleaseSignal (this=0x83c6200, aGdkButtonEvent=0x820c018) at /home/timeless/wgate/mozilla/widget/src/gtk/nsWidget.cpp:1986
#44 0x2898b6ee in nsWindow::HandleGDKEvent (this=0x83c6200, event=0x820c018) at /home/timeless/wgate/mozilla/widget/src/gtk/nsWindow.cpp:1625
#45 0x2897a988 in dispatch_superwin_event (event=0x820c018, window=0x83c6200) at /home/timeless/wgate/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:947
#46 0x2897a47e in handle_gdk_event (event=0x820c018, data=0x0) at /home/timeless/wgate/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:768
#47 0x284d68ec in gdk_event_dispatch () from /usr/X11R6/lib/libgdk12.so.2
#48 0x28504d03 in g_main_dispatch () from /usr/local/lib/libglib12.so.3
#49 0x2850532c in g_main_iterate () from /usr/local/lib/libglib12.so.3
#50 0x285054c4 in g_main_run () from /usr/local/lib/libglib12.so.3
#51 0x284258b7 in gtk_main () from /usr/X11R6/lib/libgtk12.so.2
#52 0x28970b55 in nsAppShell::Run (this=0x80befa0) at /home/timeless/wgate/mozilla/widget/src/gtk/nsAppShell.cpp:349
#53 0x289071bd in nsAppShellService::Run (this=0x80c0580) at /home/timeless/wgate/mozilla/xpfe/appshell/src/nsAppShellService.cpp:302
#54 0x0805c0f4 in main1 (argc=1, argv=0xbfbff40c, nativeApp=0x0) at /home/timeless/wgate/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1316
#55 0x0805cfb1 in main (argc=1, argv=0xbfbff40c) at /home/timeless/wgate/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1651
#56 0x08055d51 in _start ()
(gdb) list
619         JSCodeSpec *cs, *topcs;
620         ptrdiff_t off;
621
622         /* ss->top points to the next free slot; be paranoid about underflow. */
623         top = ss->top;
624         JS_ASSERT(top != 0);
625         if (top == 0)
626             return 0;
627
628         ss->top = --top;
(gdb) p *ss
$2 = {sprinter = {context = 0x8304200, pool = 0x8304270, base = 0x84e5830 "ÚÚÚentry = entry.QueryInterface(Components.interfaces.nsIRDFLiteral)", size = 422, offset = 3}, offsets = 0x84e5810, opcodes = 0x84e5828 "W95=V=ÚÚÚÚÚentry = entry.QueryInterface(Components.interfaces.nsIRDFLiteral)", top = 0, printer = 0x84cfd80}
(gdb) up
#4 0x2813e3ec in Decompile (ss=0xbfbfc504, pc=0x832cb71 "\004\006ÿ¬\004\006", nb=77) at /home/timeless/wgate/mozilla/js/src/jsopcode.c:1221
1221                rval = POP_STR();
(gdb) list
1216          case JSOP_LEAVEWITH:
1217            sn = js_GetSrcNote(jp->script, pc);
1218            todo = -2;
1219            if (sn && SN_TYPE(sn) == SRC_HIDDEN)
1220                break;
1221            rval = POP_STR();
1222            LOCAL_ASSERT(strcmp(rval, with_cookie) == 0);
1223            jp->indent -= 4;
1224            js_printf(jp, "\t}\n");
1225            break;
(gdb) p sn
$3 = (jssrcnote *) 0x8335386 "(X\\Y{±°c\0033´Í`\r"
(gdb) p *jp
$4 = {sprinter = {context = 0x8304200, pool = 0x84cfd94, base = 0x8514814 "\nfunction createUBHistoryMenu(aParent) {\n if (!gRDF) {\n gRDF = Components.classes['@mozilla.org/rdf/rdf-service;1'].getService(Components.interfaces. nsIRDFService);\n }\n if (!gLocalStor"..., size = 1154, offset = 1153}, pool = {first = {next = 0x8514800, base = 139263396, limit = 139263396, avail = 139263396}, current = 0x8514800, arenasize = 256, mask = 0}, indent = 20, pretty = 1, script = 0x832ca00, scope = 0x832fe80}
(gdb) p pc
$5 = (jsbytecode *) 0x832cb71 "\004\006ÿ¬\004\006"

jesup says that our urlbar history stuff wasn't completely implemented (we just merged from 0.9.5) and he fixed that, so it's quite possible this will go away when i update.
dist/bin: ./run-mozilla.sh ./xpcshell /tmp/120571.js
Type Manifest File: /home/timeless/mozilla/obj-gtk-i386-unknown-freebsd4.4/dist/bin/components/xpti.dat
nsNativeComponentLoader: autoregistering begins.
nsNativeComponentLoader: autoregistering succeeded
nNCL: registering deferred (0)
Assertion failure: top != 0, at /home/timeless/mozilla/js/src/jsopcode.c:624
Abort trap - core dumped
minimal testcase:

function a120571() {while(0){try{}catch(ex){continue;}}}
print(a120571)

which makes this a dupe of a bug that we marked fixed recently, but i guess it's another case :) ... i'll get that bug
bug 104077 for those of you keeping score. this flavor actually crashes xpcshell.exe

function b(){for(;;){try{}catch(e){continue;}}}
print(b)
Summary: Assertion failure: top != 0, at /home/timeless/wgate/mozilla/js/src/jsopcode.c:624 → JS crash: try/catch/continue.
Either chingfa's great tests didn't smoke this out, or we didn't rerun all of them, but I know the bug you mean, timeless: bug 104077. Here's a disassembly of the minimal inline test function, with **comments**.

main:
00000:  zero
00001:  ifeq 34 (33)
00004:  try
00005:  goto 31 (26)
00008:  setsp 0
00011:  nop
00012:  name "Object"
00015:  pushobj
00016:  newinit
00017:  exception
00018:  initcatchvar "ex"
00021:  enterwith          **why the empty enterwith/leavewith block?**
00022:  leavewith          **note well the pc-offsets: 21, 22, 23**
00023:  goto 0 (-23)       **23 is the offset of the continue's goto**
00026:  leavewith
00027:  goto 31 (4)
00030:  nop
00031:  goto 0 (-31)

Source notes:
 0:   1 [  1] while offset 30
 2:   5 [  4] hidden
 3:  11 [  6] catch
 5:  21 [ 10] xdelta
 6:  21 [  0] hidden
 7:  22 [  1] continue     **but the srcnote offset is 22, not 23!**
 8:  22 [  0] hidden       **and out of order w.r.t. this one**
 9:  26 [  4] hidden
10:  27 [  1] hidden
11:  30 [  3] endbrace

Exception table:
start  end  catch
    5    8      8

I hope shaver pops up with the patch, but I'll look too, when I get time.

/be
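The two observations brendan makes on the listing above (the continue note sits on offset 22 rather than on the goto at 23, and it precedes the hidden note for the leavewith at that same offset) can be turned into a mechanical check. The script below is an added example, not brendan's code and not part of SpiderMonkey: the bytecode table and the source notes are transcribed from his comment, the "fixed" note table is constructed to show the ordering his comments call for, and the checker itself, with its two rules, is hypothetical. It models the one engine behaviour that matters for this crash: the decompiler asks for the note at a pc and sees only the first note recorded there, so a leavewith whose first note is not hidden falls through to POP_STR on an empty stack.

```javascript
// Added example (not SpiderMonkey code): consistency check over a disassembly
// listing and its source notes, transcribed from the bug comment above.

// Bytecode listing as [pc offset, opcode]; operands are omitted.
const listing = [
  [0, 'zero'], [1, 'ifeq'], [4, 'try'], [5, 'goto'], [8, 'setsp'],
  [11, 'nop'], [12, 'name'], [15, 'pushobj'], [16, 'newinit'],
  [17, 'exception'], [18, 'initcatchvar'], [21, 'enterwith'],
  [22, 'leavewith'], [23, 'goto'], [26, 'leavewith'], [27, 'goto'],
  [30, 'nop'], [31, 'goto'],
];

// Source notes as emitted by the buggy code generator (from the comment):
// the "continue" note is at offset 22 and comes before the hidden note there.
const buggyNotes = [
  { offset: 1, type: 'while' }, { offset: 5, type: 'hidden' },
  { offset: 11, type: 'catch' }, { offset: 21, type: 'xdelta' },
  { offset: 21, type: 'hidden' }, { offset: 22, type: 'continue' },
  { offset: 22, type: 'hidden' }, { offset: 26, type: 'hidden' },
  { offset: 27, type: 'hidden' }, { offset: 30, type: 'endbrace' },
];

// Constructed table with the "continue" note moved onto the goto at 23,
// so the hidden note is the only (and first) note at offset 22.
const fixedNotes = [
  { offset: 1, type: 'while' }, { offset: 5, type: 'hidden' },
  { offset: 11, type: 'catch' }, { offset: 21, type: 'xdelta' },
  { offset: 21, type: 'hidden' }, { offset: 22, type: 'hidden' },
  { offset: 23, type: 'continue' }, { offset: 26, type: 'hidden' },
  { offset: 27, type: 'hidden' }, { offset: 30, type: 'endbrace' },
];

// Models the decompiler's lookup: only the first note at a pc is visible.
function firstNoteAt(notes, offset) {
  return notes.find(n => n.offset === offset) || null;
}

function opcodeAt(listing, offset) {
  const entry = listing.find(([pc]) => pc === offset);
  return entry ? entry[1] : null;
}

// Returns a list of findings; an empty list means the tables are consistent.
function checkSrcNotes(listing, notes) {
  const findings = [];
  for (const n of notes) {
    // Rule 1 (assumed): a continue/break note must annotate the goto that
    // implements the non-local jump, not whatever happens to precede it.
    if (n.type === 'continue' || n.type === 'break') {
      const op = opcodeAt(listing, n.offset);
      if (op !== 'goto') {
        findings.push(`${n.type} note at ${n.offset} annotates ${op}, expected goto`);
      }
    }
  }
  for (const [pc, op] of listing) {
    // Rule 2 (assumed): a leavewith that closes the compiler-generated catch
    // scope must be hidden, and hidden must be the FIRST note at that pc;
    // otherwise the JSOP_LEAVEWITH case skips its early break and pops an
    // empty decompiler stack, which is the top != 0 assertion in this bug.
    if (op === 'leavewith') {
      const first = firstNoteAt(notes, pc);
      if (!first || first.type !== 'hidden') {
        findings.push(`leavewith at ${pc} is not hidden (first note: ${first ? first.type : 'none'})`);
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('buggy:', checkSrcNotes(listing, buggyNotes));
  console.log('fixed:', checkSrcNotes(listing, fixedNotes));
}
```

Run against the transcribed notes the checker reports both of brendan's points as findings; against the constructed table with the continue note on offset 23 it reports nothing. The second rule is the one worth keeping around when touching the emitter: it is exactly the assumption the JSOP_LEAVEWITH case in jsopcode.c makes without checking.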
Status: UNCONFIRMED → NEW
Ever confirmed: true
Patch in a minute. The code generator long ago grew this bug, even before exception handling. /be
Status: NEW → ASSIGNED
Keywords: js1.5, mozilla0.9.8
Target Milestone: --- → mozilla0.9.8
Attached patch proposed fixSplinter Review
Please review ASAP, I'd like to get this into 0.9.8. /be
it works if you are willing to use that as an r=.
Thanks for the testing, but testing != code review. Both are good. /be
Both of timeless' new examples have been added to the existing testcase: mozilla/js/tests/js1_5/Regress/regress-104077.js This test had contained all 13 edge cases presented by Chingfa and timeless in bug 104077, and had been passing ever since the fix for that bug went in. With the two new examples, we are up to 15 inside the test, and it is now crashing when I run it, but only in the debug JS shell. The optimized shell passes the testcase. Interactively: I can type timeless' a120571() example in the optimized shell without crashing. His b() example does crash for me. Again, both crash in the debug shell, and the testcase fails there -
Any testcase of the form

function a120571() {while(0){try{}catch(ex){continue;}}}
if (this.dis) dis(a120571)
print(a120571)

will fail without this bug's patch in the debug js shell with an assert-botch, but "pass" in the optimized shell only because assertions are off, and "pass" only in the sense that the shell doesn't crash. The optimized shell doesn't print anything, OTOH, so the result should not be considered a "true pass" :). /be
dbradley mentioned something about getting break instead of continue if the wrong path is taken. the following url in n6.2 generates the line of output below it javascript:function a(){for(;;)try{}catch(e){continue;}};document.write(a)
Whiteboard: [QA note: verify any fix interactively]
hrm. that sucks, i must have had an embedded null somewhere.
Specifically, what I saw was that in the JSOP_LEAVEWITH case (http://lxr.mozilla.org/seamonkey/source/js/src/jsopcode.c#1216) the if statement wasn't true. It continued past the break and that's where it tried to pop when there wasn't anything to pop. I thought I'd see if taking the break at that point might produce the desired output. It didn't crash, but it output the statement "break;" instead of the expected "continue;". Not sure if that's much help.
timeless, dbradley: please to be trying the patch, it cures all ills. Where are my code reviewers? shaver's traveling -- jband, can you sr? /be
well, let's ignore n6's ability to corrupt the first few chars, the output is:

function a() { for (;;) { try { } catch (e) { } break; } } }

[the input had continue, not break]. any chance of finding a qualified reviewer? brendan: is 'please to be trying' a question or appreciation? i already said it worked. some day in the distant future i might become a qualified reviewer for jseng, but i suspect js2 will happen first.
oh right, well here was the point i tried to make in Comment 11: pschwartau@netscape.com could you please make the tests check that the value isn't null (as brendan noted about the basic assert in nondebug) and also that they contain break / continue where appropriate?
timeless, I'm sure your many comments in bugs and IRC are clear and meaningful to you, but they're often opaque to everyone else. Apart from the paste problem, it was not clear that you were using the patch, or that you were commenting on the patch's coverage of break as well as continue, rather than noting an outstanding problem that the patch doesn't fix. /be
Following Brendan's and timeless' suggestions, have made the last two cases in the testcase more precise by testing for the string 'continue' in a120571.toString() and in b.toString()
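The check described in the two comments above (toString() must return a real string, and it must contain continue rather than break) is the regression test a practitioner would keep for this class of bug. The script below is an added example written for this page; it is not regress-104077.js and not any code from the bug. It stringifies the three shapes timeless posted (while(0) with braces, for(;;) with braces, for(;;) without braces) and checks each result. The functions are only ever stringified, never called: the two for(;;) variants would loop forever, since their empty try never throws and the catch never runs. Note that engines today return the original source text from Function.prototype.toString rather than decompiling bytecode, so this script cannot reproduce the 2002 crash; it shows the shape of the assertion, not the failure.

```javascript
// Added example, not part of the bug's own testcase. The three cases are
// the shapes posted in this bug; the checker and its rules are mine.
const cases = {
  // timeless' minimal case: while(0) so the body never runs.
  a120571: function a120571() { while (0) { try {} catch (ex) { continue; } } },
  // the braced for(;;) flavor that crashed xpcshell.
  b: function b() { for (;;) { try {} catch (e) { continue; } } },
  // the brace-less flavor from the javascript: URL.
  c: function c() { for (;;) try {} catch (e) { continue; } },
};

// Stringify one function and report what is wrong with the result, if
// anything. Returns an object rather than throwing so a test harness can
// aggregate results across many cases.
function checkDecompile(fn) {
  const src = fn.toString();
  const problems = [];
  if (typeof src !== 'string' || src.length === 0) {
    // The optimized shell in this bug printed nothing; treat that as a fail,
    // not a pass.
    problems.push('empty or non-string result');
  } else {
    if (!/\bcontinue\b/.test(src)) problems.push('missing "continue"');
    // dbradley's wrong-path output had "break;" where "continue;" belonged.
    if (/\bbreak\b/.test(src)) problems.push('unexpected "break"');
    if (!/\btry\b/.test(src) || !/\bcatch\b/.test(src)) problems.push('try/catch not preserved');
  }
  return { name: fn.name, ok: problems.length === 0, problems, source: src };
}

// Run every case; never invoke the functions themselves.
function runAll() {
  return Object.values(cases).map(checkDecompile);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runAll()) {
    console.log(`${r.name}: ${r.ok ? 'PASS' : 'FAIL ' + r.problems.join('; ')}`);
  }
}
```

The word-boundary regexes matter: a bare substring test for "break" would be fooled by an identifier such as breakpoint, and the check for try/catch guards against a decompiler that drops the whole handler when it fails to emit the continue.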
Comment on attachment 65532 [details] [diff] [review] proposed fix r=rogerl
Attachment #65532 - Flags: review+
Comment on attachment 65532 [details] [diff] [review] proposed fix sr=jst
Attachment #65532 - Flags: superreview+
Stack Signature MSVCRT.DLL + 0x47f2 (0x780047f2) b43da7db
Trigger Time 2002-01-18 08:52:16
Email Address jsoref@wgate.com
URL visited javascript:function a(){for(;;)try{}catch(e){continue;}};alert(a)
User Comments having fun
Build ID 2002011709
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
Stack Trace
MSVCRT.DLL + 0x47f2 (0x780047f2)
Decompile [d:\builds\seamonkey\mozilla\js\src\jsopcode.c, line 971]
js_DecompileCode [d:\builds\seamonkey\mozilla\js\src\jsopcode.c, line 2277]
js_DecompileScript [d:\builds\seamonkey\mozilla\js\src\jsopcode.c, line 2297]
js_DecompileFunction [d:\builds\seamonkey\mozilla\js\src\jsopcode.c, line 2391]
JS_DecompileFunction [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3220]
fun_toString_sub [d:\builds\seamonkey\mozilla\js\src\jsfun.c, line 1352]
fun_toString [d:\builds\seamonkey\mozilla\js\src\jsfun.c, line 1362]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 834]
js_InternalInvoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 925]
js_TryMethod [d:\builds\seamonkey\mozilla\js\src\jsobj.c, line 3379]
js_DefaultValue [d:\builds\seamonkey\mozilla\js\src\jsobj.c, line 2899]
js_ValueToString [d:\builds\seamonkey\mozilla\js\src\jsstr.c, line 2574]
JS_ValueToString [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 517]
XPCConvert::JSData2Native [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcconvert.cpp, line 570]
XPCWrappedNative::CallMethod [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp, line 1731]
XPC_WN_CallMethod [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp, line 1267]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 834]
js_Interpret [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 2799]
js_Execute [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 1014]
JS_EvaluateUCScriptForPrincipals [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3358]
nsJSContext::EvaluateString [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 677]
nsJSThunk::EvaluateScript [d:\builds\seamonkey\mozilla\dom\src\jsurl\nsJSProtocolHandler.cpp, line 261]
nsJSChannel::AsyncOpen [d:\builds\seamonkey\mozilla\dom\src\jsurl\nsJSProtocolHandler.cpp, line 579]
nsDocumentOpenInfo::Open [d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 173]
nsURILoader::OpenURIVia [d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 535]
nsURILoader::OpenURI [d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 496]
nsDocShell::DoChannelLoad [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 4555]
nsDocShell::DoURILoad [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 4339]
nsDocShell::InternalLoad [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 4151]
nsDocShell::LoadURI [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 587]
nsDocShell::LoadURI [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2313]
XPTC_InvokeByIndex [d:\builds\seamonkey\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp, line 106]
XPCWrappedNative::CallMethod [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp, line 2000]
XPC_WN_CallMethod [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp, line 1267]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 834]
js_Interpret [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 2799]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 850]
fun_apply [d:\builds\seamonkey\mozilla\js\src\jsfun.c, line 1512]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 834]
js_Interpret [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 2799]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 850]
js_InternalInvoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 925]
JS_CallFunctionValue [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3407]
nsJSContext::CallEventHandler [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 1014]
nsJSEventListener::HandleEvent [d:\builds\seamonkey\mozilla\dom\src\events\nsJSEventListener.cpp, line 182]
nsXBLPrototypeHandler::ExecuteHandler [d:\builds\seamonkey\mozilla\content\xbl\src\nsXBLPrototypeHandler.cpp, line 442]
DoKey [d:\builds\seamonkey\mozilla\content\xbl\src\nsXBLKeyHandler.cpp, line 108]
nsXBLKeyHandler::KeyPress [d:\builds\seamonkey\mozilla\content\xbl\src\nsXBLKeyHandler.cpp, line 124]
nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1642]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3359]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3340]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1627]
nsHTMLInputElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp, line 1150]
PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5988]
PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5911]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 387]
nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1909]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 83]
nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 854]
nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 871]
nsWindow::DispatchKeyEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2601]
nsWindow::OnChar [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2733]
nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3299]
Keywords: crash
sr=jband. Sure me too. It's all about trust. I like it when shaver is available to look at these jsemit tweaks too. I'm glad rogerl reviewed.

timeless: it would be appreciated if you were more explicit about the conditions of your little tests and crash stacks. AFAICT, that crash happens without the patch and does not happen with the patch.

brendan: FWIW, It looks like your last trip to jsemit.c in bug 104077 left behind some debug build type-mismatch warnings:

X:\trunk\mozilla\js\src\jsemit.c(2836) : warning C4018: '<=' : signed/unsigned mismatch
X:\trunk\mozilla\js\src\jsemit.c(2957) : warning C4018: '<=' : signed/unsigned mismatch

These are both: JS_ASSERT(cg->stackDepth <= cg->maxStackDepth);

Perhaps you'd like to stick in some casts for this checkin? rs=jband.
My results agree with jband's. With the patch applied, I do not crash on timeless' example a() above. After changing "alert" to "print", the only differences between this example and b() in Comment #3 are:

function b(){for(;;){try{}catch(e){continue;}}} print(b)
function a(){for(;;) try{}catch(e){continue;}} ;print(a)

With the patch applied, we get the same output:

function b() { for (;;) { try { } catch (e) { continue; } } }
function a() { for (;;) { try { } catch (e) { continue; } } }

Furthermore, the composite testcase now passes in both the debug and optimized JS shell -
Just ran the entire JS test suite successfully against the patch in the debug JS shell on WinNT. I got only the known failures; no regressions were introduced.
a=asa (on behalf of drivers) for checkin. Thanks for running the tests Phil.
jband: sorry, i thought it was clear, i can't generate a talkback build of my own, and until now the patch isn't in the tree, the report indicated that the crash was for the for(;;) flavor. hrm, i guess it doesn't technically say it's a talkback stack... fwiw pasting |function a(){for(;;) try{}catch(e){continue;}} ;print(a)| into xpcshell.exe from 2002012203 w32 (a fix for this bug has not been committed yet) crashes as does pasting |function b(){for(;;){try{}catch(e){continue;}}} print(b)| into the same version. [i only provided the stack/crash info because brendan told me i should show the stack and flavor of a real crash.] because talkback doesn't bind to xpcshell, to report the talkback crash i used mozilla.exe and switched from print() to alert() because print() is a dom(?) method to print to a printer in mozilla, and i don't have any idea what it would do beyond eating paper. my windows system at home doesn't know how to build optimized debug and i didn't think to make my fbsd box do it...
jband: thanks, I fixed those assertions to cast cg->stackDepth to (uintN). Curse gcc for not whining at me about such cases. As I said to jst before he sr'd, but should have said here, the patch simply (a) inline-expands the called-once js_EmitBreak and js_EmitContinue holdovers that pre-date parse-trees (!); (b) moves the SRC_CONTINUE emission into EmitGoto, so it can come after the EmitNonLocalJumpFixup. I asked timeless to produce optimized build crash evidence and set the crash keyword, which should have been done earlier to get drivers' attention -- he did that when prompted but didn't qualify the stack as showing the bug, not a further problem in the patch. Not to worry, and I won't nag timeless yet again to use a few more explanatory full sentences per bug comment :-). Thanks to timeless for his help on this bug, notwithstanding -- I mean that sincerely. /be
Fix is in. /be
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified FIXED - The above testcase, which contains all the scenarios above, now passes in the debug and optimized JS shells on WinNT, Linux, and Mac9.1. For good measure, I verified timeless' latter three examples interactively, in both the debug and optimized JS shells.
Status: RESOLVED → VERIFIED
Flags: testcase+