Closed
Bug 69607
Opened 24 years ago
Closed 24 years ago
hard crash when executing VERY simple javascript
Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla0.9
People: Reporter: f300v10, Assigned: brendan
Keywords: crash, js1.5
Attachments (2 files):
  329 bytes, text/html (testcase)
  709 bytes, patch
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22 i586; en-US; 0.8) Gecko/20010220
BuildID: 2001022012
This very short javascript code causes a crash ( or hung browser) on both linux
and windows. Also this problem was not in the Feb 15 build, it appears to have
shown up on the 16th or 17th. I have noticed that with just a slight change to
the code no crash occurs.
http://216.227.33.173/mozilla_test/js_ok.html
I just removed the else condition, and it does not crash. This bug may be related
to 66046 but I don't think so, since this just showed up in the latest builds.
The URLs given point to my server at home, and my DSL is acting up, so if it
does not work the first time, try back later. Thanks.
Reproducible: Always
Steps to Reproduce:
1. Go to above URL, that's it.
Actual Results: Crash.
Expected Results: Should not crash.
Here is the html of the test case. It does not do very much, this is a very
reduced case from the script I found the bug on.
<html>
<head>
<title> True/False Test Crash</title>
</head>
<body>
This is a test case that will cause a crash.<br>
<script type="text/javascript">
var test1;
var test2;
var test3;
if( false){
test1 = 1;
}else{
test2 = 0;
}
if( false){
test3 = 0;
}
</script>
End of test case.
</body>
</html>
Comment 2 • 24 years ago
Comment 3 • 24 years ago
Confirming on WinNT and Linux with builds from yesterday (2001-02-19).
Changing OS from "Linux" --> "All".
Linux stack trace:
#0 0x40240259 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2935
#1 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#2 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#3 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#4 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#5 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#6 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#7 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#8 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#9 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#10 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#11 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#12 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#13 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#14 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#15 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#16 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#17 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#18 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#19 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#20 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#21 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#22 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#23 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#24 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#25 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#26 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#27 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#28 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#29 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#30 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#31 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#32 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#33 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#34 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#35 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#36 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#37 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#38 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#39 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#40 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
etc.
etc.
(gdb) p* cx
$1 = {links = {next = 0x86474f0, prev = 0x8480d38}, interpLevel = 0,
version = JSVERSION_DEFAULT, jsop_eq = 18 '\022',
jsop_ne = 19 '\023', runtime = 0x8110c10,
stackPool = {first = {next = 0x0, base = 139146584, limit = 139146584,
avail = 139146584}, current = 0x84b3548, arenasize = 8192, mask = 3},
fp = 0xbfffe774, codePool = {first = {
next = 0x882eca8, base = 139146616, limit = 139146616, avail = 139146616},
current = 0x882eca8, arenasize = 1024, mask = 0},
notePool = {first = {next = 0x8660788, base = 139146644, limit = 139146644,
avail = 139146644}, current = 0x8660788,
arenasize = 256, mask = 0}, tempPool = {first = {next = 0x885c428, base =
139146672, limit = 139146672, avail = 139146672},
current = 0x85679c0, arenasize = 1024, mask = 7}, globalObject = 0x84aa158,
newborn = {0x8553538, 0x8553e78, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0}, regExpStatics = {input = 0x0, multiline = 0, parenCount = 0,
moreLength = 0, parens = {{length = 0,
chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0},
{length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {
length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars
= 0x0}, {length = 0, chars = 0x0}},
moreParens = 0x0, lastMatch = {length = 0, chars = 0x402708e8}, lastParen =
{length = 0, chars = 0x402708e8}, leftContext = {
length = 0, chars = 0x402708e8}, rightContext = {length = 0, chars =
0x402708e8}}, sharpObjectMap = {depth = 0,
sharpgen = 0, table = 0x0}, argumentFormatMap = 0x85568d8, lastMessage =
0x0, tracefp = 0x0, branchCallback = 0x40660208,
errorReporter = 0x4065f750, data = 0x851ce80, dormantFrameChain = 0x0, thread
= 134651448, requestDepth = 0, scopeToShare = 0x0,
rval2 = 0, rval2set = 0 '\000', throwing = 0 '\000', exception = 0, options =
0, scannerVersion = JSVERSION_DEFAULT,
localeCallbacks = 0x0, resolving = 0x0, stackHeaders = 0x0}
(gdb) p* pn
$2 = {pn_type = TOK_SEMI, pn_pos = {begin = {index = 12, lineno = 19}, end =
{index = 13, lineno = 19}}, pn_op = JSOP_NOP,
pn_offset = 0, pn_arity = PN_UNARY, pn_u = {func = {fun = 0x8567b00, body =
0x8567b30, flags = 1, tryCount = 1096349697},
list = {head = 0x8567b00, tail = 0x8567b30, count = 1, extra = 1096349697},
ternary = {kid1 = 0x8567b00, kid2 = 0x8567b30,
kid3 = 0x1}, binary = {left = 0x8567b00, right = 0x8567b30, val = 1},
unary = {kid = 0x8567b00, num = 139885360}, name = {
atom = 0x8567b00, expr = 0x8567b30, slot = 1, attrs = 1096349697}, dval =
1.7021718260471125e-268}, pn_next = 0x0}
(gdb) p* tc
$3 = {flags = 1, tryCount = 0, topStmt = 0x0, decls = {list = 0x85679f0, table =
0x0, count = 3}, nodeList = 0x0}
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Comment 5 • 24 years ago
Note the change in line number at the top of the stack:
#0 0x40240259 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2935
#1 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
Comment 6 • 24 years ago
Reassigning to brendan (who's been hacking in here and recycling nodes).
This blows the stack for me on NT with a JS engine I just updated from the tip.
This is an infinite recursion in:
case PN_UNARY:
/* Our kid may be null (e.g. return; vs. return e;). */
pn1 = pn->pn_kid;
if (pn1 && !js_FoldConstants(cx, pn1, tc))
return JS_FALSE;
break;
pn->pn_kid is equal to pn so it just keeps going.
(as the dump above shows) pn_pos claims to be at line 19 index 12-13 - this
seems to point to the space after "test3=". MSDEV won't show me the other end of
the stack when the stack gets blown.
Assignee: rogerl → brendan
Comment 7 (Assignee) • 24 years ago
Duh! Shaver enabled a code path that exposed a bug latent since bug 33390's
patch went in. It's an egregious error to recycle a JSParseNode twice. Patch
coming right up.
/be
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9
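An added example, written for this page in C and not taken from jsparse.c or the attached patch, showing the failure mode comments 6 and 7 describe: a parse node that is handed back to a free list twice is later allocated twice, so a parent node ends up being its own kid, and a recursive constant folder that trusts the tree never terminates. The node layout, the pool functions (pool_new, pool_recycle) and the fold routine are this example's own simplifications, not SpiderMonkey's; the self-reference check mirrors the "pn->pn_kid is equal to pn" observation from comment 6, and the depth bound is a belt-and-braces guard against longer cycles.

```c
/* Toy parse-node pool modelling a double-recycle bug (example code, not
 * Mozilla's). Names and layout are this example's own assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct Node {
    int kind;            /* 0 = leaf constant, 1 = unary negate (one kid) */
    int value;           /* constant value for leaves / folded nodes */
    struct Node *kid;    /* child of a unary node, NULL for leaves */
    struct Node *next;   /* free-list link while the node is recycled */
} Node;

typedef struct { Node *free_list; } Pool;

/* Hand out a recycled node if one is available, otherwise allocate. */
static Node *pool_new(Pool *p, int kind, int value, Node *kid) {
    Node *n;
    if (p->free_list) {
        n = p->free_list;
        p->free_list = n->next;
    } else {
        n = malloc(sizeof *n);
        if (!n) abort();
    }
    n->kind = kind; n->value = value; n->kid = kid; n->next = NULL;
    return n;
}

/* Push a node onto the free list. Calling this twice on the same node
 * makes the node link to itself, so pool_new returns it twice in a row. */
static void pool_recycle(Pool *p, Node *n) {
    n->next = p->free_list;
    p->free_list = n;
}

/* Fold unary-negate-of-constant into a constant. Returns false instead
 * of recursing forever when the tree is corrupt: a node that is its own
 * kid (the exact shape seen in comment 6), or nesting past max_depth. */
static bool fold(Node *pn, int depth, int max_depth) {
    if (depth > max_depth) return false;
    if (pn->kind == 1) {
        Node *kid = pn->kid;
        if (kid == pn) return false;            /* self-cycle: bail out */
        if (kid && !fold(kid, depth + 1, max_depth)) return false;
        if (kid && kid->kind == 0) {            /* -(const) -> const */
            pn->kind = 0; pn->value = -kid->value; pn->kid = NULL;
        }
    }
    return true;
}

/* Build "-(7)" after recycling a scratch node n_recycles times. Returns
 * whether folding succeeded; on success *folded_value receives the result.
 * With n_recycles == 2 the kid and the parent are the same node. */
static bool demo(int n_recycles, int *folded_value) {
    Pool p = { NULL };
    Node *tmp = pool_new(&p, 0, 1, NULL);       /* constructed scratch node */
    for (int i = 0; i < n_recycles; i++) pool_recycle(&p, tmp);
    Node *kid = pool_new(&p, 0, 7, NULL);
    Node *parent = pool_new(&p, 1, 0, kid);
    bool ok = fold(parent, 0, 64);
    if (ok && folded_value) *folded_value = parent->value;
    /* Free each distinct node exactly once (they may alias after the bug). */
    if (parent != kid) free(kid);
    free(parent);
    if (tmp != kid && tmp != parent) free(tmp);
    return ok;
}

int main(void) {
    int v = 0;
    printf("recycled once : %s, value %d\n", demo(1, &v) ? "folded" : "corrupt", v);
    printf("recycled twice: %s\n", demo(2, &v) ? "folded" : "corrupt");
    return 0;
}
```

Run as written, the first line reports a clean fold to -7 and the second reports the corrupt, self-referential tree instead of blowing the stack; the real fix, as comment 7 says, is never to recycle a node twice, and the guard in fold only turns an unbounded recursion into a detectable parse failure.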
Comment 8 (Assignee) • 24 years ago
Comment 9 • 24 years ago
Man, I really opened a can of worms with that ``easy one-liner'', didn't I?
r=shaver
Comment 10 • 24 years ago
sr=jband
Comment 11 (Assignee) • 24 years ago
Fixed.
/be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 12 • 24 years ago
Scott's testcase has been added to the JS testsuite as follows:
js/tests/js1_5/Regress/regress-69607.js
Comment 13 • 24 years ago
Verified with standalone JS shell built on WinNT, Linux, and Mac.
The above testcase passes on all three platforms.
Status: RESOLVED → VERIFIED