Closed
Bug 89474
Opened 24 years ago
Closed 24 years ago
JS_ValueToString(cx, DOUBLE_TO_JSVAL(0.123)) cores [WAS: JS Shell it.item() cores]
Categories: Core :: JavaScript Engine, defect
Tracking: VERIFIED FIXED
People: Reporter: darren.deridder, Assigned: khanson
Attachments (1 file): patch, 501 bytes
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (WinNT; U)
BuildID: 20010703
The standalone JS Shell interpreter cores when you type
> it.item()
It appears that line 1576 of js.c (the call to JS_SetCallReturnValue2) is where
things start to go really wrong.
I checked the code out via cvs on July 3rd and compiled with Sun cc.
Reproducible: Always
Steps to Reproduce:
1. Start the js shell
2. type it.item()
3. core
Updated•24 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Solaris → All
Hardware: Sun → All
Comment 1•24 years ago
Using JS shell pulled today, 2001-07-05. I do not crash by typing
it.item();
however, I DO crash by typing
print(it.item());
WinNT stack trace:
js_ValueToString(JSContext * 0x00301df0, long -623191334) line 2385 + 6 bytes
js_ValueToStringAtom(JSContext * 0x00301df0, long -623191334) line 679 + 13 bytes
js_Interpret(JSContext * 0x00301df0, long * 0x0012fed8) line 2726 + 159 bytes
js_Execute(JSContext * 0x00301df0, JSObject * 0x002fb340, JSScript * 0x0030a810, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 986 + 13 bytes
JS_ExecuteScript(JSContext * 0x00301df0, JSObject * 0x002fb340, JSScript * 0x0030a810, long * 0x0012fed8) line 3169 + 25 bytes
Process(JSContext * 0x00301df0, JSObject * 0x002fb340, char * 0x00000000) line 371 + 22 bytes
ProcessArgs(JSContext * 0x00301df0, JSObject * 0x002fb340, char * * 0x00300074, int 0) line 529 + 17 bytes
main(int 0, char * * 0x00300074) line 2097 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1ba06()
FUNCTION AT CRASHPOINT:
JSString *
js_ValueToString(JSContext *cx, jsval v)
{
    JSObject *obj;
    JSString *str;

    if (JSVAL_IS_OBJECT(v)) {
        obj = JSVAL_TO_OBJECT(v);
        if (!obj)
            return ATOM_TO_STRING(cx->runtime->atomState.nullAtom);
        if (!OBJ_DEFAULT_VALUE(cx, obj, JSTYPE_STRING, &v))
            return NULL;
    }
    if (JSVAL_IS_STRING(v)) {
        str = JSVAL_TO_STRING(v);
    } else if (JSVAL_IS_INT(v)) {
        str = js_NumberToString(cx, JSVAL_TO_INT(v));
    } else if (JSVAL_IS_DOUBLE(v)) {
        str = js_NumberToString(cx, *JSVAL_TO_DOUBLE(v)); /* <<<<<<<< CRASHED HERE */
    } else if (JSVAL_IS_BOOLEAN(v)) {
        str = js_BooleanToString(cx, JSVAL_TO_BOOLEAN(v));
    } else {
        str = ATOM_TO_STRING(cx->runtime->atomState.typeAtoms[JSTYPE_VOID]);
    }
    return str;
}
Comment 2 (Reporter)•24 years ago
Some additional characterizations... the behaviour is somewhat inconsistent:
"it.item()" will not seg core if it is the first operation being performed on
"it". The call to jsstr.c:js_valueToString in this case evaluates parameter "v"
as an object. If any other operation has been performed on "it" since starting
the js shell, calling it.item() will cause a seg core. The call to
jsstr.c:js_valueToString in this case evaluates parameter "v" as a double. Then
the call JSVAL_TO_DOUBLE fails.
My stack trace is quite similar.
Comment 3•24 years ago
Darren is right; all you have to do is type it.item() twice to crash.
The first time you don't crash, but the second time you do.
I can't find "it" as a reserved word in ECMA-262. But look at this
output from the JS shell:
js> it
[object It]
js> typeof it
object
js> Object.prototype.toString.apply(it)
[object It]
js> Object.prototype.toString.apply(it.prototype)
[object global]
js> for (prop in it){print(prop)}
color
height
width
funny
array
js> typeof it.color
undefined
js> it.array.length
13: TypeError: it.array has no properties
js> var obj = new Object()
js> for (prop in obj){print(prop)}
js> obj.__proto__ = it
[object It]
js> for (prop in obj){print(prop)}
color
height
width
funny
array
Comment 4•24 years ago
Seems to be a problem only with the JS shell. Trying this HTML
<SCRIPT>
it.item();
it.item();
it.item();
it.item();
</SCRIPT>
simply produces this error in the JavaScript Console:
Error: it is not defined
Line: 2
and there is no crash -
Comment 5•24 years ago
Testcase added to JS test suite -
js/tests/js1_5/Regress/regress-89474.js
Comment 7 (Reporter)•24 years ago
It makes sense that this is only a problem in the JS Shell, because the object
known as "it" is only defined within the js shell (js.c). But this bug is
coming back to haunt me, and I think the issue may be more severe than a mere
quirk in the JS Shell. It appears that JS_ValueToString will always core if
used with DOUBLE_TO_JSVAL(x) where x is a double with the whole number part
equal to zero.
i.e.
// THIS CORES!
JS_ValueToString(cx, DOUBLE_TO_JSVAL(0.123));
Perhaps the title / severity of this bug should be modified pending verification
of this behaviour... any thoughts?
Comment 8•24 years ago
Updating summary; cc'ing Brendan -
Summary: JS Shell it.item() cores → JS_ValueToString(cx, DOUBLE_TO_JSVAL(0.123)) cores [WAS: JS Shell it.item() cores]
Comment 9•24 years ago
This bug is invalid. DOUBLE_TO_JSVAL takes a jsdouble *, not a jsdouble. It
casts (as it must) the parameter to (jsval), which chops 32 bits out of the
double you're passing literally. Don't pass doubles, literal or otherwise, to
DOUBLE_TO_JSVAL.
/be
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
Comment 10•24 years ago
Sorry, I closed this prematurely. Passing a double to DOUBLE_TO_JSVAL is
invalid, but as Darren kindly pointed out to me in email, the js shell crash in
the original comment (upon the *second* it.item() call in the shell) still needs
to be fixed. Patch coming up.
/be
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Comment 11•24 years ago
Comment 12•24 years ago
So the bug reported in the first comment (but not cited in the summary) was that
js.c:its_item used argv[0] without checking that argc was != 0. That's a UMR,
in purify parlance. The fix is trivial, and I'm going to check it in forthwith
(js.c is not part of Mozilla builds).
/be
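The two points Brendan makes above (Comment 9: DOUBLE_TO_JSVAL takes a jsdouble *, not a jsdouble; Comment 12: its_item read argv[0] without checking argc), as an added C illustration that is not from this bug's patch or SpiderMonkey's sources. The jsval tagging macros, its_item_checked and call_its_item are a simplified model written for this example, not the engine's real definitions.

```c
#include <stddef.h>
#include <stdint.h>

/* Added model of the era's jsval (not SpiderMonkey's headers): the low two
 * bits tag the word and a double lives out of line, which is why
 * DOUBLE_TO_JSVAL takes a jsdouble * and never a jsdouble. */
typedef uintptr_t jsval;
typedef double    jsdouble;
#define JSVAL_INT           1u
#define JSVAL_DOUBLE        2u
#define JSVAL_TAGMASK       3u
#define JSVAL_VOID          ((jsval)0)
#define INT_TO_JSVAL(i)     (((jsval)(i) << 2) | JSVAL_INT)
#define DOUBLE_TO_JSVAL(dp) ((jsval)(dp) | JSVAL_DOUBLE)
#define JSVAL_IS_DOUBLE(v)  (((v) & JSVAL_TAGMASK) == JSVAL_DOUBLE)
#define JSVAL_TO_DOUBLE(v)  ((jsdouble *)((v) & ~(jsval)JSVAL_TAGMASK))

/* Comment 9's misuse: the literal is cast to the word type and truncated, so
 * the "pointer" in the jsval is garbage (zero here). Inspected only;
 * js_ValueToString would dereference it and crash. */
int literal_double_is_misboxed(void)
{
    jsval v = DOUBLE_TO_JSVAL(0.123);   /* wrong: a value, not a jsdouble * */
    return JSVAL_IS_DOUBLE(v) && JSVAL_TO_DOUBLE(v) == NULL;
}

/* Correct boxing: the 8-aligned address of storage that outlives the jsval. */
int double_roundtrip_ok(void)
{
    jsdouble d = 0.123;
    jsval v = DOUBLE_TO_JSVAL(&d);
    return JSVAL_IS_DOUBLE(v) && *JSVAL_TO_DOUBLE(v) == 0.123;
}

/* Comment 12's bug class: a native that indexes argv without consulting argc
 * reads an uninitialised slot (UMR) when called with no arguments. This is a
 * hypothetical its_item-like native with the missing check in place. */
int its_item_checked(unsigned argc, const jsval *argv, jsval *rval)
{
    if (argc == 0) {                    /* nothing to index: return undefined */
        *rval = JSVAL_VOID;
        return 1;
    }
    *rval = argv[0];
    return 1;
}

/* Calls the native with a one-slot argv and the given argc; returns *rval. */
jsval call_its_item(unsigned argc)
{
    jsval args[1] = { INT_TO_JSVAL(7) }, rv = INT_TO_JSVAL(99);
    its_item_checked(argc, args, &rv);
    return rv;
}
```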
Comment 13•24 years ago
Fix is in.
/be
Status: REOPENED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
Comment 14•24 years ago
Verified Fixed in JS shell built 2001-07-14 on WinNT, Linux, and Mac -
js/tests/js1_5/Regress/regress-89474.js passes on all three platforms.
Status: RESOLVED → VERIFIED