Closed Bug 69607 Opened 23 years ago Closed 23 years ago

hard crash when executing VERY simple javascript

Categories: Core :: JavaScript Engine, defect, P1
Platform: x86, All
Tracking: VERIFIED FIXED, target mozilla0.9
People: Reporter: f300v10, Assigned: brendan
Keywords: crash, js1.5
Attachments: 2 files

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22 i586; en-US; 0.8) Gecko/20010220
BuildID:    2001022012

This very short JavaScript code causes a crash (or hung browser) on both Linux
and Windows.  Also this problem was not in the Feb 15 build, it appears to have
shown up on the 16th or 17th.  I have noticed that with just a slight change to
the code no crash occurs.

http://216.227.33.173/mozilla_test/js_ok.html

I just removed the else condition, and it does not crash. This bug may be related
to 66046 but I don't think so, since this just showed up in the latest builds.

The URLs given point to my server at home, and my DSL is acting up, so if it
does not work the first time, try back later.  Thanks.

Reproducible: Always
Steps to Reproduce:
1. Go to above URL, that's it.

Actual Results:  Crash.

Expected Results:  Should not crash.

Here is the html of the test case. It does not do very much, this is a very
reduced case from the script I found the bug on.

<html>
<head>
<title> True/False Test Crash</title>
</head>
<body>
This is a test case that will cause a crash.<br>
<script type="text/javascript">

var test1;
var test2;
var test3;

if( false){
    test1 = 1;
}else{
    test2 = 0;
}
if( false){
    test3 = 0;
}
</script>
End of test case.
</body>
</html>
*** Bug 69608 has been marked as a duplicate of this bug. ***
Attached file Scott's HTML testcase
Confirming on WinNT and Linux with builds from yesterday (2001-02-19).
Changing OS from "Linux"  --> "All".


Linux stack trace: 

#0  0x40240259 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
    at jsparse.c:2935
#1  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
    at jsparse.c:2977
#2  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
    at jsparse.c:2977
[frames #3 through #40 are identical to #1 and #2: js_FoldConstants at
 jsparse.c:2977 with the same cx, pn and tc arguments]
                      etc.
                      etc.




(gdb) p* pn
$2 = {pn_type = TOK_SEMI,
  pn_pos = {begin = {index = 12, lineno = 19}, end = {index = 13, lineno = 19}},
  pn_op = JSOP_NOP, pn_offset = 0, pn_arity = PN_UNARY,
  pn_u = {func = {fun = 0x8567b00, body = 0x8567b30, flags = 1, tryCount = 1096349697},
    list = {head = 0x8567b00, tail = 0x8567b30, count = 1, extra = 1096349697},
    ternary = {kid1 = 0x8567b00, kid2 = 0x8567b30, kid3 = 0x1},
    binary = {left = 0x8567b00, right = 0x8567b30, val = 1},
    unary = {kid = 0x8567b00, num = 139885360},
    name = {atom = 0x8567b00, expr = 0x8567b30, slot = 1, attrs = 1096349697},
    dval = 1.7021718260471125e-268},
  pn_next = 0x0}

(gdb) p* tc
$3 = {flags = 1, tryCount = 0, topStmt = 0x0,
  decls = {list = 0x85679f0, table = 0x0, count = 3}, nodeList = 0x0}

Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
cc'ing Brendan and jband - 
Keywords: crash
Note the change in line number at the top of the stack:

#0  0x40240259 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
    at jsparse.c:2935
#1  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
    at jsparse.c:2977
reassigning to brendan (who's been hacking in here and recycling nodes).

This blows the stack for me on NT with a JS engine I just updated from the tip.

This is an infinite recursion in: 

      case PN_UNARY:
        /* Our kid may be null (e.g. return; vs. return e;). */
        pn1 = pn->pn_kid;
        if (pn1 && !js_FoldConstants(cx, pn1, tc))
            return JS_FALSE;
        break;

pn->pn_kid is equal to pn so it just keeps going.

(as the dump above shows) pn_pos claims to be at line 19 index 12-13 - this 
seems to point to the space after "test3=". MSDEV won't show me the other end of 
the stack when the stack gets blown.
Assignee: rogerl → brendan
Duh!  Shaver enabled a code path that exposed a bug latent since bug 33390's
patch went in.  It's an egregious error to recycle a JSParseNode twice.  Patch
coming right up.

/be
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9
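An added illustration of the failure jband and brendan describe above (this is not code from the bug, the patch, or SpiderMonkey): a hypothetical miniature of parse-node recycling in which recycling one node twice makes the next two allocations return the same node, so a PN_UNARY parent ends up with pn_kid pointing at itself, plus a guarded fold that rejects that cycle instead of recursing until the stack is exhausted. Everything except the pn_kid/pn_next/PN_UNARY names and the shape of the PN_UNARY case is an assumption of this example.

```c
#include <stddef.h>

/* Hypothetical miniature of the JSParseNode recycling in the bug: pn_kid is the
   PN_UNARY child, pn_next is the free-list link used once a node is recycled. */
typedef enum { PN_NULLARY, PN_UNARY } ParseArity;
typedef struct ParseNode {
    ParseArity pn_arity;
    struct ParseNode *pn_kid, *pn_next;   /* child; free-list link */
} ParseNode;
#define POOL_SIZE 8
#define MAX_FOLD_DEPTH 64
static ParseNode pool[POOL_SIZE];
static size_t pool_used;
static ParseNode *free_list;

/* Push onto the free list. Recycling one node twice makes its pn_next point at
   itself, so the next two allocations both hand out that same node. */
static void recycle_node(ParseNode *pn) { pn->pn_next = free_list; free_list = pn; }

static ParseNode *new_node(void) {
    ParseNode *pn = free_list;
    if (pn) free_list = pn->pn_next;
    else if (pool_used < POOL_SIZE) pn = &pool[pool_used++];
    else return NULL;
    pn->pn_arity = PN_NULLARY; pn->pn_kid = NULL; pn->pn_next = NULL;
    return pn;
}

/* Guarded fold: 1 on success, 0 if a kid points back at its parent or nesting
   exceeds MAX_FOLD_DEPTH, instead of recursing until the stack is exhausted. */
static int fold_constants(ParseNode *pn, int depth) {
    if (depth > MAX_FOLD_DEPTH) return 0;
    if (pn->pn_arity == PN_UNARY) {
        ParseNode *pn1 = pn->pn_kid;     /* may be null, e.g. "return;" */
        if (pn1 == pn) return 0;         /* self-loop: the shape of bug 69607 */
        if (pn1 && !fold_constants(pn1, depth + 1)) return 0;
    }
    return 1;
}

/* Recycle a scratch node `times` times, then build parent -> kid from two fresh
   allocations and report fold_constants' verdict (1 = accepted, 0 = rejected). */
static int build_and_fold(int times) {
    ParseNode *scratch, *parent, *kid;
    pool_used = 0; free_list = NULL; scratch = new_node();
    while (times-- > 0) recycle_node(scratch);
    parent = new_node(); kid = new_node();
    parent->pn_arity = PN_UNARY; parent->pn_kid = kid;
    return fold_constants(parent, 0);
}
```

With a single recycle the parent and kid are distinct nodes and folding succeeds; with a double recycle both allocations return the scratch node, parent->pn_kid == parent, and the guard returns 0 where the unguarded original recursed forever.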
Attached patch proposed fix
Man, I really opened a can of worms with that ``easy one-liner'', didn't I?

r=shaver
sr=jband
Fixed.

/be
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Scott's testcase has been added to the JS testsuite as follows: 

             js/tests/js1_5/Regress/regress-69607.js 
Verified with standalone JS shell built on WinNT, Linux, and Mac. 
The above testcase passes on all three platforms.
Status: RESOLVED → VERIFIED