Closed
Bug 154737
Opened 22 years ago
Closed 22 years ago
String(NaN) crashes JS Engine if JS_THREADSAFE is set
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.0.1
People
(Reporter: timeless, Assigned: timeless)
References
Details
(Keywords: js1.5, Whiteboard: [QA fix interactively in xpcshell; see Comments #13 & #14])
Attachments
(1 file, 1 obsolete file)
1.40 KB,
patch
|
dbradley
:
review+
brendan
:
superreview+
chofmann
:
approval+
|
Details | Diff | Splinter Review |
w23k cvs trunk build from today (opt rofile) jesse confirms it js> NaN <crash> NTDLL! 77f821e1() js_NumberToString(JSContext * 0x00af0838, double 1.#QNAN00000000) line 618 + 23 bytes js_ValueToString(JSContext * 0x00af0838, long 11004706) line 2577 + 15 bytes Process(JSContext * 0x004016fb my_ErrorReporter(JSContext *, const char *, JSErrorReport *), JSObject * 0x00a7f8b8, char * 0x00000002, _iobuf * 0x7803bb48) line 522 ProcessArgs(JSContext * 0x00af0838, JSObject * 0x00a7f8b8, char * * 0x00384ef4, int 0) line 655 + 28 bytes main(int 1, char * * 0x00384ef0) line 936 XPCSHELL! mainCRTStartup + 227 bytes KERNEL32! 77e8d326()
this might be a dupe, it seems familiar PR_Lock(PRLock * 0x00000000) line 236 JS_dtostr(char * 0x0012ee50, unsigned int 25, int 0, int 0, double 1.#QNAN00000000) line 2765 js_NumberToString(JSContext * 0x00af0bf8, double 1.#QNAN00000000) line 618 + 23 bytes js_ValueToString(JSContext * 0x00af0bf8, long 11005730) line 2577 + 15 bytes Process(JSContext * 0x004016fb my_ErrorReporter(JSContext *, const char *, JSErrorReport *), JSObject * 0x00a7fcb8, char * 0x00000002, _iobuf * 0x7803bb48) line 522 ProcessArgs(JSContext * 0x00af0bf8, JSObject * 0x00a7fcb8, char * * 0x00384ef4, int 0) line 655 + 28 bytes main(int 1, char * * 0x00384ef0) line 936 XPCSHELL! mainCRTStartup + 227 bytes KERNEL32! 77e8d326() the function call comes from ACQUIRE_DTOA_LOCK();
Bug 120992 17 May 2002 23:21 i don't understand how this ever works. anyway, here's what my research shows: 2764 ACQUIRE_DTOA_LOCK(); 2765 dtoaRet = js_dtoa(d, dtoaModes[mode], mode >= DTOSTR_FIXED, precision, &decPt, &sign, &numEnd, numBegin, bufferSize-2); js_dtoa calls InitDtoa which does: 1176 freelist_lock = PR_NewLock(); nothing else assigns to the freelist_lock. ACQUIRE_DTOA_LOCK tries to use the lock ...
Assignee: rogerl → bratell
Comment 3•22 years ago
|
||
InitDtoA is also called by JS_strtod. My guess is the following: we crash converting the double NaN to a string UNLESS we have earlier converted a string to a double. Normally, this is the case, because scripts are more likely to do "for (i=0; i<10; i++)" than to emit NaN. (Note the "0" and "10" cause InitDtoA to be called in JS_strtod.) I think all we need to do is call the init function in JS_dtostr (and remove it from js_dtoa); I'll try that in the morning when I get back to a good development machine. --scole
I'm not sure about correct style for defines in mozilla/js, but imo this is the correct thing to do.
Comment 5•22 years ago
|
||
Let me add to my prior comment 4 to make things more clear: we will crash (in THREADSAFE) if a script contains no numbers execpt the "word" numbers (Infinity; NaN), and tries to convert said numbers into strings. If any numeric number exists in a script, then the DtoA code is initialized properly during script compilation. Note that the THREADSAFE requirement means that this will crash xpcshell but not jsshell. --scole
Comment 6•22 years ago
|
||
Comment on attachment 89509 [details] [diff] [review] fix You've got the right idea; now use JS_BEGIN_MACRO and JS_END_MACRO for code safety. (See examples in jsinterp.h.) --scole
Attachment #89509 -
Attachment is obsolete: true
Comment 8•22 years ago
|
||
Looks great, timeless. I'd give it an r=, except that I figure I at least ought to compile it, but I don't have all the baggage around to actually compile the xpcshell; and this fix has no real impact on the jsshell. Kenton? --scole
Updated•22 years ago
|
while i'm rummaging through js1.5 bugs, i should cross reference bug 148171. Perhaps we should always call the init function, just like we'll always call clenaup in !JS_THREADSAFE? -- well it's an interesting idea, but I can't figure out where I'd put that, so I'll leave that for someone else to consider in the future (I'll file a bug if someone requests).
Assignee: bratell → timeless
Comment 10•22 years ago
|
||
cc'ing dbradley: could you possibly test this patch in xpcshell for possible r= on this patch? Thx - cc'ing jband for possible sr=
Summary: NaN in js engine crashes → String(NaN) crashes JS Engine if JS_THREADSAFE is set
Comment 11•22 years ago
|
||
The Mac does not exhibit this problem. The patch looks good but I'd rather defer the r= to dbradley, I will r= if necessay. Phil, can you write an automated test for this?
Comment 12•22 years ago
|
||
Kenton: we already have an automated testcase for this. The bug does not manifest itself in the JS shell unless it has been built with the JS_THREADSAFE flag set. That explains the references to the xpcshell above. Perhaps that is why you are not seeing the crash -
Comment 13•22 years ago
|
||
Actually, Phil, we don't have a testcase for this. Because the testcase *cannot* contain any numbers. So the script a = "" + NaN; would kill xpcshell, whereas the script a = "" + NaN; b = 3; would run just fine. And since js/tests/ecma/shell.js has the number "0.0000001" on line 152, running the NaN tests even in xpcshell won't crash. [This is why this bug is never seen in mozilla-the-browser: There's so much JS that's run before a page is ever loaded that everything has been initialized just fine.] --scole
Comment 14•22 years ago
|
||
Of course, then it occurs to me that jsshell and xpcshell compile by lines, not by files, so the script a = "" + NaN; b = 3; would still crash in xpcshell. But the opposite: b = 3; a = "" + NaN; won't crash. So my comment about line 152 in shell.js is still accurate. (Sigh.) --scole
Updated•22 years ago
|
Whiteboard: [QA fix interactively in xpcshell; see Comments #13 & #14]
Updated•22 years ago
|
Attachment #89512 -
Flags: superreview+
Comment 15•22 years ago
|
||
Comment on attachment 89512 [details] [diff] [review] fix in js eng style I say this is good, sr=brendan@mozilla.org. Who's with me? This should go into the 1.0 branch when it's ready, too. /be
Comment 16•22 years ago
|
||
Comment on attachment 89512 [details] [diff] [review] fix in js eng style r=dbradley Looks fine to me, I compiled and ran as well and everything looks ok.
Attachment #89512 -
Flags: review+
Assignee | ||
Comment 17•22 years ago
|
||
fixed on trunk
Keywords: mozilla1.0.1
Target Milestone: --- → mozilla1.0.1
Comment 18•22 years ago
|
||
Comment on attachment 89512 [details] [diff] [review] fix in js eng style a=chofman for 1.0.1. add fixed1.0.1 after checking in.
Attachment #89512 -
Flags: approval+
Updated•22 years ago
|
Keywords: mozilla1.0.1 → mozilla1.0.1+
Assignee | ||
Comment 19•22 years ago
|
||
committed fix to branch. Note that the commit wasn't identical due to differences between branch and trunk.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Updated•19 years ago
|
Flags: testcase-
You need to log in
before you can comment on or make changes to this bug.
Description
•