Bug 280086 (Closed) - Opened 20 years ago, Closed 20 years ago

Caught exception: "RangeError: reserved slot index out of range" evaluating a regexp in venkman

Product/Component: Core :: JavaScript Engine (defect)
Platform: x86, Windows XP
Severity: normal
Status: RESOLVED FIXED
Reporter: timeless; Assigned: brendan
Keywords: fixed-aviary1.0.1, fixed1.7.6
Attachments: 1 file

0001: (/spider/i.test(this.steps[this.step.value].action))
Caught exception: “RangeError: reserved slot index out of range”
action is a string

i think jsd/venkman are violating something relating to jsinterp
<shaver> I would not be surprised to discover that jsd was not updated to
account for the newish reserved-slot model
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsinterp.c&rev=3.160&mark=3720-3729,1437,1523#3713
that's the two frames in jsinterp including the comment block which contains the
violated assertion
<shaver> mmmm, yes, yes indeed
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsdbgapi.c&rev=3.49&mark=865,887#864
<shaver> so
<shaver> hmmmmm
<shaver> I think we're hitting the cloning stuff here, badly
<shaver> possibly because it does something that is legal, but unexpected by
jsinterp
stack:
>	js3250.dll!JS_ReportErrorNumber(JSContext * cx=0x00a5f460, const
JSErrorFormatString * (void *, const char *, const unsigned int)*
errorCallback=0x00b0922e, void * userRef=0x00000000, const unsigned int
errorNumber=0x000000a6, ...)  Line 4034	C
 	js3250.dll!ReservedSlotIndexOK(JSContext * cx=0x0012cfc0, JSObject *
obj=0x00070023, JSClass * clasp=0x09e6b190, unsigned long index=0x00000002,
unsigned long limit=0x00000002)  Line 2988 + 0x12	C
 	js3250.dll!JS_GetReservedSlot(JSContext * cx=0x00a5f460, JSObject *
obj=0x09e6b190, unsigned long index=0x00000002, long * vp=0x0012d110)  Line
3003 + 0xe	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00010001, long * result=0x00b1b41c) 
Line 3792 + 0x17	C
 	js3250.dll!js_Execute(JSContext * cx=0x00a45520, JSObject * chain=0x0a1a1710,
JSScript * script=0x0b806fe8, JSStackFrame * down=0x09f761f0, unsigned int
flags=0x00000030, long * result=0x0012d270)  Line 1526	C
 	js3250.dll!JS_EvaluateUCInStackFrame(JSContext * cx=0x00a5f460, JSStackFrame *
fp=0x0b806fe8, const unsigned short * bytes=0x0b81d510, unsigned int
length=0x00000034, const char * filename=0x0249bb88, unsigned int
lineno=0x00000001, long * rval=0x0012d270)  Line 889	C
 	jsd3250.dll!jsd_EvaluateUCScriptInStackFrame(JSDContext * jsdc=0x00000001,
JSDThreadState * jsdthreadstate=0x0a1cc3f8, JSDStackFrameInfo *
jsdframe=0x0a197cd0, const unsigned short * bytes=0x0b81d510, unsigned int
length=0x00000034, const char * filename=0x0249bb88, unsigned int
lineno=0x00000001, int eatExceptions=0x00000000, long * rval=0x0012d270)  Line 457	C
 	jsd3250.dll!JSD_AttemptUCScriptInStackFrame(JSDContext * jsdc=0x00a45520,
JSDThreadState * jsdthreadstate=0x0a1cc3f8, JSDStackFrameInfo *
jsdframe=0x0a197cd0, const unsigned short * bytes=0x0b81d510, unsigned int
length=0x00000034, const char * filename=0x0249bb88, unsigned int
lineno=0x00000001, long * rval=0x0012d270)  Line 774 + 0x1f	C
 	jsd3250.dll!jsdStackFrame::Eval(const nsAString & bytes={...}, const char *
fileName=0x0249bb88, unsigned int line=0x00000001, jsdIValue * *
result=0x0012d2fc, int * _rval=0x0012d30c)  Line 1896 + 0x22	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x0a1cc480, unsigned int
methodIndex=0x00000014, unsigned int paramCount=0x00000005, nsXPTCVariant *
params=0x0012d2cc)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2034 + 0x16	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x02901148, JSObject *
obj=0x0a1a16c8, unsigned int argc=0x00000004, long * argv=0x09f9895c, long *
vp=0x0012d530)  Line 1287 + 0xa	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x00000000, unsigned int argc=0x00010001,
unsigned int flags=0x00b1b41c)  Line 1293 + 0x11	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00010001, long * result=0x00b1b41c) 
Line 3627	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00000000, unsigned int argc=0x00010001,
unsigned int flags=0x00b1b41c)  Line 1313 + 0xa	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00010001, long * result=0x00b1b41c) 
Line 3627	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00000000, unsigned int argc=0x00010001,
unsigned int flags=0x00b1b41c)  Line 1313 + 0xa	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00010001, long * result=0x00b1b41c) 
Line 3627	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00000000, unsigned int argc=0x00010001,
unsigned int flags=0x00b1b41c)  Line 1313 + 0xa	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x02901174, JSObject *
obj=0x09d39f08, long fval=0x0ab1c880, unsigned int flags=0x00000000, unsigned
int argc=0x00000001, long * argv=0x0012dcb8, long * rval=0x0012dcdc)  Line
1390 + 0xe	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x02901148, JSObject *
obj=0x09d39f08, long fval=0x0ab1c880, unsigned int argc=0x00000001, long *
argv=0x0012dcb8, long * rval=0x0012dcdc)  Line 3767 + 0x1a	C

js stack trace (top two frames):
+	filename	0x0b07b26d "x-jsd:interactive-session"	const char *
	lineno	0x00000001	unsigned int
+	filename	0x0a199705
"file:///C:/DOCUME~1/someone/LOCALS~1/Temp/OurApp/OurFile.js"	const char *
	lineno	0x000007ff	unsigned int

venkman is stopped in ourfile, and I'm evaluating the string listed in 0001. I
believe this almost always happens to me when I try to use regexps, but I
haven't spent any time chasing it until now.
workaround:
0001: eval("/spider/i.test(this.steps[this.step.value].action)")
$[9] = [boolean] true

(workaround is based on the assertion in jsinterp which seems to be violated
somehow)
Is venkman using some jsd api that calls JS_Evaluate*InStackFrame from
jsdbgapi.h? I see the bug: JS_EvaluateUCInStackFrame does not toggle
JSOPTION_COMPILE_N_GO as does JS_EvaluateUCScriptForPrincipals.  Patch anon.

/be
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch: proposed fix
At this point setting the special flags may be useless -- it depends on whether
the compiler can reuse the top frame.  In timeless's case, it clearly could
not, or the JSFRAME_EVAL would have caused JSOP_OBJECT to be selected instead
of JSOP_REGEXP.

/be
Attachment #172697 - Flags: review?(shaver)
Comment on attachment 172697 (proposed fix):

Boy, I'd love some C++ autohelpers for that sort of thing.

r=shaver
Attachment #172697 - Flags: review?(shaver) → review+
C++ is for sissies ;-).

Fixed.  Timeless, go for it on branch approval requests.

/be
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Attachment #172697 - Flags: approval1.7.6?
Attachment #172697 - Flags: approval-aviary1.0.1?
Comment on attachment 172697 (proposed fix):

We approved this at today's 4:45pm drivers meeting, and I am checking into both
branches.

/be
Attachment #172697 - Flags: approval1.7.6?
Attachment #172697 - Flags: approval1.7.6+
Attachment #172697 - Flags: approval-aviary1.0.1?
Attachment #172697 - Flags: approval-aviary1.0.1+
Blocks: 309752
Flags: testcase-