Closed
Bug 284032
Opened 19 years ago
Closed 19 years ago
JS_ValueToInt32(jsval=NaN) can cause assertion in jsopcode.c, line 1906.
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.8beta5
People
(Reporter: rob, Assigned: brendan)
Details
(Keywords: fixed1.8)
Attachments
(4 files)
2.35 KB,
text/plain
|
Details | |
77 bytes,
application/x-javascript
|
Details | |
2.53 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
840 bytes,
patch
|
mrbkap
:
review+
brendan
:
approval1.8b5+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.5)) Build Identifier: JavaScript-C 1.5 pre-release 6a 2004-06-09 Passing an argument value of NaN to a native C method, which in turn is passed to JS_ValueToInt32(), may, under some undetermined circumstances, cause an assertion in jsopcode.c, line 1906: case JSOP_GETARG: atom = GetSlotAtom(jp, js_GetArgument, GET_ARGNO(pc)); LOCAL_ASSERT(atom); <--- asserting here goto do_name; Reproducible: Always Steps to Reproduce: 1. Build and run Synchronet (http://synchro.net) v3.12 2. Access the url: http://localhost/msgs/msg.ssjs?msg_sub=general&message=NaN Actual Results: Segfault (on Linux) or exception (on Win32). Expected Results: Reported an error converting "NaN" to an integer. js32.dll (Win32): NTDLL! 77f813b1() Decompile(SprintStack * 0x02e2c1e8, unsigned char * 0x035961f2, int 0x00000003) line 1906 + 46 bytes js_DecompileCode(JSPrinter * 0x03a2ebb0, JSScript * 0x03596128, unsigned char * 0x035961f2, unsigned int 0x00000003) line 2557 + 17 bytes js_DecompileValueGenerator(JSContext * 0x02b35460, int 0x00000001, long 0x02933782, JSString * 0x00000000) line 2896 + 21 bytes js_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8) line 840 + 17 bytes JS_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8) line 578 + 17 bytes js_get_msg_header(JSContext * 0x02b35460, JSObject * 0x03a00b60, unsigned int 0x00000002, long * 0x0358ec18, long* 0x02e2ca9c) line 643 + 32 bytes js_Invoke(JSContext * 0x02b35460, unsigned int 0x00000002, unsigned int 0x00000000) line 1293 + 26 bytes js_Interpret(JSContext * 0x02b35460, unsigned char * 0x035961f5, long * 0x02e2db2c) line 3566 + 15 bytes js_Execute(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript * 0x0358df38, JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x02e2e164) line 1523 + 19 bytes JS_ExecuteScript(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript * 0x0358df38, long * 0x02e2e164) line 3630 + 25 bytes exec_ssjs(http_session_t * 0x02e2e234, char * 0x02e2e351) line 2758 + 36 bytes respond(http_session_t * 0x02e2e234) line 2809 + 18 bytes http_session_thread(void * 0x00000000) line 2943 + 12 bytes _threadstart(void * 0x00d73b38) line 187 + 13 bytes libjs.so (Linux): (gdb) bt #0 0xf6fe97a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2 #1 0xf6b71955 in raise () from /lib/tls/libc.so.6 #2 0xf6b73319 in abort () from /lib/tls/libc.so.6 #3 0xf6f9e52e in JS_Assert (s=0xf6fbf394 "atom", file=0xf6fbeefb "jsopcode.c", ln=1906) at jsutil.c:155 #4 0xf6f75c88 in Decompile (ss=0xf061b560, pc=0x9b6079a "T", nb=3) at jsopcode.c:1906 #5 0xf6f77c38 in js_DecompileCode (jp=0x9e9bca0, script=0x9b606d0, pc=0x9b6079a "T", len=3) at jsopcode.c:2557 #6 0xf6f7887d in js_DecompileValueGenerator (cx=0x91b2b20, spindex=1, v=151888770, fallback=0x0) at jsopcode.c:2906 #7 0xf6f64df5 in js_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804) at jsnum.c:840 #8 0xf6f0e39e in JS_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804) at jsapi.c:578 #9 0xf6dcc8dc in js_get_msg_header (cx=0x91b2b20, obj=0x9e759d0, argc=2, argv=0x9b67848, rval=0xf061bc80) at js_msgbase.c:638 #10 0xf6f4751f in js_Invoke (cx=0x91b2b20, argc=2, flags=0) at jsinterp.c:1293 #11 0xf6f56c34 in js_Interpret (cx=0x91b2b20, pc=0x9b6079d ":", result=0xf061c3a0) at jsinterp.c:3566 #12 0xf6f47f48 in js_Execute (cx=0x91b2b20, chain=0x90da3a8, script=0x9b66be8, down=0x0, flags=0, result=0xf061d884) at jsinterp.c:1523 #13 0xf6f169c0 in JS_ExecuteScript (cx=0x91b2b20, obj=0x90da3a8, script=0x9b66be8, rval=0xf061d884) at jsapi.c:3630 #14 0xf6ce2cc2 in exec_ssjs (session=0xf061d8f0, script=0xf061e909 "/sbbs/web/html/msgs/msg.ssjs") at websrvr.c:2758 #15 0xf6ce2f81 in respond (session=0xf061d8f0) at websrvr.c:2809 #16 0xf6ce3669 in http_session_thread (arg=0x0) at websrvr.c:2943 #17 0xf6c761d5 in start_thread () from /lib/tls/libpthread.so.0 #18 0xf6c0f2da in clone () from /lib/tls/libc.so.6
Comment 2•19 years ago
|
||
Attaching a quick&dirty, but simple stand-alone example to reproduce this bug. Only tested on Mac OS X. Compile: gcc -DXP_UNIX -o nanbug nanbug.c -I<jsinc> -L<jslib> -ljs Run: ./nanbug nanbug.js -> Assertion failure: atom, at jsopcode.c:1864
Comment 3•19 years ago
|
||
Comment 4•19 years ago
|
||
Updated•19 years ago
|
Attachment #197710 -
Attachment mime type: application/octet-stream → text/plain
Comment 5•19 years ago
|
||
I created a very similar function in the JS shell (that just called JS_ValueToInt32 on its first argument), but could not reproduce this assertion on Linux with an up-to-date trunk build. I'll try to see if I can get a Mac OSX box to test this on.
Comment 6•19 years ago
|
||
A comment to the failure to reproduce using a patched JS shell: Using this script with the program I submitted further narrows down the situations in which the assert triggers: // Crashes: // function convert(arg) { // test(arg); // } // var str = "sdflkj"; // convert(str); // Does _not_ crash: var str = "sdflkj"; test(str);
Comment 7•19 years ago
|
||
Ah-hah, that does, indeed, assert on Linux, as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 8•19 years ago
|
||
It seems that the doesn't like the native frame and starts looking for the argument in the previous (scripted) frame, but there aren't any arguments to find there...
Comment 9•19 years ago
|
||
(In reply to comment #8) > It seems that the doesn't like the native frame and starts looking for the That the _decompiler_ doesn't like... of course.
Assignee | ||
Comment 10•19 years ago
|
||
I swear I added this the other year, for an older bug reporting the same symptom. Must have lost it in a laptop migration, or something. /be
Attachment #197777 -
Flags: review?(mrbkap)
Comment 11•19 years ago
|
||
Comment on attachment 197777 [details] [diff] [review] js.c patch to add toint32 test command r=mrbkap
Attachment #197777 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 12•19 years ago
|
||
Safe for 1.8b5, just get this (if it passes your review and testing and stuff) and the js.c change in for me. Thanks, /be
Attachment #197822 -
Flags: review?(mrbkap)
Attachment #197822 -
Flags: approval1.8b5+
Comment 13•19 years ago
|
||
Comment on attachment 197822 [details] [diff] [review] fix I gave on IRC last night r=mrbkap
Attachment #197822 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 14•19 years ago
|
||
Let's get this in ASAP, it's a clean fix. /be
Flags: blocking1.8b5+
Updated•19 years ago
|
Assignee: general → brendan
Target Milestone: --- → mozilla1.8beta5
Comment 15•19 years ago
|
||
Fix checked in.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
|
Flags: testcase-
You need to log in
before you can comment on or make changes to this bug.
Description
•