JS_ValueToInt32(jsval=NaN) can cause assertion in jsopcode.c, line 1906.

RESOLVED FIXED in mozilla1.8beta5



JavaScript Engine
13 years ago
12 years ago


(Reporter: Rob Swindell, Assigned: brendan)



Bug Flags:
blocking1.8b5 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)



(4 attachments)



13 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.5))
Build Identifier: JavaScript-C 1.5 pre-release 6a 2004-06-09

Passing an argument value of NaN to a native C method, which in turn is passed 
to JS_ValueToInt32(), may, under some undetermined circumstances, cause an 
assertion in jsopcode.c, line 1906:

       case JSOP_GETARG:
                atom = GetSlotAtom(jp, js_GetArgument, GET_ARGNO(pc));
                LOCAL_ASSERT(atom); <--- asserting here
                goto do_name;

Reproducible: Always

Steps to Reproduce:
1. Build and run Synchronet (http://synchro.net) v3.12
2. Access the url: http://localhost/msgs/msg.ssjs?msg_sub=general&message=NaN
Actual Results:  
Segfault (on Linux) or exception (on Win32).

Expected Results:  
Reported an error converting "NaN" to an integer.

js32.dll (Win32):

NTDLL! 77f813b1()
Decompile(SprintStack * 0x02e2c1e8, unsigned char * 0x035961f2, int
0x00000003) line 1906 + 46 bytes
js_DecompileCode(JSPrinter * 0x03a2ebb0, JSScript * 0x03596128, unsigned
char * 0x035961f2, unsigned int 0x00000003) line 2557 + 17 bytes
js_DecompileValueGenerator(JSContext * 0x02b35460, int 0x00000001, long
0x02933782, JSString * 0x00000000) line 2896 + 21 bytes
js_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8)
line 840 + 17 bytes
JS_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8)
line 578 + 17 bytes
js_get_msg_header(JSContext * 0x02b35460, JSObject * 0x03a00b60, unsigned
int 0x00000002, long * 0x0358ec18, long* 0x02e2ca9c) line 643 + 32 bytes
js_Invoke(JSContext * 0x02b35460, unsigned int 0x00000002, unsigned int
0x00000000) line 1293 + 26 bytes
js_Interpret(JSContext * 0x02b35460, unsigned char * 0x035961f5, long *
0x02e2db2c) line 3566 + 15 bytes
js_Execute(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript *
0x0358df38, JSStackFrame * 0x00000000, unsigned int 0x00000000, long *
0x02e2e164) line 1523 + 19 bytes
JS_ExecuteScript(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript *
0x0358df38, long * 0x02e2e164) line 3630 + 25 bytes
exec_ssjs(http_session_t * 0x02e2e234, char * 0x02e2e351) line 2758 + 36
respond(http_session_t * 0x02e2e234) line 2809 + 18 bytes
http_session_thread(void * 0x00000000) line 2943 + 12 bytes
_threadstart(void * 0x00d73b38) line 187 + 13 bytes

libjs.so (Linux):

(gdb) bt
#0  0xf6fe97a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0xf6b71955 in raise () from /lib/tls/libc.so.6
#2  0xf6b73319 in abort () from /lib/tls/libc.so.6
#3  0xf6f9e52e in JS_Assert (s=0xf6fbf394 "atom", file=0xf6fbeefb
"jsopcode.c", ln=1906) at jsutil.c:155
#4  0xf6f75c88 in Decompile (ss=0xf061b560, pc=0x9b6079a "T", nb=3) at
#5  0xf6f77c38 in js_DecompileCode (jp=0x9e9bca0, script=0x9b606d0,
pc=0x9b6079a "T", len=3) at jsopcode.c:2557
#6  0xf6f7887d in js_DecompileValueGenerator (cx=0x91b2b20, spindex=1,
v=151888770, fallback=0x0) at jsopcode.c:2906
#7  0xf6f64df5 in js_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804)
at jsnum.c:840
#8  0xf6f0e39e in JS_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804)
at jsapi.c:578
#9  0xf6dcc8dc in js_get_msg_header (cx=0x91b2b20, obj=0x9e759d0, argc=2,
argv=0x9b67848, rval=0xf061bc80)
    at js_msgbase.c:638
#10 0xf6f4751f in js_Invoke (cx=0x91b2b20, argc=2, flags=0) at
#11 0xf6f56c34 in js_Interpret (cx=0x91b2b20, pc=0x9b6079d ":",
result=0xf061c3a0) at jsinterp.c:3566
#12 0xf6f47f48 in js_Execute (cx=0x91b2b20, chain=0x90da3a8,
script=0x9b66be8, down=0x0, flags=0, result=0xf061d884)
    at jsinterp.c:1523
#13 0xf6f169c0 in JS_ExecuteScript (cx=0x91b2b20, obj=0x90da3a8,
script=0x9b66be8, rval=0xf061d884) at jsapi.c:3630
#14 0xf6ce2cc2 in exec_ssjs (session=0xf061d8f0, script=0xf061e909
"/sbbs/web/html/msgs/msg.ssjs") at websrvr.c:2758
#15 0xf6ce2f81 in respond (session=0xf061d8f0) at websrvr.c:2809
#16 0xf6ce3669 in http_session_thread (arg=0x0) at websrvr.c:2943
#17 0xf6c761d5 in start_thread () from /lib/tls/libpthread.so.0
#18 0xf6c0f2da in clone () from /lib/tls/libc.so.6

Comment 1

12 years ago
-> default qa
QA Contact: pschwartau → general

Comment 2

12 years ago
Attaching a quick&dirty, but simple stand-alone example to reproduce this bug. Only tested on Mac OS 
Compile: gcc -DXP_UNIX -o nanbug nanbug.c -I<jsinc> -L<jslib> -ljs
Run: ./nanbug nanbug.js
 -> Assertion failure: atom, at jsopcode.c:1864

Comment 3

12 years ago
Created attachment 197710 [details]
stand-alone example program

Comment 4

12 years ago
Created attachment 197711 [details]
script to use with stand-alone example program


12 years ago
Attachment #197710 - Attachment mime type: application/octet-stream → text/plain
I created a very similar function in the JS shell (that just called
JS_ValueToInt32 on its first argument), but could not reproduce this assertion
on Linux with an up-to-date trunk build. I'll try to see if I can get a Mac OSX
box to test this on.

Comment 6

12 years ago
A comment to the failure to reproduce using a patched JS shell:
Using this script with the program I submitted further narrows down the situations in which the assert 

// Crashes:

// function convert(arg) {
//   test(arg);
// }
// var str = "sdflkj";
// convert(str);

// Does _not_ crash:

 var str = "sdflkj";
Ah-hah, that does, indeed, assert on Linux, as well.
Ever confirmed: true
It seems that the doesn't like the native frame and starts looking for the
argument in the previous (scripted) frame, but there aren't any arguments to
find there...
(In reply to comment #8)
> It seems that the doesn't like the native frame and starts looking for the

That the _decompiler_ doesn't like... of course.


Comment 10

12 years ago
Created attachment 197777 [details] [diff] [review]
js.c patch to add toint32 test command

I swear I added this the other year, for an older bug reporting the same
symptom. Must have lost it in a laptop migration, or something.

Attachment #197777 - Flags: review?(mrbkap)
Comment on attachment 197777 [details] [diff] [review]
js.c patch to add toint32 test command

Attachment #197777 - Flags: review?(mrbkap) → review+

Comment 12

12 years ago
Created attachment 197822 [details] [diff] [review]
fix I gave on IRC last night

Safe for 1.8b5, just get this (if it passes your review and testing and stuff)
and the js.c change in for me.	Thanks,

Attachment #197822 - Flags: review?(mrbkap)
Attachment #197822 - Flags: approval1.8b5+
Comment on attachment 197822 [details] [diff] [review]
fix I gave on IRC last night

Attachment #197822 - Flags: review?(mrbkap) → review+

Comment 14

12 years ago
Let's get this in ASAP, it's a clean fix.

Flags: blocking1.8b5+


12 years ago
Assignee: general → brendan
Target Milestone: --- → mozilla1.8beta5
Fix checked in.
Last Resolved: 12 years ago
Resolution: --- → FIXED
Fixes checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8


12 years ago
Flags: testcase-
You need to log in before you can comment on or make changes to this bug.