Closed Bug 284032 Opened 19 years ago Closed 19 years ago

JS_ValueToInt32(jsval=NaN) can cause assertion in jsopcode.c, line 1906.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta5

People

(Reporter: rob, Assigned: brendan)

Details

(Keywords: fixed1.8)

Attachments

(4 files)

stand-alone example program
2.35 KB, text/plain
Details
script to use with stand-alone example program
77 bytes, application/x-javascript
Details
js.c patch to add toint32 test command
2.53 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
fix I gave on IRC last night
840 bytes, patch
mrbkap
: review+
brendan
: approval1.8b5+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.5))
Build Identifier: JavaScript-C 1.5 pre-release 6a 2004-06-09

Passing an argument value of NaN to a native C method, which in turn is passed 
to JS_ValueToInt32(), may, under some undetermined circumstances, cause an 
assertion in jsopcode.c, line 1906:

       case JSOP_GETARG:
                atom = GetSlotAtom(jp, js_GetArgument, GET_ARGNO(pc));
                LOCAL_ASSERT(atom); <--- asserting here
                goto do_name;


Reproducible: Always

Steps to Reproduce:
1. Build and run Synchronet (http://synchro.net) v3.12
2. Access the url: http://localhost/msgs/msg.ssjs?msg_sub=general&message=NaN
Actual Results:  
Segfault (on Linux) or exception (on Win32).

Expected Results:  
Reported an error converting "NaN" to an integer.

js32.dll (Win32):

NTDLL! 77f813b1()
Decompile(SprintStack * 0x02e2c1e8, unsigned char * 0x035961f2, int
0x00000003) line 1906 + 46 bytes
js_DecompileCode(JSPrinter * 0x03a2ebb0, JSScript * 0x03596128, unsigned
char * 0x035961f2, unsigned int 0x00000003) line 2557 + 17 bytes
js_DecompileValueGenerator(JSContext * 0x02b35460, int 0x00000001, long
0x02933782, JSString * 0x00000000) line 2896 + 21 bytes
js_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8)
line 840 + 17 bytes
JS_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8)
line 578 + 17 bytes
js_get_msg_header(JSContext * 0x02b35460, JSObject * 0x03a00b60, unsigned
int 0x00000002, long * 0x0358ec18, long* 0x02e2ca9c) line 643 + 32 bytes
js_Invoke(JSContext * 0x02b35460, unsigned int 0x00000002, unsigned int
0x00000000) line 1293 + 26 bytes
js_Interpret(JSContext * 0x02b35460, unsigned char * 0x035961f5, long *
0x02e2db2c) line 3566 + 15 bytes
js_Execute(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript *
0x0358df38, JSStackFrame * 0x00000000, unsigned int 0x00000000, long *
0x02e2e164) line 1523 + 19 bytes
JS_ExecuteScript(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript *
0x0358df38, long * 0x02e2e164) line 3630 + 25 bytes
exec_ssjs(http_session_t * 0x02e2e234, char * 0x02e2e351) line 2758 + 36
bytes
respond(http_session_t * 0x02e2e234) line 2809 + 18 bytes
http_session_thread(void * 0x00000000) line 2943 + 12 bytes
_threadstart(void * 0x00d73b38) line 187 + 13 bytes

libjs.so (Linux):

(gdb) bt
#0  0xf6fe97a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0xf6b71955 in raise () from /lib/tls/libc.so.6
#2  0xf6b73319 in abort () from /lib/tls/libc.so.6
#3  0xf6f9e52e in JS_Assert (s=0xf6fbf394 "atom", file=0xf6fbeefb
"jsopcode.c", ln=1906) at jsutil.c:155
#4  0xf6f75c88 in Decompile (ss=0xf061b560, pc=0x9b6079a "T", nb=3) at
jsopcode.c:1906
#5  0xf6f77c38 in js_DecompileCode (jp=0x9e9bca0, script=0x9b606d0,
pc=0x9b6079a "T", len=3) at jsopcode.c:2557
#6  0xf6f7887d in js_DecompileValueGenerator (cx=0x91b2b20, spindex=1,
v=151888770, fallback=0x0) at jsopcode.c:2906
#7  0xf6f64df5 in js_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804)
at jsnum.c:840
#8  0xf6f0e39e in JS_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804)
at jsapi.c:578
#9  0xf6dcc8dc in js_get_msg_header (cx=0x91b2b20, obj=0x9e759d0, argc=2,
argv=0x9b67848, rval=0xf061bc80)
    at js_msgbase.c:638
#10 0xf6f4751f in js_Invoke (cx=0x91b2b20, argc=2, flags=0) at
jsinterp.c:1293
#11 0xf6f56c34 in js_Interpret (cx=0x91b2b20, pc=0x9b6079d ":",
result=0xf061c3a0) at jsinterp.c:3566
#12 0xf6f47f48 in js_Execute (cx=0x91b2b20, chain=0x90da3a8,
script=0x9b66be8, down=0x0, flags=0, result=0xf061d884)
    at jsinterp.c:1523
#13 0xf6f169c0 in JS_ExecuteScript (cx=0x91b2b20, obj=0x90da3a8,
script=0x9b66be8, rval=0xf061d884) at jsapi.c:3630
#14 0xf6ce2cc2 in exec_ssjs (session=0xf061d8f0, script=0xf061e909
"/sbbs/web/html/msgs/msg.ssjs") at websrvr.c:2758
#15 0xf6ce2f81 in respond (session=0xf061d8f0) at websrvr.c:2809
#16 0xf6ce3669 in http_session_thread (arg=0x0) at websrvr.c:2943
#17 0xf6c761d5 in start_thread () from /lib/tls/libpthread.so.0
#18 0xf6c0f2da in clone () from /lib/tls/libc.so.6
-> default qa
QA Contact: pschwartau → general
Attaching a quick&dirty, but simple stand-alone example to reproduce this bug. Only tested on Mac OS 
X.
Compile: gcc -DXP_UNIX -o nanbug nanbug.c -I<jsinc> -L<jslib> -ljs
Run: ./nanbug nanbug.js
 -> Assertion failure: atom, at jsopcode.c:1864
Attachment #197710 - Attachment mime type: application/octet-stream → text/plain
I created a very similar function in the JS shell (that just called
JS_ValueToInt32 on its first argument), but could not reproduce this assertion
on Linux with an up-to-date trunk build. I'll try to see if I can get a Mac OSX
box to test this on.
A comment to the failure to reproduce using a patched JS shell:
Using this script with the program I submitted further narrows down the situations in which the assert 
triggers:

// Crashes:

// function convert(arg) {
//   test(arg);
// }
// var str = "sdflkj";
// convert(str);


// Does _not_ crash:

 var str = "sdflkj";
 test(str);

Ah-hah, that does, indeed, assert on Linux, as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
It seems that the doesn't like the native frame and starts looking for the
argument in the previous (scripted) frame, but there aren't any arguments to
find there...
(In reply to comment #8)
> It seems that the doesn't like the native frame and starts looking for the

That the _decompiler_ doesn't like... of course.


I swear I added this the other year, for an older bug reporting the same
symptom. Must have lost it in a laptop migration, or something.

/be
Attachment #197777 - Flags: review?(mrbkap)
Comment on attachment 197777 [details] [diff] [review]
js.c patch to add toint32 test command

r=mrbkap
Attachment #197777 - Flags: review?(mrbkap) → review+
Safe for 1.8b5, just get this (if it passes your review and testing and stuff)
and the js.c change in for me.	Thanks,

/be
Attachment #197822 - Flags: review?(mrbkap)
Attachment #197822 - Flags: approval1.8b5+
Comment on attachment 197822 [details] [diff] [review]
fix I gave on IRC last night

r=mrbkap
Attachment #197822 - Flags: review?(mrbkap) → review+
Let's get this in ASAP, it's a clean fix.

/be
Flags: blocking1.8b5+
Assignee: general → brendan
Target Milestone: --- → mozilla1.8beta5
Fix checked in.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Fixes checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
Flags: testcase-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: