Bug 284032 - JS_ValueToInt32(jsval=NaN) can cause assertion in jsopcode.c, line 1906.
: fixed1.8
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All All
: -- normal with 1 vote
: mozilla1.8beta5
Assigned To: Brendan Eich [:brendan]
Reported: 2005-02-27 22:12 PST by Rob Swindell
Modified: 2005-10-23 16:36 PDT
brendan: blocking1.8b5+
bob: in‑testsuite-

stand-alone example program (2.35 KB, text/plain)
2005-09-28 09:10 PDT, Marius Kintel
script to use with stand-alone example program (77 bytes, application/x-javascript)
2005-09-28 09:12 PDT, Marius Kintel
js.c patch to add toint32 test command (2.53 KB, patch)
2005-09-28 17:41 PDT, Brendan Eich [:brendan]
mrbkap: review+
fix I gave on IRC last night (840 bytes, patch)
2005-09-29 02:09 PDT, Brendan Eich [:brendan]
mrbkap: review+
brendan: approval1.8b5+

Description Rob Swindell 2005-02-27 22:12:04 PST
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.5))
Build Identifier: JavaScript-C 1.5 pre-release 6a 2004-06-09

Passing an argument value of NaN to a native C method, which in turn is passed 
to JS_ValueToInt32(), may, under some undetermined circumstances, cause an 
assertion in jsopcode.c, line 1906:

       case JSOP_GETARG:
                atom = GetSlotAtom(jp, js_GetArgument, GET_ARGNO(pc));
                LOCAL_ASSERT(atom); <--- asserting here
                goto do_name;

Reproducible: Always

Steps to Reproduce:
1. Build and run Synchronet ( v3.12
2. Access the url: http://localhost/msgs/msg.ssjs?msg_sub=general&message=NaN
Actual Results:  
Segfault (on Linux) or exception (on Win32).

Expected Results:  
Reported an error converting "NaN" to an integer.

js32.dll (Win32):

NTDLL! 77f813b1()
Decompile(SprintStack * 0x02e2c1e8, unsigned char * 0x035961f2, int
0x00000003) line 1906 + 46 bytes
js_DecompileCode(JSPrinter * 0x03a2ebb0, JSScript * 0x03596128, unsigned
char * 0x035961f2, unsigned int 0x00000003) line 2557 + 17 bytes
js_DecompileValueGenerator(JSContext * 0x02b35460, int 0x00000001, long
0x02933782, JSString * 0x00000000) line 2896 + 21 bytes
js_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8)
line 840 + 17 bytes
JS_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8)
line 578 + 17 bytes
js_get_msg_header(JSContext * 0x02b35460, JSObject * 0x03a00b60, unsigned
int 0x00000002, long * 0x0358ec18, long* 0x02e2ca9c) line 643 + 32 bytes
js_Invoke(JSContext * 0x02b35460, unsigned int 0x00000002, unsigned int
0x00000000) line 1293 + 26 bytes
js_Interpret(JSContext * 0x02b35460, unsigned char * 0x035961f5, long *
0x02e2db2c) line 3566 + 15 bytes
js_Execute(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript *
0x0358df38, JSStackFrame * 0x00000000, unsigned int 0x00000000, long *
0x02e2e164) line 1523 + 19 bytes
JS_ExecuteScript(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript *
0x0358df38, long * 0x02e2e164) line 3630 + 25 bytes
exec_ssjs(http_session_t * 0x02e2e234, char * 0x02e2e351) line 2758 + 36
respond(http_session_t * 0x02e2e234) line 2809 + 18 bytes
http_session_thread(void * 0x00000000) line 2943 + 12 bytes
_threadstart(void * 0x00d73b38) line 187 + 13 bytes

(Linux):

(gdb) bt
#0  0xf6fe97a2 in _dl_sysinfo_int80 () from /lib/
#1  0xf6b71955 in raise () from /lib/tls/
#2  0xf6b73319 in abort () from /lib/tls/
#3  0xf6f9e52e in JS_Assert (s=0xf6fbf394 "atom", file=0xf6fbeefb
"jsopcode.c", ln=1906) at jsutil.c:155
#4  0xf6f75c88 in Decompile (ss=0xf061b560, pc=0x9b6079a "T", nb=3) at
#5  0xf6f77c38 in js_DecompileCode (jp=0x9e9bca0, script=0x9b606d0,
pc=0x9b6079a "T", len=3) at jsopcode.c:2557
#6  0xf6f7887d in js_DecompileValueGenerator (cx=0x91b2b20, spindex=1,
v=151888770, fallback=0x0) at jsopcode.c:2906
#7  0xf6f64df5 in js_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804)
at jsnum.c:840
#8  0xf6f0e39e in JS_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804)
at jsapi.c:578
#9  0xf6dcc8dc in js_get_msg_header (cx=0x91b2b20, obj=0x9e759d0, argc=2,
argv=0x9b67848, rval=0xf061bc80)
    at js_msgbase.c:638
#10 0xf6f4751f in js_Invoke (cx=0x91b2b20, argc=2, flags=0) at
#11 0xf6f56c34 in js_Interpret (cx=0x91b2b20, pc=0x9b6079d ":",
result=0xf061c3a0) at jsinterp.c:3566
#12 0xf6f47f48 in js_Execute (cx=0x91b2b20, chain=0x90da3a8,
script=0x9b66be8, down=0x0, flags=0, result=0xf061d884)
    at jsinterp.c:1523
#13 0xf6f169c0 in JS_ExecuteScript (cx=0x91b2b20, obj=0x90da3a8,
script=0x9b66be8, rval=0xf061d884) at jsapi.c:3630
#14 0xf6ce2cc2 in exec_ssjs (session=0xf061d8f0, script=0xf061e909
"/sbbs/web/html/msgs/msg.ssjs") at websrvr.c:2758
#15 0xf6ce2f81 in respond (session=0xf061d8f0) at websrvr.c:2809
#16 0xf6ce3669 in http_session_thread (arg=0x0) at websrvr.c:2943
#17 0xf6c761d5 in start_thread () from /lib/tls/
#18 0xf6c0f2da in clone () from /lib/tls/
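The conversion at the centre of this report, as an added example that is not code from Synchronet or SpiderMonkey. It models the two int32 conversions an embedding can ask the engine for: the lenient ECMAScript ToInt32 (ECMA-262 3rd ed., section 9.5, where NaN and the infinities become 0 and everything else wraps modulo 2^32) and a strict conversion with the same success/failure contract as JS_ValueToInt32, which refuses NaN and out-of-range values instead of returning a number. It also shows a native method in the style of js_get_msg_header checking that result before using it, and a parser that turns the URL parameter "NaN" into a NaN the way the reporter's URL did. Every function name is hypothetical, the truncating rule for in-range values and the error wording are this example's choices, and the `src` argument stands in for the source text the real engine recovers with the decompiler (the path that asserted here).

```c
/* Added example, not Synchronet or SpiderMonkey code. Function names are
 * hypothetical; only the ToInt32 semantics are taken from ECMA-262.
 * ToInt32 is computed on the IEEE-754 bit pattern, so no libm is needed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ECMA-262 ToInt32: NaN/Infinity -> 0, otherwise truncate toward zero and
 * reduce modulo 2^32 into [-2^31, 2^31). The double is d = mant * 2^exp. */
int32_t ecma_to_int32(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    unsigned biased = (unsigned)((bits >> 52) & 0x7FF);
    if (biased == 0x7FF || biased == 0)            /* NaN/Infinity, or |d| < 2^-1022 */
        return 0;
    uint64_t mant = (bits & ((1ULL << 52) - 1)) | (1ULL << 52);  /* 53-bit integer */
    int exp = (int)biased - 1075;                  /* |d| == mant * 2^exp exactly */
    uint32_t r;
    if (exp >= 32)
        r = 0;                                     /* |d| is a multiple of 2^32 */
    else if (exp >= 0)
        r = (uint32_t)(mant << exp);               /* low 32 bits of the integer */
    else if (exp > -53)
        r = (uint32_t)(mant >> -exp);              /* floor(|d|), then low 32 bits */
    else
        r = 0;                                     /* |d| < 1 truncates to 0 */
    if (bits >> 63)
        r = 0u - r;                                /* negate modulo 2^32 */
    int32_t out;
    memcpy(&out, &r, sizeof out);                  /* [2^31, 2^32) reads as negative */
    return out;
}

/* Strict conversion with JS_ValueToInt32's contract: false for NaN or any value
 * outside the int32 range, and *out is left untouched on failure. Truncation of
 * in-range values is this example's rounding choice, not the engine's. */
bool strict_to_int32(double d, int32_t *out)
{
    if (d != d || d <= -2147483649.0 || d >= 2147483648.0)
        return false;
    *out = (int32_t)d;        /* in range, so the truncating cast is well defined */
    return true;
}

/* Parse a query-string value such as the "NaN" in message=NaN. The whole string
 * must be numeric; strtod accepts "NaN" and "Infinity", which is how a URL
 * parameter ends up as a NaN argument to a native method. */
bool parse_number_param(const char *text, double *out)
{
    char *end;
    if (*text == '\0')
        return false;
    *out = strtod(text, &end);
    return *end == '\0';
}

/* Stand-in for a native like js_get_msg_header: validate the message-number
 * argument before use. `src` is the argument's source text (recovered by the
 * decompiler in the real engine); errbuf stands in for JS_ReportError. The
 * message wording is this example's, matching the reporter's expected result. */
bool get_msg_header_native(double message_arg, const char *src,
                           int32_t *msg_num, char *errbuf, size_t errlen)
{
    if (!strict_to_int32(message_arg, msg_num)) {
        snprintf(errbuf, errlen, "can't convert %s to an integer", src);
        return false;         /* the native must return JS_FALSE and not use *msg_num */
    }
    return true;
}

int main(void)
{
    /* Constructed inputs, including the NaN from the reporter's URL. */
    const char *params[] = { "NaN", "42", "-1.5", "1e10", "4294967295", "Infinity", "12abc" };
    for (size_t i = 0; i < sizeof params / sizeof params[0]; i++) {
        double d;
        int32_t strict = 0;
        char err[80] = "";
        if (!parse_number_param(params[i], &d)) {
            printf("%-11s not a number\n", params[i]);
            continue;
        }
        if (get_msg_header_native(d, "message", &strict, err, sizeof err))
            printf("%-11s ToInt32=%11d strict=%d\n", params[i], ecma_to_int32(d), strict);
        else
            printf("%-11s ToInt32=%11d strict: %s\n", params[i], ecma_to_int32(d), err);
    }
    return 0;
}
```

The point for an embedder is the last function: JS_ValueToInt32 can fail, and when it does the output slot holds whatever was there before. A native that ignores the JSBool return and reads the int anyway turns a malformed URL parameter into an uninitialized index; the reporter's expected outcome (an error rather than a crash) is what the strict path produces once the engine's own error-reporting path no longer asserts.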
Comment 1 Bob Clary [:bc:] 2005-09-04 12:30:12 PDT
-> default qa
Comment 2 Marius Kintel 2005-09-28 09:09:51 PDT
Attaching a quick&dirty, but simple stand-alone example to reproduce this bug. Only tested on Mac OS 
Compile: gcc -DXP_UNIX -o nanbug nanbug.c -I<jsinc> -L<jslib> -ljs
Run: ./nanbug nanbug.js
 -> Assertion failure: atom, at jsopcode.c:1864
Comment 3 Marius Kintel 2005-09-28 09:10:56 PDT
Created attachment 197710 [details]
stand-alone example program
Comment 4 Marius Kintel 2005-09-28 09:12:01 PDT
Created attachment 197711 [details]
script to use with stand-alone example program
Comment 5 Blake Kaplan (:mrbkap) 2005-09-28 11:16:15 PDT
I created a very similar function in the JS shell (that just called
JS_ValueToInt32 on its first argument), but could not reproduce this assertion
on Linux with an up-to-date trunk build. I'll try to see if I can get a Mac OSX
box to test this on.
Comment 6 Marius Kintel 2005-09-28 11:25:24 PDT
A comment to the failure to reproduce using a patched JS shell:
Using this script with the program I submitted further narrows down the situations in which the assert 

// Crashes:

// function convert(arg) {
//   test(arg);
// }
// var str = "sdflkj";
// convert(str);

// Does _not_ crash:

 var str = "sdflkj";
Comment 7 Blake Kaplan (:mrbkap) 2005-09-28 11:38:20 PDT
Ah-hah, that does, indeed, assert on Linux, as well.
Comment 8 Blake Kaplan (:mrbkap) 2005-09-28 13:22:28 PDT
It seems that the doesn't like the native frame and starts looking for the
argument in the previous (scripted) frame, but there aren't any arguments to
find there...
Comment 9 Blake Kaplan (:mrbkap) 2005-09-28 13:23:46 PDT
(In reply to comment #8)
> It seems that the doesn't like the native frame and starts looking for the

That the _decompiler_ doesn't like... of course.

Comment 10 Brendan Eich [:brendan] 2005-09-28 17:41:02 PDT
Created attachment 197777 [details] [diff] [review]
js.c patch to add toint32 test command

I swear I added this the other year, for an older bug reporting the same
symptom. Must have lost it in a laptop migration, or something.

Comment 11 Blake Kaplan (:mrbkap) 2005-09-28 17:50:58 PDT
Comment on attachment 197777 [details] [diff] [review]
js.c patch to add toint32 test command

Comment 12 Brendan Eich [:brendan] 2005-09-29 02:09:27 PDT
Created attachment 197822 [details] [diff] [review]
fix I gave on IRC last night

Safe for 1.8b5, just get this (if it passes your review and testing and stuff)
and the js.c change in for me. Thanks,

Comment 13 Blake Kaplan (:mrbkap) 2005-09-29 09:35:19 PDT
Comment on attachment 197822 [details] [diff] [review]
fix I gave on IRC last night

Comment 14 Brendan Eich [:brendan] 2005-09-29 09:50:35 PDT
Let's get this in ASAP, it's a clean fix.

Comment 15 Blake Kaplan (:mrbkap) 2005-09-29 17:24:31 PDT
Fix checked in.
Comment 16 Blake Kaplan (:mrbkap) 2005-09-29 18:07:09 PDT
Fixes checked into MOZILLA_1_8_BRANCH.
