Closed
Bug 284032
Opened 21 years ago
Closed 20 years ago
JS_ValueToInt32(jsval=NaN) can cause assertion in jsopcode.c, line 1906.
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.8beta5
People
(Reporter: rob, Assigned: brendan)
Details
(Keywords: fixed1.8)
Attachments
(4 files)
|
2.35 KB,
text/plain
|
Details | |
|
77 bytes,
application/x-javascript
|
Details | |
|
2.53 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
|
840 bytes,
patch
|
mrbkap
:
review+
brendan
:
approval1.8b5+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.5))
Build Identifier: JavaScript-C 1.5 pre-release 6a 2004-06-09
Passing an argument value of NaN to a native C method, which in turn is passed
to JS_ValueToInt32(), may, under some undetermined circumstances, cause an
assertion in jsopcode.c, line 1906:
case JSOP_GETARG:
atom = GetSlotAtom(jp, js_GetArgument, GET_ARGNO(pc));
LOCAL_ASSERT(atom); <--- asserting here
goto do_name;
Reproducible: Always
Steps to Reproduce:
1. Build and run Synchronet (http://synchro.net) v3.12
2. Access the url: http://localhost/msgs/msg.ssjs?msg_sub=general&message=NaN
Actual Results:
Segfault (on Linux) or exception (on Win32).
Expected Results:
Reported an error converting "NaN" to an integer.
js32.dll (Win32):
NTDLL! 77f813b1()
Decompile(SprintStack * 0x02e2c1e8, unsigned char * 0x035961f2, int
0x00000003) line 1906 + 46 bytes
js_DecompileCode(JSPrinter * 0x03a2ebb0, JSScript * 0x03596128, unsigned
char * 0x035961f2, unsigned int 0x00000003) line 2557 + 17 bytes
js_DecompileValueGenerator(JSContext * 0x02b35460, int 0x00000001, long
0x02933782, JSString * 0x00000000) line 2896 + 21 bytes
js_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8)
line 840 + 17 bytes
JS_ValueToInt32(JSContext * 0x02b35460, long 0x02933782, long * 0x02e2c5d8)
line 578 + 17 bytes
js_get_msg_header(JSContext * 0x02b35460, JSObject * 0x03a00b60, unsigned
int 0x00000002, long * 0x0358ec18, long* 0x02e2ca9c) line 643 + 32 bytes
js_Invoke(JSContext * 0x02b35460, unsigned int 0x00000002, unsigned int
0x00000000) line 1293 + 26 bytes
js_Interpret(JSContext * 0x02b35460, unsigned char * 0x035961f5, long *
0x02e2db2c) line 3566 + 15 bytes
js_Execute(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript *
0x0358df38, JSStackFrame * 0x00000000, unsigned int 0x00000000, long *
0x02e2e164) line 1523 + 19 bytes
JS_ExecuteScript(JSContext * 0x02b35460, JSObject * 0x029337a8, JSScript *
0x0358df38, long * 0x02e2e164) line 3630 + 25 bytes
exec_ssjs(http_session_t * 0x02e2e234, char * 0x02e2e351) line 2758 + 36
bytes
respond(http_session_t * 0x02e2e234) line 2809 + 18 bytes
http_session_thread(void * 0x00000000) line 2943 + 12 bytes
_threadstart(void * 0x00d73b38) line 187 + 13 bytes
libjs.so (Linux):
(gdb) bt
#0 0xf6fe97a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0xf6b71955 in raise () from /lib/tls/libc.so.6
#2 0xf6b73319 in abort () from /lib/tls/libc.so.6
#3 0xf6f9e52e in JS_Assert (s=0xf6fbf394 "atom", file=0xf6fbeefb
"jsopcode.c", ln=1906) at jsutil.c:155
#4 0xf6f75c88 in Decompile (ss=0xf061b560, pc=0x9b6079a "T", nb=3) at
jsopcode.c:1906
#5 0xf6f77c38 in js_DecompileCode (jp=0x9e9bca0, script=0x9b606d0,
pc=0x9b6079a "T", len=3) at jsopcode.c:2557
#6 0xf6f7887d in js_DecompileValueGenerator (cx=0x91b2b20, spindex=1,
v=151888770, fallback=0x0) at jsopcode.c:2906
#7 0xf6f64df5 in js_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804)
at jsnum.c:840
#8 0xf6f0e39e in JS_ValueToInt32 (cx=0x91b2b20, v=151888770, ip=0xf061b804)
at jsapi.c:578
#9 0xf6dcc8dc in js_get_msg_header (cx=0x91b2b20, obj=0x9e759d0, argc=2,
argv=0x9b67848, rval=0xf061bc80)
at js_msgbase.c:638
#10 0xf6f4751f in js_Invoke (cx=0x91b2b20, argc=2, flags=0) at
jsinterp.c:1293
#11 0xf6f56c34 in js_Interpret (cx=0x91b2b20, pc=0x9b6079d ":",
result=0xf061c3a0) at jsinterp.c:3566
#12 0xf6f47f48 in js_Execute (cx=0x91b2b20, chain=0x90da3a8,
script=0x9b66be8, down=0x0, flags=0, result=0xf061d884)
at jsinterp.c:1523
#13 0xf6f169c0 in JS_ExecuteScript (cx=0x91b2b20, obj=0x90da3a8,
script=0x9b66be8, rval=0xf061d884) at jsapi.c:3630
#14 0xf6ce2cc2 in exec_ssjs (session=0xf061d8f0, script=0xf061e909
"/sbbs/web/html/msgs/msg.ssjs") at websrvr.c:2758
#15 0xf6ce2f81 in respond (session=0xf061d8f0) at websrvr.c:2809
#16 0xf6ce3669 in http_session_thread (arg=0x0) at websrvr.c:2943
#17 0xf6c761d5 in start_thread () from /lib/tls/libpthread.so.0
#18 0xf6c0f2da in clone () from /lib/tls/libc.so.6
|
||
Comment 2•20 years ago
|
||
Attaching a quick&dirty, but simple stand-alone example to reproduce this bug. Only tested on Mac OS
X.
Compile: gcc -DXP_UNIX -o nanbug nanbug.c -I<jsinc> -L<jslib> -ljs
Run: ./nanbug nanbug.js
-> Assertion failure: atom, at jsopcode.c:1864
|
|
||
Comment 3•20 years ago
|
||
|
|
||
Comment 4•20 years ago
|
||
|
|
||
Updated•20 years ago
|
Attachment #197710 -
Attachment mime type: application/octet-stream → text/plain
|
||
Comment 5•20 years ago
|
||
I created a very similar function in the JS shell (that just called
JS_ValueToInt32 on its first argument), but could not reproduce this assertion
on Linux with an up-to-date trunk build. I'll try to see if I can get a Mac OSX
box to test this on.
|
|
||
Comment 6•20 years ago
|
||
A comment to the failure to reproduce using a patched JS shell:
Using this script with the program I submitted further narrows down the situations in which the assert
triggers:
// Crashes:
// function convert(arg) {
// test(arg);
// }
// var str = "sdflkj";
// convert(str);
// Does _not_ crash:
var str = "sdflkj";
test(str);
|
|
||
Comment 7•20 years ago
|
||
Ah-hah, that does, indeed, assert on Linux, as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 8•20 years ago
|
||
It seems that the doesn't like the native frame and starts looking for the
argument in the previous (scripted) frame, but there aren't any arguments to
find there...
|
|
||
Comment 9•20 years ago
|
||
(In reply to comment #8)
> It seems that the doesn't like the native frame and starts looking for the
That the _decompiler_ doesn't like... of course.
|
|
Assignee | |
Comment 10•20 years ago
|
||
I swear I added this the other year, for an older bug reporting the same
symptom. Must have lost it in a laptop migration, or something.
/be
Attachment #197777 -
Flags: review?(mrbkap)
|
|
||
Comment 11•20 years ago
|
||
Comment on attachment 197777 [details] [diff] [review]
js.c patch to add toint32 test command
r=mrbkap
Attachment #197777 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 12•20 years ago
|
||
Safe for 1.8b5, just get this (if it passes your review and testing and stuff)
and the js.c change in for me. Thanks,
/be
Attachment #197822 -
Flags: review?(mrbkap)
Attachment #197822 -
Flags: approval1.8b5+
|
|
||
Comment 13•20 years ago
|
||
Comment on attachment 197822 [details] [diff] [review]
fix I gave on IRC last night
r=mrbkap
Attachment #197822 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 14•20 years ago
|
||
Let's get this in ASAP, it's a clean fix.
/be
Flags: blocking1.8b5+
|
|
||
Updated•20 years ago
|
Assignee: general → brendan
Target Milestone: --- → mozilla1.8beta5
|
|
||
Comment 15•20 years ago
|
||
Fix checked in.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
||
Updated•20 years ago
|
Flags: testcase-
You need to log in
before you can comment on or make changes to this bug.
Description
•