Closed
Bug 295602
Opened 20 years ago
Closed 19 years ago
crash when programmatically using JavaScript engine (SpiderMonkey) for calculations.
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED EXPIRED
People
(Reporter: barakad, Unassigned)
Attachments
(1 file)
v1 patch, replace modulo operator with binary and (711 bytes, patch)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier: http://lxr.mozilla.org/mozilla/source/js/src

There is a strange problem with the AIX compiler Visual Age C++ v6.0: the modulo 8 operation is incorrect and this causes the JavaScript engine to crash.

Reproducible: Sometimes

Steps to Reproduce:
1. Build the JavaScript engine (SpiderMonkey) on AIX 5.1 with the Visual Age 6.0 compiler
2. Try to evaluate simple numerical and logical expressions
3. We call the JavaScript engine via JNI (but we are not sure it is crucial)

Actual Results:
Crash originating from functions in jsatom.c

Expected Results:
Correct calculation.

There is a strange problem with the AIX compiler Visual Age C++ v6.0: the modulo 8 ( %8 ) operation returns wrong values (maybe a compiler optimization bug). The functions js_Atomize, js_AtomizeChars and js_AtomizeDouble define local automatic buffers and try to use pointers to 8-divisible addresses in these buffers; the fact that the address is divisible by 8 is important since the last three bits of the address are explicitly manipulated. Obtaining such an 8-divisible address is done using a macro named ALIGN that uses %8. Since %8 doesn't work correctly the address isn't always divisible by 8, and the bit manipulation on the addresses causes a segmentation violation. In order to correct this we added the following, which makes sure that the address is divisible by 8, before the call to ALIGN:

    bufst = (char *)((((unsigned long)buf + ALIGNMENT(JSString) - 1) / ALIGNMENT(JSString)) * ALIGNMENT(JSString));

This fixed the problem.
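An added example in C, not SpiderMonkey code and not the reporter's, that compares the three ways of rounding a buffer address up to the alignment grain that this report and the attached patch discuss: the original `%` form of ALIGN, the `&` form, and the reporter's divide-and-multiply workaround. GRAIN, the constructed addresses starting at 0x1000, and the tag_ptr/untag_ptr helpers are assumptions standing in for ALIGNMENT(JSString) and the engine's own use of the low three pointer bits. It shows that the `%` and `&` forms agree only for a power-of-two grain, that the workaround differs from both when the address is already aligned, and that an address which skipped alignment cannot survive the low-bit manipulation the reporter describes.

```c
#include <stdint.h>

#define GRAIN 8                              /* assumed stand-in for ALIGNMENT(JSString) */
#define TAG_MASK ((uintptr_t)GRAIN - 1)      /* low bits the engine uses as flag bits */

/* Original ALIGN arithmetic: step from b to the next grain boundary.
 * A residue of 0 (b already aligned) still advances by a whole grain,
 * which is why the engine's local buffers are declared 2x-sized. */
static uintptr_t align_mod(uintptr_t b, uintptr_t grain) {
    return b + (grain - b % grain);
}

/* Patched ALIGN arithmetic: % strength-reduced to &. Equal to align_mod
 * only when grain is a power of two. */
static uintptr_t align_and(uintptr_t b, uintptr_t grain) {
    return b + (grain - (b & (grain - 1)));
}

/* Reporter's workaround: round up by divide-and-multiply, avoiding both
 * % and &. It does not advance when b is already aligned. */
static uintptr_t align_div(uintptr_t b, uintptr_t grain) {
    return ((b + grain - 1) / grain) * grain;
}

/* Returns 1 when the % and & forms agree on every residue. The scan is long
 * enough to cover every combination of residues modulo grain and modulo the
 * next power of two, so a non-power-of-two grain is always caught. */
static int mod_and_forms_agree(uintptr_t grain) {
    uintptr_t base = 0x1000;                 /* constructed address, not a real object */
    for (uintptr_t b = base; b < base + 16 * grain; b++)
        if (align_mod(b, grain) != align_and(b, grain))
            return 0;
    return 1;
}

/* Returns 1 when every form yields a multiple of grain in [b, b + grain]
 * for every residue of b; the & form fails this for a non-power-of-two grain. */
static int all_forms_aligned(uintptr_t grain) {
    uintptr_t base = 0x1000;                 /* constructed address */
    for (uintptr_t b = base; b < base + 2 * grain; b++) {
        uintptr_t r[3] = { align_mod(b, grain), align_and(b, grain), align_div(b, grain) };
        for (int i = 0; i < 3; i++)
            if (r[i] % grain != 0 || r[i] < b || r[i] > b + grain)
                return 0;
    }
    return 1;
}

/* Simplified stand-in for the engine's flag bits in the low address bits:
 * only a grain-aligned pointer survives the tag/untag round trip. */
static uintptr_t tag_ptr(uintptr_t p, uintptr_t flags) { return p | (flags & TAG_MASK); }
static uintptr_t untag_ptr(uintptr_t t)                { return t & ~TAG_MASK; }

/* Mimics js_Atomize's 2x-sized automatic buffer: each rounding form must land
 * inside the buffer with room for a GRAIN-byte object (ALIGNMENT(t) is at
 * least sizeof(t)), and the aligned address must round-trip through the tag
 * bits. A deliberately misaligned address, the symptom the reporter saw, must
 * not round-trip. Returns 1 when all of that holds. */
static int stack_buffer_round_trip(void) {
    char buf[2 * GRAIN];
    uintptr_t base = (uintptr_t)buf;
    uintptr_t cand[3] = { align_mod(base, GRAIN), align_and(base, GRAIN), align_div(base, GRAIN) };
    for (int i = 0; i < 3; i++) {
        if (cand[i] < base || cand[i] + GRAIN > base + sizeof buf)
            return 0;
        if (untag_ptr(tag_ptr(cand[i], 0x3)) != cand[i])
            return 0;
    }
    uintptr_t misaligned = base | 0x2;       /* constructed: bit 1 set, never 8-aligned */
    return untag_ptr(tag_ptr(misaligned, 0x3)) != misaligned;
}
```

The divide-and-multiply form is the one that stays correct for any grain; the `&` form only holds when the grain is a power of two, which is the assumption the review below asks to have documented.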
Comment 1•20 years ago
This is a spidermonkey bug, not one in the javascript debugger.
Assignee: rginda → general
Component: JavaScript Debugger → JavaScript Engine
Product: Other Applications → Core
QA Contact: caillon → general
Version: unspecified → Trunk
Comment 2•20 years ago
*** Bug 295607 has been marked as a duplicate of this bug. ***
Comment 3•20 years ago
Why is this bug on file in bugzilla.mozilla.org? Can someone at least link to the internal bug # for the Visual Age problem? /be
Comment 4•20 years ago
Updated•20 years ago
Attachment #184630 -
Flags: review?(timeless)
Comment 5•20 years ago
Comment on attachment 184630 [details] [diff] [review]
v1 patch, replace modulo operator with binary and

> /* Worst-case alignment grain and aligning macro for 2x-sized buffer. */
> #define ALIGNMENT(t) JS_MAX(JSVAL_ALIGN, sizeof(t))
>-#define ALIGN(b,t) ((t*) &(b)[ALIGNMENT(t) - (jsuword)(b) % ALIGNMENT(t)])
>+
>+/* The macro assumes that b is of type "char *" */
>+#define ALIGN(b,t) ((t*) (b + (ALIGNMENT(t) - ((jsuword)(b) & (ALIGNMENT(t) - 1)))))

1. Parenthesize the first occurrence of b in the macro's body.
2. Comment that the macro also assumes ALIGNMENT(t) is a power of two.

I take it there's no forthcoming compiler fix? That bug, if real, will probably bite other code. I do not mind manual reduction in strength -- I do it elsewhere in the JS engine -- but this could turn into a fool's errand of patching many places to strength-reduce % to &.

/be
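Review bot: the `&` form in the new ALIGN silently yields a misaligned pointer when ALIGNMENT(t) is not a power of two, whereas the `%` form it replaces was correct for any grain; since ALIGNMENT(t) is JS_MAX(JSVAL_ALIGN, sizeof(t)) and sizeof(t) is not guaranteed to be a power of two, back the comment requested in point 2 with a compile-time check on ALIGNMENT(t) rather than relying on the comment alone. The already-aligned case is unchanged by the patch: a residue of 0 makes both the old and the new macro advance by a full ALIGNMENT(t), so the 2x-sized buffer described in the comment above the macro is still required.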
Comment 6•20 years ago
Comment on attachment 184630 [details] [diff] [review]
v1 patch, replace modulo operator with binary and

Reporter: please verify this patch works :) When you post a new patch please set r? brendan@mozilla.org. Thanks for poking.
Attachment #184630 -
Flags: review?(timeless)
Updated•20 years ago
Summary: crash when programaticly using JavaScript engine (SpiderMonkey) for calculations. → crash when programmatically using JavaScript engine (SpiderMonkey) for calculations.
Comment 7•20 years ago
Which level of the VisualAge PTFs are installed? Note that we are already disabling optimization on AIX for jsatom.c - see Bug 161542 for more information.
Comment 8•20 years ago
If someone can provide a reduced testcase which illustrates the issue, I'll file a defect against the compiler to get this resolved.
Comment 9•19 years ago
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code. While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it. If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/
Comment 10•19 years ago
This bug has been automatically resolved after a period of inactivity (see above comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → EXPIRED