Closed Bug 295607 Opened 20 years ago Closed 20 years ago

crash when programmatically using JavaScript engine (SpiderMonkey) for calculations.

Categories

(Core :: JavaScript Engine, defect)

VERIFIED DUPLICATE of bug 295602

People

(Reporter: barakad, Unassigned)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier: http://lxr.mozilla.org/mozilla/source/js/src

There is a strange problem with AIX compiler Visual Age C++ v.6.0 - 
modulo 8 operation is incorrect and this causes the JavaScript engine to crash.


Reproducible: Sometimes

Steps to Reproduce:
1. Build JavaScript engine (SpiderMonkey) on AIX 5.1 with Visual Age 6.0 compiler
2. Try to activate simple numerical and logical expressions
3. We call the JavaScript engine via JNI (but we are not sure it is crucial)

Actual Results:  
Crash originated from functions in jsatom.c


Expected Results:  
Correct calculation.

There is a strange problem with AIX compiler Visual Age C++ v.6.0:
modulo 8 ( %8 ) operation returns wrong values (maybe a compiler optimization bug).
The functions js_Atomize, js_AtomizeChars and js_AtomizeDouble define local 
automatic buffers and try to use pointers to addresses divisible by 8 in these 
buffers; the fact that the address is divisible by 8 is important since the 
last three bits of the address are explicitly manipulated. Obtaining such an 
address divisible by 8 is done using a macro named ALIGN that uses %8.
Since %8 doesn't work correctly the address isn't always divisible by 8 and the 
bit manipulation on the addresses causes a segmentation violation.
In order to correct this we added the following, to make sure that the address is 
divisible by 8, before the call to ALIGN:
bufst = (char *)((((unsigned long)buf + ALIGNMENT(JSString) - 1) / ALIGNMENT(JSString)) *
                 ALIGNMENT(JSString));
This fixed the problem.
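
The align-then-tag pattern described in the report above, as an added example that is not SpiderMonkey code and not the reporter's patch: it rounds a pointer into a local buffer up to an 8-byte boundary with add-and-mask arithmetic instead of `%`, and refuses to tag a pointer whose low three bits are not zero. The names `TAG_MASK`, `align_up8`, `tag_ptr`, `untag_ptr`, `tag_of` and `self_check` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: flat address space, so the low bits of (uintptr_t)p are address bits. */
#define TAG_MASK ((uintptr_t)7)   /* the three low bits that carry the tag */

/* Round p up to the next 8-byte boundary using add-and-mask, no % or /. */
static void *align_up8(void *p)
{
    return (void *)(((uintptr_t)p + TAG_MASK) & ~TAG_MASK);
}

/* Put a tag in the low three bits. Returns 0 rather than a corrupt word
 * when the pointer is not 8-byte aligned or the tag does not fit; a valid
 * tagged pointer is never 0 because p is non-NULL. */
static uintptr_t tag_ptr(void *p, unsigned tag)
{
    if (((uintptr_t)p & TAG_MASK) != 0 || tag > TAG_MASK)
        return 0;
    return (uintptr_t)p | tag;
}

static void *untag_ptr(uintptr_t word) { return (void *)(word & ~TAG_MASK); }
static unsigned tag_of(uintptr_t word) { return (unsigned)(word & TAG_MASK); }

/* Try every starting offset inside a stack buffer: the aligned pointer must
 * move forward by at most 7 bytes and must round-trip through tagging.
 * Returns the number of failed checks. */
static int self_check(void)
{
    char buf[72];
    int failures = 0;
    for (size_t off = 0; off < 8; off++) {
        char *start = buf + off;
        char *p = align_up8(start);
        uintptr_t w = tag_ptr(p, 5);
        if (p < start || p - start > 7)
            failures++;
        if (w == 0 || untag_ptr(w) != (void *)p || tag_of(w) != 5)
            failures++;
    }
    return failures;
}

int main(void)
{
    int failures = self_check();
    printf("alignment/tag failures: %d\n", failures);
    return failures != 0;
}
```

Running `self_check` in a build's test suite on each new compiler or optimization level catches a miscompiled alignment step before tagged pointers are dereferenced.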
Bug 295602 crash when programmatically using JavaScript engine (SpiderMonkey) for
calculations.

*** This bug has been marked as a duplicate of 295602 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED