crash: stack corruption during execution JS_ValueToString

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 12 years ago
Modified: 4 years ago

People

(Reporter: Konstantin Mirny, Unassigned)

Tracking

Version: Trunk
Platform: Other
OS: Linux
Points: ---
Bug Flags: in-testsuite +

Details

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon; MRA 4.0 (build 00768); .NET CLR 1.1.4322; .NET CLR 2.0.40607)
Build Identifier: 

When a 'double' variable defined in JavaScript is too long, the stack is corrupted
after execution of js_dtoa(). It only happens on Linux; on Windows everything is
OK. We are using JS as a standalone engine, not inside Mozilla, but it should be
reproducible in Mozilla also.
Stack before corruption:
0x0804ccda in main () at jstest.cpp:121
0x0804eb92 in XmlScope::GetVar() at xmlscope.cpp:332
0x08055795 in SpiderMonkeyStore::GetVar() at jssmstore.cpp:699
0x00120e5b in JS_ValueToString() at jsapi.c:546
0x00191c7b in js_ValueToString() at jsstr.c:2663
0x0016258d in js_NumberToString() at jsnum.c:608
JS_dtostr() at jsdtoa.c:2778

Reproducible: Always

Steps to Reproduce:
1. Define the variable in the scope:
var tmp = 23948730458647527874392837439299837412374859487593;
2. Call JS_ValueToString() for that variable.

Actual Results:
Stack is corrupted after calling JS_dtostr().

Linux RedHat Enterprise 3.2.3
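The report's literal is far too large for an integer and becomes the double 2.39...e49, so the string conversion in JS_dtostr() has to produce an exponent form into a caller-supplied buffer. The following is an added example, not code from this bug report or from SpiderMonkey: a number-to-string routine that refuses to write past the caller's buffer and picks the shortest decimal that reads back as the same double (which is what JavaScript's ToString yields for this value). The function and macro names are assumed, not JSAPI names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the bug report or SpiderMonkey). It shows the two
 * properties a number-to-string routine on the JS_dtostr() path depends on:
 * it never writes past the caller's buffer, and it emits the shortest decimal
 * that reads back as the same double. Names below are assumed, not JSAPI. */

/* A finite double printed with "%.17g" needs at most 24 characters:
 * sign, 17 digits, decimal point, "e+308". 32 leaves slack plus the NUL. */
#define DTOA_SCRATCH 32

/* Returns the number of characters written (without the NUL), or -1 when the
 * result would not fit in `size` bytes. Nothing is written on failure. */
static int bounded_dtostr(char *out, size_t size, double d)
{
    char tmp[DTOA_SCRATCH];
    int n = -1;

    /* Try increasing precision until strtod() reproduces the exact double;
     * 17 significant digits always suffice for a finite IEEE-754 double. */
    for (int prec = 1; prec <= 17; prec++) {
        n = snprintf(tmp, sizeof tmp, "%.*g", prec, d);
        if (n < 0 || (size_t)n >= sizeof tmp)
            return -1;                 /* scratch buffer too small: refuse */
        if (strtod(tmp, NULL) == d)
            break;                     /* shortest round-tripping form found */
    }
    if ((size_t)n + 1 > size)
        return -1;                     /* caller's buffer too small: refuse */
    memcpy(out, tmp, (size_t)n + 1);   /* bounded copy, including the NUL */
    return n;
}

/* The literal from the report's "Steps to Reproduce", as a C double. */
static double report_literal(void)
{
    return 23948730458647527874392837439299837412374859487593.0;
}

int main(void)
{
    char buf[DTOA_SCRATCH];
    int n = bounded_dtostr(buf, sizeof buf, report_literal());
    printf("%d chars: %s\n", n, n >= 0 ? buf : "(does not fit)");
    /* An 8-byte buffer is rejected instead of being overrun. */
    printf("8-byte buffer: %d\n", bounded_dtostr(buf, 8, report_literal()));
    return 0;
}
```

The conversion yields a 2.39487304586475...e+49 string of about 22 characters, and the same call with an 8-byte buffer returns -1 rather than corrupting the stack.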
Comment 1

I cannot seem to reproduce this on Linux using an up-to-date trunk build.
Konstantin, what release of SpiderMonkey are you using?
(Reporter)

Comment 2

12 years ago
We are using js-1.5-rc6a.
Comment 3

RC6a is quite old. Perhaps someone can suggest a bug that was fixed since then
that matches this bug. There will be a JS1.6 RC1 soon, I believe (bclary knows
all), but in the meantime you could do worse than to try the MOZILLA_1_8_BRANCH
version of js/src.

/be

Updated

12 years ago
Whiteboard: DUPEME

Comment 4

12 years ago
Checking in regress-310295.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-310295.js,v  <--  regress-310295.js
initial revision: 1.1
done

Works for me in 1.0.7/1.6. I couldn't find any particular bug fixed in the correct date range. Marking works for me.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Flags: testcase+
Resolution: --- → WORKSFORME

Updated

4 years ago
Whiteboard: DUPEME