317714 - Crash loading www.cnn.com [@ js_Interpret]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Andrew Schultz]

With linux seamonkey trunk build 2005112402, I crash loading www.cnn.com.  The following simplified javascript is to blame:

var d5="-1";
var r3=d5.split(":");
r3[0]++;

Stacktrace from JS shell:

#0  0x08092bc5 in js_Interpret (cx=0x8189988, pc=0x819f6a4 "1\002�\004", 
    result=0xbff88838) at jsinterp.c:3453
#1  0x08086dca in js_Execute (cx=0x8189988, chain=0x818afc8, script=0x819f670, 
    down=0x0, flags=0, result=0xbff89904) at jsinterp.c:1457
#2  0x08055609 in JS_ExecuteScript (cx=0x8189988, obj=0x818afc8, 
    script=0x819f670, rval=0xbff89904) at jsapi.c:3998
#3  0x08049617 in Process (cx=0x8189988, obj=0x818afc8, filename=0x0)
    at js.c:259
#4  0x08049c9e in ProcessArgs (cx=0x8189988, obj=0x818afc8, argv=0xbff89a78, 
    argc=0) at js.c:471
#5  0x0804ce2f in main (argc=0, argv=0xbff89a78, envp=0xbff89a7c) at js.c:2618

This regressed between linux seamonkey trunk builds 2005-11-21-05 and 2005-11-23-09.

Comment 1

[:Gavin Sharp [email: gavin@gavinsharp.com]]

Possible bugs: bug 121414, bug 316885, bug 316879
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&date=explicit&mindate=2005-11-21+05%3A00&maxdate=2005-11-23+09%3A00

Comment 2

[Andrew Schultz]

or just

var r3="-1";
r3[0]++;

Comment 3

[Andrew Schultz]

backing out bug 316885 stops the crash
Apparently I can't make the dependency because I'm not in the security group.

Comment 4

[Brendan Eich [:brendan]]

Attachment: fix

I'm about to check this in.

/be

Comment 5

[Mike Shaver (:shaver emeritus)]

Comment on attachment 204148 [details] [diff] [review]
fix

r=shaver.  (This looks like code I misreviewed before, alas.)

Comment 6

[Brendan Eich [:brendan]]

Attachment: the right fix

We need that extra stack slot for all post-increment operator forms except name ops (which consume no stack slots, and produce one slot, so we can "pre-use" that result slot for the pre-increment result).

/be

Comment 7

[Brendan Eich [:brendan]]

Fixed.

/be

Comment 8

[Mike Shaver (:shaver emeritus)]

Comment on attachment 204149 [details] [diff] [review]
the right fix

r=shaver, makes sense. (Though after my review history on this bug, one wonders what value I'm adding here!)

Comment 9

[Warren TenBrook]

*** Bug 317697 has been marked as a duplicate of this bug. ***

Comment 10

[Adam Guthrie]

*** Bug 318066 has been marked as a duplicate of this bug. ***

Comment 11

[Bob Clary [:bc] (inactive)]

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-317714-01.js,v  <--  regress-317714-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-317714-02.js,v  <--  regress-317714-02.js
initial revision: 1.1

Comment 12

[Daniel Veditz [:dveditz]]

This is required for nominated blocker bug 316885 -- I assume the first patch is obsolete? Please put approval requests on the right patch

Comment 13

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

It looks like only the second patch landed on the trunk.

Comment 14

[Daniel Veditz [:dveditz]]

Comment on attachment 204149 [details] [diff] [review]
the right fix

a=dveditz for drivers

Comment 15

[Bob Clary [:bc] (inactive)]

v 2006-01-11 1.8.0.1, 1.8.1, trunk windows/linux/mac

Comment 16

[Daniel Veditz [:dveditz]]

Not needed on aviary101/moz17 branches per caillon in bug 316885

Comment 17

[Bob Clary [:bc] (inactive)]

No crash on Firefox 1.0.x/Mozilla 1.7.x from 2006-02-02 on winxp or linux.

Comment 18

[Bob Clary [:bc] (inactive)]

per comment 12, adding to js16