Crash loading www.cnn.com [@ js_Interpret]

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 12 years ago
Modified: 6 years ago

People (Reporter: Andrew Schultz, Assigned: brendan)

Tracking (5 keywords)
Version: Trunk
Platform: x86, Linux
Keywords: crash, regression, top100, verified1.8.0.1, verified1.8.1
Points: ---
Bug Flags: blocking1.7.13 -, blocking-aviary1.0.8 -, blocking1.8.1 +, blocking1.8.0.1 +, in-testsuite +

Firefox Tracking Flags (Not tracked)

Details (Whiteboard: required for 316885 in 1.8, crash signature, URL)

Attachments (2 attachments)

(Reporter)

Description

12 years ago
With linux seamonkey trunk build 2005112402, I crash loading www.cnn.com.  The following simplified javascript is to blame:

var d5="-1";
var r3=d5.split(":");
r3[0]++;

Stacktrace from JS shell:

#0  0x08092bc5 in js_Interpret (cx=0x8189988, pc=0x819f6a4 "1\002�\004", 
    result=0xbff88838) at jsinterp.c:3453
#1  0x08086dca in js_Execute (cx=0x8189988, chain=0x818afc8, script=0x819f670, 
    down=0x0, flags=0, result=0xbff89904) at jsinterp.c:1457
#2  0x08055609 in JS_ExecuteScript (cx=0x8189988, obj=0x818afc8, 
    script=0x819f670, rval=0xbff89904) at jsapi.c:3998
#3  0x08049617 in Process (cx=0x8189988, obj=0x818afc8, filename=0x0)
    at js.c:259
#4  0x08049c9e in ProcessArgs (cx=0x8189988, obj=0x818afc8, argv=0xbff89a78, 
    argc=0) at js.c:471
#5  0x0804ce2f in main (argc=0, argv=0xbff89a78, envp=0xbff89a7c) at js.c:2618

This regressed between linux seamonkey trunk builds 2005-11-21-05 and 2005-11-23-09.
Possible bugs: bug 121414, bug 316885, bug 316879
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&date=explicit&mindate=2005-11-21+05%3A00&maxdate=2005-11-23+09%3A00
(Reporter)

Comment 2

12 years ago
or just

var r3="-1";
r3[0]++;
(Reporter)

Comment 3

12 years ago
backing out bug 316885 stops the crash
Apparently I can't make the dependency because I'm not in the security group.
Assignee: general → brendan

Updated

12 years ago
Depends on: 316885
(Assignee)

Comment 4

12 years ago
Created attachment 204148 [details] [diff] [review]
fix

I'm about to check this in.

/be
Attachment #204148 - Flags: review?(shaver)
Comment on attachment 204148 [details] [diff] [review]
fix

r=shaver.  (This looks like code I misreviewed before, alas.)
Attachment #204148 - Flags: review?(shaver) → review+
(Assignee)

Comment 6

12 years ago
Created attachment 204149 [details] [diff] [review]
the right fix

We need that extra stack slot for all post-increment operator forms except name ops (which consume no stack slots, and produce one slot, so we can "pre-use" that result slot for the pre-increment result).

/be
Attachment #204149 - Flags: review?(shaver)
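
Added example, not part of the bug thread and not the checked-in regress-317714 tests: a Node.js check that runs the two reproducers from the description and comment 2, plus the name and property post-increment forms that comment 6 distinguishes, and compares the results with what ECMAScript specifies. The case table, the function names and the strict-mode variant are assumptions of this example.

```javascript
// Added regression check; not the contents of regress-317714-01.js/-02.js.
// Each snippet is compiled with the Function constructor so it runs as
// non-strict code, like the page script in the report.
const CASES = [
  { form: "element of split() result (description)",
    src: 'var d5 = "-1"; var r3 = d5.split(":"); var v = r3[0]++; return [v, r3[0]];',
    expect: [-1, 0] },
  { form: "element of primitive string (comment 2)",
    // r3[0] is "-", ToNumber("-") is NaN; the write to the string is dropped.
    src: 'var r3 = "-1"; var v = r3[0]++; return [v, r3];',
    expect: [NaN, "-1"] },
  { form: "name (constructed case)",
    src: 'var r3 = "-1"; var v = r3++; return [v, r3];',
    expect: [-1, 0] },
  { form: "property (constructed case)",
    src: 'var o = { p: "-1" }; var v = o.p++; return [v, o.p];',
    expect: [-1, 0] },
];

// Run every case; Object.is lets NaN compare equal to NaN.
function runCases() {
  return CASES.map((c) => {
    const got = new Function(c.src)();
    const pass = got.length === c.expect.length &&
      got.every((g, i) => Object.is(g, c.expect[i]));
    return { form: c.form, got, pass };
  });
}

// In strict code the same write to a primitive string must throw TypeError.
function strictVariantThrows() {
  try {
    new Function('"use strict"; var r3 = "-1"; r3[0]++;')();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

for (const r of runCases()) {
  console.log((r.pass ? "PASS " : "FAIL ") + r.form, r.got);
}
console.log("strict variant throws TypeError:", strictVariantThrows());
```

An engine with the defect reported here would crash on the first or second case instead of reporting a result, so the check belongs in a harness that treats abnormal process exit as a failure.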
(Assignee)

Comment 7

12 years ago
Fixed.

/be
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Comment on attachment 204149 [details] [diff] [review]
the right fix

r=shaver, makes sense. (Though after my review history on this bug, one wonders what value I'm adding here!)
Attachment #204149 - Flags: review?(shaver) → review+

Comment 9

12 years ago
*** Bug 317697 has been marked as a duplicate of this bug. ***

Comment 10

12 years ago
*** Bug 318066 has been marked as a duplicate of this bug. ***

Comment 11

11 years ago
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-317714-01.js,v  <--  regress-317714-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-317714-02.js,v  <--  regress-317714-02.js
initial revision: 1.1
Flags: testcase+
Flags: blocking1.8.1+
Flags: blocking1.8.0.1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Whiteboard: required for 316885
This is required for nominated blocker bug 316885 -- I assume the first patch is obsolete? Please put approval requests on the right patch
Whiteboard: required for 316885 → required for 316885, which patch?
It looks like only the second patch landed on the trunk.
Comment on attachment 204149 [details] [diff] [review]
the right fix

a=dveditz for drivers
Attachment #204149 - Flags: approval1.8.1+
Attachment #204149 - Flags: approval1.8.0.1+
(Assignee)

Updated

11 years ago
Keywords: fixed1.8.0.1, fixed1.8.1

Comment 15

11 years ago
v 2006-01-11 1.8.0.1, 1.8.1, trunk windows/linux/mac
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.1, fixed1.8.1 → verified1.8.0.1, verified1.8.1
Not needed on aviary101/moz17 branches per caillon in bug 316885
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Keywords: qawanted
Whiteboard: required for 316885, which patch? → required for 316885 in 1.8, qawanted for 1.7

Comment 17

11 years ago
No crash on Firefox 1.0.x/Mozilla 1.7.x from 2006-02-02 on winxp or linux.
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
Whiteboard: required for 316885 in 1.8, qawanted for 1.7 → required for 316885 in 1.8

Comment 18

11 years ago
per comment 12, adding to js16
Blocks: 309169
(Assignee)

Updated

11 years ago
Keywords: fixed1.8.1

Updated

11 years ago
Keywords: fixed1.8.1, qawanted
Crash Signature: [@ js_Interpret]