Bug 317714 - Crash loading www.cnn.com [@ js_Interpret]
Status: VERIFIED FIXED
Whiteboard: required for 316885 in 1.8
Keywords: crash, regression, top100, verified1.8.0.1, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: Brendan Eich [:brendan]
URL: http://www.cnn.com/
Duplicates: 317697 318066
Depends on: 316885
Blocks: js1.6rc1
Reported: 2005-11-24 14:35 PST by Andrew Schultz
Modified: 2011-06-13 10:01 PDT
Flags:
dveditz: blocking1.7.13-
dveditz: blocking-aviary1.0.8-
dveditz: blocking1.8.1+
dveditz: blocking1.8.0.1+
bob: in-testsuite+

Attachments
fix (2.15 KB, patch)
2005-11-24 23:16 PST, Brendan Eich [:brendan]
shaver: review+
the right fix (3.99 KB, patch)
2005-11-24 23:51 PST, Brendan Eich [:brendan]
shaver: review+
dveditz: approval1.8.0.1+
dveditz: approval1.8.1+

Description Andrew Schultz 2005-11-24 14:35:25 PST
With linux seamonkey trunk build 2005112402, I crash loading www.cnn.com.  The following simplified javascript is to blame:

var d5="-1";
var r3=d5.split(":");
r3[0]++;

Stacktrace from JS shell:

#0  0x08092bc5 in js_Interpret (cx=0x8189988, pc=0x819f6a4 "1\002�\004", 
    result=0xbff88838) at jsinterp.c:3453
#1  0x08086dca in js_Execute (cx=0x8189988, chain=0x818afc8, script=0x819f670, 
    down=0x0, flags=0, result=0xbff89904) at jsinterp.c:1457
#2  0x08055609 in JS_ExecuteScript (cx=0x8189988, obj=0x818afc8, 
    script=0x819f670, rval=0xbff89904) at jsapi.c:3998
#3  0x08049617 in Process (cx=0x8189988, obj=0x818afc8, filename=0x0)
    at js.c:259
#4  0x08049c9e in ProcessArgs (cx=0x8189988, obj=0x818afc8, argv=0xbff89a78, 
    argc=0) at js.c:471
#5  0x0804ce2f in main (argc=0, argv=0xbff89a78, envp=0xbff89a7c) at js.c:2618

This regressed between linux seamonkey trunk builds 2005-11-21-05 and 2005-11-23-09.
Comment 2 Andrew Schultz 2005-11-24 14:44:52 PST
or just

var r3="-1";
r3[0]++;
Comment 3 Andrew Schultz 2005-11-24 14:58:21 PST
backing out bug 316885 stops the crash
Apparently I can't make the dependency because I'm not in the security group.
Comment 4 Brendan Eich [:brendan] 2005-11-24 23:16:25 PST
Created attachment 204148 [details] [diff] [review]
fix

I'm about to check this in.

/be
Comment 5 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-11-24 23:21:47 PST
Comment on attachment 204148 [details] [diff] [review]
fix

r=shaver.  (This looks like code I misreviewed before, alas.)
Comment 6 Brendan Eich [:brendan] 2005-11-24 23:51:05 PST
Created attachment 204149 [details] [diff] [review]
the right fix

We need that extra stack slot for all post-increment operator forms except name ops (which consume no stack slots, and produce one slot, so we can "pre-use" that result slot for the pre-increment result).

/be
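As an added example (not from the bug, its patches, or Mozilla's regress-317714 tests): the two testcases from the report together with the other post-increment operand forms comment 6 distinguishes (name, property, element, pre and post), each compiled with the Function constructor so it runs as ordinary non-strict script code the way the shell ran it, returning the expression's value and the operand's value afterwards. The case names and the expected values (per current ECMAScript semantics in Node) are this example's own assumptions.

```javascript
// Regression-style checks for bug 317714: ++/-- on element, property and name
// operands must complete without crashing and yield the expected values.
// Each case is compiled with the Function constructor, so it runs as ordinary
// (non-strict) script code, like the JS shell in the report. The case names
// and sources are constructed for this example.
const CASES = {
  // The two testcases from the bug report (description and comment 2).
  reportSplit:  'var d5 = "-1"; var r3 = d5.split(":"); var v = r3[0]++; return [v, r3[0]];',
  reportString: 'var r3 = "-1"; var v = r3[0]++; return [v, r3[0]];',
  // The other operand forms comment 6 talks about.
  namePost:     'var n = 5; var v = n++; return [v, n];',
  propertyPost: 'var o = { p: "7" }; var v = o.p++; return [v, o.p];',
  elementPost:  'var a = ["-1"]; var v = a[0]++; return [v, a[0]];',
  elementPre:   'var a = ["-1"]; var v = ++a[0]; return [v, a[0]];',
  elementDec:   'var a = ["-1"]; var v = a[0]--; return [v, a[0]];',
  // Element operand whose index expression itself has a side effect.
  computedPost: 'var a = [1, 2]; var i = 0; var v = a[i++]++; return [v, a[0], i];',
};

// Runs one case; ok:false records an exception instead of aborting the run
// (e.g. a string index write would throw if an engine ran the body strictly).
function runCase(name) {
  try {
    return { ok: true, value: new Function(CASES[name])() };
  } catch (e) {
    return { ok: false, error: String(e) };
  }
}

// Runs every case and returns the results keyed by case name.
function runAll() {
  const out = {};
  for (const name of Object.keys(CASES)) out[name] = runCase(name);
  return out;
}

console.log(runAll());
```

For the string testcase the expression evaluates to NaN (`"-"` is not numeric) and the string is left unchanged; for the split testcase it evaluates to -1 and the array element becomes 0.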
Comment 7 Brendan Eich [:brendan] 2005-11-24 23:53:39 PST
Fixed.

/be
Comment 8 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-11-25 06:51:12 PST
Comment on attachment 204149 [details] [diff] [review]
the right fix

r=shaver, makes sense. (Though after my review history on this bug, one wonders what value I'm adding here!)
Comment 9 Warren TenBrook 2005-11-25 20:20:04 PST
*** Bug 317697 has been marked as a duplicate of this bug. ***
Comment 10 Adam Guthrie 2005-11-28 21:56:45 PST
*** Bug 318066 has been marked as a duplicate of this bug. ***
Comment 11 Bob Clary [:bc:] 2005-12-26 13:19:01 PST
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-317714-01.js,v  <--  regress-317714-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-317714-02.js,v  <--  regress-317714-02.js
initial revision: 1.1
Comment 12 Daniel Veditz [:dveditz] 2006-01-06 11:28:57 PST
This is required for nominated blocker bug 316885 -- I assume the first patch is obsolete? Please put approval requests on the right patch
Comment 13 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2006-01-10 11:26:39 PST
It looks like only the second patch landed on the trunk.
Comment 14 Daniel Veditz [:dveditz] 2006-01-10 11:27:55 PST
Comment on attachment 204149 [details] [diff] [review]
the right fix

a=dveditz for drivers
Comment 15 Bob Clary [:bc:] 2006-01-12 07:28:05 PST
v 2006-01-11 1.8.0.1, 1.8.1, trunk windows/linux/mac
Comment 16 Daniel Veditz [:dveditz] 2006-01-31 07:15:33 PST
Not needed on aviary101/moz17 branches per caillon in bug 316885
Comment 17 Bob Clary [:bc:] 2006-02-02 14:47:48 PST
No crash on Firefox 1.0.x/Mozilla 1.7.x from 2006-02-02 on winxp or linux.
Comment 18 Bob Clary [:bc:] 2006-03-10 13:44:12 PST
per comment 12, adding to js16