Closed Bug 325721 Opened 19 years ago Closed 19 years ago

assigning to a global variable in javascript crashes browser

Categories: Core :: JavaScript Engine, defect
Platform: x86 / All
Priority: Not set
Severity: critical
Tracking: VERIFIED DUPLICATE of bug 325540
People: Reporter: paul, Unassigned
Keywords: crash, regression
Attachments: 1 file

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060202 Fedora/1.5.0.1-2 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060202 Fedora/1.5.0.1-2 Firefox/1.5.0.1

It appears that assigning to global variables in javascript that are not preceded with "var" causes the browser to crash in 1.5.0.1.  This does not occur in 1.5.

The problem occurs on Linux and Windows machines.

Reproducible: Always

Steps to Reproduce:
1. (On Linux)
2. ulimit -c unlimited
3. DEBUG_CORE_FILES=1 firefox -safe-mode
4. Go to:  http://simonbaird.com/mptw1/
5. Click on Minesweep

Actual Results:  
Browser core dumps.

Expected Results:  
A little game of minesweep should run.

This is being discussed at http://groups.google.com/group/TiddlyWiki, in the thread "FireFox 1.5.0.1 Dumps with Tiddlywiki 1.2.x".

If this is really a change in how JavaScript handles global variables, it should not be crashing the browser.
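The pattern the report describes (plugin code assigning to a name that was never declared with `var`, so the engine walks the scope chain and ends up creating a global) shown as an added example; this is not code from the bug report or from TiddlyWiki, and the plugin functions and the `leakedGlobals` helper are constructed for illustration. It also shows the check a plugin author can run to find such leaks before shipping.

```javascript
// Added example, not code from the bug report or from TiddlyWiki/Minesweeper.
// Assigning to a name that no enclosing function declared with `var` walks
// the scope chain (inner function -> outer function -> global object) and,
// finding nothing, creates a new property on the global object.
// Plugin names below are constructed.

// Sloppy-mode plugin: `board` is never declared, so the assignment leaks it
// onto the global object. Built with the Function constructor so it stays in
// sloppy mode even if this file is loaded as a (strict) ES module.
const sloppyPlugin = new Function(
  'board = new Array(9).fill(0);' +   // implicit global
  'return board.length;'
);

// The same plugin under strict mode: the engine refuses to create the global
// and throws instead of silently adding a property.
function strictPlugin() {
  'use strict';
  try {
    board2 = new Array(9).fill(0);
    return 'created';
  } catch (e) {
    return e.name;                    // "ReferenceError"
  }
}

// Runs a plugin entry point and returns the names of any global properties it
// created, so a maintainer can catch implicit globals in a test run.
function leakedGlobals(fn) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  fn();
  return Object.getOwnPropertyNames(globalThis).filter((n) => !before.has(n));
}

function demo() {
  const leaks = leakedGlobals(sloppyPlugin);   // ["board"]
  const strictResult = strictPlugin();         // "ReferenceError"
  for (const n of leaks) delete globalThis[n]; // keep repeated runs clean
  return { leaks, strictResult };
}
```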
Here is a dump of the stack from the core file that was created.
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → 1.8 Branch
For some reason, simonbaird.com doesn't resolve for me. Can you post a reduced test case and attach it to the bug?
confirmed with trunk and 1.8 on winxp

JS_PUBLIC_API(void *)
JS_GetPrivate(JSContext *cx, JSObject *obj)
{
    jsval v;

=>    JS_ASSERT(OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE);
    v = GC_AWARE_GET_SLOT(cx, obj, JSSLOT_PRIVATE);
    if (!JSVAL_IS_INT(v))
        return NULL;
    return JSVAL_TO_PRIVATE(v);
}

-	obj	0x00000920
	map	CXX0017: Error: symbol "" not found
	slots	CXX0030: Error: expression cannot be evaluated
	v	0x04b06f85

JS_GetPrivate(JSContext * 0x03f972f0, JSObject * 0x00000920) line 2147 + 3 bytes
call_resolve(JSContext * 0x03f972f0, JSObject * 0x04e085a8, long 0x04e0849c, unsigned int 0x00000002, JSObject * * 0x0012d0ec) line 812 + 13 bytes
js_LookupPropertyWithFlags(JSContext * 0x03f972f0, JSObject * 0x04e085a8, long 0x04b38fd0, unsigned int 0x00000002, JSObject * * 0x0012d18c, JSProperty * * 0x0012d178) line 2714 + 78 bytes
js_LookupProperty(JSContext * 0x03f972f0, JSObject * 0x04e085a8, long 0x04b38fd0, JSObject * * 0x0012d18c, JSProperty * * 0x0012d178) line 2619 + 27 bytes
js_FindProperty(JSContext * 0x03f972f0, long 0x04b38fd0, JSObject * * 0x0012d1bc, JSObject * * 0x0012d1c0, JSProperty * * 0x0012d1b8) line 2828 + 31 bytes
js_FindIdentifierBase(JSContext * 0x03f972f0, long 0x04b38fd0) line 2859 + 25 bytes
js_Interpret(JSContext * 0x03f972f0, unsigned char * 0x04e0c4ed, long * 0x0012dc1c) line 2788 + 16 bytes
js_Invoke(JSContext * 0x03f972f0, unsigned int 0x00000005, unsigned int 0x00000001) line 1254 + 19 bytes
js_Interpret(JSContext * 0x03f972f0, unsigned char * 0x04516766, long * 0x0012e690) line 3292 + 15 bytes
js_Invoke(JSContext * 0x03f972f0, unsigned int 0x00000001, unsigned int 0x00000002) line 1254 + 19 bytes
js_InternalInvoke(JSContext * 0x03f972f0, JSObject * 0x04f92140, long 0x042c8238, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012e88c, long * 0x0012e888) line 1331 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03f972f0, JSObject * 0x04f92140, long 0x042c8238, unsigned int 0x00000001, long * 0x0012e88c, long * 0x0012e888) line 4169 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x04f92140, JSObject * 0x042c8238, unsigned int 0x00000001, long * 0x0012e88c, long * 0x0012e888) line 1424 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04cd1188, nsIDOMEvent * 0x04d706b8) line 186 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04ccc820, nsIDOMEventListener * 0x04cd1188, nsIDOMEvent * 0x04d706b8, nsIDOMEventTarget * 0x04ccc4c0, unsigned int 0x00000004, unsigned int 0x00000007) line 1653 + 16 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x04ccc7c8, nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, nsIDOMEvent * * 0x0012eba4, nsIDOMEventTarget * 0x04ccc4c0, unsigned int 0x00000007, nsEventStatus * 0x0012f3b4) line 1760
nsGenericElement::HandleDOMEvent(nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, nsIDOMEvent * * 0x0012eba4, unsigned int 0x00000007, nsEventStatus * 0x0012f3b4) line 2199
nsGenericHTMLElement::HandleDOMEventForAnchors(nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 1459 + 31 bytes
nsHTMLAnchorElement::HandleDOMEvent(nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 296
PresShell::HandleEventInternal(nsEvent * 0x0012ef28, nsIView * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 6056 + 52 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x044db120, nsEvent * 0x0012ef28, nsIFrame * 0x04c52418, nsIContent * 0x04ccc5e0, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 5953 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsPresContext * 0x042f9468, nsMouseEvent * 0x0012f5d0, nsEventStatus * 0x0012f3b4) line 3019 + 66 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x042fa2f8, nsPresContext * 0x042f9468, nsEvent * 0x0012f5d0, nsIFrame * 0x04c52418, nsEventStatus * 0x0012f3b4, nsIView * 0x042ad020) line 2008 + 23 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f5d0, nsIView * 0x042ad020, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 6110 + 61 bytes
PresShell::HandlePositionedEvent(nsIView * 0x042ad020, nsIFrame * 0x04c52418, nsGUIEvent * 0x0012f5d0, nsEventStatus * 0x0012f3b4) line 5937 + 22 bytes
PresShell::HandleEvent(PresShell * const 0x044db198, nsIView * 0x042ad020, nsGUIEvent * 0x0012f5d0, nsEventStatus * 0x0012f3b4) line 5748 + 27 bytes
nsViewManager::HandleEvent(nsView * 0x042ad020, nsPoint {...}, nsGUIEvent * 0x0012f5d0, int 0x00000000) line 1675
nsViewManager::DispatchEvent(nsViewManager * const 0x042acf78, nsGUIEvent * 0x0012f5d0, nsEventStatus * 0x0012f4d8) line 1628 + 37 bytes
HandleEvent(nsGUIEvent * 0x0012f5d0) line 176
nsWindow::DispatchEvent(nsWindow * const 0x04aa69bc, nsGUIEvent * 0x0012f5d0, nsEventStatus & nsEventStatus_eIgnore) line 1168 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f5d0) line 1189
nsWindow::DispatchMouseEvent(unsigned int 0x0000012d, unsigned int 0x00000000, long 0x01760063) line 6077 + 24 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012d, unsigned int 0x00000000, long 0x01760063) line 6259
nsWindow::ProcessMessage(unsigned int 0x00000202, unsigned int 0x00000000, long 0x01760063, long * 0x0012fad4) line 4554 + 30 bytes
nsWindow::WindowProc(HWND__ * 0x002601e8, unsigned int 0x00000202, unsigned int 0x00000000, long 0x01760063) line 1357 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x0341c268) line 135
nsAppStartup::Run(nsAppStartup * const 0x0341c1c8) line 161 + 26 bytes
XRE_main(int 0x00000003, char * * 0x003f7228, const nsXREAppData * 0x0040301c kAppData) line 2321 + 35 bytes
main(int 0x00000003, char * * 0x003f7228) line 61 + 19 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, regression
Version: 1.8 Branch → Trunk
1. load the http://simonbaird.com/mptw1/ page
2. open venkman
3. load the source for http://simonbaird.com/mptw1/ in venkman's source view
4. search for createTiddlerViewer
5. set break point at line 1905 at the call to createTiddlerViewer
6. click Minesweeper on http://simonbaird.com/mptw1/
7. you end up in an anonymous function handler. Attempting to access the w argument or lookaheadRegExp will assert

    JS_ASSERT(fp->fun);

call_resolve(JSContext * 0x033bcfb8, JSObject * 0x039c3ef0, long 0x02d8769c, unsigned int 0x00000000, JSObject * * 0x001281e4) line 804 + 31 bytes
js_LookupPropertyWithFlags(JSContext * 0x033bcfb8, JSObject * 0x039c3ef0, long 0x03641e98, unsigned int 0x00000000, JSObject * * 0x00128284, JSProperty * * 0x00128270) line 2714 + 78 bytes
js_LookupProperty(JSContext * 0x033bcfb8, JSObject * 0x039c3ef0, long 0x03641e98, JSObject * * 0x00128284, JSProperty * * 0x00128270) line 2619 + 27 bytes
js_FindProperty(JSContext * 0x033bcfb8, long 0x03641e98, JSObject * * 0x00128b14, JSObject * * 0x00128ba4, JSProperty * * 0x00128ae8) line 2828 + 31 bytes
js_Interpret(JSContext * 0x033bcfb8, unsigned char * 0x05d00a88, long * 0x00128c28) line 3839 + 34 bytes
js_Execute(JSContext * 0x033bcfb8, JSObject * 0x05f43690, JSScript * 0x05d00a58, JSStackFrame * 0x05e78fa4, unsigned int 0x00000030, long * 0x00128d40) line 1480 + 19 bytes
JS_EvaluateUCInStackFrame(JSContext * 0x033bcfb8, JSStackFrame * 0x05e78fa4, const unsigned short * 0x0603fa20, unsigned int 0x0000000f, const char * 0x05ede988, unsigned int 0x00000001, long * 0x00128d40) line 929 + 30 bytes
jsd_EvaluateUCScriptInStackFrame(JSDContext * 0x0100eec0, JSDThreadState * 0x05f3a1b8, JSDStackFrameInfo * 0x05db3ee8, const unsigned short * 0x0603fa20, unsigned int 0x0000000f, const char * 0x05ede988, unsigned int 0x00000001, int 0x00000000, long * 0x00128d40) line 456 + 37 bytes
JSD_AttemptUCScriptInStackFrame(JSDContext * 0x0100eec0, JSDThreadState * 0x05f3a1b8, JSDStackFrameInfo * 0x05db3ee8, const unsigned short * 0x0603fa20, unsigned int 0x0000000f, const char * 0x05ede988, unsigned int 0x00000001, long * 0x00128d40) line 795 + 39 bytes
jsdStackFrame::Eval(jsdStackFrame * const 0x05f7ca78, const nsAString_internal & {...}, const char * 0x05ede988, unsigned int 0x00000001, jsdIValue * * 0x00128f0c, int * 0x00128f1c) line 1920 + 52 bytes
XPTC_InvokeByIndex(nsISupports * 0x05f7ca78, unsigned int 0x00000014, unsigned int 0x00000005, nsXPTCVariant * 0x00128edc) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2152 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x03815fd0, JSObject * 0x05f43640, unsigned int 0x00000004, long * 0x063e8b58, long * 0x001291b4) line 1444 + 14 bytes
js_Invoke(JSContext * 0x03815fd0, unsigned int 0x00000004, unsigned int 0x00000000) line 1230 + 23 bytes
js_Interpret(JSContext * 0x03815fd0, unsigned char * 0x0425a412, long * 0x00129c78) line 3779 + 15 bytes
js_Invoke(JSContext * 0x03815fd0, unsigned int 0x00000001, unsigned int 0x00000000) line 1254 + 19 bytes
js_Interpret(JSContext * 0x03815fd0, unsigned char * 0x0430b317, long * 0x0012a6ec) line 3779 + 15 bytes
js_Invoke(JSContext * 0x03815fd0, unsigned int 0x00000003, unsigned int 0x00000000) line 1254 + 19 bytes
js_Interpret(JSContext * 0x03815fd0, unsigned char * 0x04255a40, long * 0x0012b160) line 3779 + 15 bytes
js_Invoke(JSContext * 0x03815fd0, unsigned int 0x00000001, unsigned int 0x00000002) line 1254 + 19 bytes
js_InternalInvoke(JSContext * 0x03815fd0, JSObject * 0x050c5878, long 0x05fbc828, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012b35c, long * 0x0012b358) line 1331 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03815fd0, JSObject * 0x050c5878, long 0x05fbc828, unsigned int 0x00000001, long * 0x0012b35c, long * 0x0012b358) line 4169 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x050c5878, JSObject * 0x05fbc828, unsigned int 0x00000001, long * 0x0012b35c, long * 0x0012b358) line 1424 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x043ceb68, nsIDOMEvent * 0x05fa89d8) line 186 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03837ae8, nsIDOMEventListener * 0x043ceb68, nsIDOMEvent * 0x05fa89d8, nsIDOMEventTarget * 0x05fa8da8, unsigned int 0x00000004, unsigned int 0x00000002) line 1653 + 16 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x043bc218, nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x0012ba54, nsIDOMEventTarget * 0x05fa8da8, unsigned int 0x00000002, nsEventStatus * 0x0012bf78) line 1760
nsXULElement::HandleDOMEvent(nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x0012ba54, unsigned int 0x00000002, nsEventStatus * 0x0012bf78) line 1885
nsXULElement::HandleDOMEvent(nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x0012ba54, unsigned int 0x00000002, nsEventStatus * 0x0012bf78) line 1904 + 60 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x0012ba54, unsigned int 0x00000007, nsEventStatus * 0x0012bf78) line 2224 + 60 bytes
nsHTMLInputElement::HandleDOMEvent(nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012bf78) line 1359 + 31 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012c14c, nsIView * 0x04175860, unsigned int 0x00000001, nsEventStatus * 0x0012bf78) line 6056 + 52 bytes
PresShell::HandleEvent(PresShell * const 0x04175100, nsIView * 0x04175860, nsGUIEvent * 0x0012c14c, nsEventStatus * 0x0012bf78) line 5831 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x04175860, nsPoint {...}, nsGUIEvent * 0x0012c14c, int 0x00000000) line 1675
nsViewManager::DispatchEvent(nsViewManager * const 0x03809418, nsGUIEvent * 0x0012c14c, nsEventStatus * 0x0012c09c) line 1628 + 37 bytes
HandleEvent(nsGUIEvent * 0x0012c14c) line 176
nsWindow::DispatchEvent(nsWindow * const 0x037d62d4, nsGUIEvent * 0x0012c14c, nsEventStatus & nsEventStatus_eIgnore) line 1168 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012c14c) line 1189
nsWindow::DispatchKeyEvent(unsigned int 0x00000083, unsigned short 0x0000, unsigned int 0x0000000d, long 0x001c0001, unsigned int 0x00000000) line 3381 + 15 bytes
nsWindow::OnKeyDown(unsigned int 0x0000000d, unsigned int 0x0000001c, long 0x001c0001) line 3519
nsWindow::ProcessMessage(unsigned int 0x00000100, unsigned int 0x0000000d, long 0x001c0001, long * 0x0012c69c) line 4462 + 32 bytes
nsWindow::WindowProc(HWND__ * 0x000b01b4, unsigned int 0x00000100, unsigned int 0x0000000d, long 0x001c0001) line 1357 + 27 bytes
Although it's already been confirmed, I created a reduced version of the URL:

  http://members.cox.net/paul.dickson/TiddlyWiki-1.2.39.empty.html

TiddlyWiki itself doesn't seem to have this problem, only the plugins like Minesweeper.  The above web page includes only TiddlyWiki and Minesweeper for 140K (the original page was 500+K).
Severity: major → critical
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?
Is it actually an assertion or are we just crashing on that line? Tentatively marking as a dupe of bug 325540, but please reopen if this isn't the case.

*** This bug has been marked as a duplicate of 325540 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
wfm with today's trunk.
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1?
Flags: blocking1.8.1-
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2-
*** Bug 331253 has been marked as a duplicate of this bug. ***