Closed Bug 345879 Opened 19 years ago Closed 19 years ago

Crash when calling a function from a generator with less arguments than its arity [@ js_GetSlotThreadSafe]

Categories: Core :: JavaScript Engine, defect, P1

Status: VERIFIED FIXED
Target Milestone: mozilla1.8.1beta2

People: Reporter: Seno.Aiko, Assigned: brendan

Keywords: crash, testcase, verified1.8.1

Attachments: 2 files

Sample code:

  function gen() { yield isNaN() }
  f = gen()
  f.next()

This crashes the shell immediately; the browser survives for a while (until it runs GC?). It works fine if I replace isNaN() with isNaN(1).

The following variant gives an assertion:

  function gen() {
    (yield 5)()
    yield
  }
  f = gen()
  f.next()
  f.send(Function())

Assertion failure: (uint32)2 < JS_MIN(((thisp)->map)->freeslot, ((thisp)->map)->nslots), at jsinterp.c:530

Talkback ID TB21405588G

(Line 530 instead of 529 because I already tried the patch from bug 345772.)
Incident ID: 21405588
Stack Signature: 0x80000001 2dbc9a4f
Product ID: Firefox2
Build ID: 2006072504
Trigger Time: 2006-07-25 09:09:30.0
Platform: Win32
Operating System: Windows NT 5.2 build 3790
Module:
URL visited:
User Comments:
Since Last Crash: 54 sec
Total Uptime: 545 sec
Trigger Reason: Access violation
Source File, Line No.: N/A

Stack Trace:
0x80000001
js_GetSlotThreadSafe [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 585]
js_ComputeThis [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 529]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 4021]
generator_send [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsiter.c, line 798]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1349]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 4086]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1599]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4322]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1124]
nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 775]
nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 673]
nsScriptLoader::DoProcessScriptElement [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 606]
nsScriptLoader::ProcessScriptElement [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 358]
nsHTMLScriptElement::MaybeProcessScript [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 663]
nsHTMLScriptElement::BindToTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 456]
nsGenericElement::AppendChildTo [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2860]
HTMLContentSink::ProcessSCRIPTTag [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4172]
HTMLContentSink::AddLeaf [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3038]
CNavDTD::AddLeaf [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3576]
CNavDTD::HandleDefaultStartToken [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1283]
CNavDTD::HandleStartToken [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1668]
CNavDTD::HandleToken [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 955]
CNavDTD::BuildModel [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 458]
nsParser::BuildModel [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/nsParser.cpp, line 2145]
Summary: Crash when calling a function from a generator with less arguments than its arity → Crash when calling a function from a generator with less arguments than its arity [@ js_GetSlotThreadSafe]
Assignee: general → brendan
OS: Windows Server 2003 → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8.1beta2
Attached patch: proposed fixes
The two |gen| functions in the testcase demonstrate two different bugs, and should be separated. /be
Attachment #230676 - Flags: review?(mrbkap)
Blocks: js1.7
Status: NEW → ASSIGNED
Attachment #230676 - Flags: review?(mrbkap) → review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #230676 - Flags: approval1.8.1?
Flags: blocking1.8.1?
Flags: blocking1.8.1? → blocking1.8.1+
Comment on attachment 230676 (proposed fixes): a=drivers. Please land this on the MOZILLA_1_8_BRANCH.
Attachment #230676 - Flags: approval1.8.1? → approval1.8.1+
Fixed on the 1.8 branch. /be
Keywords: fixed1.8.1
Checking in regress-345879-01.js;
/cvsroot/mozilla/js/tests/js1_7/geniter/regress-345879-01.js,v  <--  regress-345879-01.js
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/js/tests/js1_7/geniter/regress-345879-02.js,v
done
Checking in regress-345879-02.js;
/cvsroot/mozilla/js/tests/js1_7/geniter/regress-345879-02.js,v  <--  regress-345879-02.js
initial revision: 1.1
Flags: in-testsuite+
Verified FIXED with testcase https://bugzilla.mozilla.org/attachment.cgi?id=230590 under SeaMonkey trunk build 2006-07-28-07 in Windows XP; no crash.
Status: RESOLVED → VERIFIED
verified fixed 1.8.1, 1.9 windows/mac(ppc|tel)/linux 20060728
Crash Signature: [@ js_GetSlotThreadSafe]