Closed Bug 350206 Opened 19 years ago Closed 19 years ago

Assertion failure: serial <= n in jsxml.c

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: lubos, Assigned: Waldo)

Details

(Keywords: verified1.8.1)

Attachments

(3 files, 2 obsolete files)

Oops
2.12 KB, patch
brendan
: review+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
followup fix to relieve warning
931 bytes, patch
Details | Diff | Splinter Review
Testcase
2.35 KB, text/plain
Details
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Build Identifier: JavaScript-C 1.7 pre-release 1 2006-04-04 Script (5 lines below) always ends with above assertion failure: var pa = <state1 xmlns="http://aaa" id="D1"><tag1/></state1> var ch = <state2 id="D2"><tag2/></state2> pa.appendChild(ch); pa.@msg = "Before assertion failure"; pa.toXMLString(); Without the xmlns attribute in <state1> script works fine. It doesn't matter if child gets appended before inserting attribute msg or vice versa. Before the failure the partially formatted output looks like <state1 xmls:aaa="http://aaa xmlns="http://aaa" id="D1" msg="Before assertion failure"> and <tag1 xmlns. Reproducible: Always Steps to Reproduce: 1. run the 5 source lines from detailed description in jsshell Actual Results: Assertion failure: serial <= n, at ../../../SpiderMonkey/17.1/src/jsxml.c:2554 Expected Results: No output from script Observation from debugger(devenv): before the failure the partially formatted output (structure sb in XMLToXMLString) looks like '<state1 xmls:aaa="http://aaa xmlns="http://aaa" id="D1" msg="Before assertion failure">' at higher recursion level and '<tag1 xmlns' at lower level.
E4X, sigh. /be
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch Fix GeneratePrefix bug (obsolete) — Splinter Review
The string at cp is never modified, so the consequent will always be evaluated and we'll continue do-while looping forever without the assertion. Fix this by comparing using a pointer initialized to cp and changed to bp if a collision happens. Note that while this fixes GeneratePrefix, there's still an underlying bug in toXMLString (assuming xmlns:aaa-1 is superfluous; reading the spec makes me loath to find out for sure). With this patch: js> pa.toXMLString(); <state1 xmlns:aaa="http://aaa" xmlns="http://aaa" id="i1" msg="Before assertion failure"> <tag1 xmlns:aaa-1="http://aaa"/> <state2 id="i2"> <tag2/> </state2> </state1>
Attachment #235550 - Flags: review?(brendan)
Comment on attachment 235550 [details] [diff] [review] Fix GeneratePrefix bug Whoa, I can't believe how broken this was. Thanks for diagnosing. How about eliminating tmp by setting bp = cp initially, then instead of testing if (!bp), test if (bp == cp) in order to decide to call JS_malloc. I haven't the heart to read the awful spec yet, but I will on Monday. /be
Attached patch Eliminate tmp (obsolete) — Splinter Review
Attachment #235550 - Attachment is obsolete: true
Attachment #235605 - Flags: review?(brendan)
Attachment #235550 - Flags: review?(brendan)
Attached patch OopsSplinter Review
Attachment #235605 - Attachment is obsolete: true
Attachment #235608 - Flags: review?(brendan)
Attachment #235605 - Flags: review?(brendan)
Comment on attachment 235608 [details] [diff] [review] Oops Excellent -- you able to do the trunk checkin? Thanks, /be
Attachment #235608 - Flags: review?(brendan)
Attachment #235608 - Flags: review+
Attachment #235608 - Flags: approval1.8.1?
> you able to do the trunk checkin? No; unlike the last time I recall this happening, despot's actually enforcing partition restrictions.
Just for patching this bug (not to mention lots of generator/iterator help), you are now a Member. So check that patch in -- and thanks! /be
Assignee: general → jwalden+bmo
Patch checked in on trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Save iloop fix, good for 1.8.1 thanks to Jeff. /be
This needs to follow the main patch into the 1.8 branch, if the main patch is approved. /be
Checking in regress-350206.js; /cvsroot/mozilla/js/tests/e4x/Regress/regress-350206.js,v <-- regress-350206.js initial revision: 1.1
Flags: in-testsuite+
Whiteboard: [baking until 8/27]
Whiteboard: [baking until 8/27] → [baking until 8/28]
Comment on attachment 235608 [details] [diff] [review] Oops a=schrep/beltnzer for drivers.
Attachment #235608 - Flags: approval1.8.1? → approval1.8.1+
verified fixed 1.9 windows/mac*/linux
Status: RESOLVED → VERIFIED
Attached file Testcase
Since nobody's checked yet that our altered behavior on the original JS test code is correct, here's a testcase which is definitely correct and (obviously) must trigger prefix generation (since |n2| is created with an undefined prefix) and will cause a namespace collision: var t1 = <ns2:t1 xmlns:ns2="http://bar/ns2"/>; var n2 = new Namespace("http://ns2"); t1.@n2::a1 = "a1 from ns2"; t1.toXMLString(); I've tested this against pre-checkin code, and it does produce the assertion.
Checked in on branch.
Keywords: fixed1.8.1
Whiteboard: [baking until 8/28]
Checking in regress-350206-1.js; /cvsroot/mozilla/js/tests/e4x/Regress/regress-350206-1.js,v <-- regress-350206-1.js initial revision: 1.1 done
verified fixed 1.8, 1.9 20060830 windows/mac*/linux
Keywords: fixed1.8.1verified1.8.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: