457093 - toString on js function w/ try catch silently hangs js execution

Status: VERIFIED FIXED

Description

[Mathieu Fenniak]

Created attachment 340435 [details]
minimal test case

In attached test case, the "alert" function is never reached in normal execution.  It appears that calling toString on the method with a try { } catch (E) {} block stops further JS execution (without a visible exception).

This issue only occurs in Firefox 2.0.0.17; it does not occur in FF 3 or FF 2.0.0.16.

Comment 1

[Brendan Eich [:brendan]]

Gary, do you have branch ability to bisect and find the regressing cvs commit?

/be

Comment 2

[Henrik Skupin (:whimboo)]

Same happens with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17

Comment 3

[Carsten Book [:Tomcat]]

Ok found the Regression Range:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17pre)
Gecko/2008080703 BonEcho/2.0.0.17pre -> works with the Testcase
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17pre)
Gecko/2008080803 BonEcho/2.0.0.17pre -> fails on the Testcase

Bonsai Query for this Timeframe : http://tinyurl.com/4vkc7v

So regression from Bug 437288 ?

Comment 4

[Daniel Veditz [:dveditz]]

if that's the regression range bug 437288 looks like the culprit to me, too. Brian?

Comment 5

[Brendan Eich [:brendan]]

Tomcat, many thanks. See bug 437288 comment 16, which cites the bad merge I found by diffing patches (not interdiff, it failed; diff with grep to strip out context jitter).

Brian, could you field this one? Thanks.

/be

Comment 6

[Mike Beltzner [:beltzner, not reading bugmail]]

What's the impact of this in terms of broken websites and add-ons?

Comment 7

[Bob Clary [:bc:]]

not really a hang but more of script termination with no error in opt.

Assertion failure: newtop <= oldtop, at jsopcode.c:1988

/cvsroot/mozilla/js/tests/js1_5/decompilation/regress-457093-01.js,v  <-- 
regress-457093-01.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/2e7f03bc1820

Comment 8

[Gary Kwong [:gkw] [:nth10sd]]

(In reply to comment #3)
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17pre)
> Gecko/2008080703 BonEcho/2.0.0.17pre -> works with the Testcase
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17pre)
> Gecko/2008080803 BonEcho/2.0.0.17pre -> fails on the Testcase

(what a morning to wake up to; I could only hop on to this in the late afternoon local time)

Confirming Tomcat's regression range:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.17pre) Gecko/20080807 BonEcho/2.0.0.17pre -> works on testcase, dialog shows up.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.17pre) Gecko/20080808 BonEcho/2.0.0.17pre -> fails on testcase, dialog doesn't show up.

Comment 9

[Mathieu Fenniak]

(In reply to comment #6)
> What's the impact of this in terms of broken websites and add-ons?

This issue and bug 456964 break a web application named Replicon Web TimeSheet, making it unusable with Firefox 2.0.0.17.  Web TimeSheet has over 20,000 active users; our support department has received about a dozen tickets regarding FF 2.0.0.17 in the past two days.  We only expect support calls to increase as more users apply the software update.

Comment 10

[Brian Crowder]

Created attachment 340592 [details] [diff] [review]
the fix

Comment 11

[Brian Crowder]

Created attachment 340593 [details] [diff] [review]
Whoops, without junk this time.

Comment 13

[Daniel Veditz [:dveditz]]

Comment on attachment 340593 [details] [diff] [review]
Whoops, without junk this time.

Approved for 1.8.1.18, a=dveditz

Comment 16

[Brian Crowder]

I might not get to this this weekend, so help is appreciated.

Comment 17

[Bob Clary [:bc:]]

see also bug 457417

Comment 18

[Bob Clary [:bc:]]

also js1_5/Regress/regress-252892.js Assertion failure: top != 0 is fixed by this patch.

Comment 19

[Bob Clary [:bc:]]

also js1_5/Regress/regress-417893.js browser only Assertion failure: top != 0

Comment 20

[Bob Clary [:bc:]]

also js1_5/decompilation/regress-456964-01.js and e4x/decompilation/regress-355474-01.js Assertion failure: top != 0

Comment 21

[:Gavin Sharp [email: gavin@gavinsharp.com]]

mozilla/js/src/jsopcode.c 	3.89.2.78

Comment 25

[Mathieu Fenniak]

Confirmed fixed in FF nightly 2008-09-30-03-mozilla1.8

Comment 26

[Henrik Skupin (:whimboo)]

Also verified with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.18pre) Gecko/20080930 BonEcho/2.0.0.18pre

Comment 27

[Bob Clary [:bc:]]

all tests pass 1.8.1 opt/debug shell/browser linux/mac/windows.