Crash [@ js_ValueToString] or Crash [@ js_ValueToBoolean] or "Assertion failure: slot < fp->script->nslots, at ../jsinterp.cpp"

VERIFIED FIXED in mozilla1.9.2a1

Status

()

Core
JavaScript Engine
P2
critical
VERIFIED FIXED
9 years ago
6 years ago

People

(Reporter: gkw, Assigned: brendan)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
mozilla1.9.2a1
assertion, crash, regression, testcase, verified1.9.1
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.1 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey, crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

9 years ago
function f(foo)
{
  var x;
  eval("__defineGetter__(\"y\", function ()x)");
}
f("");
((function(){ throw y })())

crashes opt js shell without -j at js_ValueToString at null and asserts dbg js shell without -j at Assertion failure: slot < fp->script->nslots, at ../jsinterp.cpp:2078

I'm on http://hg.mozilla.org/tracemonkey/rev/99143ce38e68

autoBisect shows this is probably related to bug 488034 or http://hg.mozilla.org/tracemonkey/rev/70111870bcf8 :

The first bad revision is:
changeset:   27186:70111870bcf8
user:        Brendan Eich
date:        Mon Apr 13 14:16:15 2009 -0700
summary:     Bug 488034 - Crash [@ js_GetUpvar] or "Assertion failure: (script)->upvarsOffset != 0, at ../jsinterp.cpp" (r=mrbkap).
Flags: blocking1.9.1?
(Reporter)

Comment 1

9 years ago
(In reply to comment #0)
> I'm on http://hg.mozilla.org/tracemonkey/rev/99143ce38e68

This is TM tip at the time of testing and filing.

Comment 2

9 years ago
This is upvar.

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x1a7a13 "slot < fp->script->nslots", file=0x1a79e0 "../jsinterp.cpp", ln=2078) at ../jsutil.cpp:69
69	    abort();
(gdb) bt
#0  JS_Assert (s=0x1a7a13 "slot < fp->script->nslots", file=0x1a79e0 "../jsinterp.cpp", ln=2078) at ../jsutil.cpp:69
#1  0x00092e80 in js_GetUpvar (cx=0x30bc90, level=1, cookie=131073) at jsinterp.cpp:2078
#2  0x000876b4 in js_Interpret (cx=0x30bc90) at ../jsinterp.cpp:5732
#3  0x000968bd in js_Invoke (cx=0x30bc90, argc=0, vp=0x814eac, flags=0) at jsinterp.cpp:1388
#4  0x00096eed in js_InternalInvoke (cx=0x30bc90, obj=0x2a7000, fval=2781504, flags=0, argc=0, argv=0x0, rval=0xbffff288) at jsinterp.cpp:1441
#5  0x00097167 in js_InternalGetOrSet (cx=0x30bc90, obj=0x2a7000, id=2791052, fval=2781504, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbffff288) at jsinterp.cpp:1504
#6  0x000a4d88 in js_GetSprop (cx=0x30bc90, sprop=0x810630, obj=0x2a7000, vp=0xbffff288) at jsscope.h:359
#7  0x000a4fd4 in js_NativeGet (cx=0x30bc90, obj=0x2a7000, pobj=0x2a7000, sprop=0x810630, vp=0xbffff288) at ../jsobj.cpp:4185
#8  0x00083feb in js_Interpret (cx=0x30bc90) at ../jsinterp.cpp:5306
#9  0x00095ace in js_Execute (cx=0x30bc90, chain=0x2a7000, script=0x30dbc0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1614
#10 0x000105da in JS_ExecuteScript (cx=0x30bc90, obj=0x2a7000, script=0x30dbc0, rval=0x0) at ../jsapi.cpp:5076
#11 0x000094b4 in Process (cx=0x30bc90, obj=0x2a7000, filename=0xbffff98c "x.js", forceTTY=0) at ../../shell/js.cpp:412
#12 0x0000a1ca in ProcessArgs (cx=0x30bc90, obj=0x2a7000, argv=0xbffff88c, argc=2) at ../../shell/js.cpp:806
#13 0x0000a57c in main (argc=2, argv=0xbffff88c, envp=0xbffff898) at ../../shell/js.cpp:4726
(Reporter)

Comment 3

9 years ago
function f(code)
{
  var x;
  eval("__defineGetter__(\"\\u3056\", function ()x)");
  var g = new Function("return eval(\"\\u3056\")");
  if (g()){}
}
f();

crashes opt at js_ValueToBoolean at null without -j, and asserts similarly at debug without -j.
Summary: Crash [@ js_ValueToString] or "Assertion failure: slot < fp->script->nslots, at ../jsinterp.cpp" → Crash [@ js_ValueToString] or Crash [@ js_ValueToBoolean] or "Assertion failure: slot < fp->script->nslots, at ../jsinterp.cpp"
(Assignee)

Comment 4

9 years ago
Easy to fix, more in a bit (possibly tomorrow a.m.).

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P2
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1b4
(Assignee)

Comment 5

9 years ago
Created attachment 372829 [details] [diff] [review]
fix

JSCompiler::analyzeFunctions does the right thing, we just do not take heed of its conclusions in this late make-upvar-for-eval function.

Probably recognizing upvars reaching above eval called from a function should be handled by making real JSDefinitions in the parser, but that's for later.

/be
Attachment #372829 - Flags: review?(mrbkap)
(Assignee)

Updated

9 years ago
Duplicate of this bug: 488501

Updated

9 years ago
Flags: blocking1.9.1? → blocking1.9.1+
(Assignee)

Comment 7

9 years ago
Created attachment 372896 [details] [diff] [review]
slightly tidier fix

The funbox member is null-initialized in JSTreeContext's ctor (jsemit.h). It's set as follows:

$ egrep '(tc|cg2?)->funbox = ' *.cpp
jsemit.cpp:        cg2->funbox = pn->pn_funbox;
jsparse.cpp:    funtc->funbox = funbox;
h-199:src brendaneich$ 

So rather than test TCF_IN_FUNCTION (which vacuously could be asserted in the consequent) this patch tests the member that's about to be used by a dependent load.

/be
Attachment #372829 - Attachment is obsolete: true
Attachment #372896 - Flags: review?(mrbkap)
Attachment #372829 - Flags: review?(mrbkap)

Updated

9 years ago
Attachment #372896 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 8

9 years ago
http://hg.mozilla.org/tracemonkey/rev/56d24e7d70a0

/be
Whiteboard: fixed-in-tracemonkey

Comment 9

9 years ago
http://hg.mozilla.org/mozilla-central/rev/56d24e7d70a0
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Verified fixed with testcase given in comment 0 on trunk and 1.9.1 with the
following debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090422 Minefield/3.6a1pre ID:20090422224452

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre)
Gecko/20090422 Shiretoko/3.5b4pre ID:20090422122043
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: mozilla1.9.1b4 → mozilla1.9.2a1
(Reporter)

Updated

9 years ago
Flags: in-testsuite?
Crash Signature: [@ js_ValueToString] [@ js_ValueToBoolean]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.