hard crash when executing VERY simple javascript

VERIFIED FIXED in mozilla0.9

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: P1
Severity: critical
Reported: 17 years ago
Last modified: 16 years ago
Reporter: Scott Kester
Assignee: brendan
Keywords: crash, js1.5
Version: Trunk
Target Milestone: mozilla0.9
Hardware: x86
OS: All
Attachments: 2

Description (Reporter)

17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22 i586; en-US; 0.8) Gecko/20010220
BuildID:    2001022012

This very short javascript code causes a crash (or hung browser) on both linux
and windows.  Also this problem was not in the Feb 15 build, it appears to have
shown up on the 16th or 17th.  I have noticed that with just a slight change to
the code no crash occurs.

http://216.227.33.173/mozilla_test/js_ok.html

I just removed the else condition, and it does not crash. This bug may be related
to 66046 but I don't think so, since this just showed up in the latest builds.

The URLs given point to my server at home, and my DSL is acting up, so if it
does not work the first time, try back later.  Thanks.

Reproducible: Always
Steps to Reproduce:
1. Go to above URL, that's it.

Actual Results:  Crash.

Expected Results:  Should not crash.

Here is the html of the test case. It does not do very much, this is a very
reduced case from the script I found the bug on.

<html>
<head>
<title> True/False Test Crash</title>
</head>
<body>
This is a test case that will cause a crash.<br>
<script type="text/javascript">

var test1;
var test2;
var test3;

if( false){
    test1 = 1;
}else{
    test2 = 0;
}
if( false){
    test3 = 0;
}
</script>
End of test case.
</body>
</html>

Comment 1

17 years ago
*** Bug 69608 has been marked as a duplicate of this bug. ***

Comment 2

17 years ago
Created attachment 25766 [details]
Scott's HTML testcase

Comment 3

17 years ago
Confirming on WinNT and Linux with builds from yesterday (2001-02-19).
Changing OS from "Linux"  --> "All".


Linux stack trace: 

#0  0x40240259 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2935
#1  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#2  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#3  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#4  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#5  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#6  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#7  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#8  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#9  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#10 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#11 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#12 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#13 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#14 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#15 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#16 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#17 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#18 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#19 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#20 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#21 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#22 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#23 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#24 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#25 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#26 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#27 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#28 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#29 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#30 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#31 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#32 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#33 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#34 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#35 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#36 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#37 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#38 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#39 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977
#40 0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977


                      etc.
                      etc.  



(gdb) p* cx
$1 = {links = {next = 0x86474f0, prev = 0x8480d38}, interpLevel = 0, version = JSVERSION_DEFAULT,
  jsop_eq = 18 '\022', jsop_ne = 19 '\023', runtime = 0x8110c10,
  stackPool = {first = {next = 0x0, base = 139146584, limit = 139146584, avail = 139146584},
    current = 0x84b3548, arenasize = 8192, mask = 3},
  fp = 0xbfffe774,
  codePool = {first = {next = 0x882eca8, base = 139146616, limit = 139146616, avail = 139146616},
    current = 0x882eca8, arenasize = 1024, mask = 0},
  notePool = {first = {next = 0x8660788, base = 139146644, limit = 139146644, avail = 139146644},
    current = 0x8660788, arenasize = 256, mask = 0},
  tempPool = {first = {next = 0x885c428, base = 139146672, limit = 139146672, avail = 139146672},
    current = 0x85679c0, arenasize = 1024, mask = 7},
  globalObject = 0x84aa158, newborn = {0x8553538, 0x8553e78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  regExpStatics = {input = 0x0, multiline = 0, parenCount = 0, moreLength = 0,
    parens = {{length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0},
      {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0},
      {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}},
    moreParens = 0x0, lastMatch = {length = 0, chars = 0x402708e8}, lastParen = {length = 0, chars = 0x402708e8},
    leftContext = {length = 0, chars = 0x402708e8}, rightContext = {length = 0, chars = 0x402708e8}},
  sharpObjectMap = {depth = 0, sharpgen = 0, table = 0x0}, argumentFormatMap = 0x85568d8,
  lastMessage = 0x0, tracefp = 0x0, branchCallback = 0x40660208, errorReporter = 0x4065f750,
  data = 0x851ce80, dormantFrameChain = 0x0, thread = 134651448, requestDepth = 0, scopeToShare = 0x0,
  rval2 = 0, rval2set = 0 '\000', throwing = 0 '\000', exception = 0, options = 0,
  scannerVersion = JSVERSION_DEFAULT, localeCallbacks = 0x0, resolving = 0x0, stackHeaders = 0x0}


(gdb) p* pn
$2 = {pn_type = TOK_SEMI, pn_pos = {begin = {index = 12, lineno = 19}, end = {index = 13, lineno = 19}},
  pn_op = JSOP_NOP, pn_offset = 0, pn_arity = PN_UNARY,
  pn_u = {func = {fun = 0x8567b00, body = 0x8567b30, flags = 1, tryCount = 1096349697},
    list = {head = 0x8567b00, tail = 0x8567b30, count = 1, extra = 1096349697},
    ternary = {kid1 = 0x8567b00, kid2 = 0x8567b30, kid3 = 0x1},
    binary = {left = 0x8567b00, right = 0x8567b30, val = 1},
    unary = {kid = 0x8567b00, num = 139885360},
    name = {atom = 0x8567b00, expr = 0x8567b30, slot = 1, attrs = 1096349697},
    dval = 1.7021718260471125e-268},
  pn_next = 0x0}


(gdb) p* tc
$3 = {flags = 1, tryCount = 0, topStmt = 0x0, decls = {list = 0x85679f0, table = 0x0, count = 3},
  nodeList = 0x0}

Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All

Comment 4

17 years ago
cc'ing Brendan and jband - 
Keywords: crash

Comment 5

17 years ago
Note the change in line number at the top of the stack:

#0  0x40240259 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2935
#1  0x40240635 in js_FoldConstants (cx=0x84b3530, pn=0x8567b00, tc=0xbfffe7ec)
at jsparse.c:2977

Comment 6

17 years ago
reassigning to brendan (who's been hacking in here and recycling nodes).

This blows the stack for me on NT with a JS engine I just updated from the tip.

This is an infinite recursion in: 

      case PN_UNARY:
        /* Our kid may be null (e.g. return; vs. return e;). */
        pn1 = pn->pn_kid;
        if (pn1 && !js_FoldConstants(cx, pn1, tc))
            return JS_FALSE;
        break;

pn->pn_kid is equal to pn so it just keeps going.

(as the dump above shows) pn_pos claims to be at line 19 index 12-13 - this 
seems to point to the space after "test3=". MSDEV won't show me the other end of 
the stack when the stack gets blown.
Assignee: rogerl → brendan
Comment 7 (Assignee)

17 years ago
Duh!  Shaver enabled a code path that exposed a bug latent since bug 33390's
patch went in.  It's an egregious error to recycle a JSParseNode twice.  Patch
coming right up.

/be
Status: NEW → ASSIGNED
Keywords: js1.5, mozilla0.9, patch, review
Priority: -- → P1
Target Milestone: --- → mozilla0.9
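An added example, not code from this bug, from the attached patch or from jsparse.c, to make the failure in comments 6 and 7 concrete. It builds a miniature parse-node arena with a free list (the Node, Arena, node_new, node_recycle_* , fold and scenario names are this example's own inventions, not SpiderMonkey's) and shows why recycling one node twice is so dangerous: the free list ends up pointing at itself, the next two allocations return the same node, and the moment the second one is linked as the first one's kid you have pn->pn_kid == pn and a recursive walk that never terminates. The fold here carries a depth budget purely so the demonstration can report the loop instead of blowing the stack; the guarded recycle is one defensive shape, not the fix Brendan landed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NODES 8
#define MAX_DEPTH 64   /* recursion budget; the real js_FoldConstants had none */

/* Hypothetical minimal parse node: one child (like pn_kid) and a free-list
 * link (like pn_next). The on_freelist flag is this example's own guard. */
typedef struct Node {
    const char  *type;
    struct Node *kid;
    struct Node *next;
    int          on_freelist;
} Node;

typedef struct {
    Node  pool[MAX_NODES];
    int   used;
    Node *freelist;
} Arena;

static void arena_init(Arena *a) { memset(a, 0, sizeof *a); }

/* Allocate a node, taking from the free list first. */
static Node *node_new(Arena *a, const char *type) {
    Node *n;
    if (a->freelist) {
        n = a->freelist;
        a->freelist = n->next;      /* read the link before wiping the node */
    } else if (a->used < MAX_NODES) {
        n = &a->pool[a->used++];
    } else {
        return NULL;
    }
    memset(n, 0, sizeof *n);
    n->type = type;
    return n;
}

/* Unguarded recycle: the buggy shape. Pushing the same node twice makes
 * n->next point at n, so the free list hands it out twice in a row. */
static void node_recycle_unguarded(Arena *a, Node *n) {
    n->next = a->freelist;
    a->freelist = n;
}

/* Guarded recycle: rejects a node that is already on the free list.
 * Returns 1 if recycled, 0 if this was a double recycle. */
static int node_recycle_guarded(Arena *a, Node *n) {
    if (n->on_freelist)
        return 0;
    n->on_freelist = 1;
    n->next = a->freelist;
    a->freelist = n;
    return 1;
}

/* Stand-in for the PN_UNARY case of js_FoldConstants: walk into the kid.
 * Returns the depth reached, or -1 once the budget is exceeded (which is
 * where the real engine ran off the end of the C stack). */
static int fold(const Node *pn, int depth) {
    if (depth > MAX_DEPTH)
        return -1;
    if (pn->kid)
        return fold(pn->kid, depth + 1);
    return depth;
}

typedef struct { int aliased; int fold_depth; } Result;

/* Build the situation from the bug: a node recycled twice, then a unary
 * statement node and its expression node allocated back to back. */
static Result scenario(int guarded) {
    Arena a;
    Result r;
    Node *dead, *stmt, *expr;

    arena_init(&a);
    dead = node_new(&a, "if(false)");     /* the branch constant folding discards */
    if (guarded) {
        node_recycle_guarded(&a, dead);
        node_recycle_guarded(&a, dead);   /* rejected: already free */
    } else {
        node_recycle_unguarded(&a, dead);
        node_recycle_unguarded(&a, dead); /* free list now loops on itself */
    }
    stmt = node_new(&a, "TOK_SEMI");
    expr = node_new(&a, "assign");
    stmt->kid = expr;                     /* if stmt == expr, pn->pn_kid == pn */

    r.aliased = (stmt == expr);
    r.fold_depth = fold(stmt, 0);
    return r;
}

int main(void) {
    Result bad = scenario(0), good = scenario(1);
    printf("unguarded: aliased=%d fold=%d\n", bad.aliased, bad.fold_depth);
    printf("guarded:   aliased=%d fold=%d\n", good.aliased, good.fold_depth);
    return 0;
}
```

The unguarded run reports aliased=1 and a fold that exhausts its budget; the guarded run allocates two distinct nodes and the fold returns after one level. The flag costs one int per node and turns a silent aliasing bug into a detectable refusal at the recycle site, which is where the mistake is made rather than where it is later felt.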
Comment 8 (Assignee)

17 years ago
Created attachment 25784 [details] [diff] [review]
proposed fix
Comment 9

17 years ago
Man, I really opened a can of worms with that ``easy one-liner'', didn't I?

r=shaver

Comment 10

17 years ago
sr=jband
Comment 11 (Assignee)

17 years ago
Fixed.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 12

17 years ago
Scott's testcase has been added to the JS testsuite as follows: 

             js/tests/js1_5/Regress/regress-69607.js 

Comment 13

17 years ago
Verified with standalone JS shell built on WinNT, Linux, and Mac. 
The above testcase passes on all three platforms.
Status: RESOLVED → VERIFIED