Closed Bug 798834 Opened 13 years ago Closed 13 years ago

Error: RangeError: invalid array length

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
18 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla19
Tracking Flags:
Tracking Status
firefox17 --- unaffected
firefox18 + verified

People

(Reporter: alice0775, Assigned: nbp)

References

(
URL
)

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

Remove reset of non-actual arguments for StackFrame.
9.08 KB, patch
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Build Identifier: http://hg.mozilla.org/mozilla-central/rev/2da1f2bde40e Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20121006030534 See http://forums.mozillazine.org/viewtopic.php?p=12351521 Steps to Reproduce: 1. Open http://www.khanacademy.org/math/algebra/algebra-functions/e/graphing_points Actual results: No graph is displayed Regression window(m-i) Good: http://hg.mozilla.org/mozilla-central/rev/fd724f194a1f Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20121005030609 Bad: http://hg.mozilla.org/mozilla-central/rev/3b458f4e0f42 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20121005035427 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd724f194a1f&tochange=3b458f4e0f42 Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/1b66a4593f92 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20121004224027 Ba: http://hg.mozilla.org/integration/mozilla-inbound/rev/3b458f4e0f42 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20121004235827 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1b66a4593f92&tochange=3b458f4e0f42 Error: RangeError: invalid array length Source file: http://khan-academy.appspot.com/javascript/shared-package/hashed-75c7f5f3da29c93c6004514f8e486ea7.js Line: 7643 Expected results: graph is displayed
The bug appear in a range function which does not take all its arguments. The error message report one line below the actual error, but this is caused by arguments[2] when we don't have enough actual arguments. bz has posted a minimal test case of this issue in Bug 798852. Taking this bug and fixing it fast …
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Attachment #668999 - Flags: review?(luke)
For the record, the minimal testcase was Sylvain, not me.
I see this error on "Error Console" using Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20121008031745 when loading hulu.com Error: RangeError: invalid array length Source File: http://static.huluim.com/huluguru/application_core-a338c4421fd2bac2433abdcbbf368a33.js Line: 4112 Is it the same bug or a very similar one?
Comment on attachment 668999 [details] [diff] [review] Remove reset of non-actual arguments for StackFrame. Review of attachment 668999 [details] [diff] [review]: ----------------------------------------------------------------- Test-case please! ::: js/src/vm/ArgumentsObject.cpp @@ -54,5 @@ > end = src + (numActuals - numFormals); > while (src != end) > (dst++)->init(*src++); > } > - SetMissingFormalArgsToUndefined(dstBase, numActuals, numFormals); D'oh! With this use gone, can you inline SetMissingFormArgsToUndefined into the one remaining use in CopyStackIterArgs. @@ +131,5 @@ > template <typename CopyArgs> > /* static */ ArgumentsObject * > ArgumentsObject::create(JSContext *cx, HandleScript script, HandleFunction callee, CopyArgs &copy) > { > + RootedObject proto(cx, callee->global().getOrCreateObjectPrototype(cx)); Ooops; can you also remove script/callee/numActualArgs() from the two structs now that the template doesn't use them?
Attachment #668999 - Flags: review?(luke) → review+
Last version of the patch to be pushed on inbound soon.
Attachment #668999 - Attachment is obsolete: true
(In reply to alex_mayorga from comment #5) > I see this error on "Error Console" using Mozilla/5.0 (Windows NT 6.1; > Win64; x64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20121008031745 when loading > hulu.com > > Error: RangeError: invalid array length > Source File: > http://static.huluim.com/huluguru/application_core- > a338c4421fd2bac2433abdcbbf368a33.js > Line: 4112 > > Is it the same bug or a very similar one? Yes, this is the same bug. It breaks your JQuery/Sizzle JS.
Severity: normal → major
status-firefox19: --- → affected
https://hg.mozilla.org/mozilla-central/rev/4de56a4bfa5f
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Comment on attachment 669296 [details] [diff] [review] Remove reset of non-actual arguments for StackFrame. [Approval Request Comment] Bug caused by (feature/regressing bug #): 787813 User impact if declined: JQuery/Sizzle malfunction. Testing completed (on m-c, etc.): [???] landed Risk to taking this patch (and alternatives if risky): unknown yet, probably low. String or UUID changes made by this patch: none.
Attachment #669296 - Flags: approval-mozilla-aurora?
(In reply to Nicolas B. Pierron [:pierron] [:nbp] from comment #11) > Risk to taking this patch (and alternatives if risky): unknown yet, probably > low. Leaving in the triage queue to give a couple of days of bake time on m-c.
Comment on attachment 669296 [details] [diff] [review] Remove reset of non-actual arguments for StackFrame. Approving as it is baked for several days now
Attachment #669296 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/18.0 Firefox/18.0 Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/18.0 Firefox/18.0 Verified with Windows 7 and Ubuntu 12.04. on Firefox 18 beta 2. Graph displayed as expected.
status-firefox18: fixedverified
Keywords: verifyme
QA Contact: virgil.dicu
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: