Closed Bug 213841 Opened 22 years ago Closed 22 years ago

Crash on context destruction if 2 breakpoints set at same PC

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.5beta

People

(Reporter: eestievenart, Assigned: brendan)

References

Details

(Keywords: crash, js1.5)

Attachments

(1 file, 1 obsolete file)

less minimal patch, but more efficient ever so slightly
1.44 KB, patch
Details | Diff | Splinter Review
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.11 [en] Build Identifier: SpiderMonkey 1.5-rc5a Calling JS_SetTrap() twice for the same program counter will generate a crash when the JSContext is freed during the call to JS_ClearAllTraps(). Reproducible: Always Steps to Reproduce: See details. I could provide a sample code if needed. In JS_SetTrap, if a trap is already found for the given pc, the existing trap structure is linked to itself in the rt->trapList linked list, thus generating a trap on either the context or runtime destruction. trap = FindTrap(rt, script, pc); if (trap) { /* Restore opcode at pc so it can be saved again. */ *pc = (jsbytecode)trap->op; } else { trap = (JSTrap *) JS_malloc(cx, sizeof *trap); if (!trap || !js_AddRoot(cx, &trap->closure, "trap->closure")) { if (trap) JS_free(cx, trap); return JS_FALSE; } } JS_APPEND_LINK(&trap->links, &rt->trapList); I propose to correct that in the following manner : - Always create another JSTrap (after all, the trap->closure information may be different for the 2 traps) e.g. : trap = FindTrap(rt, script, pc); if (trap) { /* Restore opcode at pc so it can be saved again. */ *pc = (jsbytecode)trap->op; } trap = (JSTrap *) JS_malloc(cx, sizeof *trap); if (!trap || !js_AddRoot(cx, &trap->closure, "trap->closure")) { if (trap) JS_free(cx, trap); return JS_FALSE; } JS_APPEND_LINK(&trap->links, &rt->trapList); ... That way thee is no risk of crash. The only problem is that if 2 breakpoints have been put at the same PC (generally after the bp relocation due to empty source lines) it is not easy to retrieve them individually.
Keywords: crash
cc'ing Brendan, Mike -
Assignee: rogerl → khanson
Status: UNCONFIRMED → NEW
Ever confirmed: true
Thanks for the bug. Are you using jsdbgapi.h directly? Just curious. The trap API was not designed to support more than one trap per pc, and more than a very few traps (5 or 10) per runtime. /be
Assignee: khanson → brendan
Priority: -- → P1
Target Milestone: --- → mozilla1.5beta
Yes, I'm using jsdbgapi.h directly. Of course the engine is not designed to report more than one trap per pc (would require to pass a list as parameter of the debug hook) but this is not a really important issue. Regarding the 5-10 trap limit per runtime, what does cause that limit ? Performance issues when doing the lookup in the trap list ? (which does not seem a real issue for me) or something else I have missed ? Thanks - Eric
If the engine were to support more than one trap per pc, then each trap's handler would be called in a deterministic order -- there would not be a list of traps passed to one handler. The 10 limit is just to avoid O(n^2) growth adding to and searching a list showing up for traps in inner loops. Patch soon. /be
Status: NEW → ASSIGNED
Keywords: js1.5
Attached patch trivial patch (obsolete) — Splinter Review
No need to create unreachable traps. Just don't double-append. /be
The 10 limit is just a design limit, it's not enforced. Eric, if you could test this patch I'd be grateful. /be
This is the patch I'm going to land today. It works for me in the js shell: js> function f(a){var b=a*a; return b*a} js> f function f(a) { var b = a * a; return b * a; } js> dis(f) main: 00000: getarg 0 00003: getarg 0 00006: mul 00007: setvar 0 00010: pop 00011: getvar 0 00014: getarg 0 00017: mul 00018: return Source notes: 0: 7 [ 7] var js> trap(f, 10, "print('hi')") js> f(4) hi 64 js> trap(f, 10, "print('bye')") js> f(4) bye 64 js> quit() /be
Attachment #128913 - Attachment is obsolete: true
Fixed. /be
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Rubber-stamp vrfy
Status: RESOLVED → VERIFIED
*** Bug 227261 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: