Closed Bug 292949 Opened 20 years ago Closed 20 years ago

crash [@ js_SetClassPrototype] because proto isn't rooted in js_InitExceptionClasses across call to js_DefineFunction

Categories

(Core :: JavaScript Engine, defect)

Platform: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

Details

(Keywords: crash, js1.5)

Crash Data

Attachments

(1 obsolete file)

My tree isn't entirely current, but I'm fairly certain this isn't fixed yet. I can update early next week.

I'm abusing too_much_gc by restricting the JS environment to about 20k.

steps:
(build with support for JS_RUNTIME_SIZE)
set JS_RUNTIME_SIZE=20
winembed.exe

death is very simple:

    /* Make the prototype for the current constructor name. */
    protos[i] = js_NewObject(cx, &ExceptionClass,
                             (protoIndex != JSEXN_NONE)
                             ? protos[protoIndex]
                             : NULL,
                             obj);
    /* creates a happy proto with a map != 0; */
    if (!protos[i])
        return NULL;

    /* So exn_finalize knows whether to destroy private data. */
    OBJ_SET_SLOT(cx, protos[i], JSSLOT_PRIVATE, JSVAL_VOID);

    atom = js_Atomize(cx, exceptions[i].name, strlen(exceptions[i].name), 0);
    if (!atom)
        return NULL;

    /* Make a constructor function for the current name. */
    fun = js_DefineFunction(cx, obj, atom, exceptions[i].native, 3, 0);
    /* destroyed the proto, presumably because it wasn't rooted */

the call to:

    if (!js_SetClassPrototype(cx, fun->object, protos[i],
                              JSPROP_READONLY | JSPROP_PERMANENT)) {

crashes at:

    return OBJ_DEFINE_PROPERTY(cx, proto,
                               ATOM_TO_JSID(cx->runtime->atomState.constructorAtom),
                               OBJECT_TO_JSVAL(ctor),
                               JS_PropertyStub, JS_PropertyStub, 0, NULL);

because:

    + proto->map 0x00000000 {nrefs=??? ops=??? nslots=??? ...} JSObjectMap *

and obj_define_property wants to use (proto)->map->ops->defineProperty, which isn't very reachable.

    js3250.dll!js_SetClassPrototype(JSContext * cx=0x00ab9878, JSObject * ctor=0x00b35368, JSObject * proto=0x00b35360, unsigned int attrs=0x00000006) Line 3668 + 0x2c C
    > js3250.dll!js_InitExceptionClasses(JSContext * cx=0x00ab9878, JSObject * obj=0x00b34ab0) Line 860 + 0x1a C
    js3250.dll!JS_InitStandardClasses(JSContext * cx=0x00ab9878, JSObject * obj=0x00b34ab0) Line 1204 + 0xc1 C
    jsd3250.dll!_newJSDContext(JSRuntime * jsrt=0x00aa9028, JSD_UserCallbacks * callbacks=0x00000000, void * user=0x00000000) Line 144 + 0x14 C
    jsd3250.dll!jsd_DebuggerOnForUser(JSRuntime * jsrt=0x00aa9028, JSD_UserCallbacks * callbacks=0x00000000, void * user=0x00000000) Line 199 + 0x11 C
    jsd3250.dll!JSD_DebuggerOnForUser(JSRuntime * jsrt=0x00aa9028, JSD_UserCallbacks * callbacks=0x00000000, void * user=0x00000000) Line 52 + 0x11 C
    jsd3250.dll!jsdService::OnForRuntime(JSRuntime * rt=0x00aa9028) Line 2506 + 0xd C++
    jsd3250.dll!jsdASObserver::Observe(nsISupports * aSubject=0x00000000, const char * aTopic=0x00345190, const unsigned short * aData=0x0035105c) Line 3333 + 0x1b C++
    xpcom_core.dll!NS_CreateServicesFromCategory(const char * category=0x00345198, nsISupports * origin=0x00000000, const char * observerTopic=0x00345190) Line 827 C++
    xpcom_core.dll!nsComponentManagerImpl::AutoRegisterImpl(int when=0x00000000, nsIFile * inDirSpec=0x00000000, int fileIsCompDir=0x00000001) Line 3194 + 0x11 C++
    xpcom_core.dll!nsComponentManagerImpl::AutoRegister(nsIFile * aSpec=0x00000000) Line 3417 + 0x13 C++
    xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x003dd8d8, unsigned int methodIndex=0x00000003, unsigned int paramCount=0x00000001, nsXPTCVariant * params=0x0012ead0) Line 102 C++
    xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=CALL_METHOD) Line 2068 + 0x1e C++
    xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x00b32598, JSObject * obj=0x00b349a8, unsigned int argc=0x00000001, long * argv=0x00b60528, long * vp=0x0012eda4) Line 1311 + 0xb C++
    js3250.dll!js_Invoke(JSContext * cx=0x00b32598, unsigned int argc=0x00000001, unsigned int flags=0x00000000) Line 1320 + 0x20 C
    js3250.dll!js_Interpret(JSContext * cx=0x00b32598, unsigned char * pc=0x00b57eaf, long * result=0x0012f890) Line 3614 + 0xf C
    js3250.dll!js_Invoke(JSContext * cx=0x00b32598, unsigned int argc=0x00000003, unsigned int flags=0x00000002) Line 1340 + 0x13 C
    xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x00b50bf0, unsigned short methodIndex=0x0003, const nsXPTMethodInfo * info=0x00b63640, nsXPTCMiniVariant * nativeParams=0x0012fba4) Line 1413 + 0x14 C++
    xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=0x0003, const nsXPTMethodInfo * info=0x00b63640, nsXPTCMiniVariant * params=0x0012fba4) Line 450 C++
    xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x00b50bf0, unsigned int methodIndex=0x00000003, unsigned int * args=0x0012fc6c, unsigned int * stackBytesToPop=0x0012fc5c) Line 117 + 0x1c C++
    xpcom_core.dll!SharedStub() Line 147 C++
    xpcom_core.dll!NS_CreateServicesFromCategory(const char * category=0x0032dbc0, nsISupports * origin=0x00000000, const char * observerTopic=0x0032dbb0) Line 827 C++
    xpcom_core.dll!NS_InitXPCOM2_P(nsIServiceManager * * result=0x00414b90, nsIFile * binDirectory=0x00000000, nsIDirectoryServiceProvider * appFileLocationProvider=0x00000000) Line 683 + 0x11 C++
    xpcom.dll!NS_InitXPCOM2(nsIServiceManager * * result=0x00414b90, nsIFile * binDirectory=0x00000000, nsIDirectoryServiceProvider * dirProvider=0x00000000) Line 120 + 0x12 C++
    winEmbed.exe!NS_InitEmbedding(nsILocalFile * mozBinDirectory=0x00000000, nsIDirectoryServiceProvider * appFileLocProvider=0x00000000) Line 102 + 0x13 C++
    winEmbed.exe!main(int argc=0x00000001, char * * argv=0x003d9668) Line 168 + 0x9 C++
    winEmbed.exe!mainCRTStartup() Line 398 + 0x11 C
    kernel32.dll!_BaseProcessStart@4() + 0x23
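The hazard the report describes, as an added illustration that is not code from this bug, the attached patch, or SpiderMonkey: a toy mark-sweep heap with an explicit root stack, in which an object held only in a C local is swept by a collection that runs inside a later allocating call, the same shape as protos[i] across js_DefineFunction. Every name here (ToyObj, toy_new, toy_gc, toy_define_function, toy_set_class_prototype, init_unrooted, init_rooted) is invented. The collector runs on every allocation to mimic too_much_gc, and it poisons swept objects instead of freeing them so that the stale use is observable rather than undefined behaviour.

```c
/* Toy precise mark-sweep heap with an explicit root stack (invented names). */
#include <stdio.h>
#include <stdlib.h>

#define NSLOTS   2   /* slot 0: prototype link, slot 1: one property */
#define MAXROOTS 16  /* more than enough for the two scopes below */

typedef struct ToyObj {
    struct ToyObj *next;          /* all objects, for sweeping */
    struct ToyObj *slots[NSLOTS]; /* outgoing references the marker traces */
    int marked;
    int alive;                    /* 0 once swept: stands in for obj->map == NULL */
} ToyObj;

static ToyObj *heap;              /* list of objects not yet swept */
static ToyObj *roots[MAXROOTS];   /* root stack: the analogue of local root scopes */
static int nroots;

static void mark(ToyObj *o) {
    if (!o || o->marked) return;
    o->marked = 1;
    for (int i = 0; i < NSLOTS; i++) mark(o->slots[i]);
}

/* Anything not reachable from the root stack is "finalized".  A real collector
 * returns the memory; the toy only clears alive so a dangling use is visible. */
static void toy_gc(void) {
    for (int i = 0; i < nroots; i++) mark(roots[i]);
    ToyObj **pp = &heap;
    while (*pp) {
        ToyObj *o = *pp;
        if (o->marked) { o->marked = 0; pp = &o->next; }
        else { *pp = o->next; o->alive = 0; }
    }
}

/* Like js_NewObject under too_much_gc: every allocation first collects, so any
 * object held only in a C local at this point is swept. */
static ToyObj *toy_new(ToyObj *proto) {
    toy_gc();
    ToyObj *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->alive = 1;
    o->slots[0] = proto;
    o->next = heap;
    heap = o;
    return o;
}

/* Like js_DefineFunction: allocates (and so collects) and stores the new
 * function on the rooted global, so the function itself stays reachable. */
static ToyObj *toy_define_function(ToyObj *global) {
    ToyObj *fun = toy_new(NULL);
    if (fun) global->slots[1] = fun;
    return fun;
}

/* Like js_SetClassPrototype: the real code dereferences proto->map here and
 * crashes on a swept object; the toy reports it as a failure instead. */
static int toy_set_class_prototype(ToyObj *ctor, ToyObj *proto) {
    if (!ctor || !proto || !proto->alive) return 0;
    ctor->slots[0] = proto;
    return 1;
}

/* Fresh heap with a single permanently rooted global (earlier runs' objects
 * are deliberately leaked; this is a demonstration, not an allocator). */
static ToyObj *toy_fresh_global(void) {
    heap = NULL;
    nroots = 0;
    ToyObj *global = toy_new(NULL);
    roots[nroots++] = global;
    return global;
}

/* Shape of js_InitExceptionClasses before the fix: proto lives only in a
 * C local while the function object is being defined. */
int init_unrooted(void) {
    ToyObj *global = toy_fresh_global();
    ToyObj *proto = toy_new(NULL);
    ToyObj *fun = toy_define_function(global);   /* GC runs: proto is unreachable */
    return toy_set_class_prototype(fun, proto);  /* 0: proto was swept */
}

/* Shape of the fix: a local root scope keeps proto alive across the call. */
int init_rooted(void) {
    ToyObj *global = toy_fresh_global();
    int scope = nroots;                          /* enter local root scope */
    ToyObj *proto = toy_new(NULL);
    roots[nroots++] = proto;                     /* root the newborn object */
    ToyObj *fun = toy_define_function(global);   /* GC runs: proto is marked */
    int ok = toy_set_class_prototype(fun, proto);
    nroots = scope;                              /* leave local root scope */
    return ok;                                   /* 1 */
}

int main(void) {
    printf("unrooted: %d (0 = proto swept before use)\n", init_unrooted());
    printf("rooted:   %d (1 = proto survived the GC)\n", init_rooted());
    return 0;
}
```

init_unrooted returns 0 because the collection triggered inside toy_define_function sweeps proto before toy_set_class_prototype touches it, the point where the real code reads a NULL proto->map. init_rooted pushes proto on the root stack for the duration of the scope, the analogue of the local root scope the attached patch leaves with js_LeaveLocalRootScope, and returns 1. The general lesson is the one the bug title states: any object held only in a native local must be rooted across every call that can allocate.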
Assignee: general → timeless
Status: NEW → ASSIGNED
Attachment #182647 - Flags: review?(brendan)
Comment on attachment 182647 [details] [diff] [review]
i don't think there's anything to root proto

>Index: jsexn.c
>===================================================================
>RCS file: /cvsroot/mozilla/js/src/jsexn.c,v
>retrieving revision 3.47
>diff -u -p -7 -r3.47 jsexn.c
>--- jsexn.c 7 Jan 2005 03:35:36 -0000 3.47
>+++ jsexn.c 5 May 2005 03:34:53 -0000
>@@ -818,66 +818,73 @@ static JSFunctionSpec exception_methods[
> {0,0,0,0,0}
> };
>
> JSObject *
> js_InitExceptionClasses(JSContext *cx, JSObject *obj)
> {
> int i;
>+ JSBool ok = JS_FALSE;

This looks unused, nuke it.

> }

Extra blank line here.

>+ js_LeaveLocalRootScope(cx);
>+ if (exceptions[i].name)
>+ return NULL;

r+a=me with those changes.

/be
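Review bot: the error check `if (exceptions[i].name) return NULL;` placed after `js_LeaveLocalRootScope(cx);` treats the NULL-named terminator of exceptions[] as the loop's success signal, so it is only correct if every failure inside the loop breaks out to this point rather than returning directly; a direct `return NULL` from inside the loop would skip the leave and unbalance the root scope (the matching enter call is not among the quoted lines, so please confirm it). Suggest a one-line comment stating that invariant above the check, and, as already noted, dropping the unused `JSBool ok = JS_FALSE;`.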
Attachment #182647 - Flags: review?(brendan)
Attachment #182647 - Flags: review+
Attachment #182647 - Flags: approval1.8b2+
Comment on attachment 182647 [details] [diff] [review]
i don't think there's anything to root proto

mozilla/js/src/jsexn.c 3.48
Attachment #182647 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Flags: testcase-
Crash Signature: [@ js_SetClassPrototype]