Bug 31862 (Closed): crash when attempting to call NodeList as function
Opened 26 years ago, closed 26 years ago
Categories: Core :: JavaScript Engine, defect, P3
Status: RESOLVED FIXED
People: Reporter: dbaron, Assigned: rogerl
Keywords: crash
Attachments: 1 file (734 bytes, text/html)
DESCRIPTION: The test case I'm about to attach crashes my debug build from a
day or two ago. The stack trace is deep in JS code, so I'm filing it on
JavaScript Engine, although that may or may not be the source of the bug.
STEPS TO REPRODUCE:
* load attached test case
* hit button
ACTUAL RESULTS:
* crash:
Assertion failure: atom, at jsopcode.c:1707
Program received signal SIGABRT, Aborted.
0x404a0111 in ?? () from /lib/libc.so.6
[ loading shared libraries cut... ]
(gdb) bt
#0 0x404a0111 in __kill ()
#1 0x40259f7b in raise (sig=6) at signals.c:63
#2 0x404a1447 in abort () at ../sysdeps/generic/abort.c:88
#3 0x400e483b in JS_Assert (s=0x400efc58 "atom",
file=0x400efa03 "jsopcode.c", ln=1707) at jsutil.c:146
#4 0x400c0540 in Decompile (ss=0xbfffd2cc, pc=0x86bcbf3 "T", nb=6)
at jsopcode.c:1707
#5 0x400c1d41 in js_DecompileCode (jp=0x8687db0, script=0x86bcba0,
pc=0x86bcbf3 "T", len=6) at jsopcode.c:2168
#6 0x400c26a1 in js_DecompileValueGenerator (cx=0x85adf98, checkStack=1,
v=140568840, fallback=0x8182028) at jsopcode.c:2441
#7 0x4009310a in js_ReportIsNotFunction (cx=0x85adf98, vp=0x86859f0,
constructing=0) at jsfun.c:1695
#8 0x400ba39e in js_Call (cx=0x85adf98, obj=0x860e900, argc=1,
argv=0x86859f8, rval=0xbfffd45c) at jsobj.c:2588
#9 0x400968d7 in js_Invoke (cx=0x85adf98, argc=1, flags=0) at jsinterp.c:665
#10 0x400a6c83 in js_Interpret (cx=0x85adf98, result=0xbfffde24)
at jsinterp.c:2292
#11 0x40096935 in js_Invoke (cx=0x85adf98, argc=1, flags=0) at jsinterp.c:681
#12 0x400a6c83 in js_Interpret (cx=0x85adf98, result=0xbfffe81c)
at jsinterp.c:2292
#13 0x40096935 in js_Invoke (cx=0x85adf98, argc=1, flags=2) at jsinterp.c:681
#14 0x40096c6c in js_InternalInvoke (cx=0x85adf98, obj=0x860e8c0,
fval=140568784, flags=0, argc=1, argv=0xbfffea98, rval=0xbfffe98c)
at jsinterp.c:754
#15 0x4006aac7 in JS_CallFunctionValue (cx=0x85adf98, obj=0x860e8c0,
fval=140568784, argc=1, argv=0xbfffea98, rval=0xbfffe98c) at jsapi.c:2790
#16 0x4031fdc9 in nsJSContext::CallEventHandler (this=0x85ac0c8,
aTarget=0x860e8c0, aHandler=0x860e8d0, argc=1, argv=0xbfffea98,
aBoolResult=0xbfffe9e8) at nsJSEnvironment.cpp:562
#17 0x4035a6a9 in nsJSEventListener::HandleEvent (this=0x86751d8,
aEvent=0x87a727c) at nsJSEventListener.cpp:128
#18 0x40fac9e1 in nsEventListenerManager::HandleEventSubType (this=0x86c49f8,
aListenerStruct=0x87a62c0, aDOMEvent=0x87a727c, aSubType=4, aPhaseFlags=7)
at nsEventListenerManager.cpp:698
#19 0x40facfce in nsEventListenerManager::HandleEvent (this=0x86c49f8,
aPresContext=0x85ae150, aEvent=0xbfffeedc, aDOMEvent=0xbfffee40, aFlags=7,
aEventStatus=0xbffff360) at nsEventListenerManager.cpp:838
#20 0x412365f8 in nsGenericElement::HandleDOMEvent (this=0x875f508,
aPresContext=0x85ae150, aEvent=0xbfffeedc, aDOMEvent=0xbfffee40, aFlags=1,
aEventStatus=0xbffff360) at nsGenericElement.cpp:1009
#21 0x410672fd in nsHTMLInputElement::HandleDOMEvent (this=0x875f4e0,
aPresContext=0x85ae150, aEvent=0xbfffeedc, aDOMEvent=0x0, aFlags=1,
aEventStatus=0xbffff360) at nsHTMLInputElement.cpp:842
#22 0x40fb5634 in nsEventStateManager::CheckForAndDispatchClick (
this=0x85c2fa0, aPresContext=0x85ae150, aEvent=0xbffff464,
aStatus=0xbffff360) at nsEventStateManager.cpp:1705
#23 0x40fb3178 in nsEventStateManager::PostHandleEvent (this=0x85c2fa0,
aPresContext=0x85ae150, aEvent=0xbffff464, aTargetFrame=0x86006c0,
aStatus=0xbffff360, aView=0x85ff7b8) at nsEventStateManager.cpp:885
#24 0x41009952 in PresShell::HandleEvent (this=0x86de670, aView=0x85ff7b8,
aEvent=0xbffff464, aEventStatus=0xbffff360, aHandled=@0xbffff304)
at nsPresShell.cpp:3083
etc...
EXPECTED RESULTS:
* no crash
DOES NOT WORK CORRECTLY ON:
* Linux mozilla, my debug build from 2000-03-13
ADDITIONAL INFORMATION:
In my optimized build, it doesn't crash, but it doesn't do anything either.
Comment 1 (Reporter) • 26 years ago
Comment 2 (Reporter) • 26 years ago
The crash was triggered by a typo of mine: I wrote element.childNodes(i)
instead of element.childNodes.item(i) . Retitling appropriately.
But it's probably good I made that typo...
Summary: crash in JS code → crash when attempting to call NodeList as function
Comment 3 (Assignee) • 26 years ago
The decompiler is attempting to use ARGS from the previous function, but fails
since the scope field in the printer is left null as the fp->fun is not set.
Here's a proposed patch for jsfun.c (js_ReportIsNotFunction):
@@ -1720,9 +1726,11 @@
fp = cx->fp;
if (fp) {
jsval *sp = fp->sp;
+ JSFunction *fun = fp->fun;
fp->sp = vp;
str = js_DecompileValueGenerator(cx, JS_TRUE, *vp, fallback);
fp->sp = sp;
+ fp->fun = fun;
} else {
str = js_DecompileValueGenerator(cx, JS_TRUE, *vp, fallback);
}
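Review bot: The save/restore of `fp->fun` in this hunk is a no-op as written: `fun` is loaded from `fp->fun` and written back to `fp->fun` after js_DecompileValueGenerator, but nothing between the two statements assigns a different function to the frame, so the decompiler still runs with the same unset fp->fun that comment 3 says leaves the printer's scope null. For the restore to matter, the frame's fun has to be pointed at the calling function (the one whose ARGS the decompiler wants) before the call; without that, and without a comment explaining the intent, the restore reads as dead code.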
Status: NEW → ASSIGNED
Comment 4 (Assignee) • 26 years ago
Urgh. Never mind that. Here's the real patch to jsobj.c (js_Call):
@@ -2594,7 +2606,18 @@
clasp = OBJ_GET_CLASS(cx, JSVAL_TO_OBJECT(argv[-2]));
if (!clasp->call) {
+ /*
+ * The decompiler may need to access the args of the function
+ * in progress, so we switch the function pointer in the
+ * frame to the function below us, rather than the one we had
+ * hoped to call.
+ */
+ JSStackFrame *fp = cx->fp;
+ JSFunction *fun = fp->fun;
+ if (fp->down) /* guaranteed ? */
+ fp->fun = fp->down->fun;
js_ReportIsNotFunction(cx, &argv[-2], JS_FALSE);
+ fp->fun = fun;
return JS_FALSE;
}
return clasp->call(cx, obj, argc, argv, rval);
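Review bot: `cx->fp` is dereferenced without a null check (`fp->fun`, `fp->down`), whereas the js_ReportIsNotFunction code shown in comment 3 guards the same pointer with `if (fp)`; either js_Call is only reachable with a live frame, in which case the new comment should say so, or the same guard is needed here. Separately, the `/* guaranteed ? */` next to `if (fp->down)` should be resolved rather than checked in as a question: when `fp->down` is NULL the swap is skipped silently and js_ReportIsNotFunction runs with the original `fp->fun`, i.e. the state that hit the `atom` assertion in jsopcode.c, so an explicit assertion (or a fallback path) there would make the intent checkable.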
Updated (Assignee) • 26 years ago
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Comment 5 (Assignee) • 26 years ago
Fix checked in.