Closed
Bug 510091
Opened 15 years ago
Closed 15 years ago
Fennec crash on mousedown on an iframe
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2a1
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
fennec | 1.0b3+ | --- |
People
(Reporter: vingtetun, Assigned: jorendorff)
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 3 obsolete files)
71 bytes,
text/html
|
Details | |
1.56 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
Go to the attachment with Fennec and try to click on the iframe. Actual results: Crash by hitting an assert dragStart got element Assertion failure: pc < endpc, at /scratchbox/users/steakdepapillon/home/steakdepapillon/mozilla-central/js/src/jsobj.cpp:2291 Expected results: Nothing special
Reporter | ||
Updated•15 years ago
|
Summary: Fennec crash onmousedown on an iframe → Fennec crash on mousedown on an iframe
Assignee | ||
Comment 1•15 years ago
|
||
Taking. Stuart's going to help me build Fennec tomorrow.
Assignee: nobody → jorendorff
Comment 2•15 years ago
|
||
output from js_DumpScript(cx, script) from call to Detecting main: 00000: 64 zero 00001: 64 setlocal 0 00004: 64 pop 00005: 64 goto 29 (24) 00008: 64 loop 00009: 64 callname "" 00012: 64 arguments 00013: 64 getlocal 0 00016: 64 getelem 00017: 64 string "false" 00020: 64 add 00021: 64 call 1 00024: 64 pop 00025: 64 localinc 0 00028: 64 pop 00029: 64 getlocal 0 00032: 64 argcnt 00033: 64 lt 00034: 64 ifne 8 (-26) 00037: 65 callname "" 00040: 65 string "true" 00043: 65 call 1 00046: 65 pop 00047: 65 stop
Comment 3•15 years ago
|
||
Inside Detecting, script->code is 0x34c37dc, yet the pc value passed in is 0x5fc89910.
ntdll.dll!777e8b2e()
[Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]
js3250.dll!JS_Assert(const char * s=0x5fc2bc90, const char * file=0x5fc2bc68, int ln=0x000008f3) Line 65 C++
> js3250.dll!Detecting(JSContext * cx=0x034b7d20, unsigned char * pc=0x5fc89910) Line 2291 + 0x1e bytes C++
js3250.dll!js_GetPropertyHelper(JSContext * cx=0x034b7d20, JSObject * obj=0x04363680, int id=0x01d23244, int cacheResult=0x00000001, int * vp=0x002bd05c) Line 4298 + 0xd bytes C++
js3250.dll!js_Interpret(JSContext * cx=0x034b7d20) Line 4506 + 0x23 bytes C++
js3250.dll!js_Invoke(JSContext * cx=0x034b7d20, unsigned int argc=0x00000001, int * vp=0x0374e228, unsigned int flags=0x00000000) Line 1379 + 0x9 bytes C++
....
Comment 4•15 years ago
|
||
The failure it earlier... the reason Detecting is called is because op is read from pc as JSOP_GETPROP. That opcode isn't in the script disassembly.
Assignee | ||
Comment 5•15 years ago
|
||
Interesting. Building fennec now, so I'll be there in a bit. The code for the script in comment #2 doesn't make sense to me. Maybe brendan can shed some light on the meaning of `callname ""`. But, it's like, function () { for (var i = 0; i < arguments.length; i++) ???(arguments[x] + "false"); ???("true"); }
Assignee | ||
Comment 6•15 years ago
|
||
Brendan, what can cause this code: >63 dumpLn: function dumpLn() { >64 for (var i = 0; i < arguments.length; i++) { dump(arguments[i] + ' '); } >65 dump("\n"); >66 } to look like the disassembly in comment 2? The source is from: http://mxr.mozilla.org/mobile-browser/source/chrome/content/Util.js#63 I'm debugging with bcombee right now...
Comment 7•15 years ago
|
||
The callsite for dumpLn in this case is http://mxr.mozilla.org/mobile-browser/source/chrome/content/browser.js#1253
Assignee | ||
Comment 8•15 years ago
|
||
The assertion is bogus when we're in an imacro. Reproducing this requires strict mode and an object that doesn't have a .valueOf method (anything that has Object.prototype on its prototype chain will have the default one). This reproduces sporadically because we're only asserting the upper bound ("don't walk off the end of the script") and not the lower one--so the assertion may pass even though pc is nowhere near the script code. So, the first hunk fixes the assertion. But we probably shouldn't emit warnings for imacro bytecode, hmm? So the second hunk takes care of that.
Attachment #394345 -
Flags: review?(jwalden+bmo)
Assignee | ||
Comment 9•15 years ago
|
||
v2 has the advantage of actually compiling. You could even theoretically run it.
Attachment #394345 -
Attachment is obsolete: true
Attachment #394349 -
Flags: review?(jwalden+bmo)
Attachment #394345 -
Flags: review?(jwalden+bmo)
Assignee | ||
Comment 10•15 years ago
|
||
Attachment #394349 -
Attachment is obsolete: true
Attachment #394352 -
Flags: review?(jwalden+bmo)
Attachment #394349 -
Flags: review?(jwalden+bmo)
Assignee | ||
Updated•15 years ago
|
Attachment #394349 -
Attachment description: v2 → v2 - Now with 50% fewer humiliating errors!
Updated•15 years ago
|
Flags: wanted-fennec1.0?
Assignee | ||
Comment 11•15 years ago
|
||
Thanks to Waldo for the review.
Attachment #394352 -
Attachment is obsolete: true
Attachment #394360 -
Flags: review?(jwalden+bmo)
Attachment #394352 -
Flags: review?(jwalden+bmo)
Assignee | ||
Updated•15 years ago
|
Attachment #394349 -
Attachment description: v2 - Now with 50% fewer humiliating errors! → v2 - Now with 33% fewer humiliating errors!
Comment 12•15 years ago
|
||
Comment on attachment 394360 [details] [diff] [review] v5 - now perfect in every way and then some o/~ Oh Lord, it's hard to be humble when you're perfect in every way o/~
Attachment #394360 -
Flags: review?(jwalden+bmo) → review+
Assignee | ||
Comment 13•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/b8b9d78f12d2
Whiteboard: fixed-in-tracemonkey
Comment 14•15 years ago
|
||
v5 patch fixes the issue I saw in Fennec.
Comment 15•15 years ago
|
||
Got behind on bugmail, sorry -- glad you figured it all out. Boy, do we need to get rid of bytecode inspection from the VM. /be
Comment 16•15 years ago
|
||
(JS bug, not Fennec bug, just the latter happened to trigger it)
Component: General → JavaScript Engine
Product: Fennec → Core
QA Contact: general → general
Target Milestone: --- → mozilla1.9.2a1
Updated•15 years ago
|
tracking-fennec: ? → 1.0b3+
Flags: wanted-fennec1.0? → blocking1.9.2+
Comment 17•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/b8b9d78f12d2
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
|
Priority: -- → P1
Comment 18•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e784431dfa61
status1.9.2:
--- → beta1-fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•