Closed Bug 584882 Opened 14 years ago Closed 14 years ago

TM: Attempts to compute this for dummy frames

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bzbarsky, Assigned: adrake)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Fix.
1.89 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review 
In a debug build, I get a fatal assertion instead:

Assertion failure: isObject(), at /Users/bzbarsky/mozilla/moo-branch/mozilla/js/src/jsvalue.h:531

(gdb) frame 1
#1  0x00500577 in js::Value::toObject (this=0x158c5020) at jsvalue.h:531
531             JS_ASSERT(isObject());
(gdb) p *this
$1 = {
  data = {
    asBits = 18446462607322775552, 
    s = {
      payload = {
        i32 = 0, 
        u32 = 0, 
        boo = 0, 
        str = 0x0, 
        obj = 0x0, 
        ptr = 0x0, 
        why = JS_ARRAY_HOLE
      }, 
      tag = JSVAL_TAG_UNDEFINED
    }, 
    asDouble = -nan(0xf000200000000)
  }
}
(gdb) bt
#0  0x00646e01 in JS_Assert (s=0x755554 "isObject()", file=0x755518 "/Users/bzbarsky/mozilla/moo-branch/mozilla/js/src/jsvalue.h", ln=531) at /Users/bzbarsky/mozilla/moo-branch/mozilla/js/src/jsutil.cpp:81
#1  0x00500577 in js::Value::toObject (this=0x158c5020) at jsvalue.h:531
#2  0x005963f6 in ComputeGlobalThis (cx=0x11cc400, argv=0x158c5030) at jsinterp.cpp:272
#3  0x0059804d in js::ComputeThisFromArgv (cx=0x11cc400, argv=0x158c5030) at jsinterp.cpp:304
#4  0x00598131 in JSStackFrame::computeThisObject (this=0x158c5030, cx=0x11cc400) at jsinterp.cpp:285
#5  0x0052c626 in JSStackFrame::getThisObject (this=0x158c5030, cx=0x11cc400) at jsinterp.h:526
#6  0x00529914 in JS_GetFrameThis (cx=0x11cc400, fp=0x158c5030) at /Users/bzbarsky/mozilla/moo-branch/mozilla/js/src/jsdbgapi.cpp:1262
#7  0x11e09491 in jsd_NewThreadState (jsdc=0x16c98fc0, cx=0x11cc400) at /Users/bzbarsky/mozilla/moo-branch/mozilla/js/jsd/jsd_stak.c:134
#8  0x11e06105 in jsd_CallExecutionHook (jsdc=0x16c98fc0, cx=0x11cc400, type=4, hook=0x11e15482 <jsds_ExecutionHookProc(JSDContext*, JSDThreadState*, unsigned int, void*, jsval_layout*)>, hookData=0x0, rval=0xbfffad80) at /Users/bzbarsky/mozilla/moo-branch/mozilla/js/jsd/jsd_hook.c:165
#9  0x11e060b8 in jsd_ThrowHandler (cx=0x11cc400, script=0x1370000, pc=0x13701ca "5", rval=0xbfffad80, closure=0x16c98fc0) at /Users/bzbarsky/mozilla/moo-branch/mozilla/js/jsd/jsd_hook.c:148
#10 0x00593358 in js::Interpret (cx=0x11cc400, entryFrame=0x158c50d0, inlineCallCount=4) at /Users/bzbarsky/mozilla/moo-branch/mozilla/js/src/jsinterp.cpp:6982
#11 0x00598474 in js::RunScript (cx=0x11cc400, script=0x1f0721e0, fun=0x15e8f990, scopeChain=0x15e875a0) at jsinterp.cpp:469
#12 0x0059938a in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> (cx=0x11cc400, fun=0x15e8f990, script=0x1f0721e0, native=0, args=@0xbfffbc50, flags=0) at jsinterp.cpp:636
#13 0x00599faf in js::Invoke (cx=0x11cc400, args=@0xbfffbc50, flags=0) at jsinterp.cpp:761
#14 0x0059a5c2 in js::InternalInvoke (cx=0x11cc400, thisv=@0xbfffbca8, fval=@0xbfffbce8, flags=0, argc=1, argv=0x16e0c10, rval=0xbfffbdb0) at jsinterp.cpp:801
#15 0x004e6a2d in js::InternalCall (cx=0x11cc400, obj=0x15e875a0, fval=@0xbfffbce8, argc=1, argv=0x16e0c10, rval=0xbfffbdb0) at jsinterp.h:373
#16 0x004ea65f in JS_CallFunctionValue (cx=0x11cc400, obj=0x15e875a0, fval={asBits = 18446462629165194960, s = {payload = {i32 = 367582928, u32 = 367582928, boo = 367582928, str = 0x15e8ded0, obj = 0x15e8ded0, ptr = 0x15e8ded0, why = 367582928}, tag = JSVAL_TAG_OBJECT}, asDouble = -nan(0xf000715e8ded0)}, argc=1, argv=0x16e0c10, rval=0xbfffbdb0) at /Users/bzbarsky/mozilla/moo-branch/mozilla/js/src/jsapi.cpp:4835
JSD is walking the stack and attempts to do JS_GetFrameThis on a dummy frame, which incorrectly attempts to compute this from argv. Patch forthcoming to add an assert for this case in JSStackFrame::getThisObject, and a check in JS_GetFrameThis to return NULL in this case, but I am told isDummyFrame() will incorrectly return true for callable non-functions.

This doesn't manifest on TM readily in part because the browser crashes due to https://bugzilla.mozilla.org/show_bug.cgi?id=584912 first.
Assignee: general → adrake
Status: NEW → ASSIGNED
OS: Mac OS X → All
Hardware: x86 → All
Summary: Crash on startup when starting moo-branch browser with firebug in the profile → TM: Attempts to compute this for dummy frames
Attached patch Fix.Splinter Review 
Solves the problem by adding a JSFRAME_DUMMY flag, and setting/checking this where appropriate. Also adds an assertion so we don't try to compute this on dummy frames.
Attachment #463463 - Flags: review?(jorendorff)
Attachment #463463 - Flags: review?(jorendorff) → review+
http://hg.mozilla.org/tracemonkey/rev/e03e1ce32f82
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/e03e1ce32f82
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: