Closed
Bug 139316
Opened 22 years ago
Closed 22 years ago
Crash involving js_ReportIsNotDefined()
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.0
People
(Reporter: pschwartau, Assigned: brendan)
Details
(Keywords: crash, js1.5, Whiteboard: [driver:asa])
Attachments
(3 files, 3 obsolete files)
4.66 KB,
patch
|
Details | Diff | Splinter Review | |
703 bytes,
text/plain
|
Details | |
1.89 KB,
patch
|
rginda
:
review+
shaver
:
superreview+
asa
:
approval+
|
Details | Diff | Splinter Review |
Reported by rginda. Crash occurs while using the /eval command in Chatzilla. Will try to obtain a debug stack trace and exact steps to reproduce. In the meantime, here are two stack traces from Talkback: --------------------------- Incident ID 5239571 --------------------------- 0x00000000 JS_DefineProperty() InitExceptionObject() js_ErrorToException() ReportError() js_ReportErrorNumberVA() JS_ReportErrorNumber() js_ReportIsNotDefined() js_Interpret() js_Execute() obj_eval() js_Invoke() js_Interpret() js_Invoke() js_Interpret() js_Invoke() js_Interpret() js_Execute() JS_EvaluateUCScriptForPrincipals() nsJSContext::EvaluateString() GlobalWindowImpl::RunTimeout() GlobalWindowImpl::TimerCallback() nsTimerImpl::Fire() handleTimerEvent() PL_HandleEvent() PL_ProcessPendingEvents() nsEventQueueImpl::ProcessPendingEvents() event_processor_callback() our_gdk_io_invoke() libglib-1.2.so.0 + 0xff9e (0x4038df9e) libglib-1.2.so.0 + 0x11773 (0x4038f773) libglib-1.2.so.0 + 0x11d39 (0x4038fd39) libglib-1.2.so.0 + 0x11eec (0x4038feec) libgtk-1.2.so.0 + 0x94333 (0x402aa333) nsAppShell::Run() nsAppShellService::Run() main1() main() libc.so.6 + 0x1c507 (0x404d5507) --------------------------- Incident ID 5493893 --------------------------- JS_DefineProperty() InitExceptionObject() js_ErrorToException() ReportError() js_ReportErrorNumberVA() JS_ReportErrorNumber() js_ReportIsNotDefined() js_Interpret() js_Execute() obj_eval() js_Invoke() js_Interpret() js_Invoke() js_Interpret() js_Invoke() js_Interpret() js_Execute() JS_EvaluateUCScriptForPrincipals() nsJSContext::EvaluateString() GlobalWindowImpl::RunTimeout() GlobalWindowImpl::TimerCallback() nsTimerImpl::Fire() handleTimerEvent() PL_HandleEvent() PL_ProcessPendingEvents() nsEventQueueImpl::ProcessPendingEvents() event_processor_callback() our_gdk_io_invoke() libglib-1.2.so.0 + 0xff9e (0x4038df9e) libglib-1.2.so.0 + 0x11773 (0x4038f773) libglib-1.2.so.0 + 0x11d39 (0x4038fd39) libglib-1.2.so.0 + 0x11eec (0x4038feec) libgtk-1.2.so.0 + 0x94333 (0x402aa333) nsAppShell::Run() nsAppShellService::Run() main1() main() libc.so.6 + 0x1c507 (0x404d5507)
Reporter | ||
Updated•22 years ago
|
Comment 1•22 years ago
|
||
I think this is still out there, and it's a lame one. We take a *very* long time to create exception objects at best, and in the worst case, we crash. I'm spinning a new debug build now to try to get a stack with line numbers.
Keywords: mozilla1.0
Comment 2•22 years ago
|
||
Looks to me like jsexn.c:436 is trying to call toSource on every parameter. This large objects easily make the problem apparent... In chatzilla... /eval try { foo } catch (e) { dumpObjectTree (e) } + message (string) 'foo is not defined' + fileName (string) 'chrome://chatzilla/content/handlers.js' + lineNumber (number) 1789 + stack (string) 48831 chars + name (string) 'ReferenceError' *
Comment 3•22 years ago
|
||
proposed patch for string arguments, use string source if the string is less than 75 characters, otherwise use "%u chars". for function arguments, use the function name, or "anonymous function". for all other arguments, use argument converted to a string.
Comment 4•22 years ago
|
||
test file for the js shell (sorry phil, not a "real" testcase.) This outputs: makeError(function c, anonymous function, [object Object], null, undefined, 1.7976931348623157e+308, 0, 1, "hello world", 217 chars, newstring, true, false, Thu May 02 2002 02:54:09 GMT-0700 (PDT))@exntest.js:8 anonymous function()@exntest.js:24 __toplevel__@exntest.js:28 notice that the parameter with the value of |new String("newstring")| is printed without the surrounding quotes. This doesn't bother me too much, some might even consider it a feature :)
Assignee | ||
Comment 5•22 years ago
|
||
Let me take a swing at this, I have a better idea. /be
Assignee: khanson → brendan
Target Milestone: --- → mozilla1.0
Comment 6•22 years ago
|
||
> Let me take a swing at this, I have a better idea.
Care to expand on that?
I'd really hate to see RC2 go out with this problem. I use chatzilla as a js
scratchpad all the time, and crashing mozilla instead of displaying an error
message is hardly acceptable.
Can we check this in, and switch to your better idea post RC2?
Assignee | ||
Comment 7•22 years ago
|
||
Use js_ValueToString, not js_ValueToSource. I have a big patch for 1.1alpha that limits the number of characters in the js_ValueToLimitedSource result string (and #defines js_ValueToSource in terms of that new internal function -- same for js_ValueTo{,Limited}String). But for 1.0 I think we want to do as little as possible. I don't think the special casing in the other patch is desirable in the short or long run. /be
Assignee | ||
Comment 8•22 years ago
|
||
Looking for fast r= and sr= for the 1.0 branch only -- cc'ing asa so he can track this one. /be
Whiteboard: [driver:asa]
Comment 9•22 years ago
|
||
I don't mind the small patch for the short term, but I would like to defend the long term benefits of (some of) the special casing in my previous patch... Printing the entire function content isn't going to help anyone, and is going to cloud the *real* information in noise. Not printing a name for toplevel and anonymous functions makes the output hard to parse. Especially for human readers, who are looking for that chunk of text before the open paren as a visual marker for the beginning of a stack frame.
Comment 10•22 years ago
|
||
Comment on attachment 82301 [details] [diff] [review] brendan's proposed 1.0 branch fix r=rginda
Attachment #82301 -
Flags: review+
Assignee | ||
Comment 11•22 years ago
|
||
rginda helped debug and we found the source of the talkback crashes. The errObject newborn in js_ErrorToException was not rooted or locked, and its cx->newborn root pigeon-hole could get overwritten by some other object birth under InitExceptionObject (no doubt from a toString or toSource call of some sort that allocates objects in the course of doing its work). As a hack with which we will not keep compatibility, also based on rob's feedback, I made a special case for function argument pretty-printing in the exception stack property -- the identifier for named functions is used by itself instead of its decompiled, pretty-printed with indentation and newlines, function declaration (what comes back from Function.prototype.toString). Still a small patch, and I crave rginda's r= and shaver's sr= for 1.0. /be
Attachment #82301 -
Attachment is obsolete: true
Assignee | ||
Comment 12•22 years ago
|
||
Rob, where did any version of the code fail to print the name for top-level functions? You wrote "[n]ot printing a name for toplevel and anonymous functions ..." but I don't see how top-level functions (which are named by definition) can lack an identifier. I'm hoping you will r= the latest patch. It special-cases named function arguments by printing only the function identifier, and uses toSource (which does not pretty-print, so no newlines) for anonymous functions. I think that's reasonable for now -- anonymous functions are otherwise hard to distinguish, and I don't think the chars in "anonymous function" are worth their weight in any scenario. /be
Status: NEW → ASSIGNED
Comment 13•22 years ago
|
||
Comment on attachment 82307 [details] [diff] [review] brendan's proposed 1.0 branch fix, v2 You'll need to convert |v| to a function to use it with |JS_GetFunctionId|. r=rginda with that change. Anonyomous functions and top level *scripts* (sorry, I meant to say scripts, not functions) are still printed without any identifier in the "frame name" portion of the output, as in the follwing 3 frame call stack... makeError(c,(function () {}),[object Object],null,undefined,1.7976931348623157e+308,0,1,hello world,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,newstring,tru e,false,Sat May 04 2002 15:36:06 GMT-0700 (PDT))@exntest.js:8 <- frame 0 ()@exntest.js:24 <- frame 1 @exntest.js:28 <- frame 2 I find this makes it harder to read the output. Just a thought.
Assignee | ||
Comment 14•22 years ago
|
||
Duh -- fixed to use JS_ValueToFunction per rginda's review. Shaver, can you sr=? I'm a less-is-more Unix kind of guy, so an empty string before the @ seems better to me than "top-level-script" or some such string. You'll get used to it ;-). /be
Attachment #82307 -
Attachment is obsolete: true
Assignee | ||
Comment 15•22 years ago
|
||
Rather than spend space and time (and risk OOM failures) with a GC-thing lock, why not JS_SetPendingException early, which roots errObject by definition? /be
Attachment #82540 -
Attachment is obsolete: true
Comment 16•22 years ago
|
||
Comment on attachment 82553 [details] [diff] [review] brendan's proposed 1.0 branch fix, v4 (smaller) r=rginda
Attachment #82553 -
Flags: review+
Comment on attachment 82553 [details] [diff] [review] brendan's proposed 1.0 branch fix, v4 (smaller) sr=shaver.
Attachment #82553 -
Flags: superreview+
Assignee | ||
Comment 18•22 years ago
|
||
Fixed in trunk. Asking drivers for approval for 1.0. /be
Comment 19•22 years ago
|
||
Comment on attachment 82553 [details] [diff] [review] brendan's proposed 1.0 branch fix, v4 (smaller) a=asa (on behalf of drivers) for checkin to the 1.0 branch
Attachment #82553 -
Flags: approval+
Assignee | ||
Comment 20•22 years ago
|
||
Fix in branch too. /be
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 21•22 years ago
|
||
Verified on trunk and branch per discussion with rginda: the reported crash no longer occurs. Adding fixed1.0.0 and verified1.0.0 keywords.
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.0,
verified1.0.0
Updated•19 years ago
|
Flags: testcase?
Comment 22•19 years ago
|
||
Checking in regress-139316.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-139316.js,v <-- regress-139316.js initial revision: 1.1
Flags: testcase? → testcase+
You need to log in
before you can comment on or make changes to this bug.
Description
•