Bug 153979 - [msvc6] crash in opt profile build [@js_DecompileFunction]
Status: Closed (VERIFIED INVALID)
Opened 22 years ago, closed 22 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: timeless, Assigned: khanson
Keywords: crash
Whiteboard: warning: link is pr0n (it came via email)
Attachments (2 files): 12.21 KB text/plain; 1.14 KB patch
Description

viewer's crash: [stack is identical in winembed]

    js_DecompileFunction(JSPrinter * 0x00000000, JSFunction * 0x00b6cd30) line 2383 + 24 bytes
    JS_DecompileFunction(JSContext * 0x01bb8338, JSFunction * 0x00b6cd30, unsigned int 0) line 3242 + 10 bytes
    fun_toString_sub(JSContext * 0x01bb8338, JSObject * 0x01b6a588, unsigned long 0, unsigned int 0, long * 0x01bcdc78, long * 0x0012f220) line 1394 + 10 bytes
    fun_toString(JSContext * 0x01bb8338, JSObject * 0x01b6a588, unsigned int 0, long * 0x01bcdc78, long * 0x0012f220) line 1404 + 22 bytes
    js_Invoke(JSContext * 0x00000001, unsigned int 0, unsigned int 2) line 848 + 17 bytes
    js_InternalInvoke(JSContext * 0x01bb8360, JSObject * 0x01b6a588, long 28746776, unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x0012f368) line 940 + 13 bytes
    js_TryMethod(JSContext * 0x01b6a418, JSObject * 0x01b6a588, JSAtom * 0x00abeae8, unsigned int 0, long * 0x00000000, long * 0x0012f368) line 3356 + 21 bytes
    js_DefaultValue(JSContext * 0x01bb8338, JSObject * 0x01b6a588, int 3, long * 0x0012f384) line 2869 + 24 bytes
    js_ValueToString(JSContext * 0x01bb8338, long 28747144) line 2569 + 16 bytes
    nsJSContext::EvaluateString(nsJSContext * const 0x00000000, const nsAString & {...}, void * 0x01b6a3f0, nsIPrincipal * 0x01bc48d4, const char * 0x0012f4a8, unsigned int 38, const char * 0x00328284 `string', nsAString & {...}, int * 0x0012f4e8) line 714 + 12 bytes
    nsScriptLoader::EvaluateScript(nsScriptLoader * const 0x00000008, nsScriptLoadRequest * 0x01bcd7b8, const nsAFlatString & {...}) line 570
    nsScriptLoader::ProcessRequest(nsScriptLoader * const 0x00000008, nsScriptLoadRequest * 0x01bcd7b8) line 477 + 9 bytes
    nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x01ba9168, nsIDOMHTMLScriptElement * 0x01ba91ac, nsIScriptLoaderObserver * 0x01bc7db4) line 420 + 12 bytes
    nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x01bc7d88, nsIDocument * 0x01ba5e30, int 0, int 29004136) line 158
    nsGenericContainerElement::AppendChildTo(nsGenericContainerElement * const 0x01bc1a78, nsIContent * 0x01bc7d88, int 0, int 0) line 3726
    HTMLContentSink::ProcessSCRIPTTag(HTMLContentSink * const 0x00000008, const nsIParserNode & {...}) line 4959
    HTMLContentSink::AddLeaf(HTMLContentSink * const 0x01bad998, const nsIParserNode & {...}) line 3262
    CNavDTD::AddLeaf(CNavDTD * const 0x00000008, const nsIParserNode * 0x01bc8318) line 3804 + 13 bytes
    CNavDTD::AddHeadLeaf(CNavDTD * const 0x00000008, nsIParserNode * 0x01bc8318) line 3867 + 8 bytes
    CNavDTD::HandleStartToken(CNavDTD * const 0x00000008, CToken * 0x00000053) line 1750 + 10 bytes
    CNavDTD::HandleToken(CNavDTD * const 0x00b6ceb8, CToken * 0x00000053, nsIParser * 0x01ad4348) line 908 + 8 bytes
    CNavDTD::BuildModel(CNavDTD * const 0x00b6ceb8, nsIParser * 0x01ad4348, nsITokenizer * 0x01bc5a58, nsITokenObserver * 0x00000000, nsIContentSink * 0x01bad998) line 519 + 10 bytes
    nsParser::BuildModel(nsParser * const 0x00000008) line 1875
    nsParser::ResumeParse(nsParser * const 0x00000008, int 1, int 0, int 1) line 1737 + 7 bytes
    nsParser::OnDataAvailable(nsParser * const 0x000007cc, nsIRequest * 0x01bbbdc0, nsISupports * 0x00000000, nsIInputStream * 0x01bc5ab0, unsigned int 0, unsigned int 1996) line 2371 + 13 bytes
    nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x01bbc300, nsIRequest * 0x01bbbdc0, nsISupports * 0x00000000, nsIInputStream * 0x01bc5ab0, unsigned int 0, unsigned int 1996) line 245
    nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x01bc5ab0, nsIRequest * 0x01bbbdc0, nsISupports * 0x00000000, nsIInputStream * 0x00000000, unsigned int 0, unsigned int 1996) line 97 + 24 bytes
    nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x01bbbdc4, nsIRequest * 0x01bbc5a4, nsISupports * 0x00000000, nsIInputStream * 0x01bbc534, unsigned int 0, unsigned int 1996) line 2983
    nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x00000008) line 193 + 24 bytes
    PL_HandleEvent(PLEvent * 0x01ba4864) line 597
    PL_ProcessPendingEvents(PLEventQueue * 0x00263527) line 526 + 6 bytes
    _md_EventReceiverProc(HWND__ * 0x77f82bea, unsigned int 2147348480, unsigned int 4279001, long 1) line 1078
    main(int 1, char * * 0x00432ed8) line 158 + 7 bytes
    VIEWER! mainCRTStartup + 227 bytes
    KERNEL32! 77e8d326()

    for (i = 0; i < nargs; i++)
 =>     js_printf(jp, (i > 0 ? ", %s" : "%s"), ATOM_BYTES(params[i]));

    i      0
  + jp     0x00000000   <= problem
    nargs  1

Ok. more detailed information

1. this does reproduce if you save the file to disk

    --15:16:34-- http://209.203.174.9:80/pink/index2.php?aid=228819&p=
    => `index2.php@aid=228819&p='

2. the printer is being called for a function named "click" on line 44 of the file.
3. this doesn't happen in a debug build
4. it looks like yet another bad optimization by msvc6

here's the limited bits of asm

    2382:       for (i = 0; i < nargs; i++)
    0030C3A5   and         dword ptr [jp],0
    0030C3A9   cmp         dword ptr [nargs],0
    0030C3AD   jbe         js_DecompileFunction+16Dh (0030c3ea)
    2383:           js_printf(jp, (i > 0 ? ", %s" : "%s"), ATOM_BYTES(params[i]));

jp was fine until that loop started to execute. once it starts, i think js_printf is guaranteed to die. i'm not certain, and there's a storm coming, so here's the bug. -- i really should power down and setup my ups.
Keywords: crash
Whiteboard: warning: link is pr0n (it came via email)
Comment 1 • 22 years ago

timeless: are you crashing just by loading the given URL, or are there further steps to reproduce? The frame containing the click() function is http://209.203.174.9/pink/index2.php?aid=228819&p=%22 where we have:

    document.onmousedown=click;
    function click(e) {
      if (document.all) {
        if (event.button == 2) {
          alert(message);
          return false;
        }
      }
      if (document.layers) {
        if (e.which == 3) {
          alert(message);
          return false;
        }
      }
    }
Assignee: rogerl → khanson
just loading :) if there's ever something which requires more interaction, i'll be sure to mention it.
    2383:           js_printf(jp, (i > 0 ? ", %s" : "%s"), ATOM_BYTES(params[i]));
    0030C3AF   mov         eax,dword ptr [jp]
    0030C3B2   mov         dword ptr [ebp-8],offset string ", %s" (0032caac)
    0030C3B9   test        eax,eax
    0030C3BB   ja          js_DecompileFunction+147h (0030c3c4)
    0030C3BD   mov         dword ptr [ebp-8],offset string "%s" (0032c7a4)
    0030C3C4   mov         eax,dword ptr [ebx+eax*4]
    0030C3C7   mov         eax,dword ptr [eax+8]   <= actual death is here
i applied that, built, ran, didn't crash, backed it out, built, ran, didn't crash.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Comment 6 • 22 years ago

timeless: I'll take your word for it and verify this as invalid, but I don't understand your last comment. Are you running a locally modified version of jsopcode.c that caused this crash? Or is the crash non-reproducible? Why is this bug report invalid?
Status: RESOLVED → VERIFIED
i don't know. there weren't any cvs diffs in the jseng (i checked before filing). it's possible that my js eng dll wasn't up to date, but that doesn't make any sense. anyway now my opt profile build works fine with or without the patch. sorry.
Updated • 13 years ago
Crash Signature: [@js_DecompileFunction]