
[msvc6] crash in opt profile build [@js_DecompileFunction]

Status: VERIFIED INVALID
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 16 years ago
Last modified: 16 years ago
Reporter: timeless
Assignee: Kenton Hanson (gone)
Keywords: crash
Version: Trunk
Hardware: x86
OS: Windows 2000
Whiteboard: warning: link is pr0n (it came via email)
Attachments: 2

(Reporter)

Description

16 years ago
viewer's crash: [stack is identical in winembed]
js_DecompileFunction(JSPrinter * 0x00000000, JSFunction * 0x00b6cd30) line 2383 
+ 24 bytes
JS_DecompileFunction(JSContext * 0x01bb8338, JSFunction * 0x00b6cd30, unsigned 
int 0) line 3242 + 10 bytes
fun_toString_sub(JSContext * 0x01bb8338, JSObject * 0x01b6a588, unsigned long 
0, unsigned int 0, long * 0x01bcdc78, long * 0x0012f220) line 1394 + 10 bytes
fun_toString(JSContext * 0x01bb8338, JSObject * 0x01b6a588, unsigned int 0, 
long * 0x01bcdc78, long * 0x0012f220) line 1404 + 22 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0, unsigned int 2) line 848 + 17 
bytes
js_InternalInvoke(JSContext * 0x01bb8360, JSObject * 0x01b6a588, long 28746776, 
unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x0012f368) line 940 
+ 13 bytes
js_TryMethod(JSContext * 0x01b6a418, JSObject * 0x01b6a588, JSAtom * 
0x00abeae8, unsigned int 0, long * 0x00000000, long * 0x0012f368) line 3356 + 
21 bytes
js_DefaultValue(JSContext * 0x01bb8338, JSObject * 0x01b6a588, int 3, long * 
0x0012f384) line 2869 + 24 bytes
js_ValueToString(JSContext * 0x01bb8338, long 28747144) line 2569 + 16 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x00000000, const nsAString & 
{...}, void * 0x01b6a3f0, nsIPrincipal * 0x01bc48d4, const char * 0x0012f4a8, 
unsigned int 38, const char * 0x00328284 `string', nsAString & {...}, int * 
0x0012f4e8) line 714 + 12 bytes
nsScriptLoader::EvaluateScript(nsScriptLoader * const 0x00000008, 
nsScriptLoadRequest * 0x01bcd7b8, const nsAFlatString & {...}) line 570
nsScriptLoader::ProcessRequest(nsScriptLoader * const 0x00000008, 
nsScriptLoadRequest * 0x01bcd7b8) line 477 + 9 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x01ba9168, 
nsIDOMHTMLScriptElement * 0x01ba91ac, nsIScriptLoaderObserver * 0x01bc7db4) 
line 420 + 12 bytes
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x01bc7d88, 
nsIDocument * 0x01ba5e30, int 0, int 29004136) line 158
nsGenericContainerElement::AppendChildTo(nsGenericContainerElement * const 
0x01bc1a78, nsIContent * 0x01bc7d88, int 0, int 0) line 3726
HTMLContentSink::ProcessSCRIPTTag(HTMLContentSink * const 0x00000008, const 
nsIParserNode & {...}) line 4959
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x01bad998, const 
nsIParserNode & {...}) line 3262
CNavDTD::AddLeaf(CNavDTD * const 0x00000008, const nsIParserNode * 0x01bc8318) 
line 3804 + 13 bytes
CNavDTD::AddHeadLeaf(CNavDTD * const 0x00000008, nsIParserNode * 0x01bc8318) 
line 3867 + 8 bytes
CNavDTD::HandleStartToken(CNavDTD * const 0x00000008, CToken * 0x00000053) line 
1750 + 10 bytes
CNavDTD::HandleToken(CNavDTD * const 0x00b6ceb8, CToken * 0x00000053, nsIParser 
* 0x01ad4348) line 908 + 8 bytes
CNavDTD::BuildModel(CNavDTD * const 0x00b6ceb8, nsIParser * 0x01ad4348, 
nsITokenizer * 0x01bc5a58, nsITokenObserver * 0x00000000, nsIContentSink * 
0x01bad998) line 519 + 10 bytes
nsParser::BuildModel(nsParser * const 0x00000008) line 1875
nsParser::ResumeParse(nsParser * const 0x00000008, int 1, int 0, int 1) line 
1737 + 7 bytes
nsParser::OnDataAvailable(nsParser * const 0x000007cc, nsIRequest * 0x01bbbdc0, 
nsISupports * 0x00000000, nsIInputStream * 0x01bc5ab0, unsigned int 0, unsigned 
int 1996) line 2371 + 13 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x01bbc300, 
nsIRequest * 0x01bbbdc0, nsISupports * 0x00000000, nsIInputStream * 0x01bc5ab0, 
unsigned int 0, unsigned int 1996) line 245
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x01bc5ab0, 
nsIRequest * 0x01bbbdc0, nsISupports * 0x00000000, nsIInputStream * 0x00000000, 
unsigned int 0, unsigned int 1996) line 97 + 24 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x01bbbdc4, nsIRequest * 
0x01bbc5a4, nsISupports * 0x00000000, nsIInputStream * 0x01bbc534, unsigned int 
0, unsigned int 1996) line 2983
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x00000008) 
line 193 + 24 bytes
PL_HandleEvent(PLEvent * 0x01ba4864) line 597
PL_ProcessPendingEvents(PLEventQueue * 0x00263527) line 526 + 6 bytes
_md_EventReceiverProc(HWND__ * 0x77f82bea, unsigned int 2147348480, unsigned 
int 4279001, long 1) line 1078
main(int 1, char * * 0x00432ed8) line 158 + 7 bytes
VIEWER! mainCRTStartup + 227 bytes
KERNEL32! 77e8d326()

        for (i = 0; i < nargs; i++)
=>            js_printf(jp, (i > 0 ? ", %s" : "%s"), ATOM_BYTES(params[i]));

	i	0
+	jp	0x00000000 <= problem
	nargs	1

Ok. More detailed information:
1. This does reproduce if you save the file to disk:
--15:16:34--  http://209.203.174.9:80/pink/index2.php?aid=228819&p=
           => `index2.php@aid=228819&p='
2. The printer is being called for a function named "click" on line 44 of the file.
3. This doesn't happen in a debug build.
4. It looks like yet another bad optimization by msvc6.
Here's the limited bits of asm:
2382:         for (i = 0; i < nargs; i++)
0030C3A5   and         dword ptr [jp],0
0030C3A9   cmp         dword ptr [nargs],0
0030C3AD   jbe         js_DecompileFunction+16Dh (0030c3ea)
2383:             js_printf(jp, (i > 0 ? ", %s" : "%s"), 
ATOM_BYTES(params[i]));

jp was fine until that loop started to execute.
Once it starts, I think js_printf is guaranteed to die. I'm not certain, and there's a storm coming, so here's the bug. I really should power down and set up my UPS.
(Reporter)

Updated

16 years ago
Keywords: crash
Whiteboard: warning: link is pr0n (it came via email)

Comment 1

16 years ago
timeless: are you crashing just by loading the given URL, or are there further steps to reproduce?

The frame containing the click() function is
  http://209.203.174.9/pink/index2.php?aid=228819&p=%22
where we have:


document.onmousedown=click;

function click(e) 
{
  if (document.all) 
  {
    if (event.button == 2)
    {
      alert(message);
      return false;
    }
  }

  if (document.layers)
  {
    if (e.which == 3)
    {
      alert(message);
      return false;
    }
  }
}
Assignee: rogerl → khanson
(Reporter)

Comment 2

16 years ago
Just loading :) If there's ever something which requires more interaction, I'll be sure to mention it.
(Reporter)

Comment 3

16 years ago
Created attachment 88972 [details]
function disassembly

2383:             js_printf(jp, (i > 0 ? ", %s" : "%s"),
ATOM_BYTES(params[i]));
0030C3AF   mov         eax,dword ptr [jp]
0030C3B2   mov         dword ptr [ebp-8],offset string ", %s" (0032caac)
0030C3B9   test        eax,eax
0030C3BB   ja          js_DecompileFunction+147h (0030c3c4)
0030C3BD   mov         dword ptr [ebp-8],offset string "%s" (0032c7a4)
0030C3C4   mov         eax,dword ptr [ebx+eax*4]
0030C3C7   mov         eax,dword ptr [eax+8] <= actual death is here
(Reporter)

Comment 4

16 years ago
Created attachment 89007 [details] [diff] [review]
roc suggested I use this to debug
(Reporter)

Comment 5

16 years ago
I applied that, built, ran, didn't crash; backed it out, built, ran, didn't crash.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID

Comment 6

16 years ago
timeless: I'll take your word for it and verify this as invalid,
but I don't understand your last comment. Are you running a locally
modified version of jsopcode.c that caused this crash? Or is the
crash non-reproducible? Why is this bug report invalid?
Status: RESOLVED → VERIFIED
(Reporter)

Comment 7

16 years ago
I don't know. There weren't any cvs diffs in the jseng (I checked before filing). It's possible that my js eng dll wasn't up to date, but that doesn't make any sense. Anyway, now my opt profile build works fine with or without the patch. Sorry.
Crash Signature: [@js_DecompileFunction]