Closed
Bug 153979
Opened 22 years ago
Closed 22 years ago
[msvc6] crash in opt profile build [@js_DecompileFunction]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
INVALID
People
(Reporter: timeless, Assigned: khanson)
References
()
Details
(Keywords: crash, Whiteboard: warning: link is pr0n (it came via email))
Crash Data
Attachments
(2 files)
|
12.21 KB,
text/plain
|
Details | |
|
1.14 KB,
patch
|
Details | Diff | Splinter Review |
viewer's crash: [stack is identical in winembed]
js_DecompileFunction(JSPrinter * 0x00000000, JSFunction * 0x00b6cd30) line 2383
+ 24 bytes
JS_DecompileFunction(JSContext * 0x01bb8338, JSFunction * 0x00b6cd30, unsigned
int 0) line 3242 + 10 bytes
fun_toString_sub(JSContext * 0x01bb8338, JSObject * 0x01b6a588, unsigned long
0, unsigned int 0, long * 0x01bcdc78, long * 0x0012f220) line 1394 + 10 bytes
fun_toString(JSContext * 0x01bb8338, JSObject * 0x01b6a588, unsigned int 0,
long * 0x01bcdc78, long * 0x0012f220) line 1404 + 22 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0, unsigned int 2) line 848 + 17
bytes
js_InternalInvoke(JSContext * 0x01bb8360, JSObject * 0x01b6a588, long 28746776,
unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x0012f368) line 940
+ 13 bytes
js_TryMethod(JSContext * 0x01b6a418, JSObject * 0x01b6a588, JSAtom *
0x00abeae8, unsigned int 0, long * 0x00000000, long * 0x0012f368) line 3356 +
21 bytes
js_DefaultValue(JSContext * 0x01bb8338, JSObject * 0x01b6a588, int 3, long *
0x0012f384) line 2869 + 24 bytes
js_ValueToString(JSContext * 0x01bb8338, long 28747144) line 2569 + 16 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x00000000, const nsAString &
{...}, void * 0x01b6a3f0, nsIPrincipal * 0x01bc48d4, const char * 0x0012f4a8,
unsigned int 38, const char * 0x00328284 `string', nsAString & {...}, int *
0x0012f4e8) line 714 + 12 bytes
nsScriptLoader::EvaluateScript(nsScriptLoader * const 0x00000008,
nsScriptLoadRequest * 0x01bcd7b8, const nsAFlatString & {...}) line 570
nsScriptLoader::ProcessRequest(nsScriptLoader * const 0x00000008,
nsScriptLoadRequest * 0x01bcd7b8) line 477 + 9 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x01ba9168,
nsIDOMHTMLScriptElement * 0x01ba91ac, nsIScriptLoaderObserver * 0x01bc7db4)
line 420 + 12 bytes
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x01bc7d88,
nsIDocument * 0x01ba5e30, int 0, int 29004136) line 158
nsGenericContainerElement::AppendChildTo(nsGenericContainerElement * const
0x01bc1a78, nsIContent * 0x01bc7d88, int 0, int 0) line 3726
HTMLContentSink::ProcessSCRIPTTag(HTMLContentSink * const 0x00000008, const
nsIParserNode & {...}) line 4959
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x01bad998, const
nsIParserNode & {...}) line 3262
CNavDTD::AddLeaf(CNavDTD * const 0x00000008, const nsIParserNode * 0x01bc8318)
line 3804 + 13 bytes
CNavDTD::AddHeadLeaf(CNavDTD * const 0x00000008, nsIParserNode * 0x01bc8318)
line 3867 + 8 bytes
CNavDTD::HandleStartToken(CNavDTD * const 0x00000008, CToken * 0x00000053) line
1750 + 10 bytes
CNavDTD::HandleToken(CNavDTD * const 0x00b6ceb8, CToken * 0x00000053, nsIParser
* 0x01ad4348) line 908 + 8 bytes
CNavDTD::BuildModel(CNavDTD * const 0x00b6ceb8, nsIParser * 0x01ad4348,
nsITokenizer * 0x01bc5a58, nsITokenObserver * 0x00000000, nsIContentSink *
0x01bad998) line 519 + 10 bytes
nsParser::BuildModel(nsParser * const 0x00000008) line 1875
nsParser::ResumeParse(nsParser * const 0x00000008, int 1, int 0, int 1) line
1737 + 7 bytes
nsParser::OnDataAvailable(nsParser * const 0x000007cc, nsIRequest * 0x01bbbdc0,
nsISupports * 0x00000000, nsIInputStream * 0x01bc5ab0, unsigned int 0, unsigned
int 1996) line 2371 + 13 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x01bbc300,
nsIRequest * 0x01bbbdc0, nsISupports * 0x00000000, nsIInputStream * 0x01bc5ab0,
unsigned int 0, unsigned int 1996) line 245
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x01bc5ab0,
nsIRequest * 0x01bbbdc0, nsISupports * 0x00000000, nsIInputStream * 0x00000000,
unsigned int 0, unsigned int 1996) line 97 + 24 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x01bbbdc4, nsIRequest *
0x01bbc5a4, nsISupports * 0x00000000, nsIInputStream * 0x01bbc534, unsigned int
0, unsigned int 1996) line 2983
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x00000008)
line 193 + 24 bytes
PL_HandleEvent(PLEvent * 0x01ba4864) line 597
PL_ProcessPendingEvents(PLEventQueue * 0x00263527) line 526 + 6 bytes
_md_EventReceiverProc(HWND__ * 0x77f82bea, unsigned int 2147348480, unsigned
int 4279001, long 1) line 1078
main(int 1, char * * 0x00432ed8) line 158 + 7 bytes
VIEWER! mainCRTStartup + 227 bytes
KERNEL32! 77e8d326()
for (i = 0; i < nargs; i++)
=> js_printf(jp, (i > 0 ? ", %s" : "%s"), ATOM_BYTES(params[i]));
i 0
+ jp 0x00000000 <= problem
nargs 1
Ok. more detailed information
1. this does reproduce if you save the file to disk
--15:16:34-- http://209.203.174.9:80/pink/index2.php?aid=228819&p=
=> `index2.php@aid=228819&p='
2. the printer is being called for a function named "click" on line 44 of the
file.
3. this doesn't happen in a debug build
4. it looks like yet another bad optimization by msvc6
here's the limited bits of asm
2382: for (i = 0; i < nargs; i++)
0030C3A5 and dword ptr [jp],0
0030C3A9 cmp dword ptr [nargs],0
0030C3AD jbe js_DecompileFunction+16Dh (0030c3ea)
2383: js_printf(jp, (i > 0 ? ", %s" : "%s"),
ATOM_BYTES(params[i]));
jp was fine until that loop started to execute
once it starts, i think js_printf is guaranteed to die, i'm not certain and
there's a storm coming, so here's the bug. -- i really should power down and
setup my ups.
Keywords: crash
Whiteboard: warning: link is pr0n (it came via email)
|
||
Comment 1•22 years ago
|
||
timeless: are you crashing just by loading the given URL, or are there further steps to reproduce? The frame containing the click() function is http://209.203.174.9/pink/index2.php?aid=228819&p=%22 where we have: document.onmousedown=click; function click(e) { if (document.all) { if (event.button == 2) { alert(message); return false; } } if (document.layers) { if (e.which == 3) { alert(message); return false; } } }
Assignee: rogerl → khanson
just loading :) if there's ever something which requires more interaction, i'll be sure to mention it.
2383: js_printf(jp, (i > 0 ? ", %s" : "%s"), ATOM_BYTES(params[i])); 0030C3AF mov eax,dword ptr [jp] 0030C3B2 mov dword ptr [ebp-8],offset string ", %s" (0032caac) 0030C3B9 test eax,eax 0030C3BB ja js_DecompileFunction+147h (0030c3c4) 0030C3BD mov dword ptr [ebp-8],offset string "%s" (0032c7a4) 0030C3C4 mov eax,dword ptr [ebx+eax*4] 0030C3C7 mov eax,dword ptr [eax+8] <= actual death is here
i applied that, built, ran, didn't crash, backed it out, built, ran, didn't crash.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
|
|
||
Comment 6•22 years ago
|
||
timeless: I'll take your word for it and verify this as invalid, but I don't understand your last comment. Are you running a locally modified version of jsopcode.c that caused this crash? Or is the crash non-reproducible? Why is this bug report invalid?
Status: RESOLVED → VERIFIED
i don't know. there weren't any cvs diffs in the jseng (i checked before filing). it's possible that my js eng dll wasn't up to date, but that doesn't make any sense. anyway now my opt profile build works fine with or without the patch. sorry.
|
||
Updated•13 years ago
|
Crash Signature: [@js_DecompileFunction]
You need to log in
before you can comment on or make changes to this bug.
Description
•