Closed Bug 165179 Opened 22 years ago Closed 22 years ago

javascript debugger can be crashed in the interactive session [@ 0x00000000][@ js_Interpret]

Categories

(Other Applications Graveyard :: Venkman JS Debugger, defect)

Product:
Other Applications Graveyard
Component:
Venkman JS Debugger
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: henry.hippo, Assigned: rginda)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

Stack Trace
671 bytes, text/plain
Details
stack from debug build
5.64 KB, text/plain
Details
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Build Identifier: Mozilla 1.1 final Entering a mix of invalid and correct evaluation values in the interactive session window's input area crashed Mozilla. The crash seems to be reproducible after a fresh start of the debugger. Reproducible: Sometimes Steps to Reproduce: 1. Start Mozilla (I used quick launch). 2. Start Venkman 3. Enter the following lines to the interactive session's input area: a) i=1; b) i=i+1: c) i=1+1; d) i: (Sometimes steps c & d are needed to be repeated) ie. a,b,c,d,c,d -> crash Actual Results: Mozilla crashed. Expected Results: Ignore the erroneus input. Talkback has been submitted but I don't know the TB id.
Keywords: crash
Attached file Stack Trace
Here is the reporter's stack. Unfortunately, it does not have full resolution. (BTW, Reporter, to find your Talkback incident ID's run ~/mozilla/components/talkback.exe.)
I'm seeing the same with linux 1.1 release. worksforme with trunk build 20020722
OS: Windows 2000 → All
> (BTW, Reporter, to find your Talkback incident ID's run ~/mozilla/components/talkback.exe.) Thanks for the tip. Here are the Talkback ID's: TB9983060W (The original crash report) TB10031445Z (Just tested this again. Mozilla crashed after entering lines a and b.)
Incident #10031445 ------------------- 0x00000000 js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2232] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 856] fun_apply [c:/builds/seamonkey/mozilla/js/src/jsfun.c, line 1555] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 840] js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2792] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 856] js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2792] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 856] js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 931] JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3430] nsJSContext::CallEventHandler [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1044] nsJSEventListener::HandleEvent [c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 184] nsEventListenerManager::HandleEventSubType [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1275] nsEventListenerManager::HandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1736] nsXULElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 3465] nsXULElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 3484] nsGenericElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1867] nsHTMLInputElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1456] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6108] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6031] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2052] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 306] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1909] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1038] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1055] nsWindow::DispatchKeyEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 2886] nsWindow::OnChar [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 3066] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 3712] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1304] USER32.DLL + 0x1b60 (0x77e11b60) USER32.DLL + 0x1cca (0x77e11cca) USER32.DLL + 0x83f1 (0x77e183f1) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 452] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1534] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1881] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1899] WinMainCRTStartup() KERNEL32.DLL + 0xd326 (0x77e8d326) Since Andrew is also seeing it on the 1.1 release -> NEW
Summary: javascript debugger can be crashed in the interactive session → javascript debugger can be crashed in the interactive session [@ 0x00000000][@ js_Interpret]
-> NEW
Status: UNCONFIRMED → NEW
Ever confirmed: true
> Since Andrew is also seeing it on the 1.1 release 1.1 branch is dead, right?
*** Bug 165933 has been marked as a duplicate of this bug. ***
This looks like a js engine issue with function.apply.
Someone needs to reproduce this under a debugger and say where exactly in js_Interpret, and on what null pointer, the program is crashing. /be
Attached file stack from debug build
I can't get this to crash in a debug build, but it takes a long time to report the error. If I break during the pause, I get this stack. This appears similar to the toSource crash caused by err.stack.
Here's the top of the stack I crash with using 0901 trunk which looks basically the same: cdcdcdcd() js_Interpret(JSContext * 0x03f362e8, long * 0x0012cd04) line 2242 + 151 bytes js_Invoke(JSContext * 0x03f362e8, unsigned int 2, unsigned int 2) line 856 + 13 bytes fun_apply(JSContext * 0x03f362e8, JSObject * 0x04b5b390, unsigned int 2, long * 0x0781b33c, long * 0x0012ce2c) line 1552 + 15 bytes js_Invoke(JSContext * 0x03f362e8, unsigned int 2, unsigned int 0) line 839 + 23 bytes js_Interpret(JSContext * 0x03f362e8, long * 0x0012d748) line 2803 + 15 bytes js_Invoke(JSContext * 0x03f362e8, unsigned int 3, unsigned int 0) line 856 + 13 bytes js_Interpret(JSContext * 0x03f362e8, long * 0x0012e018) line 2803 + 15 bytes js_Invoke(JSContext * 0x03f362e8, unsigned int 1, unsigned int 2) line 856 + 13 bytes js_InternalInvoke(JSContext * 0x03f362e8, JSObject * 0x06e67420, long 92672800, unsigned int 0, unsigned int 1, long * 0x0012e278, long * 0x0012e148) line 931 + 20 bytes JS_CallFunctionValue(JSContext * 0x03f362e8, JSObject * 0x06e67420, long 92672800, unsigned int 1, long * 0x0012e278, long * 0x0012e148) line 3431 + 31 bytes nsJSContext::CallEventHandler(nsJSContext * const 0x053c8a60, void * 0x06e67420, void * 0x05861320, unsigned int 1, void * 0x0012e278, int * 0x0012e27c, int 0) line 1041 + 33 bytes It's in the middle of VALUE_TO_PRIMITIVE so I can't get the exact crash site. It looks like it's trying to do ((JSObject *) (rval & 0xFFFFFFF8))->map->ops- >defaultValue when it goes? This stuff is too thick for me to follow. Disassembly from the start of the macro to the crash is: 2242: VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &rtmp); 701109860 mov ecx,dword ptr [rval] 01109866 and ecx,7 01109869 test ecx,ecx 0110986B jne $L10903+0E6h (01109876) 0110986D cmp dword ptr [rval],0 01109874 jne $L10903+0F7h (01109887) 01109876 mov edx,dword ptr [rval] 0110987C mov dword ptr [rtmp],edx 01109882 jmp $L10903+17Eh (0110990e) 01109887 mov eax,dword ptr [fp] 0110988D cmp dword ptr [eax+0Ch],0 01109891 jne $L10903+134h (011098c4) 01109893 mov ecx,dword ptr [fp] 01109899 cmp dword ptr [ecx+40h],0 0110989D je $L10903+134h (011098c4) 0110989F mov edx,dword ptr [fp] 011098A5 mov eax,dword ptr [sp] 011098A8 cmp eax,dword ptr [edx+40h] 011098AB je $L10903+134h (011098c4) 011098AD push 8C2h 011098B2 push offset prop_iterator_class+3014h (011836b4) 011098B7 push offset prop_iterator_class+3034h (011836d4) 011098BC call @ILT+3460(_JS_Assert) (010c1d89) 011098C1 add esp,0Ch 011098C4 mov ecx,dword ptr [fp] 011098CA mov edx,dword ptr [sp] 011098CD mov dword ptr [ecx+3Ch],edx 011098D0 lea eax,[rtmp] 011098D6 push eax 011098D7 push 0 011098D9 mov ecx,dword ptr [rval] 011098DF and ecx,0FFFFFFF8h 011098E2 push ecx 011098E3 mov edx,dword ptr [cx] 011098E6 push edx 011098E7 mov eax,dword ptr [rval] 011098ED and al,0F8h 011098EF mov ecx,dword ptr [eax] 011098F1 mov edx,dword ptr [ecx+4] 011098F4 call dword ptr [edx+24h] ^----- crash 011098F7 add esp,10h 011098FA mov dword ptr [ok],eax 01109900 cmp dword ptr [ok],0 01109907 jne $L10903+17Eh (0110990e) 01109909 jmp out (011157fb) 0110990E xor eax,eax 01109910 test eax,eax 01109912 jne $L10903+0D0h (01109860) 2243: if ((cond = JSVAL_IS_STRING(ltmp)) || JSVAL_IS_STRING(rtmp)) { rval cast to a JSObject looks like this which is definitely not right: - (JSObject *) (rval & 0xFFFFFFF8) 0x076d6870 - map 0x076d6878 nrefs 0x076d6880 - ops 0x076d4fbf newObjectMap 0x10101010 destroyObjectMap 0x00000000 lookupProperty 0x00000000 defineProperty 0x00000000 getProperty 0x00000000 setProperty 0x10101000 getAttributes 0x10101010 setAttributes 0x10101010 deleteProperty 0xcdcdcd01 defaultValue 0xcdcdcdcd enumerate 0xcdcdcdcd checkAccess 0xcdcdcdcd thisObject 0xcdcdcdcd dropProperty 0xcdcdcdcd call 0xcdcdcdcd construct 0xcdcdcdcd xdrObject 0x6d5000cd hasInstance 0x6d4cb007 setProto 0x6d501007 setParent 0x6d4cb107 mark 0x6d501807 clear 0x6d4cb207 getRequiredSlot 0x6d502007 setRequiredSlot 0x6d4cb307 nslots 0x076d6888 freeslot 0x076d4fc0 - slots 0x076d4fbe 0x10101010
this was a problem with exception.stack getting too large, fixed a while ago.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Product: Core → Other Applications
Crash Signature: [@ 0x00000000] [@ js_Interpret]
Product: Other Applications → Other Applications Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: