Closed
Bug 165179
Opened 22 years ago
Closed 22 years ago
javascript debugger can be crashed in the interactive session [@ 0x00000000][@ js_Interpret]
Categories
(Other Applications Graveyard :: Venkman JS Debugger, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: henry.hippo, Assigned: rginda)
References
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Build Identifier: Mozilla 1.1 final
Entering a mix of invalid and correct evaluation values in the interactive
session window's input area crashed Mozilla. The crash seems to be reproducible
after a fresh start of the debugger.
Reproducible: Sometimes
Steps to Reproduce:
1. Start Mozilla (I used quick launch).
2. Start Venkman
3. Enter the following lines to the interactive session's input area:
a) i=1;
b) i=i+1:
c) i=1+1;
d) i:
(Sometimes steps c & d are needed to be repeated) ie. a,b,c,d,c,d -> crash
Actual Results:
Mozilla crashed.
Expected Results:
Ignore the erroneus input.
Talkback has been submitted but I don't know the TB id.
Here is the reporter's stack. Unfortunately, it does not have full resolution.
(BTW, Reporter, to find your Talkback incident ID's run
~/mozilla/components/talkback.exe.)
Comment 2•22 years ago
|
||
I'm seeing the same with linux 1.1 release.
worksforme with trunk build 20020722
OS: Windows 2000 → All
Reporter | ||
Comment 3•22 years ago
|
||
> (BTW, Reporter, to find your Talkback incident ID's run
~/mozilla/components/talkback.exe.)
Thanks for the tip. Here are the Talkback ID's:
TB9983060W (The original crash report)
TB10031445Z (Just tested this again. Mozilla crashed after entering lines a and b.)
Incident #10031445
-------------------
0x00000000
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2232]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 856]
fun_apply [c:/builds/seamonkey/mozilla/js/src/jsfun.c, line 1555]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 840]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2792]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 856]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2792]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 856]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 931]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3430]
nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1044]
nsJSEventListener::HandleEvent
[c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 184]
nsEventListenerManager::HandleEventSubType
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1275]
nsEventListenerManager::HandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line
1736]
nsXULElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 3465]
nsXULElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 3484]
nsGenericElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1867]
nsHTMLInputElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 1456]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6108]
PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6031]
nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2052]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 306]
nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1909]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1038]
nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1055]
nsWindow::DispatchKeyEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 2886]
nsWindow::OnChar [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp,
line 3066]
nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 3712]
nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1304]
USER32.DLL + 0x1b60 (0x77e11b60)
USER32.DLL + 0x1cca (0x77e11cca)
USER32.DLL + 0x83f1 (0x77e183f1)
nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 452]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1534]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1881]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1899]
WinMainCRTStartup()
KERNEL32.DLL + 0xd326 (0x77e8d326)
Since Andrew is also seeing it on the 1.1 release -> NEW
Summary: javascript debugger can be crashed in the interactive session → javascript debugger can be crashed in the interactive session [@ 0x00000000][@ js_Interpret]
Comment 6•22 years ago
|
||
> Since Andrew is also seeing it on the 1.1 release
1.1 branch is dead, right?
Assignee | ||
Comment 7•22 years ago
|
||
*** Bug 165933 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 8•22 years ago
|
||
This looks like a js engine issue with function.apply.
Comment 9•22 years ago
|
||
Someone needs to reproduce this under a debugger and say where exactly in
js_Interpret, and on what null pointer, the program is crashing.
/be
Assignee | ||
Comment 10•22 years ago
|
||
I can't get this to crash in a debug build, but it takes a long time to report
the error. If I break during the pause, I get this stack. This appears
similar to the toSource crash caused by err.stack.
Comment 11•22 years ago
|
||
Here's the top of the stack I crash with using 0901 trunk which looks basically
the same:
cdcdcdcd()
js_Interpret(JSContext * 0x03f362e8, long * 0x0012cd04) line 2242 + 151 bytes
js_Invoke(JSContext * 0x03f362e8, unsigned int 2, unsigned int 2) line 856 + 13
bytes
fun_apply(JSContext * 0x03f362e8, JSObject * 0x04b5b390, unsigned int 2, long *
0x0781b33c, long * 0x0012ce2c) line 1552 + 15 bytes
js_Invoke(JSContext * 0x03f362e8, unsigned int 2, unsigned int 0) line 839 + 23
bytes
js_Interpret(JSContext * 0x03f362e8, long * 0x0012d748) line 2803 + 15 bytes
js_Invoke(JSContext * 0x03f362e8, unsigned int 3, unsigned int 0) line 856 + 13
bytes
js_Interpret(JSContext * 0x03f362e8, long * 0x0012e018) line 2803 + 15 bytes
js_Invoke(JSContext * 0x03f362e8, unsigned int 1, unsigned int 2) line 856 + 13
bytes
js_InternalInvoke(JSContext * 0x03f362e8, JSObject * 0x06e67420, long 92672800,
unsigned int 0, unsigned int 1, long * 0x0012e278, long * 0x0012e148) line 931
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x03f362e8, JSObject * 0x06e67420, long
92672800, unsigned int 1, long * 0x0012e278, long * 0x0012e148) line 3431 + 31
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x053c8a60, void *
0x06e67420, void * 0x05861320, unsigned int 1, void * 0x0012e278, int *
0x0012e27c, int 0) line 1041 + 33 bytes
It's in the middle of VALUE_TO_PRIMITIVE so I can't get the exact crash site.
It looks like it's trying to do ((JSObject *) (rval & 0xFFFFFFF8))->map->ops-
>defaultValue when it goes? This stuff is too thick for me to follow.
Disassembly from the start of the macro to the crash is:
2242: VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &rtmp);
701109860 mov ecx,dword ptr [rval]
01109866 and ecx,7
01109869 test ecx,ecx
0110986B jne $L10903+0E6h (01109876)
0110986D cmp dword ptr [rval],0
01109874 jne $L10903+0F7h (01109887)
01109876 mov edx,dword ptr [rval]
0110987C mov dword ptr [rtmp],edx
01109882 jmp $L10903+17Eh (0110990e)
01109887 mov eax,dword ptr [fp]
0110988D cmp dword ptr [eax+0Ch],0
01109891 jne $L10903+134h (011098c4)
01109893 mov ecx,dword ptr [fp]
01109899 cmp dword ptr [ecx+40h],0
0110989D je $L10903+134h (011098c4)
0110989F mov edx,dword ptr [fp]
011098A5 mov eax,dword ptr [sp]
011098A8 cmp eax,dword ptr [edx+40h]
011098AB je $L10903+134h (011098c4)
011098AD push 8C2h
011098B2 push offset prop_iterator_class+3014h (011836b4)
011098B7 push offset prop_iterator_class+3034h (011836d4)
011098BC call @ILT+3460(_JS_Assert) (010c1d89)
011098C1 add esp,0Ch
011098C4 mov ecx,dword ptr [fp]
011098CA mov edx,dword ptr [sp]
011098CD mov dword ptr [ecx+3Ch],edx
011098D0 lea eax,[rtmp]
011098D6 push eax
011098D7 push 0
011098D9 mov ecx,dword ptr [rval]
011098DF and ecx,0FFFFFFF8h
011098E2 push ecx
011098E3 mov edx,dword ptr [cx]
011098E6 push edx
011098E7 mov eax,dword ptr [rval]
011098ED and al,0F8h
011098EF mov ecx,dword ptr [eax]
011098F1 mov edx,dword ptr [ecx+4]
011098F4 call dword ptr [edx+24h]
^----- crash
011098F7 add esp,10h
011098FA mov dword ptr [ok],eax
01109900 cmp dword ptr [ok],0
01109907 jne $L10903+17Eh (0110990e)
01109909 jmp out (011157fb)
0110990E xor eax,eax
01109910 test eax,eax
01109912 jne $L10903+0D0h (01109860)
2243: if ((cond = JSVAL_IS_STRING(ltmp)) || JSVAL_IS_STRING(rtmp)) {
rval cast to a JSObject looks like this which is definitely not right:
- (JSObject *) (rval & 0xFFFFFFF8) 0x076d6870
- map 0x076d6878
nrefs 0x076d6880
- ops 0x076d4fbf
newObjectMap 0x10101010
destroyObjectMap 0x00000000
lookupProperty 0x00000000
defineProperty 0x00000000
getProperty 0x00000000
setProperty 0x10101000
getAttributes 0x10101010
setAttributes 0x10101010
deleteProperty 0xcdcdcd01
defaultValue 0xcdcdcdcd
enumerate 0xcdcdcdcd
checkAccess 0xcdcdcdcd
thisObject 0xcdcdcdcd
dropProperty 0xcdcdcdcd
call 0xcdcdcdcd
construct 0xcdcdcdcd
xdrObject 0x6d5000cd
hasInstance 0x6d4cb007
setProto 0x6d501007
setParent 0x6d4cb107
mark 0x6d501807
clear 0x6d4cb207
getRequiredSlot 0x6d502007
setRequiredSlot 0x6d4cb307
nslots 0x076d6888
freeslot 0x076d4fc0
- slots 0x076d4fbe
0x10101010
Assignee | ||
Comment 12•22 years ago
|
||
this was a problem with exception.stack getting too large, fixed a while ago.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Updated•20 years ago
|
Product: Core → Other Applications
Updated•14 years ago
|
Crash Signature: [@ 0x00000000]
[@ js_Interpret]
Updated•6 years ago
|
Product: Other Applications → Other Applications Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•