Closed Bug 240050 Opened 21 years ago Closed 13 years ago

crash [@ js_Interpret], null fun

Categories

(Core :: JavaScript Engine, defect, P5)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: timeless, Assigned: timeless)

Details

(Keywords: crash)

Crash Data

crashing code: case JSOP_DEFFUN: { uintN flags; atom = GET_ATOM(cx, script, pc); obj = ATOM_TO_OBJECT(atom); fun = (JSFunction *) JS_GetPrivate(cx, obj); > id = (jsid) fun->atom; call stack: > js3250.dll!js_Interpret(JSContext * cx=0x0510d8a0, long * result=0x0012f4f8) Line 3598 + 0x3 C js3250.dll!js_Execute(JSContext * cx=0x0510d8a0, JSObject * chain=0x05031990, JSScript * script=0x02d783f0, JSStackFrame * down=0x00000000, unsigned int special=0, long * result=0x0012f4f8) Line 1155 + 0xd C js3250.dll!JS_ExecuteScript(JSContext * cx=0x0510d8a0, JSObject * obj=0x05031990, JSScript * script=0x02d783f0, long * rval=0x0012f4f8) Line 3434 + 0x19 C jsdom.dll!nsJSContext::ExecuteScript(void * aScriptObject=0x02560d28, void * aScopeObject=0x05031990, nsAString * aRetValue=0x00000000, int * aIsUndefined=0x00000000) Line 1033 + 0x2a C++ gklayout.dll!nsXULDocument::ExecuteScript(JSObject * aScriptObject=0x02560d28) Line 3287 + 0x15 C++ gklayout.dll!nsXULDocument::LoadScript(nsXULPrototypeScript * aScriptProto=0x050ae708, int * aBlock=0x0012f69c) Line 3060 + 0xf C++ gklayout.dll!nsXULDocument::ResumeWalk() Line 2825 + 0x13 C++ gklayout.dll! nsXULDocument::CachedChromeStreamListener::OnStopRequest(nsIRequest * request=0x032d3cc8, nsISupports * aContext=0x00000000, unsigned int aStatus=0) Line 4181 C++ docshell.dll!nsDocumentOpenInfo::OnStopRequest(nsIRequest * request=0x032d3cc8, nsISupports * aCtxt=0x00000000, unsigned int aStatus=0) Line 353 C++ chrome.dll!nsCachedChromeChannel::HandleStopLoadEvent(PLEvent * aEvent=0x02e32ff8) Line 477 C++ xpcom.dll!PL_HandleEvent(PLEvent * self=0x02e32ff8) Line 671 + 0xa C xpcom.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x009bb2b0) Line 606 + 0x9 C xpcom.dll!nsEventQueueImpl::ProcessPendingEvents() Line 391 + 0xc C++ gkwidget.dll!nsWindow::DispatchPendingEvents() Line 3640 C++ gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=512, unsigned int wParam=0, long lParam=7078278, long * aRetValue=0x0012fb90) Line 3986 C++ gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x000b0262, unsigned int msg=512, unsigned int wParam=0, long lParam=7078278) Line 1346 + 0x1b C++ user32.dll!_InternalCallWinProc@20() + 0x1b user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 user32.dll!_DispatchMessageWorker@8() + 0xd8 user32.dll!_DispatchMessageW@4() + 0xb gkwidget.dll!nsAppShell::Run() Line 135 C++ appshell.dll!nsAppShellService::Run() Line 484 C++ mozilla.exe!main1(int argc=1, char * * argv=0x002a4df8, nsISupports * nativeApp=0x0097af88) Line 1291 + 0x20 C++ mozilla.exe!main(int argc=1, char * * argv=0x002a4df8) Line 1678 + 0x25 C++ mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ * __formal=0x00400000, char * args=0x00152317, HINSTANCE__ * __formal=0x00400000) Line 1702 + 0x17 C++ mozilla.exe!WinMainCRTStartup() Line 390 + 0x1b C kernel32.dll!_BaseProcessStart@4() + 0x23 Local variables: flags 0 unsigned int + cx 0x0510d8a0 {links={next=0x0503cb70 {next=0x009abe38 {next=0x00966fb0 prev=0x0503cb70 } prev=0x0510d8a0 {next=0x0503cb70 prev=0x02f65c68 } } prev=0x02f65c68 {next=0x0510d8a0 {next=0x0503cb70 prev=0x02f65c68 } prev=0x033df610 {next=0x02f65c68 prev=0x02f869d8 } } } interpLevel=1 stackLimit=0 ...} JSContext * + result 0x0012f4f8 long * depth 3 long + atom 0x04f5ae80 {entry={next=0x00000005 {next=??? keyHash=??? key=??? ...} keyHash=37531160 key=0x023cae18 ...} flags=0 number=2147483649 } JSAtom * + prop 0x0012f33c {id=85136264 } JSProperty * + str 0x1001ae56 {length=721962379 chars=0x4589fc45 <Bad Ptr> } JSString * j 1242012 long setter 0x0012f388 int (JSContext *, JSObject *, long, long *)* op JSOP_DEFFUN JSOp + obj 0x023cae18 {map=0x0240a678 {nrefs=3323 ops=0x00b198e0 _js_ObjectOps nslots=27 ...} slots=0x0240afac } JSObject * mark 0x0510d8cc void * d 2.6354169586438051e-308 double low 11321998 long interruptHandler 0x00000000 JSTrapStatus (JSContext *, JSScript *, unsigned char *, long *, void *)* iter_state 47678448 long + str2 0x0510b800 {length=42727864 chars=0x00b5e0fc <Bad Ptr> } JSString * match 25667280 int slot 38413512 unsigned int + vp 0x3002d1f8 long * rtmp 10367436 long + sprop 0x0012f384 {id=3 getter=0x014336fb setter=0x009e31b0 ...} JSScopeProperty * + newsp 0x04f63b08 long * + propobj 0x009e31cc {map=0x00168d70 {nrefs=0 ops=0x009e31cc {newObjectMap=0x00168d70 destroyObjectMap=0xffffffff lookupProperty=0x00000000 ...} nslots=1478048 ...} slots=0xffffffff } JSObject * stackDummy 47678448 int + rt 0x009abc48 {state=JSRTS_UP gcArenaPool={first= {next=0x0095f9b0 {next=0x00a15008 base=9828800 limit=9838023 ...} base=10140768 limit=10140768 ...} current=0x05165008 {next=0x00000000 {next=??? base=??? limit=??? ...} base=85348376 limit=85357599 ...} arenasize=9216 ...} gcRootsHash={ops=0x00b0f320 stub_ops data=0x00000000 hashShift=21 ...} ...} JSRuntime * + script 0x02d783f0 {code=0x02d78420 "" length=120 main=0x02d78453 ";" ...} JSScript * op2 2774376 JSOp onbranch 0x016f3fa0 nsJSContext::DOMBranchCallback (JSContext *, JSScript *) int (JSContext *, JSScript *)* len 3 long lval 21182203 long + parent 0x009e31b0 {map=0x009e31b0 {nrefs=10367408 ops=0x009e31b0 {newObjectMap=0x009e31b0 destroyObjectMap=0x009e31b0 lookupProperty=0x00000000 ...} nslots=0 ...} slots=0x009e31b0 } JSObject * + origobj 0x002a5568 {map=0x00000002 {nrefs=??? ops=??? nslots=??? ...} slots=0x00000001 } JSObject * d2 1.4110283626202184e-302 double + funclasp 0x009e3198 {name=0x00000000 <Bad Ptr> flags=10367408 addProperty=0x00000000 ...} JSClass * cond 1242084 int + pc 0x02d78426 "}" unsigned char * + clasp 0x00990970 {name=0x7a6f6d40 <Bad Ptr> flags=1634495593 addProperty=0x67726f2e ...} JSClass * getter 0x0172fed4 int (JSContext *, JSObject *, long, long *)* + cs 0x00b0fed0 {name=0x00b19f68 "deffun" token=0x00000000 <Bad Ptr> length=3 '&#9219;' ...} const JSCodeSpec * + withobj 0x009ed8cc {map=0x00168e38 {nrefs=0 ops=0x009ed8cc {newObjectMap=0x00168e38 destroyObjectMap=0xffffffff lookupProperty=0x00000000 ...} nslots=1478248 ...} slots=0xffffffff } JSObject * off 1242072 long + fp 0x0012f424 {callobj=0x00000000 {map=??? slots=??? } argsobj=0x00000000 {map=??? slots=??? } varobj=0x05031990 {map=0x057727d0 {nrefs=1 ops=0x00a8cb80 XPC_WN_NoCall_JSOps nslots=27 ...} slots=0x02f03144 } ...} JSStackFrame * inlineCallCount 0 unsigned int attrs 5 unsigned int type 47678448 JSType + obj2 0x050503e8 {map=0x009e314c {nrefs=10530776 ops=0x050503e8 {newObjectMap=0x009e314c destroyObjectMap=0x030c1730 lookupProperty=0x009e30d8 ...} nslots=10370368 ...} slots=0x030c1730 } JSObject * originalVersion JSVERSION_DEFAULT JSVersion ok 1 int + sp 0x04f63b14 long * rval 84990112 long ltmp 1242148 long i 1 long + proto 0x00000000 {map=??? slots=??? } JSObject * + pc2 0x00000000 <Bad Ptr> unsigned char * + endpc 0x02d78498 "¸'글" unsigned char * argc 0 unsigned int + fun 0x00000000 {nrefs=??? object=??? native=??? ...} JSFunction * high 10367192 long currentVersion JSVERSION_DEFAULT JSVersion id 84603128 long npairs 84990112 long points of interest (by frame) > js3250.dll!js_Interpret(JSContext * cx=0x0510d8a0, long * result=0x0012f4f8) Line 3598 + 0x3 C - cx->fp->script 0x02d783f0 {code=0x02d78420 "" length=120 main=0x02d78453 ";" ...} JSScript * + code 0x02d78420 "" unsigned char * length 120 unsigned long + main 0x02d78453 ";" unsigned char * version JSVERSION_DEFAULT JSVersion + atomMap {vector=0x04ca25f8 length=29 } JSAtomMap + filename 0x050ae76d "chrome://global/content/console.js" const char * lineno 1 unsigned int depth 3 unsigned int + trynotes 0x00000000 {start=??? length=??? catchStart=??? } JSTryNote * + principals 0x009bd63c {codebase=0x009bd660 "[System Principal]" getPrincipalArray=0x00b237f0 nsGetPrincipalArray(JSContext *, JSPrincipals *) globalPrivilegesEnabled=0x00b23800 nsGlobalPrivilegesEnabled (JSContext *, JSPrincipals *) ...} JSPrincipals * + object 0x02560d28 {map=0x04b32f00 {nrefs=2 ops=0x00b198e0 _js_ObjectOps nslots=12 ...} slots=0x023a5524 } JSObject * > docshell.dll!nsDocumentOpenInfo::OnStopRequest(nsIRequest * request=0x032d3cc8, nsISupports * aCtxt=0x00000000, unsigned int aStatus=0) Line 353 C++ + {,,necko.dll}(*(nsStr*)(&(*(nsStandardURL*){*}((nsIFileURL*) {,,chrome.dll}((*(nsCOMPtr_base*)(&(*(nsCachedChromeChannel*){*} request).mURI))).mRawPtr)).mSpec)).mStr 0x032334b0 "chrome://global/content/console.xul" char * This is reproducable in our special code, but unfortunately it happens after 135 or some (rather specific, but fairly large number) iteration of a certain task through a certain site. I just need to figure out what is sticking null into this private field which clearly shouldn't be null
Maybe the object was finalized? Add some logging to see whether GC is running, and more logging to match finalized addresses, if you can get them to replay the same from run to run. /be
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
QA Contact: pschwartau → general
Crash Signature: [@ js_Interpret]
No STR, all this code has changed massively.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.