Closed
Bug 240521
Opened 20 years ago
Closed 20 years ago
Crash [@ jsd_NewThreadState] when script is null
Categories
(Other Applications Graveyard :: Venkman JS Debugger, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: timeless, Assigned: timeless)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file, 3 obsolete files)
2.56 KB,
patch
dmosedale
superreview+
This is a fun crash
+ jsdc 0x00e086f8 {links={next=0x015dc010 __jsd_context_list prev=0x015dc010
__jsd_context_list } inited=0x00000001 data=0x00000000 ...} JSDContext *
+ cx 0x032bd4b8 {links={next=0x032c0a78 {next=0x02d00728 {next=0x02e0b6c8
prev=0x032c0a78 } prev=0x032bd4b8 {next=0x032c0a78 prev=0x02559c18 } }
prev=0x02559c18 {next=0x032bd4b8 {next=0x032c0a78 prev=0x02559c18 }
prev=0x02e2e978 {next=0x02559c18 prev=0x02ec9078 } } } interpLevel=0x00000004
stackLimit=0x000af764 ...} JSContext *
+ iter 0x0012dc40 {callobj=0x00000000 {map=??? slots=??? } argsobj=0x00000000
{map=??? slots=??? } varobj=0x00000000 {map=??? slots=??? } ...} JSStackFrame *
script 0x00000000 JSScript *
pc 0x00000000 unsigned long
The problem is that script is null here:
JSScript* script = JS_GetFrameScript(cx, fp);
/* not sure why this is null, but it is */
jsuword pc = (jsuword) JS_GetFramePC(cx, fp);
if (JS_GetFrameThis(cx, fp) &&
((jsdc->flags & JSD_INCLUDE_NATIVE_FRAMES) ||
!JS_IsNativeFrame(cx, fp)))
{
JSDStackFrameInfo *frame;
frame = _addNewFrame( jsdc, jsdthreadstate, script, pc, fp );
/* constructs a non null frame with null script */
if ((jsdthreadstate->stackDepth == 0 && !frame) ||
(jsdthreadstate->stackDepth == 1 && frame &&
/* based on code i reached, jsdthreadstate->stackDepth == 1
* according to the ZR flag, frame was non null */
!JSD_IS_DEBUG_ENABLED(jsdc, frame->jsdscript)))
/* this macro crashes because frame->jsdscript is null and the expansion is: */
#define JSD_IS_DEBUG_ENABLED(jsdc,jsdscript) \
(!(((jsdc->flags & JSD_DEBUG_WHEN_SET) ? 1 : 0) ^ \
((jsdscript->flags & JSD_SCRIPT_DEBUG_BIT) ? 1 : 0)))
/* ^^^^^^^^^^^^^^^ dereferenced null script. */
015D2EBC mov ecx,dword ptr [esi+18h]
015D2EBF add esp,10h
015D2EC2 test ecx,ecx
015D2EC4 jne jsd_NewThreadState+98h (15D2ECAh)
015D2EC6 test eax,eax
015D2EC8 je jsd_NewThreadState+0DCh (15D2F0Eh)
015D2ECA cmp ecx,1 ; jsdthreadstate->stackDepth == 1
015D2ECD jne jsd_NewThreadState+0B5h (15D2EE7h)
015D2ECF test eax,eax ; frame
015D2ED1 je jsd_NewThreadState+0B5h (15D2EE7h)
015D2ED3 mov ecx,dword ptr [jsdc]
015D2ED6 mov eax,dword ptr [eax+0Ch] ; frame->jsdscript
015D2ED9 mov ecx,dword ptr [ecx+10h]
; crashed here:
015D2EDC mov eax,dword ptr [eax+28h] ; jsdscript->flags
015D2EDF shr ecx,1
015D2EE1 xor eax,ecx
015D2EE3 test al,2
015D2EE5 jne jsd_NewThreadState+0DCh (15D2F0Eh)
> jsd3250.dll!jsd_NewThreadState(JSDContext * jsdc=0x00e086f8, JSContext *
cx=0x032bd4b8) Line 143 + 0x20 C
jsd3250.dll!jsd_CallExecutionHook(JSDContext * jsdc=0x00e086f8, JSContext *
cx=0x032bd4b8, unsigned int type=0x00000001, unsigned int (JSDContext *,
JSDThreadState *, unsigned int, void *, long *)* hook=0x015d7dcf, void *
hookData=0x00000000, long * rval=0x0012cbec) Line 165 + 0x1e C
jsd3250.dll!jsd_DebugErrorHook(JSContext * cx=0x032bd4b8, const char *
message=0x04da00f0, JSErrorReport * report=0x0012cc04, void *
closure=0x00e086f8) Line 365 + 0x11 C
js3250.dll!ReportError(JSContext * cx=0x03346180, const char *
message=0x04da00f0, JSErrorReport * reportp=0x0012dc40) Line 340 + 0xe C
js3250.dll!js_ReportErrorNumberVA(JSContext * cx=0x032bd4b8, unsigned int
flags=0x04da00f0, const JSErrorFormatString * (void *, const char *, const
unsigned int)* callback=0x00fb8be3, void * userRef=0x00000000, const unsigned
int errorNumber=0x00000026, int charArgs=0x00000001, char * ap=0x0012cc6c)
Line 632 C
js3250.dll!JS_ReportErrorNumber(JSContext * cx=0x032bd4b8, const
JSErrorFormatString * (void *, const char *, const unsigned int)*
errorCallback=0x00fb8be3, void * userRef=0x00000000, const unsigned int
errorNumber=0x00000026, ...) Line 3862 + 0x19 C
js3250.dll!js_DefaultValue(JSContext * cx=0x032bd4b8, JSObject *
obj=0x0472d758, JSType hint=JSTYPE_STRING, long * vp=0x0012ccb0) Line 3094 + 0x2d C
js3250.dll!js_ValueToString(JSContext * cx=0x032bd4b8, long v=0x0472d758)
Line 2655 + 0x10 C
xpc3250.dll!XPCConvert::JSValToXPCException(XPCCallContext & ccx={...}, long
s=0x0472d758, const char * ifaceName=0x02539998, const char *
methodName=0x0253a3e8, nsIException * * exceptn=0x0012ce60) Line 1242 + 0x8 C++
xpc3250.dll!nsXPCWrappedJSClass::CheckForException(XPCCallContext & ccx={...},
const char * aPropertyName=0x00ffc868, const char * anInterfaceName=0x02451bf5)
Line 826 + 0x18 C++
xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *
wrapper=0x032bd4b8, unsigned short methodIndex=0xd758, const nsXPTMethodInfo *
info=0x00ffc868, nsXPTCMiniVariant * nativeParams=0x02451bf5) Line 1370 + 0x18 C++
xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=0x0004,
const nsXPTMethodInfo * info=0x0253a380, nsXPTCMiniVariant * params=0x0012d008)
Line 450 C++
xpcom.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x00000000, unsigned int
methodIndex=0x00000004, unsigned int * args=0x0012d0c0, unsigned int *
stackBytesToPop=0x0012d0b0) Line 117 + 0x12 C++
xpcom.dll!SharedStub() Line 147 C++
prmtsrvc.dll!hsPromptServiceImpl::Alert(nsIDOMWindow * aParent=0x03044e2c,
const unsigned short * aDialogTitle=0x00000000, const unsigned short *
aText=0x0012d27c) Line 56 + 0x36 C++
embedcomponents.dll!nsPrompt::Alert(const unsigned short *
dialogTitle=0x00000000, const unsigned short * text=0x0012d27c) Line 124 C++
docshell.dll!nsDocShell::DisplayLoadError(unsigned int aError=0x0472d758,
nsIURI * aURI=0x00ffc868, const unsigned short * aURL=0x02451bf5) Line 2657 C++
docshell.dll!nsDocShell::InternalLoad(nsIURI * aURI=0x05aa3448, nsIURI *
aReferrer=0x00000000, nsISupports * aOwner=0x00000000, int
aInheritOwner=0x00000000, const unsigned short * aWindowTarget=0x00000000, const
char * aTypeHint=0x00000000, nsIInputStream * aPostData=0x00000000,
nsIInputStream * aHeadersData=0x00000000, unsigned int aLoadType=0x00000001,
nsISHEntry * aSHEntry=0x00000000, int firstParty=0x00000001, nsIDocShell * *
aDocShell=0x00000000, nsIRequest * * aRequest=0x00000000) Line 5268 C++
docshell.dll!nsDocShell::LoadURI(nsIURI * aURI=0x05aa3448, nsIDocShellLoadInfo
* aLoadInfo=0x00000000, unsigned int aLoadFlags=0x00000001, int
firstParty=0x00000001) Line 735 + 0x31 C++
docshell.dll!nsDocShell::LoadURI(const unsigned short * aURI=0x04da00f0,
unsigned int aLoadFlags=0x032bd4b8, nsIURI * aReferringURI=0x0472d758,
nsIInputStream * aPostStream=0x00ffc868, nsIInputStream *
aHeaderStream=0x02451bf5) Line 2487 C++
xpcom.dll!XPTC_InvokeByIndex(nsISupports * that=0x032bf9c0, unsigned int
methodIndex=0x00000008, unsigned int paramCount=0x00000005, nsXPTCVariant *
params=0x0012da00) Line 102 C++
xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_METHOD) Line 2027 + 0x16 C++
xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x032bd4b8, JSObject *
obj=0x0472d700, unsigned int argc=0x00000005, long * argv=0x04506444, long *
vp=0x0012dc60) Line 1287 + 0xa C++
js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5) Line 941 + 0x11 C
js3250.dll!js_Interpret(JSContext * cx=0x00ffc868, long * result=0x02451bf5)
Line 2964 C
js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5) Line 958 + 0xa C
js3250.dll!js_Interpret(JSContext * cx=0x00ffc868, long * result=0x02451bf5)
Line 2964 C
js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5) Line 958 + 0xa C
js3250.dll!js_Interpret(JSContext * cx=0x00ffc868, long * result=0x02451bf5)
Line 2964 C
js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5) Line 958 + 0xa C
js3250.dll!fun_apply(JSContext * cx=0x032bd4b8, JSObject * obj=0x023b2390,
unsigned int argc=0x00000002, long * argv=0x04b22f7c, long * rval=0x0012e334)
Line 1569 C
js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5) Line 941 + 0x11 C
js3250.dll!js_Interpret(JSContext * cx=0x00ffc868, long * result=0x02451bf5)
Line 2964 C
js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5) Line 958 + 0xa C
js3250.dll!js_InternalInvoke(JSContext * cx=0x032bd4e4, JSObject *
obj=0x023b2390, long fval=0x046b8d28, unsigned int flags=0x00000000, unsigned
int argc=0x00000001, long * argv=0x0012e74c, long * rval=0x0012e770) Line
1035 + 0xe C
js3250.dll!JS_CallFunctionValue(JSContext * cx=0x032bd4b8, JSObject *
obj=0x023b2390, long fval=0x046b8d28, unsigned int argc=0x00000001, long *
argv=0x0012e74c, long * rval=0x0012e770) Line 3590 + 0x1a C
gklayout.dll!nsJSContext::CallEventHandler(JSObject * aTarget=0x023b2390,
JSObject * aHandler=0x046b8d28, unsigned int argc=0x00000001, long *
argv=0x0012e74c, long * rval=0x0012e770) Line 1294 + 0x18 C++
gklayout.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x042fa530)
Line 184 + 0x37 C++
gklayout.dll!nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver *
aReceiver=0x00ffc868, nsIDOMEvent * aEvent=0x02451bf5) Line 461 C++
gklayout.dll!nsXBLKeyEventHandler::HandleEvent(nsIDOMEvent *
aEvent=0x0499ed38) Line 146 + 0xc C++
gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct *
aListenerStruct=0x02550aa8, nsIDOMEvent * aDOMEvent=0x042fa530,
nsIDOMEventTarget * aCurrentTarget=0x0499ed38, unsigned int aSubType=0x042fa53c,
unsigned int aPhaseFlags=0x00000004) Line 1434 + 0xb C++
gklayout.dll!nsEventListenerManager::HandleEvent(nsIPresContext *
aPresContext=0x00000000, nsEvent * aEvent=0x0012f998, nsIDOMEvent * *
aDOMEvent=0x0012f674, nsIDOMEventTarget * aCurrentTarget=0x0499ed38, unsigned
int aFlags=0x00000004, nsEventStatus * aEventStatus=0x0012f908) Line 1527 +
0x21 C++
gklayout.dll!nsXULElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x040bdde8, nsEvent * aEvent=0x0499ed38, nsIDOMEvent * *
aDOMEvent=0x0012f674, unsigned int aFlags=0x00000004, nsEventStatus *
aEventStatus=0x0012f908) Line 2852 C++
gklayout.dll!nsXULElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x040bdde8, nsEvent * aEvent=0x042e0db8, nsIDOMEvent * *
aDOMEvent=0x0012f674, unsigned int aFlags=0x00000004, nsEventStatus *
aEventStatus=0x0012f908) Line 2832 C++
gklayout.dll!nsXULElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x040bdde8, nsEvent * aEvent=0x0012f998, nsIDOMEvent * *
aDOMEvent=0x0012f674, unsigned int aFlags=0x00000004, nsEventStatus *
aEventStatus=0x0012f908) Line 2832 C++
gklayout.dll!nsGenericElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x04da00f0, nsEvent * aEvent=0x032bd4b8, nsIDOMEvent * *
aDOMEvent=0x0472d758, unsigned int aFlags=0x00ffc868, nsEventStatus *
aEventStatus=0x02451bf5) Line 1912 C++
gklayout.dll!nsHTMLInputElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x040bdde8, nsEvent * aEvent=0x0000000e, nsIDOMEvent * *
aDOMEvent=0x00000000, unsigned int aFlags=0x00000001, nsEventStatus *
aEventStatus=0x0012f908) Line 1399 C++
gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f998,
nsIView * aView=0x02c5d3a8, unsigned int aFlags=0x00000001, nsEventStatus *
aStatus=0x0012f908) Line 6023 + 0x11 C++
gklayout.dll!PresShell::HandleEvent(nsIView * aView=0x02c5d3a8, nsGUIEvent *
aEvent=0x0012f998, nsEventStatus * aEventStatus=0x0012f908, int
aForceHandle=0x00000001, int & aHandled=0x00000001) Line 5916 + 0x11 C++
gklayout.dll!nsViewManager::HandleEvent(nsView * aView=0x0472d758, nsGUIEvent
* aEvent=0x00ffc868, int aCaptured=0x02451bf5) Line 2239 C++
gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x3d888889,
nsEventStatus * aStatus=0x0012f95c) Line 2025 + 0x14 C++
gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f998) Line 79 C++
gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f998,
nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1067 + 0x3 C++
gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x00000000)
Line 1088 C++
gkwidget.dll!nsWindow::DispatchKeyEvent(unsigned int aEventType=0x00000083,
unsigned short aCharCode=0x0000, unsigned int aVirtualCharCode=0x0000000d, long
aKeyData=0x00000000) Line 2978 + 0xe C++
gkwidget.dll!nsWindow::OnChar(unsigned int mbcsCharCode=0x0000000d, unsigned
int virtualKeyCode=0x0000000d, bool isMultiByte=false) Line 3162 + 0x11 C++
gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=0x00000102, unsigned
int wParam=0x0000000d, long lParam=0x001c0001, long * aRetValue=0x0012fc88)
Line 3878 C++
gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x0024021e, unsigned int
msg=0x00000102, unsigned int wParam=0x0000000d, long lParam=0x02cf0f0c) Line
1349 + 0x10 C++
user32.dll!77d43a50()
user32.dll!77d43b1f()
user32.dll!TranslateMessage() + 0xef
user32.dll!GetMessageW() + 0x125
user32.dll!DispatchMessageW() + 0xb
appshell.dll!nsAppShellService::Run() Line 524 C++
mozilla.exe!main1(int argc=0x00ffc868, char * * argv=0x02451bf5, nsISupports *
nativeApp=0x00000000) Line 1303 + 0x9 C++
mozilla.exe!main(int argc=0x00000001, char * * argv=0x002a40f8) Line 1777 +
0x16 C++
mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ *
__formal=0x00400000, char * args=0x00152303, HINSTANCE__ * __formal=0x00400000)
Line 1805 + 0x17 C++
mozilla.exe!WinMainCRTStartup() Line 392 + 0xf C
kernel32.dll!GetCurrentDirectoryW() + 0x44
The build is from CVS as of this weekend. I was playing with some silly helper-app
dialogs and tracing in Venkman.
I think the bug is in _addNewFrame; its logic does this:
if (!JS_IsNativeFrame(jsdthreadstate->context, fp)) {
if (!jsdscript) return NULL;
}
/* no check for !jsdscript in the IsNativeFrame case */
The two other callers of the macro make sure the second parameter is non-null before invoking the macro. This patch makes this third and final caller consistent with them.
Attachment #146124 -
Flags: superreview?(brendan)
Attachment #146124 -
Flags: review?(rginda)
Comment 2•20 years ago
Comment on attachment 146124 [details] [diff] [review] ("if there's no script at the top then the top frame is not enabled for debugging => enter condition"): I will wait for rginda to r= -- the logic around the diff (more context please, and use -p too!) seems overcomplicated. /be
The comment says "if the top frame is not enabled for debugging then fail the entire thread state". I think that the top frame not being JavaScript means that it isn't enabled for debugging, and therefore we should fail the entire thread state (by continuing into the conditional code).
Comment 4•20 years ago
This would fail the thread state for any stack that had a script-less frame in
it. Native frames are the only kind that are script-less, IIRC, so it would fail
any stack with a native frame in it.
> I think that the top frame not being javascript means that it isn't
> enabled for debugging
I think it means something has gone wrong. There shouldn't be a way to hit this
code with a native frame at the top of the stack.
Attachment #146124 -
Flags: superreview?(brendan)
Attachment #146124 -
Flags: review?(rginda)
Attachment #146124 -
Attachment is obsolete: true
Attachment #146244 -
Attachment is obsolete: true
Attachment #146518 -
Flags: superreview?(brendan)
Attachment #146518 -
Flags: review?(rginda)
Comment 6•20 years ago
Comment on attachment 146518 [details] [diff] [review] ("you can still debug in this case, so erroring was the wrong choice"): test frame->jsdscript instead of script, and r=rginda.
Attachment #146518 -
Flags: review?(rginda) → review+
Comment 7•20 years ago
Comment on attachment 146518 [details] [diff] [review] ("you can still debug in this case, so erroring was the wrong choice"): Can I see a new patch? Thanks. /be
Attachment #146518 -
Flags: superreview?(brendan)
Attachment #146518 -
Attachment is obsolete: true
Attachment #150502 -
Flags: superreview?(brendan)
Comment 9•20 years ago
Comment on attachment 150502 [details] [diff] [review] ("same as attachment 146518 [details] [diff] [review] except using the unaliased variable"): sr=dmose
Attachment #150502 -
Flags: superreview?(brendan) → superreview+
Comment 10•20 years ago
mozilla/js/jsd/jsd_stak.c 3.21
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Summary: Crash [@ jsd_NewThreadState] → Crash [@ jsd_NewThreadState] when script is null
Updated•20 years ago
Product: Core → Other Applications
Comment 11•19 years ago
*** Bug 294092 has been marked as a duplicate of this bug. ***
Updated•13 years ago
Crash Signature: [@ jsd_NewThreadState]
Updated•6 years ago
Product: Other Applications → Other Applications Graveyard