Closed Bug 240521 Opened 20 years ago Closed 20 years ago

Crash [@ jsd_NewThreadState] when script is null


(Other Applications Graveyard :: Venkman JS Debugger, defect)

x86
Windows XP
defect
Not set
critical


RESOLVED FIXED


(Reporter: timeless, Assigned: timeless)



(Keywords: crash)



(1 file, 3 obsolete files)

This is a fun crash

+	jsdc	0x00e086f8 {links={next=0x015dc010 __jsd_context_list prev=0x015dc010
__jsd_context_list } inited=0x00000001 data=0x00000000 ...}	JSDContext *
+	cx	0x032bd4b8 {links={next=0x032c0a78 {next=0x02d00728 {next=0x02e0b6c8
prev=0x032c0a78 } prev=0x032bd4b8 {next=0x032c0a78 prev=0x02559c18 } }
prev=0x02559c18 {next=0x032bd4b8 {next=0x032c0a78 prev=0x02559c18 }
prev=0x02e2e978 {next=0x02559c18 prev=0x02ec9078 } } } interpLevel=0x00000004
stackLimit=0x000af764 ...}	JSContext *
+	iter	0x0012dc40 {callobj=0x00000000 {map=??? slots=??? } argsobj=0x00000000
{map=??? slots=??? } varobj=0x00000000 {map=??? slots=??? } ...}	JSStackFrame *
	script	0x00000000	JSScript *
	pc	0x00000000	unsigned long

The problem is that `script` is null: JS_GetFrameScript() returns null for the top frame, _addNewFrame() stores it into frame->jsdscript without checking, and the JSD_IS_DEBUG_ENABLED macro then dereferences it. The faulting instruction is a read at `[eax+28h]` with eax == 0, i.e. a read from an unmapped near-null address, so the effect is a crash of the browser while the JS debugger hooks (jsd) are installed; it is not a controlled write.

        JSScript* script = JS_GetFrameScript(cx, fp);
/* not sure why this is null, but it is */
        jsuword  pc = (jsuword) JS_GetFramePC(cx, fp);

        if (JS_GetFrameThis(cx, fp) &&
            ((jsdc->flags & JSD_INCLUDE_NATIVE_FRAMES) ||
             !JS_IsNativeFrame(cx, fp)))
        {
            JSDStackFrameInfo *frame;

            frame = _addNewFrame( jsdc, jsdthreadstate, script, pc, fp );
/* constructs a non null frame with null script */

            if ((jsdthreadstate->stackDepth == 0 && !frame) ||
                (jsdthreadstate->stackDepth == 1 && frame &&
/* based on code i reached, jsdthreadstate->stackDepth == 1
 * according to the ZR flag, frame was non null */
                 !JSD_IS_DEBUG_ENABLED(jsdc, frame->jsdscript)))
/* this macro crashes because frame->jsdscript is null and the expansion is: */

/*
 * JSD_IS_DEBUG_ENABLED(jsdc, jsdscript)
 *
 * Evaluates to non-zero when the script's JSD_SCRIPT_DEBUG_BIT agrees with
 * the context-wide JSD_DEBUG_WHEN_SET policy: each flag test is reduced to
 * 0/1 and the two are XORed, so "enabled" means the XOR is 0.
 *
 * Both arguments are dereferenced unconditionally (jsdc->flags and
 * jsdscript->flags) and there is no NULL guard inside the macro, so every
 * caller must verify that jsdscript (and jsdc) is non-NULL before expanding
 * it. The macro parameters are also not parenthesised, so pass plain
 * pointer lvalues rather than expressions.
 */
#define JSD_IS_DEBUG_ENABLED(jsdc,jsdscript)                                   \
(!(((jsdc->flags & JSD_DEBUG_WHEN_SET) ? 1 : 0)  ^                     \
((jsdscript->flags & JSD_SCRIPT_DEBUG_BIT) ?  1 : 0)))
/* ^^^^^^^^^^^^^^^ dereferenced null script. */

015D2EBC  mov         ecx,dword ptr [esi+18h] 
015D2EBF  add         esp,10h 
015D2EC2  test        ecx,ecx 
015D2EC4  jne         jsd_NewThreadState+98h (15D2ECAh) 
015D2EC6  test        eax,eax 
015D2EC8  je          jsd_NewThreadState+0DCh (15D2F0Eh) 
015D2ECA  cmp         ecx,1 ; jsdthreadstate->stackDepth == 1
015D2ECD  jne         jsd_NewThreadState+0B5h (15D2EE7h) 
015D2ECF  test        eax,eax ; frame
015D2ED1  je          jsd_NewThreadState+0B5h (15D2EE7h) 
015D2ED3  mov         ecx,dword ptr [jsdc] 
015D2ED6  mov         eax,dword ptr [eax+0Ch] ; frame->jsdscript
015D2ED9  mov         ecx,dword ptr [ecx+10h] 
; crashed here:
015D2EDC  mov         eax,dword ptr [eax+28h] ; jsdscript->flags
015D2EDF  shr         ecx,1 
015D2EE1  xor         eax,ecx 
015D2EE3  test        al,2 
015D2EE5  jne         jsd_NewThreadState+0DCh (15D2F0Eh) 


>	jsd3250.dll!jsd_NewThreadState(JSDContext * jsdc=0x00e086f8, JSContext *
cx=0x032bd4b8)  Line 143 + 0x20	C
 	jsd3250.dll!jsd_CallExecutionHook(JSDContext * jsdc=0x00e086f8, JSContext *
cx=0x032bd4b8, unsigned int type=0x00000001, unsigned int (JSDContext *,
JSDThreadState *, unsigned int, void *, long *)* hook=0x015d7dcf, void *
hookData=0x00000000, long * rval=0x0012cbec)  Line 165 + 0x1e	C
 	jsd3250.dll!jsd_DebugErrorHook(JSContext * cx=0x032bd4b8, const char *
message=0x04da00f0, JSErrorReport * report=0x0012cc04, void *
closure=0x00e086f8)  Line 365 + 0x11	C
 	js3250.dll!ReportError(JSContext * cx=0x03346180, const char *
message=0x04da00f0, JSErrorReport * reportp=0x0012dc40)  Line 340 + 0xe	C
 	js3250.dll!js_ReportErrorNumberVA(JSContext * cx=0x032bd4b8, unsigned int
flags=0x04da00f0, const JSErrorFormatString * (void *, const char *, const
unsigned int)* callback=0x00fb8be3, void * userRef=0x00000000, const unsigned
int errorNumber=0x00000026, int charArgs=0x00000001, char * ap=0x0012cc6c) 
Line 632	C
 	js3250.dll!JS_ReportErrorNumber(JSContext * cx=0x032bd4b8, const
JSErrorFormatString * (void *, const char *, const unsigned int)*
errorCallback=0x00fb8be3, void * userRef=0x00000000, const unsigned int
errorNumber=0x00000026, ...)  Line 3862 + 0x19	C
 	js3250.dll!js_DefaultValue(JSContext * cx=0x032bd4b8, JSObject *
obj=0x0472d758, JSType hint=JSTYPE_STRING, long * vp=0x0012ccb0)  Line 3094 + 0x2d	C
 	js3250.dll!js_ValueToString(JSContext * cx=0x032bd4b8, long v=0x0472d758) 
Line 2655 + 0x10	C
 	xpc3250.dll!XPCConvert::JSValToXPCException(XPCCallContext & ccx={...}, long
s=0x0472d758, const char * ifaceName=0x02539998, const char *
methodName=0x0253a3e8, nsIException * * exceptn=0x0012ce60)  Line 1242 + 0x8	C++
 	xpc3250.dll!nsXPCWrappedJSClass::CheckForException(XPCCallContext & ccx={...},
const char * aPropertyName=0x00ffc868, const char * anInterfaceName=0x02451bf5)
 Line 826 + 0x18	C++
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *
wrapper=0x032bd4b8, unsigned short methodIndex=0xd758, const nsXPTMethodInfo *
info=0x00ffc868, nsXPTCMiniVariant * nativeParams=0x02451bf5)  Line 1370 + 0x18	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=0x0004,
const nsXPTMethodInfo * info=0x0253a380, nsXPTCMiniVariant * params=0x0012d008)
 Line 450	C++
 	xpcom.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x00000000, unsigned int
methodIndex=0x00000004, unsigned int * args=0x0012d0c0, unsigned int *
stackBytesToPop=0x0012d0b0)  Line 117 + 0x12	C++
 	xpcom.dll!SharedStub()  Line 147	C++
 	prmtsrvc.dll!hsPromptServiceImpl::Alert(nsIDOMWindow * aParent=0x03044e2c,
const unsigned short * aDialogTitle=0x00000000, const unsigned short *
aText=0x0012d27c)  Line 56 + 0x36	C++
 	embedcomponents.dll!nsPrompt::Alert(const unsigned short *
dialogTitle=0x00000000, const unsigned short * text=0x0012d27c)  Line 124	C++
 	docshell.dll!nsDocShell::DisplayLoadError(unsigned int aError=0x0472d758,
nsIURI * aURI=0x00ffc868, const unsigned short * aURL=0x02451bf5)  Line 2657	C++
 	docshell.dll!nsDocShell::InternalLoad(nsIURI * aURI=0x05aa3448, nsIURI *
aReferrer=0x00000000, nsISupports * aOwner=0x00000000, int
aInheritOwner=0x00000000, const unsigned short * aWindowTarget=0x00000000, const
char * aTypeHint=0x00000000, nsIInputStream * aPostData=0x00000000,
nsIInputStream * aHeadersData=0x00000000, unsigned int aLoadType=0x00000001,
nsISHEntry * aSHEntry=0x00000000, int firstParty=0x00000001, nsIDocShell * *
aDocShell=0x00000000, nsIRequest * * aRequest=0x00000000)  Line 5268	C++
 	docshell.dll!nsDocShell::LoadURI(nsIURI * aURI=0x05aa3448, nsIDocShellLoadInfo
* aLoadInfo=0x00000000, unsigned int aLoadFlags=0x00000001, int
firstParty=0x00000001)  Line 735 + 0x31	C++
 	docshell.dll!nsDocShell::LoadURI(const unsigned short * aURI=0x04da00f0,
unsigned int aLoadFlags=0x032bd4b8, nsIURI * aReferringURI=0x0472d758,
nsIInputStream * aPostStream=0x00ffc868, nsIInputStream *
aHeaderStream=0x02451bf5)  Line 2487	C++
 	xpcom.dll!XPTC_InvokeByIndex(nsISupports * that=0x032bf9c0, unsigned int
methodIndex=0x00000008, unsigned int paramCount=0x00000005, nsXPTCVariant *
params=0x0012da00)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2027 + 0x16	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x032bd4b8, JSObject *
obj=0x0472d700, unsigned int argc=0x00000005, long * argv=0x04506444, long *
vp=0x0012dc60)  Line 1287 + 0xa	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5)  Line 941 + 0x11	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00ffc868, long * result=0x02451bf5) 
Line 2964	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5)  Line 958 + 0xa	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00ffc868, long * result=0x02451bf5) 
Line 2964	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5)  Line 958 + 0xa	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00ffc868, long * result=0x02451bf5) 
Line 2964	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5)  Line 958 + 0xa	C
 	js3250.dll!fun_apply(JSContext * cx=0x032bd4b8, JSObject * obj=0x023b2390,
unsigned int argc=0x00000002, long * argv=0x04b22f7c, long * rval=0x0012e334)
 Line 1569	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5)  Line 941 + 0x11	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00ffc868, long * result=0x02451bf5) 
Line 2964	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0472d758, unsigned int argc=0x00ffc868,
unsigned int flags=0x02451bf5)  Line 958 + 0xa	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x032bd4e4, JSObject *
obj=0x023b2390, long fval=0x046b8d28, unsigned int flags=0x00000000, unsigned
int argc=0x00000001, long * argv=0x0012e74c, long * rval=0x0012e770)  Line
1035 + 0xe	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x032bd4b8, JSObject *
obj=0x023b2390, long fval=0x046b8d28, unsigned int argc=0x00000001, long *
argv=0x0012e74c, long * rval=0x0012e770)  Line 3590 + 0x1a	C
 	gklayout.dll!nsJSContext::CallEventHandler(JSObject * aTarget=0x023b2390,
JSObject * aHandler=0x046b8d28, unsigned int argc=0x00000001, long *
argv=0x0012e74c, long * rval=0x0012e770)  Line 1294 + 0x18	C++
 	gklayout.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x042fa530) 
Line 184 + 0x37	C++
 	gklayout.dll!nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver *
aReceiver=0x00ffc868, nsIDOMEvent * aEvent=0x02451bf5)  Line 461	C++
 	gklayout.dll!nsXBLKeyEventHandler::HandleEvent(nsIDOMEvent *
aEvent=0x0499ed38)  Line 146 + 0xc	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct *
aListenerStruct=0x02550aa8, nsIDOMEvent * aDOMEvent=0x042fa530,
nsIDOMEventTarget * aCurrentTarget=0x0499ed38, unsigned int aSubType=0x042fa53c,
unsigned int aPhaseFlags=0x00000004)  Line 1434 + 0xb	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsIPresContext *
aPresContext=0x00000000, nsEvent * aEvent=0x0012f998, nsIDOMEvent * *
aDOMEvent=0x0012f674, nsIDOMEventTarget * aCurrentTarget=0x0499ed38, unsigned
int aFlags=0x00000004, nsEventStatus * aEventStatus=0x0012f908)  Line 1527 +
0x21	C++
 	gklayout.dll!nsXULElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x040bdde8, nsEvent * aEvent=0x0499ed38, nsIDOMEvent * *
aDOMEvent=0x0012f674, unsigned int aFlags=0x00000004, nsEventStatus *
aEventStatus=0x0012f908)  Line 2852	C++
 	gklayout.dll!nsXULElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x040bdde8, nsEvent * aEvent=0x042e0db8, nsIDOMEvent * *
aDOMEvent=0x0012f674, unsigned int aFlags=0x00000004, nsEventStatus *
aEventStatus=0x0012f908)  Line 2832	C++
 	gklayout.dll!nsXULElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x040bdde8, nsEvent * aEvent=0x0012f998, nsIDOMEvent * *
aDOMEvent=0x0012f674, unsigned int aFlags=0x00000004, nsEventStatus *
aEventStatus=0x0012f908)  Line 2832	C++
 	gklayout.dll!nsGenericElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x04da00f0, nsEvent * aEvent=0x032bd4b8, nsIDOMEvent * *
aDOMEvent=0x0472d758, unsigned int aFlags=0x00ffc868, nsEventStatus *
aEventStatus=0x02451bf5)  Line 1912	C++
 	gklayout.dll!nsHTMLInputElement::HandleDOMEvent(nsIPresContext *
aPresContext=0x040bdde8, nsEvent * aEvent=0x0000000e, nsIDOMEvent * *
aDOMEvent=0x00000000, unsigned int aFlags=0x00000001, nsEventStatus *
aEventStatus=0x0012f908)  Line 1399	C++
 	gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f998,
nsIView * aView=0x02c5d3a8, unsigned int aFlags=0x00000001, nsEventStatus *
aStatus=0x0012f908)  Line 6023 + 0x11	C++
 	gklayout.dll!PresShell::HandleEvent(nsIView * aView=0x02c5d3a8, nsGUIEvent *
aEvent=0x0012f998, nsEventStatus * aEventStatus=0x0012f908, int
aForceHandle=0x00000001, int & aHandled=0x00000001)  Line 5916 + 0x11	C++
 	gklayout.dll!nsViewManager::HandleEvent(nsView * aView=0x0472d758, nsGUIEvent
* aEvent=0x00ffc868, int aCaptured=0x02451bf5)  Line 2239	C++
 	gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x3d888889,
nsEventStatus * aStatus=0x0012f95c)  Line 2025 + 0x14	C++
 	gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f998)  Line 79	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f998,
nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1067 + 0x3	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x00000000) 
Line 1088	C++
 	gkwidget.dll!nsWindow::DispatchKeyEvent(unsigned int aEventType=0x00000083,
unsigned short aCharCode=0x0000, unsigned int aVirtualCharCode=0x0000000d, long
aKeyData=0x00000000)  Line 2978 + 0xe	C++
 	gkwidget.dll!nsWindow::OnChar(unsigned int mbcsCharCode=0x0000000d, unsigned
int virtualKeyCode=0x0000000d, bool isMultiByte=false)  Line 3162 + 0x11	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=0x00000102, unsigned
int wParam=0x0000000d, long lParam=0x001c0001, long * aRetValue=0x0012fc88) 
Line 3878	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x0024021e, unsigned int
msg=0x00000102, unsigned int wParam=0x0000000d, long lParam=0x02cf0f0c)  Line
1349 + 0x10	C++
 	user32.dll!77d43a50() 	
 	user32.dll!77d43b1f() 	
 	user32.dll!TranslateMessage()  + 0xef	
 	user32.dll!GetMessageW()  + 0x125	
 	user32.dll!DispatchMessageW()  + 0xb	
 	appshell.dll!nsAppShellService::Run()  Line 524	C++
 	mozilla.exe!main1(int argc=0x00ffc868, char * * argv=0x02451bf5, nsISupports *
nativeApp=0x00000000)  Line 1303 + 0x9	C++
 	mozilla.exe!main(int argc=0x00000001, char * * argv=0x002a40f8)  Line 1777 +
0x16	C++
 	mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ *
__formal=0x00400000, char * args=0x00152303, HINSTANCE__ * __formal=0x00400000)
 Line 1805 + 0x17	C++
 	mozilla.exe!WinMainCRTStartup()  Line 392 + 0xf	C
 	kernel32.dll!GetCurrentDirectoryW()  + 0x44	

The build is cvs from this weekend. I was playing with some silly helperapp
dialogs and tracing in venkman.

I think the bug is in _addNewFrame; its logic does this:
if (!JS_IsNativeFrame(jsdthreadstate->context, fp)) {
if (!jsdscript) return NULL;
}
/* no check for !jsdscript in the IsNativeFrame case */
The two other callers of JSD_IS_DEBUG_ENABLED make sure the second argument is non-null before invoking the macro. This patch makes this third and final caller consistent with them.
Attachment #146124 - Flags: superreview?(brendan)
Attachment #146124 - Flags: review?(rginda)
Comment on attachment 146124 [details] [diff] [review]
if there's no script at the top then the top frame is not enabled for debugging => enter condition

I will wait for rginda to r= -- the logic around the diff (more context please,
and use -p too!) seems overcomplicated.

/be
Attached patch same patch -u34 (obsolete) — Splinter Review
The comment says "if the top frame is not enabled for debugging then fail the
entire thread state", I think that the top frame not being javascript means
that it isn't enabled for debugging and therefore we should fail the entire
thread state (by continuing into the conditional code).
This would fail the threadstate for any stack that had a script-less frame in
it.  Native frames are the only kind that are script-less IIRC, so it would fail
any stack with a native frame in it.

> I think that the top frame not being javascript means that it isn't
> enabled for debugging

I think it means something has gone wrong.  There shouldn't be a way to hit this
code with a native frame at the top of the stack.
Attachment #146124 - Flags: superreview?(brendan)
Attachment #146124 - Flags: review?(rginda)
Attachment #146124 - Attachment is obsolete: true
Attachment #146244 - Attachment is obsolete: true
Attachment #146518 - Flags: superreview?(brendan)
Attachment #146518 - Flags: review?(rginda)
Comment on attachment 146518 [details] [diff] [review]
you can still debug in this case, so erroring was the wrong choice

test frame->jsdscript instead of script, and r=rginda
Attachment #146518 - Flags: review?(rginda) → review+
Comment on attachment 146518 [details] [diff] [review]
you can still debug in this case, so erroring was the wrong choice

Can I see a new patch?	Thanks.

/be
Attachment #146518 - Flags: superreview?(brendan)
Attachment #146518 - Attachment is obsolete: true
Attachment #150502 - Flags: superreview?(brendan)
Comment on attachment 150502 [details] [diff] [review]
same as attachment 146518 [details] [diff] [review] except using the unaliased variable

sr=dmose
Attachment #150502 - Flags: superreview?(brendan) → superreview+
mozilla/js/jsd/jsd_stak.c 	3.21
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Summary: Crash [@ jsd_NewThreadState] → Crash [@ jsd_NewThreadState] when script is null
Product: Core → Other Applications
*** Bug 294092 has been marked as a duplicate of this bug. ***
Crash Signature: [@ jsd_NewThreadState]
Product: Other Applications → Other Applications Graveyard
