Closed Bug 264995 Opened 20 years ago Closed 20 years ago

SAVE_SP is too late [@ nsXPCComponents_Interfaces::NewResolve]

(Core :: JavaScript Engine, defect)

RESOLVED FIXED
mozilla1.8alpha5

(Reporter: timeless, Assigned: brendan)

cdcdcdcd()	
 	xpc3250.dll!nsXPCComponents_Interfaces::NewResolve(nsIXPConnectWrappedNative *
wrapper=0x015e81d8, JSContext * cx=0x010ac918, JSObject * obj=0x015e81f8, long
id=0x010a3c90, unsigned int flags=0x00000001, JSObject * * objp=0x0012e484, int
* _retval=0x0012e488)  Line 267 + 0x31	C++
 	xpc3250.dll!XPC_WN_Helper_NewResolve(JSContext * cx=0x015e81f8, JSObject *
obj=0x015e81f8, long idval=0x015f07b8, unsigned int flags=0x00000000, JSObject *
* objp=0x015f0818)  Line 929	C++
 	js3250.dll!_js_LookupProperty(JSContext * cx=0x010ac918, JSObject *
obj=0x015e81f8, long id=0x010a3c90, JSObject * * objp=0x0012e5f0, JSProperty * *
propp=0x0012e5dc, const char * file=0x1006a7e0, unsigned int line=0x00000704) 
Line 2406 + 0x16	C
>	js3250.dll!js_Interpret(JSContext * cx=0x00000000, long * result=0x015f0818) 
Line 1796 + 0x25	C
 	js3250.dll!js_Invoke(JSContext * cx=0x015f07b8, unsigned int argc=0x00000000,
unsigned int flags=0x015f0818)  Line 958 + 0xa	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00000000, long * result=0x015f0818) 
Line 2965	C
 	js3250.dll!js_Invoke(JSContext * cx=0x015f07b8, unsigned int argc=0x00000000,
unsigned int flags=0x015f0818)  Line 958 + 0xa	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00000000, long * result=0x015f0818) 
Line 2965	C
 	js3250.dll!js_Execute(JSContext * cx=0x010751d8, JSObject * chain=0x0105e440,
JSScript * script=0x0162e8b0, JSStackFrame * down=0x00000000, unsigned int
special=0x00000000, long * result=0x0012eb00)  Line 1157	C
 	js3250.dll!JS_ExecuteScript(JSContext * cx=0x010ac918, JSObject *
obj=0x0105e440, JSScript * script=0x0162e8b0, long * rval=0x0012eb00)  Line
3432 + 0x1a	C
 	xpcshell.exe!Load(JSContext * cx=0x010ac918, JSObject * obj=0x0105e440,
unsigned int argc=0x00000001, long * argv=0x010c404c, long * rval=0x0012eb4c)
 Line 229	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x015f07b8, unsigned int argc=0x00000000,
unsigned int flags=0x015f0818)  Line 941 + 0x11	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00000000, long * result=0x015f0818) 
Line 2965	C
 	js3250.dll!js_Execute(JSContext * cx=0x010751d8, JSObject * chain=0x0105e440,
JSScript * script=0x010c1930, JSStackFrame * down=0x00000000, unsigned int
special=0x00000000, long * result=0x0012fec4)  Line 1157	C
 	js3250.dll!JS_ExecuteScript(JSContext * cx=0x010ac918, JSObject *
obj=0x0105e440, JSScript * script=0x010c1930, long * rval=0x0012fec4)  Line
3432 + 0x1a	C
 	xpcshell.exe!ProcessFile(JSContext * cx=0x015e81f8, JSObject * obj=0x0105e440,
const char * filename=0x00000000, _iobuf * file=0x1027a838)  Line 618 + 0xf	C++
 	xpcshell.exe!Process(JSContext * cx=0x015e78d9, JSObject * obj=0x0105e440,
const char * filename=0x00ff35a0)  Line 671 + 0xb	C++
 	xpcshell.exe!ProcessArgs(JSContext * cx=0x010ac918, JSObject * obj=0x0105e440,
char * * argv=0x00427bf4, int argc=0x00000002)  Line 798 + 0xe	C++
 	xpcshell.exe!main(int argc=0x00000003, char * * argv=0x00427bf0, char * *
envp=0x004230d0)  Line 1082	C++
 	xpcshell.exe!mainCRTStartup()  Line 400 + 0x11	C
 	kernel32.dll!TermsrvAppInstallMode()  + 0x269	


#if JS_HAS_IN_OPERATOR
          case JSOP_IN:
            rval = FETCH_OPND(-1);
            if (JSVAL_IS_PRIMITIVE(rval)) {
                str = js_DecompileValueGenerator(cx, -1, rval, NULL);
                if (str) {
                    JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                                         JSMSG_IN_NOT_OBJECT,
                                         JS_GetStringBytes(str));
                }
                ok = JS_FALSE;
                goto out;
            }
            sp--;
            obj = JSVAL_TO_OBJECT(rval);
            FETCH_ELEMENT_ID(-1, id);
            SAVE_SP(fp);
            ok = OBJ_LOOKUP_PROPERTY(cx, obj, id, &obj2, &prop);

+	obj	0x00000000 {map=??? slots=??? }	JSObject *
	rval	0x015e81f8	long

obj is the same value as rval (0x015e81f8) in the frames above js_Interpret; the operand fetched from the stack is what reaches OBJ_LOOKUP_PROPERTY.

-	obj	0x015e81f8 {map=0x015e8208 {nrefs=0x015e8210 ops=0x015e78d9
{newObjectMap=0x10101010 destroyObjectMap=0xcd001000 lookupProperty=0xcdcdcdcd
...} nslots=0x015e8218 ...} slots=0x015e78d7 }	JSObject *
Another good catch for the branches!

/be
Status: NEW → ASSIGNED
Flags: blocking1.7.x+
Flags: blocking-aviary1.0+
Keywords: js1.5
OS: Windows XP → All
Hardware: PC → All
Target Milestone: --- → mozilla1.8alpha5
Attached patch fixSplinter Review
This will conflict with part of the patch in bug 263285.  I'll attach a new
patch there after this lands.

/be
Comment on attachment 162541 [details] [diff] [review]
fix

rs=shaver@mozilla.org, self-approving.

/be
Attachment #162541 - Flags: review+
Attachment #162541 - Flags: approval1.7.x+
Attachment #162541 - Flags: approval-aviary+
Fixed everywhere.

/be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Flags: testcase-
Crash Signature: [@ nsXPCComponents_Interfaces::NewResolve]
