Closed Bug 279606 Opened 20 years ago Closed 20 years ago

crash @ js_Interpret

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: csthomas, Unassigned)


Attachments

(2 files)

I'm experiencing frequent crashes at the same location in jsinterp.c.  I can
reproduce the crashes fairly well by running "mozilla -mail" or while using
venkman, and sometimes it happens randomly.

Thanks.  I've had time to analyze only the first attachment.

The executing script is for the method declared (body starting at) line 800 in
chrome://global/content/autocomplete.xml -- whose source is
http://lxr.mozilla.org/mozilla/source/xpfe/components/autocomplete/resources/content/autocomplete.xml#800

    <method name="convertIndexToSession">
      <parameter name="aIndex"/>
      <body><![CDATA[
        var idx = 0;
        for (var name in this.mLastResults) {
          if (this.mLastResults[name]) {
            if ((idx+this.mLastResults[name].items.Count())-1 >= aIndex) {
              return {session: name, index: aIndex-idx};
            }
            idx += this.mLastResults[name].items.Count();
          }
        }
        return null;
      ]]></body>
    </method>

The interpreter's pc is 49 bytes into this method, the "add" op as confirmed by
*pc (27, JSOP_ADD).

00000:  zero
00001:  setvar 0
00004:  pop
00005:  push
00006:  this
00007:  getprop "mLastResults"
00010:  toobject
00011:  forvar 1
00014:  ifeq 112 (98)
00017:  this
00018:  getprop "mLastResults"
00021:  getvar 1
00024:  getelem
00025:  ifeq 109 (84)
00028:  getvar 0
00031:  this
00032:  getprop "mLastResults"
00035:  getvar 1
00038:  getelem
00039:  getprop "items"
00042:  getprop "Count"
00045:  pushobj
00046:  call 0
00049:  add
00050:  group

Including the "group" instruction that follows the "add", the expression leading
up to the crash is (idx+this.mLastResults[name].items.Count()).  This is an int
jsval addition expression -- no string concatenation in sight.  According to the
local variables attachment, lval is 1 (int 0 tagged as a jsval) and rval is 423
(int 211 tagged as a jsval).

So what I need to know, what is not reported here, is the machine pc (a.k.a. the
eip register on x86) where the crash occurs, the 40 or so instructions leading
up to this crash point, and the bad address (and what variable it came from if
possible).  Try to catch me on IRC, but in any case please get as much of this
machine state recorded here as you can.

Anyone else seeing this crash?

/be
Status: UNCONFIRMED → NEW
Ever confirmed: true
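
The tagging arithmetic behind "lval is 1 (int 0 tagged as a jsval)" in the comment above, as an added example that is not part of the bug thread or of SpiderMonkey's source. All names are hypothetical; the page confirms only the int tagging, while the non-int tag values and the reserved void word are assumptions about the engine's 32-bit jsval layout of that era.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 32-bit tagged words. Low bit 1 = 31-bit int; otherwise the
 * low three bits pick the type and the rest is an 8-byte-aligned pointer
 * (or the boolean payload). */
typedef uint32_t rawval;                  /* hypothetical name for a raw jsval */
enum kind { K_OBJECT, K_INT, K_DOUBLE, K_STRING, K_BOOLEAN, K_VOID };

#define RAW_VOID 0x80000001u              /* assumed: int tag on -2^30 means undefined */

static enum kind classify(rawval v) {
    if (v == RAW_VOID) return K_VOID;
    if (v & 1u) return K_INT;
    switch (v & 7u) {
    case 0:  return K_OBJECT;             /* payload 0 is null */
    case 2:  return K_DOUBLE;
    case 4:  return K_STRING;
    default: return K_BOOLEAN;            /* tag 6 */
    }
}

static rawval tag_int(int32_t i) { return ((uint32_t)i << 1) | 1u; }

/* v is odd for ints, so (v - 1) / 2 is exact and keeps the sign. */
static int32_t untag_int(rawval v) { return ((int32_t)v - 1) / 2; }

/* 1 when both operands of an "add" are ints: plain numeric addition, with no
 * string concatenation or object-to-primitive conversion on the path. */
static int add_is_pure_int(rawval l, rawval r) {
    return classify(l) == K_INT && classify(r) == K_INT;
}

/* Address a debugger should inspect when an operand is not an int. */
static uint32_t payload_addr(rawval v) { return v & ~7u; }

int main(void) {
    rawval lval = 1, rval = 423;          /* the two locals quoted in the comment */
    printf("lval=%d rval=%d pure_int=%d\n",
           untag_int(lval), untag_int(rval), add_is_pure_int(lval, rval));
    return 0;
}
```
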
I have stopped experiencing this crash... if I don't see it again in the next
few days, I'll mark the bug wfm.

I haven't been able to reproduce this, marking WORKSFORME.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME