Closed Bug 286407 Opened 20 years ago Closed 17 years ago

winembed - crash [@ UnmarkedGCThingFlags]

Categories

(Core :: JavaScript Engine, defect, P5)

x86
Windows XP
defect

RESOLVED DUPLICATE of bug 322045

People

(Reporter: timeless, Assigned: timeless)

Details

(Keywords: crash)

Crash Data

My build of js dates to 3/2, no object file in js/src is older than 2/22. jsgc.c dates to 3/2 and jsgc.obj was built minutes after jsgc.c was updated.

EAX = 00002038 EBX = 00000000 ECX = 00002038 EDX = 00002038
ESI = 002D44C0 EDI = 0012FE1C EIP = 00C85742 ESP = 0012DFFC
EBP = 0012E004 EFL = 00000206

> js3250.dll!UnmarkedGCThingFlags(void * thing=0x0012f9c0, void * arg=0x0012e14c) Line 1018 + 0x3 C
  js3250.dll!js_MarkGCThing(JSContext * cx=0x06eb6760, void * thing=0x0012f9c0, void * arg=0x0012e14c) Line 1422 + 0xd C
  js3250.dll!js_GC(JSContext * cx=0x06eb6760, unsigned int gcflags=0) Line 1705 + 0x4b C
  js3250.dll!js_ForceGC(JSContext * cx=0x06eb6760, unsigned int gcflags=0) Line 1489 + 0xd C
  js3250.dll!JS_GC(JSContext * cx=0x06eb6760) Line 1752 + 0xb C
  js3250.dll!JS_MaybeGC(JSContext * cx=0x06eb6760) Line 1771 + 0x9 C
  gklayout.dll!nsJSContext::DOMBranchCallback(JSContext * cx=0x06eb6760, JSScript * script=0x075f1270) Line 507 + 0xa C++

static uint8 *
UNMARKED_GC_THING_FLAGS(void *thing, void *arg)
{
00C85720  push        ebp
00C85721  mov         ebp,esp
00C85723  sub         esp,8
    uint8 flags, *flagp;

    if (!thing)
00C85726  cmp         dword ptr [thing],0
00C8572A  jne         UnmarkedGCThingFlags+10h (0C85730h)
        return NULL;
00C8572C  xor         eax,eax
00C8572E  jmp         UnmarkedGCThingFlags+82h (0C857A2h)
    flagp = js_GetGCThingFlags(thing);
00C85730  mov         eax,dword ptr [thing]
00C85733  push        eax
00C85734  call        @ILT+2505(_js_GetGCThingFlags) (0C419CEh)
00C85739  add         esp,4
00C8573C  mov         dword ptr [flagp],eax
    flags = *flagp;
00C8573F  mov         ecx,dword ptr [flagp]
00C85742  mov         dl,byte ptr [ecx]
00C85744  mov         byte ptr [flags],dl
    JS_ASSERT(flags != GCF_FINAL);
00C85747  movzx       eax,byte ptr [flags]
00C8574B  cmp         eax,20h
00C8574E  je          UnmarkedGCThingFlags+32h (0C85752h)
00C85750  jmp         UnmarkedGCThingFlags+49h (0C85769h)
00C85752  push        3FBh
00C85757  push        0D30B00h
00C8575C  push        0D30B1Ch
00C85761  call        @ILT+3950(_JS_Assert) (0C41F73h)
00C85766  add         esp,0Ch
#ifdef GC_MARK_DEBUG
    if (js_LiveThingToFind == thing)
00C85769  mov         ecx,dword ptr [_js_LiveThingToFind (0D4DAA4h)]
00C8576F  cmp         ecx,dword ptr [thing]
00C85772  jne         UnmarkedGCThingFlags+72h (0C85792h)
        gc_dump_thing(thing, flags, arg, stderr);
00C85774  mov         edx,dword ptr [__imp___iob (0D4E2B8h)]
00C8577A  add         edx,40h
00C8577D  push        edx
00C8577E  mov         eax,dword ptr [arg]
00C85781  push        eax
00C85782  mov         cl,byte ptr [flags]
00C85785  push        ecx
00C85786  mov         edx,dword ptr [thing]
00C85789  push        edx
00C8578A  call        gc_dump_thing (0C857D0h)
00C8578F  add         esp,10h
#endif
    if (flags & GCF_MARK)
00C85792  movzx       eax,byte ptr [flags]
00C85796  and         eax,10h
00C85799  je          UnmarkedGCThingFlags+7Fh (0C8579Fh)
        return NULL;
00C8579B  xor         eax,eax
00C8579D  jmp         UnmarkedGCThingFlags+82h (0C857A2h)
    return flagp;
00C8579F  mov         eax,dword ptr [flagp]
}
00C857A2  mov         esp,ebp
00C857A4  pop         ebp
00C857A5  ret

The caller is:

    GC_MARK(cx, fp->argsobj, "arguments object", NULL);

+ fp->argsobj                 0x0012f9c0 {map=0x0000011c {nrefs=??? ops=??? nslots=??? ...} slots=0x00010005 }  JSObject *
- &fp->argsobj->slots[-1],10  0x00010001  long *
    [0x0]  0x3a004300  long
    [0x1]  0x43003d00  long
    [0x2]  0x5c003a00  long
    [0x3]  0x6f004400  long
    [0x4]  0x75006300  long
    [0x5]  0x65006d00  long
    [0x6]  0x74006e00  long
    [0x7]  0x20007300  long
    [0x8]  0x6e006100  long
    [0x9]  0x20006400  long

I had tried to use xpc_DumpJSStack / FormatJSStackDump moments earlier, and the debugger failed to dispatch them, so it's possible that this is a self-inflicted problem.

Bug 286406 contains a list of crashes with this signature which should contain brendan's last fix for this signature (well, it doesn't include builds from March, all 2 crashes). Some of them match this stack fairly closely, a bunch of them have bogus stacks [ js_ForceGC - nsAppStartup::Run ]. I think my favorite is http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=4112031#id but that can be addressed elsewhere if we can't find anything useful here.
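The dump above is enough to show that the faulting `thing` is not a GC-allocated object at all, and the quickest way to see that is to run the raw values through a few sanity checks. The script below is an added illustration written for this page, not code from the bug or from SpiderMonkey: it takes the register values, the `fp->argsobj` fields and the ten longs from the `slots[-1]` watch exactly as printed in comment 0, flags the pointers that cannot be valid heap addresses (EIP 00C85742 is the `mov dl,byte ptr [ecx]` load of `*flagp`, so ECX=00002038 is the bogus `flagp`), and decodes the slot memory as UTF-16LE at both byte alignments. The 1 MiB stack window and the "low 64 KiB is unmapped" rule are Win32 assumptions stated in the comments; the thresholds are heuristics, not SpiderMonkey checks.

```python
import struct

# Values copied from the debugger output in comment 0 of this bug;
# everything else here is an added illustration, not part of the report.
ARGSOBJ = 0x0012F9C0        # fp->argsobj, the "thing" being marked
ARGSOBJ_MAP = 0x0000011C    # map field read through that pointer
ARGSOBJ_SLOTS = 0x00010005  # slots field read through that pointer
ESP = 0x0012DFFC            # stack pointer at the crash
ECX = 0x00002038            # flagp when `mov dl,byte ptr [ecx]` faulted

# `&fp->argsobj->slots[-1],10`: ten little-endian 32-bit longs.
SLOT_DUMP = [
    0x3A004300, 0x43003D00, 0x5C003A00, 0x6F004400, 0x75006300,
    0x65006D00, 0x74006E00, 0x20007300, 0x6E006100, 0x20006400,
]

NULL_PAGE_LIMIT = 0x10000    # Win32 never maps the lowest 64 KiB of user space
STACK_WINDOW = 1024 * 1024   # assumption: default 1 MiB Win32 thread stack


def classify_pointer(p, esp=ESP, align=4):
    """Return the reasons a supposed GC-heap pointer looks bogus.

    An empty list means the value passed these cheap sanity checks;
    it does not prove the pointer is valid."""
    reasons = []
    if p < NULL_PAGE_LIMIT:
        reasons.append("in the unmapped low 64 KiB")
    if p % align:
        reasons.append("misaligned for a %d-byte word" % align)
    if 0 <= p - esp < STACK_WINDOW:   # above ESP, within one default stack
        reasons.append("inside the current thread's stack")
    return reasons


def dwords_to_bytes(dwords):
    """Lay the watch-window longs out in memory order (little-endian)."""
    return b"".join(struct.pack("<I", d) for d in dwords)


def decode_utf16le(data, offset):
    """Decode from byte `offset`, dropping a trailing odd byte if any."""
    chunk = data[offset:]
    chunk = chunk[: len(chunk) & ~1]
    return chunk.decode("utf-16-le", errors="replace")


def ascii_ratio(s):
    """Fraction of code units that are printable ASCII."""
    if not s:
        return 0.0
    return sum(1 for c in s if 0x20 <= ord(c) < 0x7F) / len(s)


def best_utf16_reading(dwords):
    """Try both byte alignments and return (offset, text) for the one that
    is mostly printable ASCII; the wrong alignment yields CJK-looking units."""
    data = dwords_to_bytes(dwords)
    candidates = [(off, decode_utf16le(data, off)) for off in (0, 1)]
    return max(candidates, key=lambda c: ascii_ratio(c[1]))


if __name__ == "__main__":
    for name, value in (("fp->argsobj", ARGSOBJ), ("argsobj->map", ARGSOBJ_MAP),
                        ("argsobj->slots", ARGSOBJ_SLOTS), ("flagp (ECX)", ECX)):
        verdict = "; ".join(classify_pointer(value)) or "passes sanity checks"
        print("%-16s 0x%08x  %s" % (name, value, verdict))
    off, text = best_utf16_reading(SLOT_DUMP)
    print("slots dump as UTF-16LE at byte offset %d: %r" % (off, text))
```

Run stand-alone it reports `fp->argsobj` as a stack address (it sits 0x19c4 bytes above ESP), `map` and `flagp` as addresses in the never-mapped low 64 KiB, `slots` as misaligned, and the slot memory, read one byte in, as the text `C:=C:\Documents and`, which is what a Windows per-drive current-directory environment entry looks like. In other words the "arguments object" pointer points into stack memory that currently holds a string, so the crash is a stale or uninitialized `fp->argsobj` being handed to the marker rather than a fault in UnmarkedGCThingFlags itself.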
Dupe of 292455?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Flags: testcase-
(In reply to comment #1)
> Dupe of 292455?

timeless. dupe? bc comments was fixed by bug 322045
fine w/ me
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ UnmarkedGCThingFlags]