Closed Bug 286407 Opened 19 years ago Closed 17 years ago

winembed - crash [@ UnmarkedGCThingFlags]

Categories

(Core :: JavaScript Engine, defect, P5)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 322045

People

(Reporter: timeless, Assigned: timeless)

Details

(Keywords: crash)

Crash Data

my build of js dates to 3/2, no object file in js/src is older than 2/22. jsgc.c
dates to 3/2 and jsgc.obj was built minutes after jsgc.c was updated.

EAX = 00002038 EBX = 00000000 ECX = 00002038 EDX = 00002038 ESI = 002D44C0 EDI =
0012FE1C EIP = 00C85742 ESP = 0012DFFC EBP = 0012E004 EFL = 00000206 

>	js3250.dll!UnmarkedGCThingFlags(void * thing=0x0012f9c0, void *
arg=0x0012e14c)  Line 1018 + 0x3	C
 	js3250.dll!js_MarkGCThing(JSContext * cx=0x06eb6760, void * thing=0x0012f9c0,
void * arg=0x0012e14c)  Line 1422 + 0xd	C
 	js3250.dll!js_GC(JSContext * cx=0x06eb6760, unsigned int gcflags=0)  Line
1705 + 0x4b	C
 	js3250.dll!js_ForceGC(JSContext * cx=0x06eb6760, unsigned int gcflags=0)  Line
1489 + 0xd	C
 	js3250.dll!JS_GC(JSContext * cx=0x06eb6760)  Line 1752 + 0xb	C
 	js3250.dll!JS_MaybeGC(JSContext * cx=0x06eb6760)  Line 1771 + 0x9	C
 	gklayout.dll!nsJSContext::DOMBranchCallback(JSContext * cx=0x06eb6760,
JSScript * script=0x075f1270)  Line 507 + 0xa	C++

static uint8 *
UNMARKED_GC_THING_FLAGS(void *thing, void *arg)
{
00C85720  push        ebp  
00C85721  mov         ebp,esp 
00C85723  sub         esp,8 
    uint8 flags, *flagp;

    if (!thing)
00C85726  cmp         dword ptr [thing],0 
00C8572A  jne         UnmarkedGCThingFlags+10h (0C85730h) 
        return NULL;
00C8572C  xor         eax,eax 
00C8572E  jmp         UnmarkedGCThingFlags+82h (0C857A2h) 

    flagp = js_GetGCThingFlags(thing);
00C85730  mov         eax,dword ptr [thing] 
00C85733  push        eax  
00C85734  call        @ILT+2505(_js_GetGCThingFlags) (0C419CEh) 
00C85739  add         esp,4 
00C8573C  mov         dword ptr [flagp],eax 
    flags = *flagp;
00C8573F  mov         ecx,dword ptr [flagp] 
00C85742  mov         dl,byte ptr [ecx] 
00C85744  mov         byte ptr [flags],dl 
    JS_ASSERT(flags != GCF_FINAL);
00C85747  movzx       eax,byte ptr [flags] 
00C8574B  cmp         eax,20h 
00C8574E  je          UnmarkedGCThingFlags+32h (0C85752h) 
00C85750  jmp         UnmarkedGCThingFlags+49h (0C85769h) 
00C85752  push        3FBh 
00C85757  push        0D30B00h 
00C8575C  push        0D30B1Ch 
00C85761  call        @ILT+3950(_JS_Assert) (0C41F73h) 
00C85766  add         esp,0Ch 
#ifdef GC_MARK_DEBUG
    if (js_LiveThingToFind == thing)
00C85769  mov         ecx,dword ptr [_js_LiveThingToFind (0D4DAA4h)] 
00C8576F  cmp         ecx,dword ptr [thing] 
00C85772  jne         UnmarkedGCThingFlags+72h (0C85792h) 
        gc_dump_thing(thing, flags, arg, stderr);
00C85774  mov         edx,dword ptr [__imp___iob (0D4E2B8h)] 
00C8577A  add         edx,40h 
00C8577D  push        edx  
00C8577E  mov         eax,dword ptr [arg] 
00C85781  push        eax  
00C85782  mov         cl,byte ptr [flags] 
00C85785  push        ecx  
00C85786  mov         edx,dword ptr [thing] 
00C85789  push        edx  
00C8578A  call        gc_dump_thing (0C857D0h) 
00C8578F  add         esp,10h 
#endif

    if (flags & GCF_MARK)
00C85792  movzx       eax,byte ptr [flags] 
00C85796  and         eax,10h 
00C85799  je          UnmarkedGCThingFlags+7Fh (0C8579Fh) 
        return NULL;
00C8579B  xor         eax,eax 
00C8579D  jmp         UnmarkedGCThingFlags+82h (0C857A2h) 

    return flagp;
00C8579F  mov         eax,dword ptr [flagp] 
}
00C857A2  mov         esp,ebp 
00C857A4  pop         ebp  
00C857A5  ret              

the caller is:
                    GC_MARK(cx, fp->argsobj, "arguments object", NULL);

+	fp->argsobj	0x0012f9c0 {map=0x0000011c {nrefs=??? ops=??? nslots=??? ...}
slots=0x00010005 }	JSObject *
-	&fp->argsobj->slots[-1],10	0x00010001	long *
	[0x0]	0x3a004300	long
	[0x1]	0x43003d00	long
	[0x2]	0x5c003a00	long
	[0x3]	0x6f004400	long
	[0x4]	0x75006300	long
	[0x5]	0x65006d00	long
	[0x6]	0x74006e00	long
	[0x7]	0x20007300	long
	[0x8]	0x6e006100	long
	[0x9]	0x20006400	long

i had tried to use xpc_DumpJSStack / FormatJSStackDump moments earlier, and the
debugger failed to dispatch them. so it's possible that this is a self inflicted
problem.

bug 286406 contains a list of crashes with this signature which should contain
brendan's last fix for this signature (well, it doesn't include builds from
march, all 2 crashes). some of them match this stack fairly closely, a bunch of
them have bogus stacks. [ js_ForceGC - nsAppStartup::Run ], i think my favorite
is
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=4112031#id
but that can be addressed elsewhere if we can't find anything useful here.
Dupe of 292455?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Flags: testcase-
(In reply to comment #1)
> Dupe of 292455?

timeless. dupe? bc comments was fixed by bug 322045
fine w/ me
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ UnmarkedGCThingFlags]
You need to log in before you can comment on or make changes to this bug.