Closed Bug 292949 Opened 19 years ago Closed 19 years ago

crash [@ js_SetClassPrototype] because proto isn't rooted in js_InitExceptionClasses across call to js_DefineFunction

Categories

(Core :: JavaScript Engine, defect)

Platform: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: critical


RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

Details

(Keywords: crash, js1.5)

Attachments

(1 obsolete file)

My tree isn't entirely current, but I'm fairly certain this isn't fixed yet. I
can update early next week.

I'm abusing too_much_gc by restricting the jsenvironment to about 20k.

steps:
(build with support for JS_RUNTIME_SIZE)
set JS_RUNTIME_SIZE=20
winembed.exe

death is very simple:
        /* Make the prototype for the current constructor name. */
        protos[i] = js_NewObject(cx, &ExceptionClass,
                                 (protoIndex != JSEXN_NONE)
                                 ? protos[protoIndex]
                                 : NULL,
                                 obj);
/* creates a happy proto with a map != 0; */
        if (!protos[i])
            return NULL;

        /* So exn_finalize knows whether to destroy private data. */
        OBJ_SET_SLOT(cx, protos[i], JSSLOT_PRIVATE, JSVAL_VOID);

        atom = js_Atomize(cx, exceptions[i].name, strlen(exceptions[i].name), 0);
        if (!atom)
            return NULL;

        /* Make a constructor function for the current name. */
        fun = js_DefineFunction(cx, obj, atom, exceptions[i].native, 3, 0);
/* destroyed the proto, presumably because it wasn't rooted */

the call to:
        if (!js_SetClassPrototype(cx, fun->object, protos[i],
                                  JSPROP_READONLY | JSPROP_PERMANENT)) {
crashes at:
    return OBJ_DEFINE_PROPERTY(cx, proto,
                               ATOM_TO_JSID(cx->runtime->atomState
                                            .constructorAtom),
                               OBJECT_TO_JSVAL(ctor),
                               JS_PropertyStub, JS_PropertyStub,
                               0, NULL);
because:
+	proto->map	0x00000000 {nrefs=??? ops=??? nslots=??? ...}
	JSObjectMap *
and obj_define_property wants to use (proto)->map->ops->defineProperty which
isn't very reachable

 	js3250.dll!js_SetClassPrototype(JSContext * cx=0x00ab9878, JSObject * ctor=0x00b35368, JSObject * proto=0x00b35360, unsigned int attrs=0x00000006)  Line 3668 + 0x2c	C
>	js3250.dll!js_InitExceptionClasses(JSContext * cx=0x00ab9878, JSObject * obj=0x00b34ab0)  Line 860 + 0x1a	C
 	js3250.dll!JS_InitStandardClasses(JSContext * cx=0x00ab9878, JSObject * obj=0x00b34ab0)  Line 1204 + 0xc1	C
 	jsd3250.dll!_newJSDContext(JSRuntime * jsrt=0x00aa9028, JSD_UserCallbacks * callbacks=0x00000000, void * user=0x00000000)  Line 144 + 0x14	C
 	jsd3250.dll!jsd_DebuggerOnForUser(JSRuntime * jsrt=0x00aa9028, JSD_UserCallbacks * callbacks=0x00000000, void * user=0x00000000)  Line 199 + 0x11	C
 	jsd3250.dll!JSD_DebuggerOnForUser(JSRuntime * jsrt=0x00aa9028, JSD_UserCallbacks * callbacks=0x00000000, void * user=0x00000000)  Line 52 + 0x11	C
 	jsd3250.dll!jsdService::OnForRuntime(JSRuntime * rt=0x00aa9028)  Line 2506 + 0xd	C++
 	jsd3250.dll!jsdASObserver::Observe(nsISupports * aSubject=0x00000000, const char * aTopic=0x00345190, const unsigned short * aData=0x0035105c)  Line 3333 + 0x1b	C++
 	xpcom_core.dll!NS_CreateServicesFromCategory(const char * category=0x00345198, nsISupports * origin=0x00000000, const char * observerTopic=0x00345190)  Line 827	C++
 	xpcom_core.dll!nsComponentManagerImpl::AutoRegisterImpl(int when=0x00000000, nsIFile * inDirSpec=0x00000000, int fileIsCompDir=0x00000001)  Line 3194 + 0x11	C++
 	xpcom_core.dll!nsComponentManagerImpl::AutoRegister(nsIFile * aSpec=0x00000000)  Line 3417 + 0x13	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x003dd8d8, unsigned int methodIndex=0x00000003, unsigned int paramCount=0x00000001, nsXPTCVariant * params=0x0012ead0)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2068 + 0x1e	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x00b32598, JSObject * obj=0x00b349a8, unsigned int argc=0x00000001, long * argv=0x00b60528, long * vp=0x0012eda4)  Line 1311 + 0xb	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x00b32598, unsigned int argc=0x00000001, unsigned int flags=0x00000000)  Line 1320 + 0x20	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00b32598, unsigned char * pc=0x00b57eaf, long * result=0x0012f890)  Line 3614 + 0xf	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00b32598, unsigned int argc=0x00000003, unsigned int flags=0x00000002)  Line 1340 + 0x13	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x00b50bf0, unsigned short methodIndex=0x0003, const nsXPTMethodInfo * info=0x00b63640, nsXPTCMiniVariant * nativeParams=0x0012fba4)  Line 1413 + 0x14	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=0x0003, const nsXPTMethodInfo * info=0x00b63640, nsXPTCMiniVariant * params=0x0012fba4)  Line 450	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x00b50bf0, unsigned int methodIndex=0x00000003, unsigned int * args=0x0012fc6c, unsigned int * stackBytesToPop=0x0012fc5c)  Line 117 + 0x1c	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	xpcom_core.dll!NS_CreateServicesFromCategory(const char * category=0x0032dbc0, nsISupports * origin=0x00000000, const char * observerTopic=0x0032dbb0)  Line 827	C++
 	xpcom_core.dll!NS_InitXPCOM2_P(nsIServiceManager * * result=0x00414b90, nsIFile * binDirectory=0x00000000, nsIDirectoryServiceProvider * appFileLocationProvider=0x00000000)  Line 683 + 0x11	C++
 	xpcom.dll!NS_InitXPCOM2(nsIServiceManager * * result=0x00414b90, nsIFile * binDirectory=0x00000000, nsIDirectoryServiceProvider * dirProvider=0x00000000)  Line 120 + 0x12	C++
 	winEmbed.exe!NS_InitEmbedding(nsILocalFile * mozBinDirectory=0x00000000, nsIDirectoryServiceProvider * appFileLocProvider=0x00000000)  Line 102 + 0x13	C++
 	winEmbed.exe!main(int argc=0x00000001, char * * argv=0x003d9668)  Line 168 + 0x9	C++
 	winEmbed.exe!mainCRTStartup()  Line 398 + 0x11	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23
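A reduced model of the hazard this report describes, added here as an example and not SpiderMonkey code: a mark-and-sweep heap whose finalizer clears map, an allocator that collects on every call (the effect of the 20k JS_RUNTIME_SIZE), and the unrooted pattern from jsexn.c next to one that keeps proto on a root stack across the allocating call. The names init_unrooted, init_rooted, define_function and the root stack are hypothetical stand-ins for the functions named in the report.

```c
/* Reduced model of the rooting hazard (not SpiderMonkey code; names are
 * hypothetical). Sweep clears obj->map, the field the crash dereferenced, and
 * every allocation collects first, like the 20k JS_RUNTIME_SIZE in the report. */
#define MAX_OBJS 32
#define MAX_ROOTS 8
typedef struct Obj { int map; int marked; int live; } Obj;
static Obj heap[MAX_OBJS];
static int next_slot;                 /* bump allocator: slots never reused */
static Obj *roots[MAX_ROOTS];         /* stand-in for the local root scope */
static int nroots;
static void gc(void) {
    int i;
    for (i = 0; i < MAX_OBJS; i++) heap[i].marked = 0;
    for (i = 0; i < nroots; i++) roots[i]->marked = 1;    /* mark from roots */
    for (i = 0; i < MAX_OBJS; i++)                         /* sweep/finalize */
        if (heap[i].live && !heap[i].marked) { heap[i].live = 0; heap[i].map = 0; }
}

static Obj *new_object(void) {        /* js_NewObject: allocates, so may GC */
    gc();
    if (next_slot >= MAX_OBJS) return 0;
    heap[next_slot].live = 1;
    heap[next_slot].map = 1;          /* "a happy proto with a map != 0" */
    return &heap[next_slot++];
}
static Obj *define_function(void) { return new_object(); }  /* js_DefineFunction */

/* js_SetClassPrototype would dereference proto->map->ops; a cleared map is
 * reported as failure (0) here instead of crashing. */
static int set_class_prototype(Obj *ctor, Obj *proto) {
    return ctor != 0 && proto != 0 && proto->map != 0;
}
/* Reported pattern: proto lives only in a local across the allocating call. */
int init_unrooted(void) {
    Obj *proto = new_object();
    Obj *fun = define_function();             /* GC here finalizes proto */
    return set_class_prototype(fun, proto);   /* 0: proto->map is now 0 */
}

/* Fixed pattern: proto is rooted for the duration of the allocating call. */
int init_rooted(void) {
    Obj *proto = new_object(), *fun;
    int ok;
    roots[nroots++] = proto;                  /* enter local root scope */
    fun = define_function();                  /* GC marks proto via the root */
    ok = set_class_prototype(fun, proto);     /* 1 */
    nroots--;                                 /* leave local root scope */
    return ok;
}
```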
Assignee: general → timeless
Status: NEW → ASSIGNED
Attachment #182647 - Flags: review?(brendan)
Comment on attachment 182647
i don't think there's anything to root proto

>Index: jsexn.c
>===================================================================
>RCS file: /cvsroot/mozilla/js/src/jsexn.c,v
>retrieving revision 3.47
>diff -u -p -7 -r3.47 jsexn.c
>--- jsexn.c	7 Jan 2005 03:35:36 -0000	3.47
>+++ jsexn.c	5 May 2005 03:34:53 -0000
>@@ -818,66 +818,73 @@ static JSFunctionSpec exception_methods[
>     {0,0,0,0,0}
> };
> 
> JSObject *
> js_InitExceptionClasses(JSContext *cx, JSObject *obj)
> {
>     int i;
>+    JSBool ok = JS_FALSE;

This looks unused, nuke it.

>     }

Extra blank line here.

>+    js_LeaveLocalRootScope(cx);
>+    if (exceptions[i].name)
>+        return NULL;
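Review bot: the early-exit test `if (exceptions[i].name) return NULL;` only works if the exceptions[] table ends in an entry whose name is NULL and every failure path inside the loop breaks out with i still on a named entry; a one-line comment at this point saying so would spare the next reader from reconstructing it, especially since the `ok` flag flagged above as unused looks like it was meant to carry exactly that signal. Placing js_LeaveLocalRootScope(cx) before the conditional return is the right order, since the scope is then left on the failure path as well as on success.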

r+a=me with those changes.

/be
Attachment #182647 - Flags: review?(brendan)
Attachment #182647 - Flags: review+
Attachment #182647 - Flags: approval1.8b2+
Comment on attachment 182647
i don't think there's anything to root proto

mozilla/js/src/jsexn.c	3.48
Attachment #182647 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase-
Crash Signature: [@ js_SetClassPrototype]