Closed
Bug 320314
Opened 20 years ago
Closed 7 years ago
jsdValues don't participate in garbage collection, resulting in crashes when they use their garbage collected strings [@ js_DeflateString]
Categories
(Other Applications Graveyard :: Venkman JS Debugger, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: timeless, Assigned: timeless)
Details
(Keywords: crash)
Crash Data
vendor build (1741) based on 1.8 branch
#
00 js3250!js_DeflateString(struct JSContext * cx = <Memory access error>, unsigned short * chars = <Memory access error>, unsigned int length = <Memory access error>)+0x33 (FPO: [3,0,0]) (CONV: cdecl)
01 js3250!js_GetStringBytes(struct JSString * str = <Memory access error>)+0xaa (FPO: [Uses EBP] [1,2,0]) (CONV: cdecl)
02 js3250!JS_GetStringBytes(struct JSString * str = 0x00ab4af8)+0x9 (FPO: [1,0,0]) (CONV: cdecl)
03 jsd3250!jsdValue::GetStringValue(char ** _rval = 0x148ba948)+0x29 (FPO: [2,0,0]) (CONV: stdcall)
04 xpcom_core!XPTC_InvokeByIndex(class nsISupports * that = 0x148ba948, unsigned int methodIndex = 0x14, unsigned int paramCount = 1, struct nsXPTCVariant * params = 0x0012dc44)+0x27 (CONV: cdecl)
05 xpc3250!XPCWrappedNative::CallMethod(class XPCCallContext * ccx = 0x0012dde8, XPCWrappedNative::CallMode mode = CALL_GETTER (1))+0x6c4 (FPO: [Non-Fpo]) (CONV: cdecl)
06 xpc3250!XPC_WN_GetterSetter(struct JSContext * cx = 0x00a9e5f0, struct JSObject * obj = 0x0b259fe8, unsigned int argc = 0, long * argv = 0x0aa91578, long * vp = 0x0012dea8)+0xce (FPO: [Non-Fpo]) (CONV: cdecl)
07 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 0, unsigned int flags = 2)+0x556 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl)
08 js3250!js_InternalInvoke(struct JSContext * cx = 0x148cc8e4, struct JSObject * obj = 0x0b259fe8, long fval = 0xb259ff8, unsigned int flags = 0, unsigned int argc = 0, long * argv = 0x00000000, long * rval = 0x0012e17c)+0x89 (FPO: [Non-Fpo]) (CONV: cdecl)
09 js3250!js_InternalGetOrSet(struct JSContext * cx = 0x00a9e5f0, struct JSObject * obj = 0x0b259fe8, long id = 0xa97e390, long fval = 0xb259ff8, JSAccessMode mode = JSACC_READ (4), unsigned int argc = 0, long * argv = 0x00000000, long * rval = 0x0012e17c)+0xd0 (FPO: [Non-Fpo]) (CONV: cdecl)
0a js3250!js_GetProperty(struct JSContext * cx = 0x00a9e5f0, struct JSObject * obj = 0x0b259fe8, long id = 0xa97e390, long * vp = 0x0012e17c)+0x251 (FPO: [Non-Fpo]) (CONV: cdecl)
0b js3250!js_Interpret(struct JSContext * cx = 0x00a9e5f0, unsigned char * pc = 0x0a9b6706 "5", long * result = 0x0012e228)+0x7bf4 (FPO: [Uses EBP] [3,85,0]) (CONV: cdecl)
0c js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 3, unsigned int flags = 2)+0x597 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl)
0d xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x03eb0cd0, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 0x0aae9208, struct nsXPTCMiniVariant * nativeParams = 0x0012e3d0)+0x6b1 (FPO: [Uses EBP] [5,82,0]) (CONV: stdcall)
0e xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0xcd0, class nsXPTMethodInfo * info = 0x00000003, struct nsXPTCMiniVariant * params = 0x0012e48c)+0x27 (FPO: [4,0,0]) (CONV: stdcall)
0f xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x0aeb0cd0, unsigned int methodIndex = 3, unsigned int * args = 0x0012e48c, unsigned int * stackBytesToPop = 0x0012e47c)+0xee (FPO: [Non-Fpo]) (CONV: stdcall)
10 xpcom_core!SharedStub(void)+0x16 (CONV: cdecl)
11 jsd3250!jsds_ExecutionHookProc(struct JSDContext * jsdc = 0x00a2f7e0, struct JSDThreadState * jsdthreadstate = 0x14896a98, unsigned int type = 1, void * callerdata = 0x00000001, long * rval = 0x0012e6b0)+0x182 (FPO: [Non-Fpo]) (CONV: cdecl)
12 jsd3250!jsd_CallExecutionHook(struct JSDContext * jsdc = 0x00a2f7e0, struct JSContext * cx = 0x00a9e5f0, unsigned int type = 1, <function> * hook = 0x00e17eb1, void * hookData = 0x00000001, long * rval = 0x0012e6b0)+0x56 (FPO: [Non-Fpo]) (CONV: cdecl)
13 jsd3250!jsd_TrapHandler(struct JSContext * cx = 0x00a9e5f0, struct JSScript * script = 0x02373580, unsigned char * pc = 0x02373a1f "SC6", long * rval = 0x0012e6b0, void * closure = 0x13d7cb29)+0x6c (FPO: [Non-Fpo]) (CONV: cdecl)
14 js3250!JS_HandleTrap(struct JSContext * cx = 0x00a9e5f0, struct JSScript * script = 0x02373580, unsigned char * pc = 0x02373a1f "SC6", long * rval = 0x0012e6b0)+0x31 (FPO: [Non-Fpo]) (CONV: cdecl)
15 js3250!js_Interpret(struct JSContext * cx = 0x00a9e5f0, unsigned char * pc = 0x02373a1f "SC6", long * result = 0x0012e75c)+0x1f6 (FPO: [Uses EBP] [3,85,0]) (CONV: cdecl)
16 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 1, unsigned int flags = 1)+0x597 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl)
17 js3250!js_Interpret(struct JSContext * cx = 0x00a9e5f0, unsigned char * pc = 0x022fe93f "#", long * result = 0x0012e97c)+0x6ede (FPO: [Uses EBP] [3,85,0]) (CONV: cdecl)
18 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 1, unsigned int flags = 1)+0x597 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl)
19 js3250!js_Interpret(struct JSContext * cx = 0x00a9e5f0, unsigned char * pc = 0x022d70b1 "#", long * result = 0x0012eb9c)+0x6ede (FPO: [Uses EBP] [3,85,0]) (CONV: cdecl)
1a js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 3, unsigned int flags = 2)+0x597 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl)
1b xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x039e9248, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 0x00a3d5a8, struct nsXPTCMiniVariant * nativeParams = 0x0012ed44)+0x6b1 (FPO: [Uses EBP] [5,82,0]) (CONV: stdcall)
1c xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0x9248, class nsXPTMethodInfo * info = 0x00000003, struct nsXPTCMiniVariant * params = 0x0012ee00)+0x27 (FPO: [4,0,0]) (CONV: stdcall)
1d xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x139e9248, unsigned int methodIndex = 3, unsigned int * args = 0x0012ee00, unsigned int * stackBytesToPop = 0x0012edf0)+0xee (FPO: [Non-Fpo]) (CONV: stdcall)
1e xpcom_core!SharedStub(void)+0x16 (CONV: cdecl)
1f xpcom_core!XPTC_InvokeByIndex(class nsISupports * that = 0x139e9248, unsigned int methodIndex = 3, unsigned int paramCount = 3, struct nsXPTCVariant * params = 0x0012ee3c)+0x27 (CONV: cdecl)
20 xpc3250!XPCWrappedNative::CallMethod(class XPCCallContext * ccx = 0x0012efe0, XPCWrappedNative::CallMode mode = CALL_METHOD (0))+0x6c4 (FPO: [Non-Fpo]) (CONV: cdecl)
21 xpc3250!XPC_WN_CallMethod(struct JSContext * cx = 0x00a9e5f0, struct JSObject * obj = 0x0bda2598, unsigned int argc = 3, long * argv = 0x01fb7bf0, long * vp = 0x0012f0a0)+0x8e (FPO: [Non-Fpo]) (CONV: cdecl)
22 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 3, unsigned int flags = 0)+0x556 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl)
23 js3250!js_Interpret(struct JSContext * cx = 0x00a9e5f0, unsigned char * pc = 0x01c2b9a8 ":", long * result = 0x0012f328)+0x4fb5 (FPO: [Uses EBP] [3,85,0]) (CONV: cdecl)
24 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 3, unsigned int flags = 2)+0x597 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl)
25 xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x036190c8, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 0x00a3d5a8, struct nsXPTCMiniVariant * nativeParams = 0x0012f4d0)+0x6b1 (FPO: [Uses EBP] [5,82,0]) (CONV: stdcall)
26 xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0x90c8, class nsXPTMethodInfo * info = 0x00000003, struct nsXPTCMiniVariant * params = 0x0012f58c)+0x27 (FPO: [4,0,0]) (CONV: stdcall)
27 xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x016190c8, unsigned int methodIndex = 3, unsigned int * args = 0x0012f58c, unsigned int * stackBytesToPop = 0x0012f57c)+0xee (FPO: [Non-Fpo]) (CONV: stdcall)
28 xpcom_core!SharedStub(void)+0x16 (CONV: cdecl)
29 xpcom_core!nsObserverService::NotifyObservers(class nsISupports * aSubject = 0x133f6a9c, char * aTopic = 0x00ba6770 "http-on-modify-request", unsigned short * someData = 0x00000000 "")+0xbf (FPO: [Non-Fpo]) (CONV: stdcall)
frame 05
0:000> dv
callee = 0x148ba948
frame 03
0:000> dt -b jsdValue 0x148ba948
+0x000 __VFN_table : 0x00e19828
+0x004 mRefCnt :
+0x000 mValue : 2
+0x008 mValid : 1
+0x00c mLiveListEntry : LiveEphemeral
+0x000 links : PRCListStr
+0x000 next : 0x0a8d3ba4
+0x004 prev : 0x148b96c4
+0x008 value : 0x148ba948
+0x00c key : (null)
+0x01c mCx : 0x00a2f7e0
+0x020 mValue : 0x1497cda8
0:000> dt -b JSDValue 0x1497cda8
+0x000 val : 0x14f59cf4
+0x004 nref : 1
+0x008 props : JSCListStr
+0x000 next : 0x1497cdb0
+0x004 prev : 0x1497cdb0
+0x010 string : 0x14f59cf0
+0x014 funName : (null)
+0x018 className : (null)
+0x01c proto : (null)
+0x020 parent : (null)
+0x024 ctor : (null)
+0x028 flags : 0
0:000> dt -b JSString 0x14f59cf0
+0x000 length : 0x14f59cf8
+0x004 chars : 0x14f59136 "†"
0:000> dt -b int 0x14f59136
0x2020
Comment 1•18 years ago
timeless, any info on how this would be fixable? If this is something general users are likely to encounter and it's reasonably easy to fix, WeirdAl and I can look at it in the 1.9 timeframe. For now, with my completely-unable-to-oversee-what's-going-on intuition, I'd say this is future as it seems it requires API changes which seem non-trivial to me.
Comment 2•18 years ago
Basically you have to use JS_AddRoot or something for the jsval referenced by jsdValues. There are 3 or 4 different rooting stories, I can't remember which ones are public/recommended.
JS_AddNamedRoot seems to be available, so until igor or someone says to use something else, I think that (and its pair JS_RemoveRoot).
I think the only big concern is that you don't want to have jsd rooting the entire js world. Perhaps there's some way to be notified when an object dies, dunno, ask igor :).
Comment 3•18 years ago
(In reply to comment #2)
> Basically you have to use JS_AddRoot or something for the jsval referenced by
> jsdValues.
One has to be careful with explicit rooting as it is easy to add cycles and leaks. I suspect that the proper solution is to make jsdValue participate in the cycle collection in the same way as xpconnect types holding JS objects do.
Comment 4•18 years ago
yeah, that seemed more likely. Helpwanted :). I suppose technically it's always been possible, but I've certainly never had the time.
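As an added illustration of the rooting discussion in comments 2 and 3 (this is not code from the bug, from Venkman or from SpiderMonkey), the following C program models a tiny mark-and-sweep heap with an explicit root table in the style of JS_AddNamedRoot/JS_RemoveRoot. Every name in it (ToyString, DebuggerValue, toy_gc, toy_add_named_root and so on) is invented for the model. A holder that keeps a raw pointer to a collected string without registering a root, as jsdValue does in the report, reads freed memory after a collection; a holder that roots its slot survives the collection, and removing the root on teardown lets the string be collected afterwards, which is the leak concern comment 3 raises.

```c
/* Added model of explicit GC rooting; not SpiderMonkey or Venkman code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRINGS 16
#define MAX_ROOTS   16

/* A GC-managed string. After a sweep its chars are released and live drops
 * to 0; reading bytes from it then stands in for the js_DeflateString crash. */
typedef struct ToyString {
    char  *chars;
    size_t length;
    int    marked;
    int    live;
} ToyString;

static ToyString *heap[MAX_STRINGS];   /* every string ever allocated */
static int        heap_count;

/* Root table standing in for JS_AddNamedRoot/JS_RemoveRoot: a root is the
 * address of a slot, so the collector re-reads the slot at mark time. */
typedef struct { ToyString **slot; const char *name; } Root;
static Root roots[MAX_ROOTS];
static int  root_count;

ToyString *toy_new_string(const char *text) {
    if (heap_count >= MAX_STRINGS) return NULL;
    ToyString *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->length = strlen(text);
    s->chars  = malloc(s->length + 1);
    if (!s->chars) { free(s); return NULL; }
    memcpy(s->chars, text, s->length + 1);
    s->live = 1;
    heap[heap_count++] = s;
    return s;
}

int toy_add_named_root(ToyString **slot, const char *name) {
    if (root_count >= MAX_ROOTS) return 0;
    roots[root_count].slot = slot;
    roots[root_count].name = name;
    root_count++;
    return 1;
}

int toy_remove_root(ToyString **slot) {
    for (int i = 0; i < root_count; i++)
        if (roots[i].slot == slot) { roots[i] = roots[--root_count]; return 1; }
    return 0;
}

/* Mark everything reachable from the root table, then sweep the rest.
 * Returns the number of strings freed by this collection. */
int toy_gc(void) {
    int swept = 0;
    for (int i = 0; i < heap_count; i++) heap[i]->marked = 0;
    for (int i = 0; i < root_count; i++)
        if (*roots[i].slot) (*roots[i].slot)->marked = 1;
    for (int i = 0; i < heap_count; i++) {
        ToyString *s = heap[i];
        if (s->live && !s->marked) { free(s->chars); s->chars = NULL; s->live = 0; swept++; }
    }
    return swept;
}

/* The model's JS_GetStringBytes: NULL where the real one would crash. */
const char *toy_get_string_bytes(const ToyString *s) {
    return (s && s->live) ? s->chars : NULL;
}

/* A holder like the jsdValue/JSDValue pair in the report: a raw pointer to a
 * GC-managed string. With root_it == 0 the collector never learns about it. */
typedef struct { ToyString *string; int rooted; } DebuggerValue;

void debugger_value_init(DebuggerValue *dv, ToyString *s, int root_it) {
    dv->string = s;
    dv->rooted = root_it && toy_add_named_root(&dv->string, "DebuggerValue::string");
}

void debugger_value_destroy(DebuggerValue *dv) {
    if (dv->rooted) toy_remove_root(&dv->string);   /* the JS_RemoveRoot half */
    dv->string = NULL;
}

void toy_heap_reset(void) {
    for (int i = 0; i < heap_count; i++) { free(heap[i]->chars); free(heap[i]); }
    heap_count = root_count = 0;
}

/* Scenario: the debugger grabs a value, a GC runs, then it asks for the bytes.
 * Returns 1 if the read succeeds, 0 if it would have been a use-after-free,
 * and -1 if the string is still alive after the holder released it (a leak). */
int debugger_read_after_gc(int root_it) {
    toy_heap_reset();
    DebuggerValue dv;
    debugger_value_init(&dv, toy_new_string("  constructed sample"), root_it);
    toy_gc();
    int ok = toy_get_string_bytes(dv.string) != NULL;
    debugger_value_destroy(&dv);
    if (ok && toy_gc() != 1) ok = -1;
    toy_heap_reset();
    return ok;
}

int main(void) {
    printf("unrooted holder: %d\nrooted holder: %d\n",
           debugger_read_after_gc(0), debugger_read_after_gc(1));
    return 0;
}
```

The model makes the two halves of the fix visible: without the add-root call the first collection frees the string out from under the holder, which is the shape of the crash in the dump above (the JSString's length field already holds a pointer, a sign the block was recycled); without the remove-root call on teardown the value would never be collected, which is the leak side that comment 3 warns about and that a cycle-collection based design avoids by letting the collector see the reference instead of pinning it.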
Comment 5•18 years ago
(In reply to comment #3)
> (In reply to comment #2)
> > Basically you have to use JS_AddRoot or something for the jsval referenced by
> > jsdValues.
>
> One has to be careful with explicit rooting as it easy to add cycles and leaks.
> I suspect that the proper solution is to make jsdValue to participate in the
> cycle collection in the same way as xpconnect types holding JS objects do.
>
OK, any idea on who might be able to make that happen? Because it's most certainly a few miles above my head (and while I might be able to change that given a large amount of time, I don't have that amount of time, so...)
Updated•14 years ago
Crash Signature: [@ js_DeflateString]
Comment 6•7 years ago
Closing because no crash has been reported in 12 weeks.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Updated•7 years ago
Product: Other Applications → Other Applications Graveyard