Closed
Bug 348027
Opened 19 years ago
Closed 19 years ago
Crash in 1.8|trunk debug builds with invalid op [@ js_Interpret]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.8.1
People
(Reporter: bc, Assigned: brendan)
References
Details
(Keywords: crash, regression, verified1.8.1)
Crash Data
Attachments
(1 file)
|
776 bytes,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
cloned from bug 341821 Comment #61
<http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_7/iterable/regress-341821.js;language=type;text/javascript;version=1.7>
<http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_7/iterable/regress-340526-02.js;language=type;text/javascript;version=1.7>
<http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_7/iterable/regress-341499.js;language=type;text/javascript;version=1.7>
<http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_7/iterable/regress-341510.js;language=type;text/javascript;version=1.7>
<http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_7/iterable/regress-341815.js;language=type;text/javascript;version=1.7>
etc.
|
||
Updated•19 years ago
|
Severity: major → critical
Keywords: crash
Summary: Crash in 1.8 debug builds in js_Interpret with invalid op → Crash in 1.8 debug builds with invalid op [@ js_Interpret]
|
Assignee | |
Comment 1•19 years ago
|
||
Why is tracefp non-null? That's only #ifdef DEBUG and if you call tracing(1) in the shell, e.g. This bug can stand for tracing broken-ness, but why is tracing on in your test?
/be
|
Reporter | |
Comment 2•19 years ago
|
||
(In reply to comment #1)
I have no idea. Maybe something stomped on it.
|
|
Reporter | |
Comment 3•19 years ago
|
||
also occurs in trunk debug 20060809 windows xp browser and shell builds on js1_7/geniter/regress-347739.js
Flags: in-testsuite+
Flags: blocking1.8.1?
Version: 1.8 Branch → Trunk
|
||
Comment 4•19 years ago
|
||
Marking blocking, we'll get to as many of these as we can.
Flags: blocking1.8.1? → blocking1.8.1+
Target Milestone: --- → mozilla1.8.1
|
|
Reporter | |
Updated•19 years ago
|
Summary: Crash in 1.8 debug builds with invalid op [@ js_Interpret] → Crash in 1.8|trunk debug builds with invalid op [@ js_Interpret]
|
|
Reporter | |
Comment 5•19 years ago
|
||
on the first example: js1_7/iterable/regress-341821.js, I set breakpoints everywhere looking for when tracefp != cx->tracefp. It hit:
out:
=> if (!ok) {
/*
> js3250.dll!js_Interpret(JSContext * cx=0x051a11f8, unsigned char * pc=0x049d8d59, long * result=0x0012dd4c) Line 6176 C
js3250.dll!generator_send(JSContext * cx=0x051a11f8, JSObject * obj=0x0517e548, unsigned int argc=0, long * argv=0x051b6d50, long * rval=0x0012de38) Line 795 + 0x14 bytes C
js3250.dll!generator_close(JSContext * cx=0x051a11f8, JSObject * obj=0x0517e548, unsigned int argc=0, long * argv=0x051b6d50, long * rval=0x0012de38) Line 846 + 0x17 bytes C
js3250.dll!js_Invoke(JSContext * cx=0x051a11f8, unsigned int argc=0, unsigned int flags=2) Line 1350 + 0x20 bytes C
js3250.dll!js_InternalInvoke(JSContext * cx=0x051a11f8, JSObject * obj=0x0517e548, long fval=85452080, unsigned int flags=0, unsigned int argc=0, long * argv=0x00000000, long * rval=0x0012df8c) Line 1448 + 0x14 bytes C
js3250.dll!js_CloseGeneratorObject(JSContext * cx=0x051a11f8, JSGenerator * gen=0x049fc9f8) Line 623 + 0x1b bytes C
js3250.dll!js_RunCloseHooks(JSContext * cx=0x051a11f8) Line 1057 + 0xd bytes C
js3250.dll!JS_GC(JSContext * cx=0x051a11f8) Line 1945 + 0x9 bytes C
gklayout.dll!nsJSContext::Notify(nsITimer * timer=0x051b6cc8) Line 3047 + 0xd bytes C++
following along, it did:
/*
* Look for a try block in script that can catch this exception.
*/
SCRIPT_FIND_CATCH_START(script, pc, pc);
if (pc) {
/* Don't clear cx->throwing to save cx->exception from GC. */
len = 0;
ok = JS_TRUE;
=> DO_NEXT_OP(len);
}
}
which did:
advance_pc:
pc += len;
then fell into the DEBUG only code at:
#ifdef DEBUG
if (tracefp) {
intN ndefs, n;
jsval *siter;
ndefs = js_CodeSpec[op].ndefs;
The goto out I am hitting must be in one of the macros since I've set a breakpoint at every other goto out. If someone can tell me how to set a conditional breakpoint tied to this function and not to a line I would appreciate it.
It seems like one of the macros is doing goto out before tracefp is initialized. Changing the declaration to set tracefp to NULL prevents this debug only crash. What other initialization issues might be lurking?
|
|
Assignee | |
Comment 6•19 years ago
|
||
This is DEBUG only code that affects only Windows (no JS_THREADED_INTERP). It should go into the trunk and branch right away.
/be
|
||
Comment 7•19 years ago
|
||
Comment on attachment 234317 [details] [diff] [review]
d'oh, sorry bc
Argh. Does GCC's overwarning find this one?
Attachment #234317 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 8•19 years ago
|
||
(In reply to comment #7)
> (From update of attachment 234317 [details] [diff] [review] [edit])
> Argh. Does GCC's overwarning find this one?
No. Bob, did your Windows build warn?
Fixed on trunk and 1.8 branch.
/be
|
|
Reporter | |
Comment 9•19 years ago
|
||
(In reply to comment #8)
> Bob, did your Windows build warn?
Nope, but I should probably turn on warnings everywhere and keep track of them.
> Fixed on trunk and 1.8 branch.
Thanks!
|
|
Reporter | |
Comment 10•19 years ago
|
||
verified fixed 1.8, 1.9 20060818 windows
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
|
||
Updated•14 years ago
|
Crash Signature: [@ js_Interpret]
You need to log in
before you can comment on or make changes to this bug.
Description
•