crash [@ js_IsArrayLike]

Status: RESOLVED WORKSFORME
Priority: --
Severity: critical
Reported: 12 years ago
Modified: 8 years ago

People: Reporter: f.braem; Assigned: f.braem

Tracking: Keywords: crash; Version: Trunk; Platform: x86, Windows XP; Points: ---
Firefox Tracking Flags: Not tracked
Whiteboard: [needs retesting with franky's code that uses spidermonkey]
Crash Signature: [@ js_IsArrayLike]
Attachments: 1 attachment

(Assignee)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

js_IsArrayLike crashes on C++ classes that are ported to JavaScript with SpiderMonkey.

Reproducible: Always

The JavaScript code used is the for each loop:
// JavaScript Document
var htmlTextFile = new wxTextFile("c:\\development\\wxjs\\wxJS2\\docs\\io\\classes\\constant.html");
htmlTextFile.open();
for each(var line in htmlTextFile.lines)
{
  wxJS.print(line.content);
}

Are there changes in how to implement enumeration in porting C++ classes?

The C++ code can be found here:

http://svn.sourceforge.net/viewvc/wxjs/trunk/wxJS2/src/io/textline.cpp?revision=174&view=markup

The call stack:

>	js32mtd.dll!js_IsArrayLike(JSContext * cx=0x00ca0318, JSObject * obj=0x0012fa70, int * answerp=0x0012f1e4, unsigned long * lengthp=0x0012f1e0)  Line 366 + 0xa bytes	C
 	js32mtd.dll!CheckKeyValueReturn(JSContext * cx=0x00ca0318, unsigned int flags=3, long * idp=0x0012f618, long * rval=0x0012f6b8)  Line 202 + 0x15 bytes	C
 	js32mtd.dll!js_CallIteratorNext(JSContext * cx=0x00ca0318, JSObject * iterobj=0x00cdcf28, unsigned int flags=3, long * idp=0x0012f618, long * rval=0x0012f6b8)  Line 524 + 0x31 bytes	C
 	js32mtd.dll!js_Interpret(JSContext * cx=0x00ca0318, unsigned char * pc=0x00cf0983, long * result=0x0012f7d0)  Line 2721 + 0x2b bytes	C
 	js32mtd.dll!js_Execute(JSContext * cx=0x00ca0318, JSObject * chain=0x00cdcb88, JSScript * script=0x00cf0928, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012fb88)  Line 1599 + 0x13 bytes	C
 	js32mtd.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, JSPrincipals * principals=0x00000000, const unsigned short * chars=0x00cf06cc, unsigned int length=218, const char * filename=0x00cef300, unsigned int lineno=1, long * rval=0x0012fb88)  Line 4363 + 0x19 bytes	C
 	js32mtd.dll!JS_EvaluateUCScript(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, const unsigned short * chars=0x00cf06cc, unsigned int length=218, const char * filename=0x00cef300, unsigned int lineno=1, long * rval=0x0012fb88)  Line 4341 + 0x23 bytes	C
 	wxjs.exe!Engine::DoRun(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, Script * script=0x00cef258, long * rval=0x0012fb88)  Line 272 + 0x31 bytes	C++
 	wxjs.exe!Engine::RunScript(const wxString & scriptFile={...}, const wxMBConv & conv={...}, JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88)  Line 255	C++
 	wxjs.exe!wxJSApp::OnRun()  Line 166 + 0x50 bytes	C++
 	wxjs.exe!wxEntryReal(int & argc=4, wchar_t * * argv=0x003fac70)  Line 440 + 0x1d bytes	C++
 	wxjs.exe!wxEntry(int & argc=4, wchar_t * * argv=0x003fac70)  Line 208 + 0xd bytes	C++
 	wxjs.exe!wxEntry(int & argc=4, char * * argv=0x003f8480)  Line 452 + 0xf bytes	C++
 	wxjs.exe!main(int argc=4, char * * argv=0x003f8480)  Line 36 + 0x2b bytes	C++
 	wxjs.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	wxjs.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!RegisterWaitForInputIdle()  + 0x49 bytes	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
Comment 1

What line is that crash on?  If it's on this one:

    clasp = OBJ_GET_CLASS(cx, obj);

then obj must be corrupted, or recycled.  You'll need to debug more.

/be

Updated

12 years ago
Severity: normal → critical
Keywords: crash
Summary: js_IsArrayLike crashes → crash [@ js_IsArrayLike]
Comment 2

A minimal testcase that shows the problem in the js shell (with extensions to add a native class, if you need to do that) would be ideal.  Short of that, a wxJS debuggable test program would help.  Assigning to you since this bug is not "fixable" by anyone else until one of those two test programs shows up.

/be
Assignee: general → f.braem
(Assignee)

Comment 3

12 years ago
(In reply to comment #2)

I'll try to write an example that isolates the problem.
(Sorry for the late answer, but I was on a holiday for 5 days).

Franky.
(Assignee)

Comment 4

12 years ago
Created attachment 234966 [details]
This is a small test program which enumerates an object
(Assignee)

Comment 5

12 years ago
(In reply to comment #1)
> What line is that crash on?  If it's on this one:
> 
>     clasp = OBJ_GET_CLASS(cx, obj);
> 
> then obj must be corrupted, or recycled.  You'll need to debug more.
> 
> /be
> 

This is indeed the line where the crash occurs. I can't get the test program (see attachment) to crash. The enumeration goes fine.

Back to wxJS: The enumeration also goes fine, but js_isArrayLike is called after these statements are executed:

	case JSENUMERATE_DESTROY:
		*statep = JSVAL_NULL;
		break;

js_isArrayLike doesn't get called in the test program?
When is this function actually called?

Comment 6

(In reply to comment #5)
> (In reply to comment #1)
> > What line is that crash on?  If it's on this one:
> > 
> >     clasp = OBJ_GET_CLASS(cx, obj);
> > 
> > then obj must be corrupted, or recycled.  You'll need to debug more.
> > 
> > /be
> > 
> 
> This is indeed the line where the crash occurs. I can't get the test program
> (see attachment) to crash. The enumeration goes fine.
> 
> Back to wxJS: The enumeration also goes fine, but js_isArrayLike is called
> after these statements are executed:
> 
>         case JSENUMERATE_DESTROY:
>                 *statep = JSVAL_NULL;
>                 break;

What is the full stack backtrace at this point, and then later when js_IsArrayLike is called?

/be

(Assignee)

Comment 7

12 years ago
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #1)
> > > What line is that crash on?  If it's on this one:
> > > 
> > >     clasp = OBJ_GET_CLASS(cx, obj);
> > > 
> > > then obj must be corrupted, or recycled.  You'll need to debug more.
> > > 
> > > /be
> > > 
> > 
> > This is indeed the line where the crash occurs. I can't get the test program
> > (see attachment) to crash. The enumeration goes fine.
> > 
> > Back to wxJS: The enumeration also goes fine, but js_isArrayLike is called
> > after these statements are executed:
> > 
> >         case JSENUMERATE_DESTROY:
> >                 *statep = JSVAL_NULL;
> >                 break;
> 
> What is the full stack backtrace at this point, and then later when
> js_IsArrayLike is called?
> 
> /be
> 

The stacktrace when the above is called:

>	wxJS_io.dll!wxJSTextLine::Enumerate(wxJS_Index * p=0x00cf03f8, JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcbd8, JSIterateOp enum_op=JSENUMERATE_NEXT, long * statep=0x0012f1e4, long * idp=0x0012f1d0)  Line 165	C++
 	wxJS_io.dll!wxJS_ApiWrapper<wxJSTextLine,wxJS_Index>::JSEnumerate(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcbd8, JSIterateOp enum_op=JSENUMERATE_NEXT, long * statep=0x0012f1e4, long * idp=0x0012f1d0)  Line 396 + 0x1d bytes	C++
 	js32mtd.dll!js_Enumerate(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcbd8, JSIterateOp enum_op=JSENUMERATE_NEXT, long * statep=0x0012f1e4, long * idp=0x0012f1d0)  Line 3912 + 0x17 bytes	C
 	js32mtd.dll!iterator_next(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcbe0, unsigned int argc=0, long * argv=0x00000000, long * rval=0x0012f6b8)  Line 247 + 0x5a bytes	C
 	js32mtd.dll!js_CallIteratorNext(JSContext * cx=0x00ca0318, JSObject * iterobj=0x00cdcbe0, unsigned int flags=3, long * idp=0x0012f618, long * rval=0x0012f6b8)  Line 485 + 0x15 bytes	C
 	js32mtd.dll!js_Interpret(JSContext * cx=0x00ca0318, unsigned char * pc=0x00cf0a39, long * result=0x0012f7d0)  Line 2721 + 0x2b bytes	C
 	js32mtd.dll!js_Execute(JSContext * cx=0x00ca0318, JSObject * chain=0x00cdcb88, JSScript * script=0x00cf09d0, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012fb88)  Line 1599 + 0x13 bytes	C
 	js32mtd.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, JSPrincipals * principals=0x00000000, const unsigned short * chars=0x00cf070c, unsigned int length=239, const char * filename=0x00cef300, unsigned int lineno=1, long * rval=0x0012fb88)  Line 4363 + 0x19 bytes	C
 	js32mtd.dll!JS_EvaluateUCScript(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, const unsigned short * chars=0x00cf070c, unsigned int length=239, const char * filename=0x00cef300, unsigned int lineno=1, long * rval=0x0012fb88)  Line 4341 + 0x23 bytes	C
 	wxjs.exe!Engine::DoRun(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, Script * script=0x00cef258, long * rval=0x0012fb88)  Line 272 + 0x31 bytes	C++
 	wxjs.exe!Engine::RunScript(const wxString & scriptFile={...}, const wxMBConv & conv={...}, JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88)  Line 255	C++
 	wxjs.exe!wxJSApp::OnRun()  Line 166 + 0x50 bytes	C++
 	wxjs.exe!wxEntryReal(int & argc=4, wchar_t * * argv=0x003fac70)  Line 440 + 0x1d bytes	C++
 	wxjs.exe!wxEntry(int & argc=4, wchar_t * * argv=0x003fac70)  Line 208 + 0xd bytes	C++
 	wxjs.exe!wxEntry(int & argc=4, char * * argv=0x003f8480)  Line 452 + 0xf bytes	C++
 	wxjs.exe!main(int argc=4, char * * argv=0x003f8480)  Line 36 + 0x2b bytes	C++
 	wxjs.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	wxjs.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!RegisterWaitForInputIdle()  + 0x49 bytes	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	


The stacktrace when the crash in js_IsArrayLike occurs:

 	js32mtd.dll!CheckKeyValueReturn(JSContext * cx=0x00ca0318, unsigned int flags=3, long * idp=0x0012f618, long * rval=0x0012f6b8)  Line 202 + 0x15 bytes	C
 	js32mtd.dll!js_CallIteratorNext(JSContext * cx=0x00ca0318, JSObject * iterobj=0x00cdcee8, unsigned int flags=3, long * idp=0x0012f618, long * rval=0x0012f6b8)  Line 524 + 0x31 bytes	C
 	js32mtd.dll!js_Interpret(JSContext * cx=0x00ca0318, unsigned char * pc=0x00cf0a39, long * result=0x0012f7d0)  Line 2721 + 0x2b bytes	C
 	js32mtd.dll!js_Execute(JSContext * cx=0x00ca0318, JSObject * chain=0x00cdcb88, JSScript * script=0x00cf09d0, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012fb88)  Line 1599 + 0x13 bytes	C
 	js32mtd.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, JSPrincipals * principals=0x00000000, const unsigned short * chars=0x00cf070c, unsigned int length=239, const char * filename=0x00cef300, unsigned int lineno=1, long * rval=0x0012fb88)  Line 4363 + 0x19 bytes	C
 	js32mtd.dll!JS_EvaluateUCScript(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, const unsigned short * chars=0x00cf070c, unsigned int length=239, const char * filename=0x00cef300, unsigned int lineno=1, long * rval=0x0012fb88)  Line 4341 + 0x23 bytes	C
 	wxjs.exe!Engine::DoRun(JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88, Script * script=0x00cef258, long * rval=0x0012fb88)  Line 272 + 0x31 bytes	C++
 	wxjs.exe!Engine::RunScript(const wxString & scriptFile={...}, const wxMBConv & conv={...}, JSContext * cx=0x00ca0318, JSObject * obj=0x00cdcb88)  Line 255	C++
 	wxjs.exe!wxJSApp::OnRun()  Line 166 + 0x50 bytes	C++
 	wxjs.exe!wxEntryReal(int & argc=4, wchar_t * * argv=0x003fac70)  Line 440 + 0x1d bytes	C++
 	wxjs.exe!wxEntry(int & argc=4, wchar_t * * argv=0x003fac70)  Line 208 + 0xd bytes	C++
 	wxjs.exe!wxEntry(int & argc=4, char * * argv=0x003f8480)  Line 452 + 0xf bytes	C++
 	wxjs.exe!main(int argc=4, char * * argv=0x003f8480)  Line 36 + 0x2b bytes	C++
 	wxjs.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	wxjs.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!RegisterWaitForInputIdle()  + 0x49 bytes	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	
(Assignee)

Comment 8

12 years ago
After some debugging I find the following:

The enumeration on the object works. When the iteration is done, a new iterator is created for the prototype object (I think, reading the comments: 

                /*
                 * Clear JSITER_FOREACH now that we are up the prototype chain
                 * from the original object.  We can't expect to get the same
                 * value from a prototype as we would if we started the get at
                 * the original object, so we must do our own getting, further
                 * below when testing 'if (flags & JSITER_FOREACH)'.
                 */

). When the next iterator is asked, the crash occurs.

I hope this shines a new light on this crash.
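The enumerate-hook lifecycle that comments 5 and 8 circle around (INIT, a run of NEXT calls, DESTROY, and then a fresh INIT when the engine moves on to the prototype) is easy to get wrong in a way that leaves a dangling pointer in the state slot, which is one route to the "obj must be corrupted, or recycled" symptom Brendan describes. The following is an added, stand-alone C model of that protocol; it is not wxJS or SpiderMonkey code and does not link against either. The type and function names (iterate_op, text_file, enum_state, textfile_enumerate, run_enumeration) and the three-line sample input are this example's own. It shows per-enumeration state being allocated at INIT and released and nulled at DESTROY, two back-to-back enumerations each getting fresh state, and a stray NEXT after DESTROY being refused instead of dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the three-phase enumerate protocol (added example; names are
 * this example's own, not the JSAPI's). */
typedef enum { ITER_INIT, ITER_NEXT, ITER_DESTROY } iterate_op;

/* The host object being enumerated: a text file exposed as a list of lines. */
typedef struct {
    const char **lines;
    size_t count;
} text_file;

/* Per-enumeration state: allocated at INIT, freed at DESTROY. */
typedef struct {
    size_t cursor;
    size_t count;
} enum_state;

/* Enumerate hook. *statep is the opaque slot handed back on every call;
 * *idp receives the next index, or -1 once the enumeration is exhausted.
 * Returns 1 on success, 0 on failure. */
static int textfile_enumerate(const text_file *obj, iterate_op op,
                              void **statep, long *idp)
{
    enum_state *st;

    switch (op) {
    case ITER_INIT:
        st = calloc(1, sizeof *st);
        if (st == NULL)
            return 0;
        st->count = obj->count;      /* snapshot the length once, at INIT */
        *statep = st;
        if (idp != NULL)
            *idp = (long)obj->count; /* hint: how many ids to expect */
        return 1;

    case ITER_NEXT:
        st = *statep;
        if (st == NULL)              /* NEXT after DESTROY: refuse, never deref freed state */
            return 0;
        if (st->cursor < st->count)
            *idp = (long)st->cursor++;
        else
            *idp = -1;               /* exhausted; the driver must now send DESTROY */
        return 1;

    case ITER_DESTROY:
        free(*statep);
        *statep = NULL;              /* clear the slot so nothing can reuse it */
        return 1;
    }
    return 0;
}

/* Engine-side driver: one full INIT / NEXT... / DESTROY cycle.
 * Returns the number of ids produced, or -1 if the hook failed. */
static long run_enumeration(const text_file *obj)
{
    void *state = NULL;
    long id = 0, produced = 0;

    if (!textfile_enumerate(obj, ITER_INIT, &state, &id))
        return -1;
    for (;;) {
        if (!textfile_enumerate(obj, ITER_NEXT, &state, &id)) {
            textfile_enumerate(obj, ITER_DESTROY, &state, NULL);
            return -1;
        }
        if (id < 0)
            break;
        produced++;
    }
    textfile_enumerate(obj, ITER_DESTROY, &state, NULL);
    return produced;
}

static const char *SAMPLE_LINES[] = { "alpha", "beta", "gamma" }; /* constructed input */

/* Enumerate the sample object once: yields 3 ids. */
static long sample_enumeration(void)
{
    text_file obj = { SAMPLE_LINES, 3 };
    return run_enumeration(&obj);
}

/* The situation in comment 8: after the object's enumeration is torn down,
 * a fresh enumeration starts for the prototype. Each cycle owns its own
 * state, so the second never sees the first's freed block. Returns total ids. */
static long sample_object_then_proto(void)
{
    text_file obj   = { SAMPLE_LINES, 3 };
    text_file proto = { SAMPLE_LINES, 2 }; /* pretend the prototype exposes two lines */
    long a = run_enumeration(&obj);
    long b = run_enumeration(&proto);
    return (a < 0 || b < 0) ? -1 : a + b;
}

/* The failure mode guarded against: a NEXT arriving after DESTROY.
 * Returns 1 if the hook refused it without touching freed memory. */
static int next_after_destroy_is_refused(void)
{
    text_file obj = { SAMPLE_LINES, 3 };
    void *state = NULL;
    long id = 0;

    textfile_enumerate(&obj, ITER_INIT, &state, &id);
    textfile_enumerate(&obj, ITER_DESTROY, &state, NULL);
    return textfile_enumerate(&obj, ITER_NEXT, &state, &id) == 0;
}

int main(void)
{
    printf("object: %ld ids, object+proto: %ld ids, NEXT after DESTROY refused: %d\n",
           sample_enumeration(), sample_object_then_proto(),
           next_after_destroy_is_refused());
    return 0;
}
```

The two details worth carrying over to a real hook are that the state slot is nulled at DESTROY and that NEXT checks it before dereferencing; with those in place, a driver that calls the hook one time too many gets a clean failure rather than a read through a freed pointer.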
Comment 9

Franky, are you still hitting this with a current version of spidermonkey?
Whiteboard: [needs retesting with franky's code that uses spidermonkey]
Comment 10

The last 3 functions on the original stack have been removed at some point.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID

Comment 11

8 years ago
evilpie: we generally avoid using invalid for "this bug was valid when filed but was made obsolete by later code changes".
Resolution: INVALID → WORKSFORME
Comment 12

timeless: sorry, this has been explained differently to me.
Crash Signature: [@ js_IsArrayLike]