Closed
Bug 357444
Opened 18 years ago
Closed 18 years ago
Crash under js_obj_toSource (session saver)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 356083
People
(Reporter: bzbarsky, Unassigned)
Details
BUILD: Current trunk debug build.
REPRODUCIBLE: Always
STEPS TO REPRODUCE:
1) Start a current trunk Firefox build
2) Wait a little bit, order of a minute (for the session saver timer to fire, I assume).
EXPECTED RESULTS: No crashes.
ACTUAL RESULTS: Crash.
STACK:
#0 0xb7f0de1d in js_GetProperty (cx=0x83a39a8, obj=0x8e3a450, id=137074788,
vp=0x8e6acc8) at ../../../mozilla/js/src/jsobj.c:3403
#1 0xb7f05d17 in js_obj_toSource (cx=0x83a39a8, obj=0x8e3a450, argc=0, argv=0x8e6acc0,
rval=0xbfff9ea8) at ../../../mozilla/js/src/jsobj.c:900
#2 0xb7edf692 in js_Invoke (cx=0x83a39a8, argc=0, flags=0)
at ../../../mozilla/js/src/jsinterp.c:1395
#3 0xb7eefca4 in js_Interpret (cx=0x83a39a8, pc=0x832588a ":", result=0xbfffa734)
at ../../../mozilla/js/src/jsinterp.c:3945
#4 0xb7edf717 in js_Invoke (cx=0x83a39a8, argc=3, flags=2)
at ../../../mozilla/js/src/jsinterp.c:1414
#5 0xb7902af6 in nsXPCWrappedJSClass::CallMethod (this=0x81ec6b8, wrapper=0x8307ec0,
methodIndex=3, info=0x816b3f8, nativeParams=0xbfffaad8)
at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1418
#6 0xb78fb17f in nsXPCWrappedJS::CallMethod (this=0x8307ec0, methodIndex=3,
info=0x816b3f8, params=0xbfffaad8)
at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:477
#7 0xb7e2c87e in PrepareAndDispatch (methodIndex=3, self=0x8307ec0, args=0xbfffab7c)
at ../../../../../../../mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_gcc_x86_unix.cpp:100
#8 0xb7e1bf70 in nsTimerImpl::Fire (this=0xb383f4a8)
at ../../../mozilla/xpcom/threads/nsTimerImpl.cpp:389
JS STACK:
(gdb) jsstack
0 [native frame]
1 sss_saveState(aUpdateAll = undefined) ["file:///home/bzbarsky/mozilla/vanilla/obj-firefox/dist/bin/components/nsSessionStore.js":1693]
oState = [object Object]
this = [object Object]
2 sss_observe(aSubject = [xpconnect wrapped nsITimer @ 0xb383f4e8 (native @ 0xb383f4a8)], aTopic = "timer-callback", aData = null) ["file:///home/bzbarsky/mozilla/vanilla/obj-firefox/dist/bin/components/nsSessionStore.js":343]
_this = [object Object]
win = undefined
ix = undefined
this = [object Object]
3 [native frame]
MORE INFORMATION:
(gdb) frame 0
#0 0xb7f0de1d in js_GetProperty (cx=0x83a39a8, obj=0x8e3a450, id=137074788,
vp=0x8e6acc8) at ../../../mozilla/js/src/jsobj.c:3403
3403 CHECK_FOR_STRING_INDEX(id);
(gdb) p id
$11 = 137074788
(gdb) p id & 0x3
$12 = 0
(gdb) p *(JSAtom*)id
$13 = {entry = {next = 0x82a4c88, keyHash = 136991008, key = 0x82ab8bc, value = 0xa},
flags = 136992192, number = 136992320}
(gdb) p ((jsval)((JSAtom*)id)->entry.key)
$14 = 137017532
(gdb) p ((jsval)((JSAtom*)id)->entry.key) & 7
$15 = 4
(gdb) p *(JSString*)((jsval)((JSAtom*)id)->entry.key)
$16 = {length = 0, chars = 0x0}
So we're inside CHECK_FOR_STRING_INDEX, we get our JSString*, we get its chars, then we do:
2757 JSBool negative_ = (*cp_ == '-');
Which crashes, since |cp| is null.
Now I suspect that a null |chars| in a JSString is just Wrong. But I have no idea how it got into this state.
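The faulting line reads through the JSString's chars pointer before anything has checked that the string is non-empty. As an added illustration (not SpiderMonkey's CHECK_FOR_STRING_INDEX and not code from this bug), here is a C string-index check over a hypothetical (length, chars) pair that treats a NULL or zero-length buffer as "not an index" instead of dereferencing it; the index rule it applies (canonical decimal form, no sign, no leading zero) is this example's own assumption, not the macro's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the JSString printed in the report. */
typedef struct {
    size_t length;
    const uint16_t *chars;  /* UTF-16 code units; NULL in the crashing state */
} str_t;

/* Guarded string-index check: true (and *index set) when the string is the
 * canonical decimal form of an integer in [0, 2^32-2]: digits only, no sign,
 * no leading zero except for "0" itself. NULL/empty chars is "not an index". */
bool string_is_array_index(const str_t *s, uint32_t *index)
{
    if (s == NULL || s->chars == NULL || s->length == 0)
        return false;       /* the guard the crashing line lacked */
    if (s->length > 10)     /* 4294967294 has ten digits */
        return false;
    if (s->chars[0] == '0' && s->length > 1)
        return false;       /* "01" is an ordinary property name */
    uint64_t value = 0;
    for (size_t i = 0; i < s->length; i++) {
        uint16_t c = s->chars[i];
        if (c < '0' || c > '9')
            return false;   /* rejects '-' and every other non-digit */
        value = value * 10 + (c - '0');
    }
    if (value > 4294967294ULL)
        return false;
    *index = (uint32_t)value;
    return true;
}

/* Test convenience: index of an ASCII literal, or -1 when it is not one. */
long long index_of_ascii(const char *ascii)
{
    uint16_t buf[16];
    size_t n = 0;
    while (ascii[n] != '\0' && n < 16) { buf[n] = (uint16_t)ascii[n]; n++; }
    str_t s = { n, buf };
    uint32_t index;
    return string_is_array_index(&s, &index) ? (long long)index : -1;
}

/* The exact shape seen in the debugger: length = 0, chars = NULL. */
bool null_chars_is_index(void)
{
    str_t s = { 0, NULL }; uint32_t index;
    return string_is_array_index(&s, &index);
}
```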
Comment 1•18 years ago (Reporter)
Er, this should be blocker, since I can't actually use the browser to like ... do anything. Like debugging other things, say.
Severity: critical → blocker
Comment 2•18 years ago (Reporter)
Looks like this is the issue that caused bug 356083 to get backed out.
*** This bug has been marked as a duplicate of 356083 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE