Assertion failure: pcdepth >= 0, at jsopcode.c:4737 - failure to handle JSOP_TRAP in js_DecompileValueGenerator

RESOLVED FIXED

Status

Core
JavaScript Engine
--
major
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: timeless, Assigned: timeless)

Tracking

({assertion, crash, fixed1.8.1.2})

Trunk
x86
Windows XP
assertion, crash, fixed1.8.1.2
Points:
---
Bug Flags:
blocking1.8.1.2 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 obsolete attachment)

(Assignee)

Description

10 years ago
DOMContentLoaded: [object XPCNativeWrapper [object HTMLDocument @ 0x7242870 (native @ 0x70836b8)]]view-source:file:///C:/Documen

Assertion failure: pcdepth >= 0, at c:/home/mozilla.org/mozilla/js/src/jsopcode.c:4737

js3250!js_DecompileValueGenerator(struct JSContext * cx = <Memory access error>, int spindex = <Memory access error>, long v = <Memory access error>, struct JSString * fallback = <Memory access error>)+0x4dd [c:\home\mozilla.org\mozilla\js\src\jsopcode.c @ 4737]
js3250!js_ValueToNonNullObject(struct JSContext * cx = 0x06ff37e8, long v = -2147483647)+0x31 [c:\home\mozilla.org\mozilla\js\src\jsobj.c @ 4468]
js3250!js_Interpret(struct JSContext * cx = 0x06ff37e8, unsigned char * pc = 0x012e1228 ";", long * result = 0x0012dc64)+0x7585 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 3717]
js3250!js_Invoke(struct JSContext * cx = 0x06ff37e8, unsigned int argc = 1, unsigned int flags = 2)+0x7a8 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1417]
xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x06ab2558, unsigned short methodIndex = 3, struct XPTMethodDescriptor * info = 0x019a5028, struct nsXPTCMiniVariant * nativeParams = 0x0012de94)+0x845 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1419]
xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0xbd48, struct XPTMethodDescriptor * info = 0x00000003, struct nsXPTCMiniVariant * params = 0x0012df54)+0x27 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 480]
xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x06efbd48, unsigned int methodIndex = 3, unsigned int * args = 0x0012df54, unsigned int * stackBytesToPop = 0x0012df44)+0x165 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 114]
xpcom_core!SharedStub(void)+0x16 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 142]
gklayout!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct * aListenerStruct = 0x1020fc2e, class nsIDOMEventListener * aListener = 0x00000000, class nsIDOMEvent * aDOMEvent = 0x1020fc25, class nsISupports * aCurrentTarget = 0xc3e4a7e6, unsigned int aPhaseFlags = 0xc)+0x14c [c:\home\mozilla.org\mozilla\content\events\src\nseventlistenermanager.cpp @ 1266]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0x12dffc
MSVCR80D!_nh_malloc_dbg(unsigned int nSize = 0x21a4d38, int nhFlag = 1237088, int nBlockUse = 113829688, char * szFileName = 0x071efe10 "???", int nLine = 117959776)+0x19 [f:\rtm\vctools\crt_bld\self_x86\crt\src\dbgheap.c @ 266]
0x199e0c8
xpcom_core!nsWeakReference::QueryReferent(struct nsID * aIID = 0x0287e068, void ** aInstancePtr = 0x00000004)+0x1a [c:\home\mozilla.org\mozilla\dbg-firefox-i686-pc-mingw32\xpcom\build\nsweakreference.cpp @ 151]
gklayout!nsMarkedJSFunctionHolder_base::Get(struct nsID * aIID = 0x00000004)+0x19 [c:\home\mozilla.org\mozilla\dom\src\base\nsjsutils.cpp @ 279]

I'm sorry. I don't have locals because JS_Assert tails to exit() so the compiler helpfully optimized away the stack locals and the debugger just isn't sure how to recover them.
(Assignee)

Comment 1

10 years ago
OK. The critical part about this (steps weren't included because, while I could trigger it while debugging, I wasn't thinking about what was going on):

I'm using Venkman (surprise), and I'm setting a breakpoint or stepping into a function.

Venkman and friends talk to jsd_xpc, which talks to jsd, which uses JS_SetTrap (our friend the crashy function).

JS_SetTrap munges JSScript objects by inserting JSOP_TRAP.
        op = (JSOp) *pc; /* JSOP_TRAP */
        cs = &js_CodeSpec[op]; /* "trap" */
        oplen = cs->length; /* WRONG LOOKUP */

        sn = js_GetSrcNote(script, pc); /* CODE ASSUMES op relates to SourceNote for pc, but it doesn't because JS_SetTrap is evil */
        ...
        nuses = cs->nuses; /* WRONG LOOKUP */
        pcdepth -= nuses; /* POISONED */
        JS_ASSERT(pcdepth >= 0); /* ASSERT LUCKY ROUND ONE */

        ndefs = cs->ndefs; /* POISONED - WRONG ANSWER */

This is almost certainly a duplicate, but that doesn't really matter.

The actual instruction was "this" (JSOP_THIS)

js3250!js_CodeSpec[js3250!JSOP_THIS].ndefs 1
js3250!js_CodeSpec[js3250!JSOP_TRAP].ndefs 0

When the code loops around the next time, it is now hopelessly confused and it takes the only action it knows, killing me.
Keywords: assertion, crash
Summary: Assertion failure: pcdepth >= 0, at c:/home/mozilla.org/mozilla/js/src/jsopcode.c:4737 → Assertion failure: pcdepth >= 0, at jsopcode.c:4737 - failure to handle JSOP_TRAP in js_DecompileValueGenerator
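An added illustration of the mechanism described in this comment (it is not SpiderMonkey code and not the attached patch): a trap overwrites the opcode byte in place, so any pass that models operand-stack depth from the opcode table must resolve the trap back to the original opcode before looking up nuses/ndefs/length. The opcode table, the script and the trap side table are constructed stand-ins for js_CodeSpec, the JSScript bytecode and JS_GetTrapOpcode.

```c
#include <stdio.h>

/* Toy opcode set; the names mirror the report's JSOP_THIS / JSOP_TRAP. */
enum { OP_THIS, OP_GETPROP, OP_POP, OP_TRAP, OP_COUNT };

/* Constructed table shaped like js_CodeSpec: length, nuses, ndefs. OP_TRAP is a placeholder (1, 0, 0). */
static const struct { int length, nuses, ndefs; } code_spec[OP_COUNT] = {
    [OP_THIS]    = {1, 0, 1},   /* pushes `this` */
    [OP_GETPROP] = {3, 1, 1},   /* pops obj, pushes obj.prop; 2-byte operand */
    [OP_POP]     = {1, 1, 0},
    [OP_TRAP]    = {1, 0, 0},
};

/* Constructed script for `this.prop;` -- THIS, GETPROP <idx>, POP */
static unsigned char script[] = { OP_THIS, OP_GETPROP, 0, 0, OP_POP };
static unsigned char saved_op[sizeof script];   /* side table, like JSTrap */
static int trapped[sizeof script];

/* Like JS_SetTrap: overwrite the opcode byte in place, remembering the original. */
static void set_trap(size_t pc) {
    saved_op[pc] = script[pc];
    trapped[pc] = 1;
    script[pc] = OP_TRAP;
}

/* Like JS_GetTrapOpcode: map a trap back to the opcode it replaced. */
static int get_trap_opcode(size_t pc) {
    return trapped[pc] ? saved_op[pc] : script[pc];
}

/* Model of the decompiler's pcdepth walk up to `target`. resolve == 0 reproduces the bug,
 * resolve != 0 is the fix. Returns the modeled depth, or -1 where JS_ASSERT(pcdepth >= 0) fires. */
static int stack_depth_at(size_t target, int resolve) {
    int depth = 0;
    size_t pc = 0;
    while (pc < target) {
        int op = script[pc];
        if (resolve && op == OP_TRAP)
            op = get_trap_opcode(pc);       /* the missing step */
        depth -= code_spec[op].nuses;       /* WRONG LOOKUP if op is still OP_TRAP */
        if (depth < 0)
            return -1;
        depth += code_spec[op].ndefs;
        pc += code_spec[op].length;         /* a trap's length also desyncs pc */
    }
    return depth;
}

int main(void) {
    set_trap(0);                            /* breakpoint on the `this` instruction */
    printf("buggy: %d, fixed: %d\n", stack_depth_at(4, 0), stack_depth_at(4, 1));
    return 0;
}
```

With the trap on the `this` instruction the buggy walk sees ndefs 0 instead of 1, so the very next pop drives the depth negative, which is exactly where the report's assertion fires.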
(Assignee)

Comment 2

10 years ago
Created attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander
Assignee: general → timeless
Status: UNCONFIRMED → ASSIGNED
Attachment #249099 - Flags: review?(brendan)
(Assignee)

Updated

10 years ago
Depends on: 346642
(Assignee)

Updated

10 years ago
Flags: blocking1.8.1.1?
(Assignee)

Updated

10 years ago
Flags: blocking1.8.1.1? → blocking1.8.1.2?

Comment 3

10 years ago
Looks pretty important, and we have a patch to look at. Here's hoping brendan gets some free time to r+.
Severity: normal → major
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Wow, that's the most context I've ever seen for a two-line patch ;-).

Thanks for the find&fix.

/be
Attachment #249099 - Flags: review?(brendan)
Attachment #249099 - Flags: review+
Attachment #249099 - Flags: approval1.8.1.2?
Attachment #249099 - Flags: approval1.8.0.10?

Comment 5

10 years ago
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Approved for both branches, a=jay for drivers.
Attachment #249099 - Flags: approval1.8.1.2?
Attachment #249099 - Flags: approval1.8.1.2+
Attachment #249099 - Flags: approval1.8.0.10?
Attachment #249099 - Flags: approval1.8.0.10+

Updated

10 years ago
Flags: blocking1.8.1.2? → blocking1.8.1.2+
Timeless, can you do all the checkins?  Dunno if you are around over the next week or so (holiday break for many here).

/be
(Assignee)

Comment 7

10 years ago
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

mozilla/js/src/jsopcode.c 	3.198
MOZILLA_1_8_BRANCH:
mozilla/js/src/jsopcode.c 	3.89.2.68

MOZILLA_1_8_0_BRANCH is not yet affected and I presume it will not be.
Attachment #249099 - Attachment is obsolete: true
(Assignee)

Updated

10 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Updated

10 years ago
Keywords: fixed1.8.1.2

Updated

10 years ago
Flags: in-testsuite-
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Right, as timeless notes, this is not needed on the 1.8.0 branch.

/be
Attachment #249099 - Flags: approval1.8.0.10+