Closed Bug 364264 Opened 18 years ago Closed 18 years ago

Assertion failure: pcdepth >= 0, at jsopcode.c:4737 - failure to handle JSOP_TRAP in js_DecompileValueGenerator

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

References

Details

(Keywords: assertion, crash, fixed1.8.1.2)

Attachments

(1 obsolete file)

DOMContentLoaded: [object XPCNativeWrapper [object HTMLDocument @ 0x7242870 (native @ 0x70836b8)]]view-source:file:///C:/Documen

Assertion failure: pcdepth >= 0, at c:/home/mozilla.org/mozilla/js/src/jsopcode.c:4737

js3250!js_DecompileValueGenerator(struct JSContext * cx = <Memory access error>, int spindex = <Memory access error>, long v = <Memory access error>, struct JSString * fallback = <Memory access error>)+0x4dd [c:\home\mozilla.org\mozilla\js\src\jsopcode.c @ 4737]
js3250!js_ValueToNonNullObject(struct JSContext * cx = 0x06ff37e8, long v = -2147483647)+0x31 [c:\home\mozilla.org\mozilla\js\src\jsobj.c @ 4468]
js3250!js_Interpret(struct JSContext * cx = 0x06ff37e8, unsigned char * pc = 0x012e1228 ";", long * result = 0x0012dc64)+0x7585 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 3717]
js3250!js_Invoke(struct JSContext * cx = 0x06ff37e8, unsigned int argc = 1, unsigned int flags = 2)+0x7a8 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1417]
xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x06ab2558, unsigned short methodIndex = 3, struct XPTMethodDescriptor * info = 0x019a5028, struct nsXPTCMiniVariant * nativeParams = 0x0012de94)+0x845 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1419]
xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0xbd48, struct XPTMethodDescriptor * info = 0x00000003, struct nsXPTCMiniVariant * params = 0x0012df54)+0x27 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 480]
xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x06efbd48, unsigned int methodIndex = 3, unsigned int * args = 0x0012df54, unsigned int * stackBytesToPop = 0x0012df44)+0x165 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 114]
xpcom_core!SharedStub(void)+0x16 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 142]
gklayout!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct * aListenerStruct = 0x1020fc2e, class nsIDOMEventListener * aListener = 0x00000000, class nsIDOMEvent * aDOMEvent = 0x1020fc25, class nsISupports * aCurrentTarget = 0xc3e4a7e6, unsigned int aPhaseFlags = 0xc)+0x14c [c:\home\mozilla.org\mozilla\content\events\src\nseventlistenermanager.cpp @ 1266]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0x12dffc
MSVCR80D!_nh_malloc_dbg(unsigned int nSize = 0x21a4d38, int nhFlag = 1237088, int nBlockUse = 113829688, char * szFileName = 0x071efe10 "???", int nLine = 117959776)+0x19 [f:\rtm\vctools\crt_bld\self_x86\crt\src\dbgheap.c @ 266]
0x199e0c8
xpcom_core!nsWeakReference::QueryReferent(struct nsID * aIID = 0x0287e068, void ** aInstancePtr = 0x00000004)+0x1a [c:\home\mozilla.org\mozilla\dbg-firefox-i686-pc-mingw32\xpcom\build\nsweakreference.cpp @ 151]
gklayout!nsMarkedJSFunctionHolder_base::Get(struct nsID * aIID = 0x00000004)+0x19 [c:\home\mozilla.org\mozilla\dom\src\base\nsjsutils.cpp @ 279]

I'm sorry. I don't have locals because JS_Assert tails to exit() so the compiler helpfully optimized away the stack locals and the debugger just isn't sure how to recover them.
OK. The critical part about this (steps weren't included because, while I could trigger it while debugging, I wasn't thinking about what was going on):

I'm using Venkman (surprise), and I'm setting a breakpoint or stepping into a function.

Venkman and friends talk to jsd_xpc which talks to jsd which uses JS_SetTrap (our friend the crashy function).

JS_SetTrap munges JSScript objects by inserting JSOP_TRAP.
        op = (JSOp) *pc; /* JSOP_TRAP */
        cs = &js_CodeSpec[op]; /* "trap" */
        oplen = cs->length; /* WRONG LOOKUP */

        sn = js_GetSrcNote(script, pc); /* CODE ASSUMES op relates to SourceNote for pc, but it doesn't because JS_SetTrap is evil */
        ...
        nuses = cs->nuses; /* WRONG LOOKUP */
        pcdepth -= nuses; /* POISONED */
        JS_ASSERT(pcdepth >= 0); /* ASSERT LUCKY ROUND ONE */

        ndefs = cs->ndefs; /* POISONED - WRONG ANSWER */

This is almost certainly a duplicate, but that doesn't really matter.

The actual instruction was "this" (JSOP_THIS):

js3250!js_CodeSpec[js3250!JSOP_THIS].ndefs 1
js3250!js_CodeSpec[js3250!JSOP_TRAP].ndefs 0

When the code loops around the next time, it is now hopelessly confused and it takes the only action it knows, killing me.
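The failure mode described in the comment above, as an added example that is not code from this bug, its patch, or SpiderMonkey: a toy bytecode walker in C that models how setting a trap overwrites the opcode byte in place, and how a stack-depth walker that indexes the codespec table by the raw byte then reads the trap's nuses/ndefs/length instead of the trapped instruction's, driving pcdepth negative one instruction later. The opcode set, codespec table, script layout, set_trap, get_trap_opcode and walk_depth are all constructed here; SpiderMonkey's own debugger API exposes JS_GetTrapOpcode for recovering the original opcode, which get_trap_opcode only imitates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy opcode set; not SpiderMonkey's JSOp enumeration. */
enum { OP_THIS, OP_PUSH, OP_ADD, OP_POP, OP_TRAP, OP_COUNT };

/* Per-opcode metadata, in the spirit of js_CodeSpec: byte length, stack uses, stack defs. */
typedef struct { const char *name; int length; int nuses; int ndefs; } CodeSpec;

static const CodeSpec codespec[OP_COUNT] = {
    [OP_THIS] = { "this", 1, 0, 1 },
    [OP_PUSH] = { "push", 2, 0, 1 },   /* one-byte immediate follows the opcode */
    [OP_ADD]  = { "add",  1, 2, 1 },
    [OP_POP]  = { "pop",  1, 1, 0 },
    [OP_TRAP] = { "trap", 1, 0, 0 },   /* placeholder: the real stack effect is the trapped op's */
};

#define MAX_TRAPS 8
typedef struct { size_t pc; uint8_t orig_op; } Trap;
typedef struct { uint8_t *code; size_t len; Trap traps[MAX_TRAPS]; int ntraps; } Script;

/* Model of JS_SetTrap: overwrite the opcode byte in place and remember the original. */
static int set_trap(Script *s, size_t pc) {
    if (pc >= s->len || s->ntraps == MAX_TRAPS || s->code[pc] == OP_TRAP) return -1;
    s->traps[s->ntraps].pc = pc;
    s->traps[s->ntraps].orig_op = s->code[pc];
    s->ntraps++;
    s->code[pc] = OP_TRAP;
    return 0;
}

/* Model of JS_GetTrapOpcode: recover the opcode a trap replaced at pc. */
static uint8_t get_trap_opcode(const Script *s, size_t pc) {
    for (int i = 0; i < s->ntraps; i++)
        if (s->traps[i].pc == pc) return s->traps[i].orig_op;
    return OP_TRAP;  /* pc is not trapped: the placeholder stands */
}

/* Walk the bytecode tracking operand-stack depth, as a decompiler must.
 * Returns the final depth, -1 as soon as the depth goes negative (the
 * condition JS_ASSERT(pcdepth >= 0) catches), or -2 on an undecodable byte.
 * With trap_aware == 0 the codespec is indexed by the raw byte, so a trapped
 * instruction is charged the trap's (empty) stack effect and length. */
static int walk_depth(const Script *s, int trap_aware) {
    int pcdepth = 0;
    size_t pc = 0;
    while (pc < s->len) {
        uint8_t op = s->code[pc];
        if (trap_aware && op == OP_TRAP) op = get_trap_opcode(s, pc);  /* the fix */
        if (op >= OP_COUNT) return -2;  /* immediate byte mistaken for an opcode */
        const CodeSpec *cs = &codespec[op];
        pcdepth -= cs->nuses;
        if (pcdepth < 0) return -1;
        pcdepth += cs->ndefs;
        pc += cs->length;
    }
    return pcdepth;
}

/* Constructed program: this; push 5; add; pop  -> net depth 0.
 * If trapped != 0, a trap is set on the "this" instruction, as in the report. */
static int run_scenario(int trap_aware, int trapped) {
    uint8_t code[] = { OP_THIS, OP_PUSH, 5, OP_ADD, OP_POP };
    Script s = { code, sizeof code, { { 0, 0 } }, 0 };
    if (trapped && set_trap(&s, 0) != 0) return -3;
    return walk_depth(&s, trap_aware);
}

int main(void) {
    printf("untrapped, naive walker:       %d\n", run_scenario(0, 0));
    printf("trapped 'this', naive walker:  %d\n", run_scenario(0, 1));  /* goes negative at add */
    printf("trapped 'this', trap-aware:    %d\n", run_scenario(1, 1));
    return 0;
}
```

The naive walker sees the trap byte, charges zero defs for what was really `this`, and the following `add` pops two values from a stack that only holds one; that is the "hopelessly confused on the next loop" behaviour the report describes. Recovering the original opcode before the codespec lookup restores the correct nuses, ndefs and length in one place.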
Keywords: assertion, crash
Summary: Assertion failure: pcdepth >= 0, at c:/home/mozilla.org/mozilla/js/src/jsopcode.c:4737 → Assertion failure: pcdepth >= 0, at jsopcode.c:4737 - failure to handle JSOP_TRAP in js_DecompileValueGenerator
Assignee: general → timeless
Status: UNCONFIRMED → ASSIGNED
Attachment #249099 - Flags: review?(brendan)
Depends on: desdec
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1? → blocking1.8.1.2?
Looks pretty important, and we have a patch to look at. Here's hoping brendan gets some free time to r+.
Severity: normal → major
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Wow, that's the most context I've ever seen for a two-line patch ;-).

Thanks for the find&fix.

/be
Attachment #249099 - Flags: review?(brendan)
Attachment #249099 - Flags: review+
Attachment #249099 - Flags: approval1.8.1.2?
Attachment #249099 - Flags: approval1.8.0.10?
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Approved for both branches, a=jay for drivers.
Attachment #249099 - Flags: approval1.8.1.2?
Attachment #249099 - Flags: approval1.8.1.2+
Attachment #249099 - Flags: approval1.8.0.10?
Attachment #249099 - Flags: approval1.8.0.10+
Flags: blocking1.8.1.2? → blocking1.8.1.2+
Timeless, can you do all the checkins?  Dunno if you are around over the next week or so (holiday break for many here).

/be
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

mozilla/js/src/jsopcode.c 	3.198
MOZILLA_1_8_BRANCH:
mozilla/js/src/jsopcode.c 	3.89.2.68

MOZILLA_1_8_0_BRANCH is not yet affected and I presume it will not be.
Attachment #249099 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Keywords: fixed1.8.1.2
Flags: in-testsuite-
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Right, as timeless notes, this is not needed on the 1.8.0 branch.

/be
Attachment #249099 - Flags: approval1.8.0.10+