Closed
Bug 364264
Opened 18 years ago
Closed 18 years ago
Assertion failure: pcdepth >= 0, at jsopcode.c:4737 - failure to handle JSOP_TRAP in js_DecompileValueGenerator
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: timeless, Assigned: timeless)
References
Details
(Keywords: assertion, crash, fixed1.8.1.2)
Attachments
(1 obsolete file)
DOMContentLoaded: [object XPCNativeWrapper [object HTMLDocument @ 0x7242870 (native @ 0x70836b8)]]view-source:file:///C:/Documen
Assertion failure: pcdepth >= 0, at c:/home/mozilla.org/mozilla/js/src/jsopcode.c:4737

js3250!js_DecompileValueGenerator(struct JSContext * cx = <Memory access error>, int spindex = <Memory access error>, long v = <Memory access error>, struct JSString * fallback = <Memory access error>)+0x4dd [c:\home\mozilla.org\mozilla\js\src\jsopcode.c @ 4737]
js3250!js_ValueToNonNullObject(struct JSContext * cx = 0x06ff37e8, long v = -2147483647)+0x31 [c:\home\mozilla.org\mozilla\js\src\jsobj.c @ 4468]
js3250!js_Interpret(struct JSContext * cx = 0x06ff37e8, unsigned char * pc = 0x012e1228 ";", long * result = 0x0012dc64)+0x7585 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 3717]
js3250!js_Invoke(struct JSContext * cx = 0x06ff37e8, unsigned int argc = 1, unsigned int flags = 2)+0x7a8 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1417]
xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x06ab2558, unsigned short methodIndex = 3, struct XPTMethodDescriptor * info = 0x019a5028, struct nsXPTCMiniVariant * nativeParams = 0x0012de94)+0x845 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1419]
xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0xbd48, struct XPTMethodDescriptor * info = 0x00000003, struct nsXPTCMiniVariant * params = 0x0012df54)+0x27 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 480]
xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x06efbd48, unsigned int methodIndex = 3, unsigned int * args = 0x0012df54, unsigned int * stackBytesToPop = 0x0012df44)+0x165 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 114]
xpcom_core!SharedStub(void)+0x16 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 142]
gklayout!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct * aListenerStruct = 0x1020fc2e, class nsIDOMEventListener * aListener = 0x00000000, class nsIDOMEvent * aDOMEvent = 0x1020fc25, class nsISupports * aCurrentTarget = 0xc3e4a7e6, unsigned int aPhaseFlags = 0xc)+0x14c [c:\home\mozilla.org\mozilla\content\events\src\nseventlistenermanager.cpp @ 1266]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0x12dffc MSVCR80D!_nh_malloc_dbg(unsigned int nSize = 0x21a4d38, int nhFlag = 1237088, int nBlockUse = 113829688, char * szFileName = 0x071efe10 "???", int nLine = 117959776)+0x19 [f:\rtm\vctools\crt_bld\self_x86\crt\src\dbgheap.c @ 266]
0x199e0c8 xpcom_core!nsWeakReference::QueryReferent(struct nsID * aIID = 0x0287e068, void ** aInstancePtr = 0x00000004)+0x1a [c:\home\mozilla.org\mozilla\dbg-firefox-i686-pc-mingw32\xpcom\build\nsweakreference.cpp @ 151]
gklayout!nsMarkedJSFunctionHolder_base::Get(struct nsID * aIID = 0x00000004)+0x19 [c:\home\mozilla.org\mozilla\dom\src\base\nsjsutils.cpp @ 279]

I'm sorry. I don't have locals because JS_Assert tails to exit(), so the compiler helpfully optimized away the stack locals and the debugger just isn't sure how to recover them.
OK. The critical part about this (steps weren't included because while I could trigger it while debugging I wasn't thinking about what was going on): I'm using Venkman (surprise), and I'm setting a breakpoint or stepping into a function. Venkman and friends talk to jsd_xpc, which talks to jsd, which uses JS_SetTrap (our friend the crashy function). JS_SetTrap munges JSScript objects by inserting JSOP_TRAP.

    op = (JSOp) *pc;                  /* JSOP_TRAP */
    cs = &js_CodeSpec[op];            /* "trap" */
    oplen = cs->length;               /* WRONG LOOKUP */
    sn = js_GetSrcNote(script, pc);   /* CODE ASSUMES op relates to SourceNote for pc, but it doesn't because JS_SetTrap is evil */
    ...
    nuses = cs->nuses;                /* WRONG LOOKUP */
    pcdepth -= nuses;                 /* POISONED */
    JS_ASSERT(pcdepth >= 0);          /* ASSERT LUCKY ROUND ONE */
    ndefs = cs->ndefs;                /* POISONED - WRONG ANSWER */

This is almost certainly a duplicate, but that doesn't really matter. The actual instruction was "this" (JSOP_THIS):

    js3250!js_CodeSpec[js3250!JSOP_THIS].ndefs   1
    js3250!js_CodeSpec[js3250!JSOP_TRAP].ndefs   0

When the code loops around the next time, it is now hopelessly confused and it takes the only action it knows, killing me.
Assignee: general → timeless
Status: UNCONFIRMED → ASSIGNED
Attachment #249099 -
Flags: review?(brendan)
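The mechanism described in the comment above, as an added example that is not the attached patch and not SpiderMonkey code: a hypothetical mini-bytecode with a js_CodeSpec-style table, a JS_SetTrap-style trap that overwrites the opcode byte in place and saves the original, and the decompiler's pcdepth walk in two flavours. The buggy walk looks up the trap pseudo-op and either underflows the simulated stack (the pcdepth >= 0 assertion) or, when the trapped instruction had operands, uses the trap's length and decodes an operand byte as an opcode. The fixed walk asks for the saved opcode first; in SpiderMonkey that lookup is JS_GetTrapOpcode (from the debugger API, not shown on this page). The opcode set, the sample script and the trap table are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mini-bytecode modelled on the shape of js_CodeSpec: each
 * opcode records its encoded length and its stack uses/defs.  OP_TRAP
 * mirrors JSOP_TRAP: a pseudo-op with no stack effect of its own. */
enum Op { OP_THIS, OP_INT8, OP_ADD, OP_POP, OP_TRAP, OP_COUNT };

struct CodeSpec {
    const char *name;
    uint8_t length;   /* bytes occupied, operands included */
    int8_t  nuses;    /* stack slots popped */
    int8_t  ndefs;    /* stack slots pushed */
};

static const struct CodeSpec code_spec[OP_COUNT] = {
    [OP_THIS] = { "this", 1, 0, 1 },
    [OP_INT8] = { "int8", 2, 0, 1 },
    [OP_ADD]  = { "add",  1, 2, 1 },
    [OP_POP]  = { "pop",  1, 1, 0 },
    [OP_TRAP] = { "trap", 1, 0, 0 },
};

#define MAX_CODE 16

struct Script {
    uint8_t code[MAX_CODE];
    size_t  length;
    uint8_t trapped[MAX_CODE];   /* 1 if a trap was planted at this pc */
    uint8_t saved_op[MAX_CODE];  /* the opcode the trap overwrote */
};

/* Plant a trap the way JS_SetTrap does: overwrite the opcode byte in place
 * and remember the original so the interpreter can still run it. */
static void set_trap(struct Script *s, size_t pc)
{
    s->saved_op[pc] = s->code[pc];
    s->trapped[pc] = 1;
    s->code[pc] = OP_TRAP;
}

/* Hypothetical stand-in for JS_GetTrapOpcode: the real opcode under a trap. */
static uint8_t trap_opcode(const struct Script *s, size_t pc)
{
    return s->trapped[pc] ? s->saved_op[pc] : s->code[pc];
}

/* Simulate the operand stack from pc 0 up to `target`, as the decompiler's
 * pcdepth loop does.  Returns the depth at `target`, -1 if the simulation
 * underflowed (where JS_ASSERT(pcdepth >= 0) fires), or -2 if a wrong
 * length made the walk decode an operand byte as an opcode. */
static int stack_depth_at(const struct Script *s, size_t target, int resolve_traps)
{
    int depth = 0;
    size_t pc = 0;
    while (pc < target && pc < s->length) {
        uint8_t op = s->code[pc];
        if (resolve_traps && op == OP_TRAP)
            op = trap_opcode(s, pc);      /* the fix: look past the trap */
        if (op >= OP_COUNT)
            return -2;                    /* operand byte misread as an op */
        const struct CodeSpec *cs = &code_spec[op];
        depth -= cs->nuses;
        if (depth < 0)
            return -1;                    /* pcdepth went negative */
        depth += cs->ndefs;
        pc += cs->length;
    }
    return depth;
}

/* Constructed sample script:  this; int8 5; add; pop   (at pc 0, 1, 3, 4). */
static void build_script(struct Script *s)
{
    static const uint8_t code[] = { OP_THIS, OP_INT8, 5, OP_ADD, OP_POP };
    memset(s, 0, sizeof *s);
    memcpy(s->code, code, sizeof code);
    s->length = sizeof code;
}

/* No trap: two pushes, `add` consumes both and leaves one, so depth 1 at `pop`. */
static int depth_untrapped(void)
{
    struct Script s;
    build_script(&s);
    return stack_depth_at(&s, 4, 0);
}

/* Trap on `this` (pc 0), the case in this bug.  Unresolved, the walk charges
 * the trap's 0 defs instead of this's 1 and `add` underflows: -1.  Resolved: 1. */
static int depth_trap_on_this(int resolve_traps)
{
    struct Script s;
    build_script(&s);
    set_trap(&s, 0);
    return stack_depth_at(&s, 4, resolve_traps);
}

/* Trap on `int8` (pc 1).  Unresolved, the trap's length of 1 lands the walk
 * on the operand byte 5, which is not an opcode: -2.  Resolved: 1. */
static int depth_trap_on_int8(int resolve_traps)
{
    struct Script s;
    build_script(&s);
    set_trap(&s, 1);
    return stack_depth_at(&s, 4, resolve_traps);
}

int main(void)
{
    printf("untrapped: %d\n", depth_untrapped());
    printf("trap on this  bug: %d  fixed: %d\n", depth_trap_on_this(0), depth_trap_on_this(1));
    printf("trap on int8  bug: %d  fixed: %d\n", depth_trap_on_int8(0), depth_trap_on_int8(1));
    return 0;
}
```

The second trap placement is worth keeping in mind when reviewing a fix: resolving the trap only for nuses/ndefs is not enough, because cs->length (and the source-note lookup the comment mentions) is taken from the same wrong table entry, so the resolution has to happen before the first use of cs.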
Comment 3•18 years ago
Looks pretty important, and we have a patch to look at. Here's hoping brendan gets some free time to r+
Severity: normal → major
Comment 4•18 years ago
Comment on attachment 249099 [details] [diff] [review] what's good for the goose is good for the gander Wow, that's the most context I've ever seen for a two-line patch ;-). Thanks for the find&fix. /be
Attachment #249099 -
Flags: review?(brendan)
Attachment #249099 -
Flags: review+
Attachment #249099 -
Flags: approval1.8.1.2?
Attachment #249099 -
Flags: approval1.8.0.10?
Comment 5•18 years ago
Comment on attachment 249099 [details] [diff] [review] what's good for the goose is good for the gander Approved for both branches, a=jay for drivers.
Attachment #249099 -
Flags: approval1.8.1.2?
Attachment #249099 -
Flags: approval1.8.1.2+
Attachment #249099 -
Flags: approval1.8.0.10?
Attachment #249099 -
Flags: approval1.8.0.10+
Updated•18 years ago
Flags: blocking1.8.1.2? → blocking1.8.1.2+
Comment 6•18 years ago
Timeless, can you do all the checkins? Dunno if you are around over the next week or so (holiday break for many here). /be
Comment on attachment 249099 [details] [diff] [review] what's good for the goose is good for the gander mozilla/js/src/jsopcode.c 3.198 MOZILLA_1_8_BRANCH: mozilla/js/src/jsopcode.c 3.89.2.68 MOZILLA_1_8_0_BRANCH is not yet affected and I presume it will not be.
Attachment #249099 -
Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Keywords: fixed1.8.1.2
Updated•18 years ago
Flags: in-testsuite-
Comment 8•18 years ago
Comment on attachment 249099 [details] [diff] [review] what's good for the goose is good for the gander Right, as timeless notes, this is not needed on the 1.8.0 branch. /be
Attachment #249099 -
Flags: approval1.8.0.10+