Bug 364264 - Assertion failure: pcdepth >= 0, at jsopcode.c:4737 - failure to handle JSOP_TRAP in js_DecompileValueGenerator
Status: RESOLVED FIXED
Keywords: assertion, crash, fixed1.8.1.2
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Windows XP
Importance: -- major
Target Milestone: ---
Assigned To: timeless
Depends on: desdec
Reported: 2006-12-18 12:58 PST by timeless
Modified: 2007-01-18 14:41 PST (History)
jaymoz: blocking1.8.1.2+
bob: in-testsuite-

Attachments
what's good for the goose is good for the gander (5.02 KB, patch)
2006-12-19 05:09 PST, timeless
brendan: review+
jaymoz: approval1.8.1.2+

Description timeless 2006-12-18 12:58:08 PST
DOMContentLoaded: [object XPCNativeWrapper [object HTMLDocument @ 0x7242870 (native @ 0x70836b8)]]view-source:file:///C:/Documen

Assertion failure: pcdepth >= 0, at c:/home/mozilla.org/mozilla/js/src/jsopcode.c:4737

js3250!js_DecompileValueGenerator(struct JSContext * cx = <Memory access error>, int spindex = <Memory access error>, long v = <Memory access error>, struct JSString * fallback = <Memory access error>)+0x4dd [c:\home\mozilla.org\mozilla\js\src\jsopcode.c @ 4737]
js3250!js_ValueToNonNullObject(struct JSContext * cx = 0x06ff37e8, long v = -2147483647)+0x31 [c:\home\mozilla.org\mozilla\js\src\jsobj.c @ 4468]
js3250!js_Interpret(struct JSContext * cx = 0x06ff37e8, unsigned char * pc = 0x012e1228 ";", long * result = 0x0012dc64)+0x7585 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 3717]
js3250!js_Invoke(struct JSContext * cx = 0x06ff37e8, unsigned int argc = 1, unsigned int flags = 2)+0x7a8 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1417]
xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x06ab2558, unsigned short methodIndex = 3, struct XPTMethodDescriptor * info = 0x019a5028, struct nsXPTCMiniVariant * nativeParams = 0x0012de94)+0x845 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1419]
xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0xbd48, struct XPTMethodDescriptor * info = 0x00000003, struct nsXPTCMiniVariant * params = 0x0012df54)+0x27 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 480]
xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x06efbd48, unsigned int methodIndex = 3, unsigned int * args = 0x0012df54, unsigned int * stackBytesToPop = 0x0012df44)+0x165 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 114]
xpcom_core!SharedStub(void)+0x16 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 142]
gklayout!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct * aListenerStruct = 0x1020fc2e, class nsIDOMEventListener * aListener = 0x00000000, class nsIDOMEvent * aDOMEvent = 0x1020fc25, class nsISupports * aCurrentTarget = 0xc3e4a7e6, unsigned int aPhaseFlags = 0xc)+0x14c [c:\home\mozilla.org\mozilla\content\events\src\nseventlistenermanager.cpp @ 1266]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0x12dffc
MSVCR80D!_nh_malloc_dbg(unsigned int nSize = 0x21a4d38, int nhFlag = 1237088, int nBlockUse = 113829688, char * szFileName = 0x071efe10 "???", int nLine = 117959776)+0x19 [f:\rtm\vctools\crt_bld\self_x86\crt\src\dbgheap.c @ 266]
0x199e0c8
xpcom_core!nsWeakReference::QueryReferent(struct nsID * aIID = 0x0287e068, void ** aInstancePtr = 0x00000004)+0x1a [c:\home\mozilla.org\mozilla\dbg-firefox-i686-pc-mingw32\xpcom\build\nsweakreference.cpp @ 151]
gklayout!nsMarkedJSFunctionHolder_base::Get(struct nsID * aIID = 0x00000004)+0x19 [c:\home\mozilla.org\mozilla\dom\src\base\nsjsutils.cpp @ 279]

I'm sorry. I don't have locals because JS_Assert tails to exit() so the compiler helpfully optimized away the stack locals and the debugger just isn't sure how to recover them.
Comment 1 timeless 2006-12-19 04:57:42 PST
OK. The critical part about this (steps weren't included because while I could trigger it while debugging I wasn't thinking about what was going on):

I'm using Venkman (surprise), and I'm setting a breakpoint or stepping into a function.

Venkman and friends talk to jsd_xpc, which talks to jsd, which uses JS_SetTrap (our friend the crashy function).

JS_SetTrap munges JSScript objects by inserting JSOP_TRAP.
        op = (JSOp) *pc; /* JSOP_TRAP */
        cs = &js_CodeSpec[op]; /* "trap" */
        oplen = cs->length; /* WRONG LOOKUP */

        sn = js_GetSrcNote(script, pc); /* CODE ASSUMES op relates to SourceNote for pc, but it doesn't because JS_SetTrap is evil */
        ...
        nuses = cs->nuses; /* WRONG LOOKUP */
        pcdepth -= nuses; /* POISONED */
        JS_ASSERT(pcdepth >= 0); /* ASSERT LUCKY ROUND ONE */

        ndefs = cs->ndefs; /* POISONED - WRONG ANSWER */

This is almost certainly a duplicate, but that doesn't really matter.

The actual instruction was "this" (JSOP_THIS).

js3250!js_CodeSpec[js3250!JSOP_THIS].ndefs 1
js3250!js_CodeSpec[js3250!JSOP_TRAP].ndefs 0

When the code loops around the next time, it is now hopelessly confused and it takes the only action it knows, killing me.
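The failure mode described in the comment above, as an added illustration that is not code from this bug, its attachment, or SpiderMonkey: a toy bytecode walker models the decompiler's pcdepth loop over a constructed opcode table (OP_THIS, OP_GETPROP, OP_POP, OP_TRAP with made-up lengths and stack effects, not the real js_CodeSpec values). set_trap() plays the role of JS_SetTrap, overwriting an opcode byte with the trap opcode and saving the original; the naive walk looks up the trap's entry and either drives the depth negative (the JS_ASSERT(pcdepth >= 0) case) or, when the trapped instruction is longer than one byte, uses the wrong length and starts decoding operand bytes as opcodes. The trap-aware walk asks the trap table for the original opcode instead; SpiderMonkey's debugger API exposes that lookup as JS_GetTrapOpcode, and it is an assumption here, since the patch is not on the page, that the fix takes that shape.

```c
#include <stdio.h>
#include <string.h>

/* Toy opcode set with constructed stack effects. These are NOT SpiderMonkey's
 * js_CodeSpec values; they only reproduce the shape of the problem: a trap
 * opcode that uses and defines nothing standing in for a real instruction. */
enum { OP_THIS = 0, OP_GETPROP = 1, OP_POP = 2, OP_TRAP = 3, OP_COUNT };

typedef struct {
    const char *name;
    int length;   /* bytes, opcode included */
    int nuses;    /* operands popped */
    int ndefs;    /* results pushed */
} CodeSpec;

static const CodeSpec code_spec[OP_COUNT] = {
    { "this",    1, 0, 1 },
    { "getprop", 3, 1, 1 },  /* opcode + 2-byte atom index */
    { "pop",     1, 1, 0 },
    { "trap",    1, 0, 0 },  /* breakpoint placeholder: no stack effect */
};

#define MAX_CODE  32
#define MAX_TRAPS 4

typedef struct {
    unsigned char code[MAX_CODE];
    int len;
    struct { int pc; unsigned char op; } traps[MAX_TRAPS];  /* saved opcodes */
    int ntraps;
} Script;

/* Stand-in for JS_SetTrap: overwrite the opcode byte at pc with OP_TRAP and
 * remember the original so later passes can still find it. */
static int set_trap(Script *s, int pc)
{
    if (pc < 0 || pc >= s->len || s->ntraps == MAX_TRAPS || s->code[pc] == OP_TRAP)
        return -1;
    s->traps[s->ntraps].pc = pc;
    s->traps[s->ntraps].op = s->code[pc];
    s->ntraps++;
    s->code[pc] = OP_TRAP;
    return 0;
}

/* Stand-in for JS_GetTrapOpcode: the opcode that sat at pc before trapping. */
static unsigned char get_trap_opcode(const Script *s, int pc)
{
    for (int i = 0; i < s->ntraps; i++)
        if (s->traps[i].pc == pc)
            return s->traps[i].op;
    return s->code[pc];  /* not trapped: the byte itself is the opcode */
}

enum { DEPTH_UNDERFLOW = -1, DEPTH_BAD_OPCODE = -2 };

/* Walk the bytecode the way the decompiler's pcdepth loop does. Returns the
 * final model stack depth, DEPTH_UNDERFLOW if the depth ever goes negative
 * (the condition JS_ASSERT(pcdepth >= 0) guards in the report), or
 * DEPTH_BAD_OPCODE if a wrong length lookup lands the walk on an operand byte. */
static int stack_depth(const Script *s, int trap_aware)
{
    int pc = 0, depth = 0;
    while (pc < s->len) {
        unsigned char op = s->code[pc];
        if (trap_aware && op == OP_TRAP)
            op = get_trap_opcode(s, pc);  /* look through the trap to the real op */
        if (op >= OP_COUNT)
            return DEPTH_BAD_OPCODE;      /* decoding has desynchronised */
        const CodeSpec *cs = &code_spec[op];
        depth -= cs->nuses;
        if (depth < 0)
            return DEPTH_UNDERFLOW;
        depth += cs->ndefs;
        pc += cs->length;
    }
    return depth;
}

/* Constructed script: this; getprop <atom 7>; pop (net stack effect 0).
 * trap_pc < 0 means no trap is set. */
static int demo_case(int trap_pc, int trap_aware)
{
    static const unsigned char bytes[] = { OP_THIS, OP_GETPROP, 0x00, 0x07, OP_POP };
    Script s;
    memset(&s, 0, sizeof s);
    memcpy(s.code, bytes, sizeof bytes);
    s.len = (int)sizeof bytes;
    if (trap_pc >= 0 && set_trap(&s, trap_pc) != 0)
        return DEPTH_BAD_OPCODE;
    return stack_depth(&s, trap_aware);
}

int main(void)
{
    printf("no trap:                       %d\n", demo_case(-1, 0));
    printf("trap on 'this', naive:         %d\n", demo_case(0, 0));
    printf("trap on 'this', trap-aware:    %d\n", demo_case(0, 1));
    printf("trap on 'getprop', naive:      %d\n", demo_case(1, 0));
    printf("trap on 'getprop', trap-aware: %d\n", demo_case(1, 1));
    return 0;
}
```

Trapping "this" reproduces the report exactly: the trap entry defines nothing, so the following getprop pops from an empty model stack and the depth goes negative. Trapping the three-byte getprop shows the second wrong lookup the comment flags (oplen): the walker advances one byte instead of three and then reads the atom-index bytes as opcodes. Both go away once the walker resolves the trap to the original opcode before consulting the table.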
Comment 2 timeless 2006-12-19 05:09:35 PST
Created attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander
Comment 3 Brian Crowder 2006-12-19 13:16:10 PST
Looks pretty important, and we have a patch to look at.  Here's hoping brendan gets some free time to r+
Comment 4 Brendan Eich [:brendan] 2006-12-19 19:09:13 PST
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Wow, that's the most context I've ever seen for a two-line patch ;-).

Thanks for the find&fix.

/be
Comment 5 Jay Patel [:jay] 2006-12-20 15:23:20 PST
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Approved for both branches, a=jay for drivers.
Comment 6 Brendan Eich [:brendan] 2006-12-22 15:28:13 PST
Timeless, can you do all the checkins?  Dunno if you are around over the next week or so (holiday break for many here).

/be
Comment 7 timeless 2006-12-23 11:34:16 PST
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

mozilla/js/src/jsopcode.c 	3.198
MOZILLA_1_8_BRANCH:
mozilla/js/src/jsopcode.c 	3.89.2.68

MOZILLA_1_8_0_BRANCH is not yet affected and I presume it will not be.
Comment 8 Brendan Eich [:brendan] 2007-01-18 14:41:00 PST
Comment on attachment 249099 [details] [diff] [review]
what's good for the goose is good for the gander

Right, as timeless notes, this is not needed on the 1.8.0 branch.

/be
