Bug 365716 - JS_Assert(char * s = 0x1012279c "!flbase[flindex]"
Status: Closed, VERIFIED DUPLICATE of bug 366975
Opened 18 years ago; closed 18 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: timeless; Unassigned
Attachments: 1 file (7.92 KB, text/plain; charset=UTF-8)
Description

steps:
1. build seamonkey (+ xpcshell)
2. run xpcshell
3. attach windbg
4. set a breakpoint on
       3 e 03574f50 0001 (0001) 0:**** addrbook!nsAbLDAPReplicationQuery::Release
   it doesn't precisely have to be this, but this is the one I had.
5. at the js> prompt, paste the following:

    function stubWorld(method, blacklist) {
      switch (arguments.length) {
        case 0: method = 'getService';
        case 1: blacklist = {};
        case 2:
        default:
      }
      for (contract in Components.classes) try {
        if (Components.classes[contract] instanceof Function) continue;
        if (uneval(blacklist).length > 4) {
          if (contract in blacklist) {
            delete blacklist[contract];
            continue;
          }
          /* continue; */
        }
        var name = 'ns_'+contract.replace(/@[^\/]*/,'').replace(/[^a-z0-9]+/ig,'_');
        name = name.replace(/_+([a-z])/g, function (a,b) {return b.toUpperCase()});
        print(' Components.addClass(null, new Factory('+name+'), "'+contract+'");');
        print(' /* "'+contract+'" */');
        print(' function '+name+'() {}\n '+name+'.prototype = {');
        /* this isn't legal per xpcom, but we're just searching for things */
        var svc = Components.classes[contract][method]();
        stubObject(svc);
        if (/xpconnect wrapped \(?(\S+?)\)?\s/.test((''+svc).replace(/, /g,',')))
          print(' interfaces: buildInterfaceList("'+RegExp.$1+'")\n }');
      } catch (e) {}
    }

    /* this function is for use in xpcshell. */
    function stubObject(unknown) {
      for (var iface in Components.interfaces) {
        try {
          if (!(unknown instanceof Components.interfaces[iface])) continue;
          print (' /* ' + iface + ' */');
          for (var attr in unknown[iface]) {
            if (attr == "QueryInterface") continue;
            if (typeof unknown[iface][attr] == 'number') continue;
            try {
              var method = unknown[iface][attr];
              if (method instanceof Function) {
                var args = [];
                for (var i = 0; i < method.length; ++i) args.push('a'+i);
                print(' '+attr+': function ('+args.join(',')+'){},');
              } else {
                print(' '+attr+': /* attribute */null,');
              }
            } catch (e) {
              print(' '+attr+': /* exception */null,');
            }
          }
        } catch (e) {}
      }
    }

    function knownStubWorld() {
      stubWorld('getService', {
        "@mozilla.org/messenger/messageservice;1?type=imap": 1,
        "@mozilla.org/messenger/server;1?type=nntp": 1,
        "@mozilla.org/uriloader/content-handler;1?type=x-application-imapfolder": 1,
        "@mozilla.org/xul/xul-template-builder;1": 1,
        "@mozilla.org/network/ldap-message;1": 1,
        "@mozilla.org/messenger/messageservice;1?type=imap-message": 1,
        "@mozilla.org/messenger/server;1?type=rss": 1,
        "@mozilla.org/generic-factory;1": 1,
        "@mozilla.org/messenger/server;1?type=pop3": 1,
        "@mozilla.org/xmlextras/proxy/webservicepropertybagwrapper;1": 1,
        "@mozilla.org/messengercompose/smtpurl;1": 1,
        "@mozilla.org/addressbook/carddatabase;1": 1,
        "@mozilla.org/browser/shistory-internal;1": 1,
        "@mozilla.org/network/async-stream-copier;1": 1,
        "@mozilla.org/messenger/protocol/info;1?type=imap": 1,
        "@mozilla.org/network/protocol;1?name=imap": 1,
        "@mozilla.org/addressbook/abview;1": 1,
        "@mozilla.org/messenger/server;1?type=none": 1,
        "@mozilla.org/messenger/imapservice;1": 1,
        "@mozilla.org/messenger/server;1?type=imap": 1,
        "@mozilla.org/browser/shistory;1": 1,
        "@mozilla.org/xul/xul-tree-builder;1": 1,
        "@mozilla.org/js/xpc/test/Noisy;1": 1,
        "@mozilla.org/svg/svg-document;1": 1,
        "@mozilla.org/content/canvas-rendering-context;1?id=2d": 1,
        "@mozilla.org/messenger/msgdbview;1?type=xfvf": 1
      });
    }

    knownStubWorld();

6. When you hit a ::Release() call under GCCallback, do:
       .call DumpJSStack(); g
   which is how windbg sets up and executes DumpJSStack(). Then continue a bit. You'll die like this:

    ntdll!DbgBreakPoint
    js3250!JS_Assert(char * s = 0x1012279c "!flbase[flindex]", char * file = 0x1012276c "c:/home/mozilla.org/mozilla/js/src/jsgc.c", int ln = 1461)+0x2d [c:\home\mozilla.org\mozilla\js\src\jsutil.c @ 59]
    js3250!js_NewGCThing(struct JSContext * cx = 0x00bec2b8, unsigned int flags = 1, unsigned int nbytes = 8)+0x257 [c:\home\mozilla.org\mozilla\js\src\jsgc.c @ 1461]
    js3250!js_NewString(struct JSContext * cx = 0x00bec2b8, unsigned short * chars = 0x09985bc0, unsigned int length = 0x2b, unsigned int gcflag = 0)+0x34 [c:\home\mozilla.org\mozilla\js\src\jsstr.c @ 2424]
    js3250!JS_NewStringCopyZ(struct JSContext * cx = 0x00bec2b8, char * s = 0x099ab940 "'@mozilla.org/messenger/server;1?type=none'")+0x5d [c:\home\mozilla.org\mozilla\js\src\jsapi.c @ 4475]
    js3250!js_QuoteString(struct JSContext * cx = 0x00bec2b8, struct JSString * str = 0x00bccff0, unsigned short quote = 0x27)+0x61 [c:\home\mozilla.org\mozilla\js\src\jsopcode.c @ 556]
    js3250!js_obj_toSource(struct JSContext * cx = 0x00bec2b8, struct JSObject * obj = 0x00c65ae0, unsigned int argc = 0, long * argv = 0x00c8d180, long * rval = 0x0012e1c0)+0x486 [c:\home\mozilla.org\mozilla\js\src\jsobj.c @ 910]
    js3250!js_Invoke(struct JSContext * cx = 0x00bec2b8, unsigned int argc = 0, unsigned int flags = 2)+0xbd5 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1398]
    js3250!js_InternalInvoke(struct JSContext * cx = 0x00bec2b8, struct JSObject * obj = 0x00c65ae0, long fval = 12474880, unsigned int flags = 0, unsigned int argc = 0, long * argv = 0x00000000, long * rval = 0x0012e358)+0x118 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1492]
    js3250!js_TryMethod(struct JSContext * cx = 0x00bec2b8, struct JSObject * obj = 0x00c65ae0, struct JSAtom * atom = 0x00bd0340, unsigned int argc = 0, long * argv = 0x00000000, long * rval = 0x0012e358)+0x102 [c:\home\mozilla.org\mozilla\js\src\jsobj.c @ 4531]
    js3250!js_ValueToSource(struct JSContext * cx = 0x00bec2b8, long v = 12999392)+0x109 [c:\home\mozilla.org\mozilla\js\src\jsstr.c @ 2702]
    js3250!str_uneval(struct JSContext * cx = 0x00bec2b8, struct JSObject * obj = 0x00be58e0, unsigned int argc = 1, long * argv = 0x00c8d160, long * rval = 0x0012e3dc)+0x13 [c:\home\mozilla.org\mozilla\js\src\jsstr.c @ 469]
    js3250!js_Invoke(struct JSContext * cx = 0x00bec2b8, unsigned int argc = 1, unsigned int flags = 0)+0xbd5 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1398]
    js3250!js_Interpret(struct JSContext * cx = 0x00bec2b8, unsigned char * pc = 0x00c79d39 ":", long * result = 0x0012ed30)+0xe37b [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 4134]
    js3250!js_Execute(struct JSContext * cx = 0x00bec2b8, struct JSObject * chain = 0x00be58e0, struct JSScript * script = 0x00c8b838, struct JSStackFrame * down = 0x00000000, unsigned int flags = 0, long * result = 0x0012fde0)+0x347 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1645]
    js3250!JS_ExecuteScript(struct JSContext * cx = 0x00bec2b8, struct JSObject * obj = 0x00be58e0, struct JSScript * script = 0x00c8b838, long * rval = 0x0012fde0)+0x1d [c:\home\mozilla.org\mozilla\js\src\jsapi.c @ 4204]
    xpcshell!ProcessFile(struct JSContext * cx = 0x00bec2b8, struct JSObject * obj = 0x00be58e0, char * filename = 0x00000000 "", struct _iobuf * file = 0x10310bd0, int forceTTY = 0)+0x25c [c:\home\mozilla.org\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 635]
    xpcshell!Process(struct JSContext * cx = 0x00bec2b8, struct JSObject * obj = 0x00be58e0, char * filename = 0x00000000 "", int forceTTY = 0)+0x9d [c:\home\mozilla.org\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 674]
    xpcshell!ProcessArgs(struct JSContext * cx = 0x00bec2b8, struct JSObject * obj = 0x00be58e0, char ** argv = 0x00ad77c4, int argc = 0)+0x4a3 [c:\home\mozilla.org\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 829]
    xpcshell!main(int argc = 0, char ** argv = 0x00ad77c4, char ** envp = 0x00ad32a0)+0x85e [c:\home\mozilla.org\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 1103]
    xpcshell!__tmainCRTStartup(void)+0x1a6 [f:\rtm\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
    xpcshell!mainCRTStartup(void)+0xd [f:\rtm\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
    kernel32!BaseProcessStart+0x23

reproducible: triggered twice now. dbaron has hit this stack using firefox, but my testcase is smaller :)
fwiw, (third crash) here's a place where you can insert this method call. As dbaron predicted, too much gc would be relevant, given that this is "GC_LAST_DITCH".

    addrbook!nsAbLDAPReplicationQuery::Release(void) [c:\home\mozilla.org\mozilla\mailnews\addrbook\src\nsabldapreplicationquery.cpp @ 54]
    xpc3250!XPCJSRuntime::GCCallback(struct JSContext * cx = 0x00c284f0, JSGCStatus status = JSGC_END (1))+0x71c [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcjsruntime.cpp @ 590]
    gklayout!DOMGCCallback(struct JSContext * cx = 0x00c284f0, JSGCStatus status = JSGC_END (1))+0x1d [c:\home\mozilla.org\mozilla\dom\src\base\nsjsenvironment.cpp @ 3171]
    js3250!js_GC(struct JSContext * cx = 0x00c284f0, JSGCInvocationKind gckind = GC_LAST_DITCH (2))+0xff6 [c:\home\mozilla.org\mozilla\js\src\jsgc.c @ 3178]
    js3250!js_NewGCThing(struct JSContext * cx = 0x00c284f0, unsigned int flags = 1, unsigned int nbytes = 8)+0x1ce [c:\home\mozilla.org\mozilla\js\src\jsgc.c @ 1439]
    js3250!js_NewString(struct JSContext * cx = 0x00c284f0, unsigned short * chars = 0x099a7110, unsigned int length = 0x2b, unsigned int gcflag = 0)+0x34 [c:\home\mozilla.org\mozilla\js\src\jsstr.c @ 2424]
    js3250!JS_NewStringCopyZ(struct JSContext * cx = 0x00c284f0, char * s = 0x099a85d8 "'@mozilla.org/messenger/server;1?type=imap'")+0x5d [c:\home\mozilla.org\mozilla\js\src\jsapi.c @ 4475]
    js3250!js_QuoteString(struct JSContext * cx = 0x00c284f0, struct JSString * str = 0x00c02028, unsigned short quote = 0x27)+0x61 [c:\home\mozilla.org\mozilla\js\src\jsopcode.c @ 556]
    js3250!js_obj_toSource(struct JSContext * cx = 0x00c284f0, struct JSObject * obj = 0x00c666e0, unsigned int argc = 0, long * argv = 0x00c8d198, long * rval = 0x0012e1c0)+0x486 [c:\home\mozilla.org\mozilla\js\src\jsobj.c @ 910]
    js3250!js_Invoke(struct JSContext * cx = 0x00c284f0, unsigned int argc = 0, unsigned int flags = 2)+0xbd5 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1398]
    js3250!js_InternalInvoke(struct JSContext * cx = 0x00c284f0, struct JSObject * obj = 0x00c666e0, long fval = 12690944, unsigned int flags = 0, unsigned int argc = 0, long * argv = 0x00000000, long * rval = 0x0012e358)+0x118 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1492]
    js3250!js_TryMethod(struct JSContext * cx = 0x00c284f0, struct JSObject * obj = 0x00c666e0, struct JSAtom * atom = 0x00c05068, unsigned int argc = 0, long * argv = 0x00000000, long * rval = 0x0012e358)+0x102 [c:\home\mozilla.org\mozilla\js\src\jsobj.c @ 4531]
    js3250!js_ValueToSource(struct JSContext * cx = 0x00c284f0, long v = 13002464)+0x109 [c:\home\mozilla.org\mozilla\js\src\jsstr.c @ 2702]
    js3250!str_uneval(struct JSContext * cx = 0x00c284f0, struct JSObject * obj = 0x00c1a4e0, unsigned int argc = 1, long * argv = 0x00c8d178, long * rval = 0x0012e3dc)+0x13 [c:\home\mozilla.org\mozilla\js\src\jsstr.c @ 469]
    js3250!js_Invoke(struct JSContext * cx = 0x00c284f0, unsigned int argc = 1, unsigned int flags = 0)+0xbd5 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1398]
    js3250!js_Interpret(struct JSContext * cx = 0x00c284f0, unsigned char * pc = 0x00c798e9 ":", long * result = 0x0012ed30)+0xe37b [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 4134]
    js3250!js_Execute(struct JSContext * cx = 0x00c284f0, struct JSObject * chain = 0x00c1a4e0, struct JSScript * script = 0x00c809f0, struct JSStackFrame * down = 0x00000000, unsigned int flags = 0, long * result = 0x0012fde0)+0x347 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1645]
    js3250!JS_ExecuteScript(struct JSContext * cx = 0x00c284f0, struct JSObject * obj = 0x00c1a4e0, struct JSScript * script = 0x00c809f0, long * rval = 0x0012fde0)+0x1d [c:\home\mozilla.org\mozilla\js\src\jsapi.c @ 4204]
    xpcshell!ProcessFile(struct JSContext * cx = 0x00c284f0, struct JSObject * obj = 0x00c1a4e0, char * filename = 0x00000000 "", struct _iobuf * file = 0x10310bd0, int forceTTY = 0)+0x25c [c:\home\mozilla.org\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 635]
    xpcshell!Process(struct JSContext * cx = 0x00c284f0, struct JSObject * obj = 0x00c1a4e0, char * filename = 0x00000000 "", int forceTTY = 0)+0x9d [c:\home\mozilla.org\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 674]
    xpcshell!ProcessArgs(struct JSContext * cx = 0x00c284f0, struct JSObject * obj = 0x00c1a4e0, char ** argv = 0x00ad8b44, int argc = 0)+0x4a3 [c:\home\mozilla.org\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 829]
    xpcshell!main(int argc = 0, char ** argv = 0x00ad8b44, char ** envp = 0x00ad3d20)+0x85e [c:\home\mozilla.org\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 1103]
    xpcshell!__tmainCRTStartup(void)+0x1a6 [f:\rtm\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
    xpcshell!mainCRTStartup(void)+0xd [f:\rtm\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
    kernel32!BaseProcessStart+0x23

If you don't insert the stack dumping you can then do this:

    js> gc()
    before 7570240, after 1190928, break 00000000

that's a lot of garbage that can't be reaped until the function finishes :)
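The two traces above fit together as one sequence: js_NewGCThing finds its local free list empty, runs a GC_LAST_DITCH collection, the JSGC_END callback (GCCallback, then Release, then the injected DumpJSStack, which calls uneval and allocates a string) re-enters the allocator, and that inner allocation refills the local free list which the outer js_NewGCThing, resuming after the GC, asserts is still empty. The following C model is an added illustration, not SpiderMonkey's jsgc.c, and its in_gc guard is a constructed mitigation for the model only, not the fix applied in bug 366975.

```c
#include <stddef.h>

/* Constructed model (added here, not SpiderMonkey's jsgc.c) of the ordering in the
 * traces above: the outer allocation runs a last-ditch GC, the JSGC_END callback
 * re-enters the engine and allocates, and that inner allocation refills the local
 * free list the outer allocation then expects to be empty. */
#define NTHINGS 4
#define JSGC_END 1

typedef struct GCThing { struct GCThing *next; } GCThing;

static GCThing heap[NTHINGS];
static GCThing *global_free;      /* stands in for rt->gcFreeList */
static GCThing *flbase[1];        /* per-thread local free list; flindex is always 0 here */
static int in_gc, hardened;
static int invariant_botched;     /* times the outer refill found flbase[0] non-empty */
int outer_alloc_failed;           /* 1 if the outer allocation came back NULL */

static GCThing *js_NewGCThing(void);

/* JSGC_END callback that re-enters the engine, like Release -> DumpJSStack -> uneval. */
static void gc_callback(int status) {
    if (status == JSGC_END) (void)js_NewGCThing();
}

static void js_GC(void) {
    if (in_gc) return;            /* nested request while already collecting */
    in_gc = 1;
    global_free = NULL;           /* sweep: in the model every thing becomes free again */
    for (int i = 0; i < NTHINGS; i++) { heap[i].next = global_free; global_free = &heap[i]; }
    gc_callback(JSGC_END);
    in_gc = 0;
}

static GCThing *js_NewGCThing(void) {
    const int flindex = 0;
    GCThing *thing = flbase[flindex];
    if (thing) { flbase[flindex] = thing->next; return thing; }
    if (hardened && in_gc) return NULL;  /* constructed guard: no allocation inside the callback */
    js_GC();                             /* GC_LAST_DITCH */
    if (flbase[flindex]) invariant_botched++;  /* the JS_ASSERT(!flbase[flindex]) in the trace */
    flbase[flindex] = global_free;       /* refill the local list from the global one */
    global_free = NULL;
    thing = flbase[flindex];
    if (thing) flbase[flindex] = thing->next;
    return thing;
}

/* Reset, allocate once with an empty local list; return how often the invariant failed. */
int run_scenario(int harden) {
    global_free = NULL; flbase[0] = NULL; in_gc = 0; invariant_botched = 0; hardened = harden;
    outer_alloc_failed = (js_NewGCThing() == NULL);
    return invariant_botched;
}
```

Unguarded, the outer allocation finds the list already refilled, overwrites it with the now-empty global list and returns NULL although free things exist; with the guard the inner allocation is refused and the outer one completes normally.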
I had left the room, but I'd recently been using google maps's directions -- in fact, I had two or three windows of it open.
Comment 3 • 18 years ago
dbaron's stack for google maps is worth looking at -- there is no js_GC active, and the assertion that's botched is one of the two identical JS_ASSERT(!flbase[flindex]); I'm not sure which one, because the 1465 line number doesn't match either of the two I see in trunk source. Igor, Feng, any thoughts? /be
I have 4 extra lines for debugging code at the top of my jsgc.c (revision 3.194). (The debugging code itself is below 1465.) So my 1465 is the last of these:

    #ifdef JS_THREADSAFE
            /*
             * Refill the local free list by taking several things from the
             * global free list unless we are still at rt->gcMaxMallocBytes
             * barrier. The latter happens when GC is canceled due to
             * !gcCallback(cx, JSGC_BEGIN) or no gcPoke.
             */
            if (rt->gcMallocBytes >= rt->gcMaxMallocBytes)
                break;
            JS_ASSERT(!flbase[flindex]);
Comment 5 • 18 years ago
Shouldn't this be forward-dup'ed against bug 366975? /be
Updated • 18 years ago
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE