bugzilla.mozilla.org has resumed normal operation. Attachments prior to 2014 will be unavailable for a few days. This is tracked in Bug 1475801.
Please report any other irregularities here.

Crash when stopping at breakpoint set by Venkman [@ ComputeGlobalThis]

VERIFIED FIXED in mozilla1.9beta4

Status

()

Core
JavaScript Engine
P1
critical
VERIFIED FIXED
11 years ago
7 years ago

People

(Reporter: whimboo, Assigned: mrbkap)

Tracking

({crash})

Trunk
mozilla1.9beta4
crash
Points:
---
Bug Flags:
blocking1.9 +
in-testsuite -
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment, 2 obsolete attachments)

#0  JS_Assert (s=0x110e554 "!fp->thisp && fp->argv == argv", file=0x110e124 "/Users/henrik/Projects/mozilla/source/mozilla/js/src/jsinterp.c", ln=928) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsutil.c:63
#1  0x010626e1 in ComputeGlobalThis (cx=0x3df70010, lazy=1, argv=0x25d498c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsinterp.c:928
#2  0x010629d3 in js_ComputeThis (cx=0x3df70010, lazy=1, argv=0x25d498c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsinterp.c:995
#3  0x01035b21 in JS_GetFrameThis (cx=0x3df70010, fp=0x25d4998) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsdbgapi.c:1089
#4  0x2f886dc5 in jsd_NewThreadState (jsdc=0x36c3bc40, cx=0x3df70010) at /Users/henrik/Projects/mozilla/source/mozilla/js/jsd/jsd_stak.c:133
#5  0x2f883cfa in jsd_CallExecutionHook (jsdc=0x36c3bc40, cx=0x3df70010, type=1, hook=0x2f892c16 <jsds_ExecutionHookProc(JSDContext*, JSDThreadState*, unsigned int, void*, long*)>, hookData=0x1, rval=0xbfffa570) at /Users/henrik/Projects/mozilla/source/mozilla/js/jsd/jsd_hook.c:165
#6  0x2f8863d2 in jsd_TrapHandler (cx=0x3df70010, script=0x3f330ab0, pc=0x3f330af4 "S5", rval=0xbfffa570, closure=0x3c78b371) at /Users/henrik/Projects/mozilla/source/mozilla/js/jsd/jsd_scpt.c:736
#7  0x01033d49 in JS_HandleTrap (cx=0x3df70010, script=0x3f330ab0, pc=0x3f330af4 "S5", rval=0xbfffa570) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsdbgapi.c:289
#8  0x0107e173 in js_Interpret (cx=0x3df70010, pc=0x3f330af4 "S5", result=0xbfffa8d8) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsinterp.c:5225
#9  0x010638a8 in js_Invoke (cx=0x3df70010, argc=1, vp=0x25d4820, flags=2) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsinterp.c:1433
#10 0x35811515 in nsXPCWrappedJSClass::CallMethod (this=0x3a044640, wrapper=0x3f3b1cf0, methodIndex=3, info=0x20cd9d0, nativeParams=0xbfffad34) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1473
#11 0x35809c6f in nsXPCWrappedJS::CallMethod (this=0x3f3b1cf0, methodIndex=3, info=0x20cd9d0, params=0xbfffad34) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:556
#12 0x0139788a in PrepareAndDispatch (self=0x3f3b1d30, methodIndex=3, args=0xbfffae54) at /Users/henrik/Projects/mozilla/source/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
#13 0x013978e8 in nsXPTCStubBase::Stub3 (this=0x3f3b1d30) at ../../../../../../dist/include/xpcom/xptcstubsdef.inc:5
#14 0x1604090e in nsEventListenerManager::HandleEventSubType (this=0x3f39fb90, aListenerStruct=0x3f39b058, aListener=0x3f3b1d30, aDOMEvent=0x3e61edbc, aCurrentTarget=0x3e326e20, aPhaseFlags=6) at /Users/henrik/Projects/mozilla/source/mozilla/content/events/src/nsEventListenerManager.cpp:1082
#15 0x1604267b in nsEventListenerManager::HandleEvent (this=0x3f39fb90, aPresContext=0x3f31cf10, aEvent=0xbfffb1f4, aDOMEvent=0xbfffb124, aCurrentTarget=0x3e326e20, aFlags=6, aEventStatus=0xbfffb128) at /Users/henrik/Projects/mozilla/source/mozilla/content/events/src/nsEventListenerManager.cpp:1184
#16 0x16067b5f in nsEventTargetChainItem::HandleEvent (this=0x3d20b920, aVisitor=@0xbfffb11c, aFlags=6) at /Users/henrik/Projects/mozilla/source/mozilla/content/events/src/nsEventDispatcher.cpp:206
#17 0x16067d31 in nsEventTargetChainItem::HandleEventTargetChain (this=0x3d20b9c0, aVisitor=@0xbfffb11c, aFlags=6, aCallback=0x0) at /Users/henrik/Projects/mozilla/source/mozilla/content/events/src/nsEventDispatcher.cpp:264
#18 0x160685e2 in nsEventDispatcher::Dispatch (aTarget=0x3e326e20, aPresContext=0x3f31cf10, aEvent=0xbfffb1f4, aDOMEvent=0x0, aEventStatus=0xbfffb23c, aCallback=0x0) at /Users/henrik/Projects/mozilla/source/mozilla/content/events/src/nsEventDispatcher.cpp:479
#19 0x15dbcdab in PresShell::HandleDOMEventWithTarget (this=0x3d164200, aTargetContent=0x3e326e20, aEvent=0xbfffb1f4, aStatus=0xbfffb23c) at /Users/henrik/Projects/mozilla/source/mozilla/layout/base/nsPresShell.cpp:5886
#20 0x15f5de8d in nsButtonBoxFrame::DoMouseClick (this=0x259b7a0, aEvent=0xbfffb51c, aTrustEvent=0) at /Users/henrik/Projects/mozilla/source/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp:160
Sorry, hit the enter key too early. Here comes the missing part:

While checking the application details dialog and setting a breakpoint in there, Minefield crashes when reaching the breakpoint.

STR:

1. Start Minefield and open Venkman
2. Open Preferences and go to applications
3. Open drop down box of "Web Feed" and select "Application Details"
4. Goto Venkman and goto appManager_onOk within applicationManager.js
5. Set a breakpoint at line 46: if (!this._removed.length) {
6. Go back to the Application Details dialog and hit Ok

Now Minefield crashes with the above stack trace. Here some values:

(gdb) frame 1
#1  0x010626e1 in ComputeGlobalThis (cx=0x3df70010, lazy=1, argv=0x25d498c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsinterp.c:928
928	            JS_ASSERT(!fp->thisp && fp->argv == argv);
(gdb) p !fp->thisp
$1 = 0
(gdb) p fp->argv
$2 = (jsval *) 0x25d4a1c
(gdb) p argv
$3 = (jsval *) 0x25d498c
fp in frame 1 must not be cx->fp, then. True?

/be
fp is the same as cx->fp:

(gdb) p fp
$1 = (JSStackFrame *) 0x3caca21c
(gdb) p cx->fp
$2 = (JSStackFrame *) 0x3caca21c

Anything other would be suspicious, due to following lines:

        fp = cx->fp;    /* quell GCC overwarning */
        if (lazy) {
            JS_ASSERT(!fp->thisp && fp->argv == argv);
            fp->dormantNext = cx->dormantFrameChain;
Yes, sorry -- I meant in frame 3. But JS_GetFrameThis there is passed fp (which must differ from cx->fp for argv to differ in frame 1) from jsd_NewThreadState, which indeed says:

    while( NULL != (fp = JS_FrameIterator(cx, &iter)) )
    {
        JSScript* script = JS_GetFrameScript(cx, fp);
        jsuword  pc = (jsuword) JS_GetFramePC(cx, fp);
        
        /*
         * don't construct a JSDStackFrame for dummy frames (those without a
         * |this| object, or native frames, if JSD_INCLUDE_NATIVE_FRAMES
         * isn't set.
         */
        if (JS_GetFrameThis(cx, fp) &&

So the bug is obvious.

/be
Assignee: general → brendan
Flags: blocking1.9+
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9beta4
Aah, then here the values:

(gdb) frame 3
#3  0x01035b21 in JS_GetFrameThis (cx=0x3b8db870, fp=0x3cbb7198) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/jsdbgapi.c:1089
1089	        fp->thisp = js_ComputeThis(cx, JS_TRUE, fp->argv);
Current language:  auto; currently c
(gdb) p fp
$1 = (JSStackFrame *) 0x3cbb7198
(gdb) p cx->fp
$2 = (JSStackFrame *) 0x3cbb721c

I'm still not able to get Minefield crash under Windows.
I probably have reproducible scenario (crashes always for me) with TRUNK build not older then 4 hours since this comment post on Win XP:

I have setup browser.cache.disk_cache_ssl = true - might be important
I have installed Firebug 1.1.0b10

Start from blank page
Go to www.paypal.com (wait for full load)
Go to www.volny.cz (in another tab!)
Click on 'E-mail' link at the main top black bar
Click 'Zabezpecene prihlaseni' (CZ) or 'Secure login' (EN) in the login form
Minefield blocks this page (certificate domain is not valid)
Click 'Add an exception'
Click 'Get certificate' -> ASSERT FAILS

Call stack (back trace) is:

 	js3250.dll!JS_Assert(const char * s=0x005ac610, const char * file=0x005ac5e4, int ln=926)  Line 59	C
>	js3250.dll!ComputeGlobalThis(JSContext * cx=0x033dfe78, int lazy=1, long * argv=0x086e4a1c)  Line 926 + 0x2a bytes	C
 	js3250.dll!js_ComputeThis(JSContext * cx=0x033dfe78, int lazy=1, long * argv=0x086e4a1c)  Line 993 + 0x11 bytes	C
 	js3250.dll!JS_GetFrameThis(JSContext * cx=0x033dfe78, JSStackFrame * fp=0x086e4a28)  Line 1089 + 0x12 bytes	C
 	jsd3250.dll!jsd_NewThreadState(JSDContext * jsdc=0x056c4560, JSContext * cx=0x033dfe78)  Line 135 + 0xe bytes	C
 	jsd3250.dll!jsd_CallExecutionHook(JSDContext * jsdc=0x056c4560, JSContext * cx=0x033dfe78, unsigned int type=4, unsigned int (JSDContext *, JSDThreadState *, unsigned int, void *, long *)* hook=0x036c12f0, void * hookData=0x00000000, long * rval=0x00128e04)  Line 165 + 0x13 bytes	C
 	jsd3250.dll!jsd_ThrowHandler(JSContext * cx=0x033dfe78, JSScript * script=0x059b64a8, unsigned char * pc=0x059b6546, long * rval=0x00128e04, void * closure=0x056c4560)  Line 149 + 0x1b bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x033dfe78, unsigned char * pc=0x059b6546, long * result=0x00128f24)  Line 6770 + 0x26 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x033dfe78, unsigned int argc=1, long * vp=0x086e4bb4, unsigned int flags=2)  Line 1435 + 0x13 bytes	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x08605668, unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x00c5e5b0, nsXPTCMiniVariant * nativeParams=0x00129240)  Line 1475 + 0x1b bytes	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x00c5e5b0, nsXPTCMiniVariant * params=0x00129240)  Line 557	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x086056e0, unsigned int methodIndex=3, unsigned int * args=0x00129300, unsigned int * stackBytesToPop=0x001292f0)  Line 114 + 0x21 bytes	C++
 	xpcom_core.dll!SharedStub()  Line 142	C++
 	gklayout.dll!nsXMLHttpRequest::GetInterface(const nsID & aIID={...}, void * * aResult=0x001294fc)  Line 2745 + 0x24 bytes	C++
 	gklayout.dll!nsXMLHttpRequest::GetInterface(const nsID & aIID={...}, void * * aResult=0x001294fc)  Line 2745 + 0x24 bytes	C++
 	xpcom_core.dll!NS_InvokeByIndex_P(nsISupports * that=0x00000003, unsigned int methodIndex=2, unsigned int paramCount=1217772, nsXPTCVariant * params=0x00000000)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=3)  Line 2339 + 0x21 bytes	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2339 + 0x21 bytes	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x033dfe78, JSObject * obj=0x062931e0, unsigned int argc=1, long * argv=0x086e4b9c, long * vp=0x001297b4)  Line 1470 + 0xe bytes	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x033dfe78, unsigned int argc=1, long * vp=0x086e4b94, unsigned int flags=0)  Line 1419 + 0x20 bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x033dfe78, unsigned char * pc=0x04087e9d, long * result=0x00129fd0)  Line 4759 + 0x16 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x033dfe78, unsigned int argc=3, long * vp=0x086e4b5c, unsigned int flags=2)  Line 1435 + 0x13 bytes	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x05b4ad80, unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x01cf8680, nsXPTCMiniVariant * nativeParams=0x0012a2ec)  Line 1475 + 0x1b bytes	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x01cf8680, nsXPTCMiniVariant * params=0x0012a2ec)  Line 557	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x05b4adf8, unsigned int methodIndex=3, unsigned int * args=0x0012a3ac, unsigned int * stackBytesToPop=0x0012a39c)  Line 114 + 0x21 bytes	C++
 	xpcom_core.dll!SharedStub()  Line 142	C++
 	xpcom_core.dll!nsObserverList::NotifyObservers(nsISupports * aSubject=0x05b4adf8, const char * aTopic=0x06067cb8, const wchar_t * someData=0x01943cc0)  Line 129	C++
 	xpcom_core.dll!nsObserverList::NotifyObservers(nsISupports * aSubject=0x06067cb8, const char * aTopic=0x01943cc0, const wchar_t * someData=0x00000000)  Line 129	C++
 	xpcom_core.dll!nsObserverService::NotifyObservers(nsISupports * aSubject=0x06067cb8, const char * aTopic=0x01943cc0, const wchar_t * someData=0x00000000)  Line 184	C++
 	necko.dll!nsHttpHandler::NotifyObservers(nsIHttpChannel * chan=0x06067cb8, const char * event=0x01943cc0)  Line 493	C++
 	necko.dll!nsHttpHandler::OnModifyRequest(nsIHttpChannel * chan=0x06067cb8)  Line 180	C++
 	necko.dll!nsHttpChannel::AsyncOpen(nsIStreamListener * listener=0x05b6c580, nsISupports * context=0x00000000)  Line 3666	C++
 	gklayout.dll!nsXMLHttpRequest::Send(nsIVariant * aBody=0x085e6808)  Line 2330 + 0x30 bytes	C++
 	xpcom_core.dll!NS_InvokeByIndex_P(nsISupports * that=0x0000000d, unsigned int methodIndex=1, unsigned int paramCount=1223068, nsXPTCVariant * params=0x00000000)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=13)  Line 2339 + 0x21 bytes	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2339 + 0x21 bytes	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x033dfe78, JSObject * obj=0x062809e0, unsigned int argc=1, long * argv=0x086e4b48, long * vp=0x0012ac64)  Line 1470 + 0xe bytes	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x033dfe78, unsigned int argc=1, long * vp=0x086e4b40, unsigned int flags=0)  Line 1419 + 0x20 bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x033dfe78, unsigned char * pc=0x086732cf, long * result=0x0012b480)  Line 4759 + 0x16 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x033dfe78, unsigned int argc=1, long * vp=0x086e48b0, unsigned int flags=2)  Line 1435 + 0x13 bytes	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x05f64d18, unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x032e66f0, nsXPTCMiniVariant * nativeParams=0x0012b79c)  Line 1475 + 0x1b bytes	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x032e66f0, nsXPTCMiniVariant * params=0x0012b79c)  Line 557	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x05ff4ea0, unsigned int methodIndex=3, unsigned int * args=0x0012b85c, unsigned int * stackBytesToPop=0x0012b84c)  Line 114 + 0x21 bytes	C++
 	xpcom_core.dll!SharedStub()  Line 142	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct=0x05ff4ea0, nsIDOMEventListener * aListener=0x0451064c, nsIDOMEvent * aDOMEvent=0x05ee36e8, nsISupports * aCurrentTarget=0x002f991b, unsigned int aPhaseFlags=1)  Line 1082 + 0x12 bytes	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct=0x05a3cf70, nsIDOMEventListener * aListener=0x05ff4ea0, nsIDOMEvent * aDOMEvent=0x0451064c, nsISupports * aCurrentTarget=0x033d63b0, unsigned int aPhaseFlags=6)  Line 1082 + 0x12 bytes	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x08701020, nsEvent * aEvent=0x0012bb20, nsIDOMEvent * * aDOMEvent=0x0012ba6c, nsISupports * aCurrentTarget=0x033d63b0, unsigned int aFlags=6, nsEventStatus * aEventStatus=0x0012ba70)  Line 1190	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6)  Line 207	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x00000000)  Line 266	C++
 	gklayout.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget=0x033d63b0, nsPresContext * aPresContext=0x08701020, nsEvent * aEvent=0x0012bb20, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012bb1c, nsDispatchingCallback * aCallback=0x00000000)  Line 479 + 0x12 bytes	C++
 	gklayout.dll!PresShell::HandleDOMEventWithTarget(nsIContent * aTargetContent=0x033d63b0, nsEvent * aEvent=0x0012bb20, nsEventStatus * aStatus=0x0012bb1c)  Line 5934 + 0x1c bytes	C++
 	gklayout.dll!nsButtonBoxFrame::DoMouseClick(nsGUIEvent * aEvent=0x0012bdf4, int aTrustEvent=0)  Line 162	C++
 	gklayout.dll!nsButtonBoxFrame::MouseClicked(nsPresContext * aPresContext=0x08701020, nsGUIEvent * aEvent=0x0012bdf4)  Line 62 + 0x15 bytes	C++
 	gklayout.dll!nsButtonBoxFrame::HandleEvent(nsPresContext * aPresContext=0x08701020, nsGUIEvent * aEvent=0x0012bdf4, nsEventStatus * aEventStatus=0x0012bc60)  Line 135	C++
 	gklayout.dll!nsPresShellEventCB::HandleEvent(nsEventChainPostVisitor & aVisitor={...})  Line 1227	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012bd10)  Line 314	C++
 	gklayout.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget=0x033d63b0, nsPresContext * aPresContext=0x08701020, nsEvent * aEvent=0x0012bdf4, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012c228, nsDispatchingCallback * aCallback=0x0012bd10)  Line 479 + 0x12 bytes	C++
 	gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012bdf4, nsIView * aView=0x00000000, nsEventStatus * aStatus=0x0012c228)  Line 5888 + 0x29 bytes	C++
 	gklayout.dll!PresShell::HandleEventWithTarget(nsEvent * aEvent=0x0012bdf4, nsIFrame * aFrame=0x05ec04b8, nsIContent * aContent=0x033d63b0, nsEventStatus * aStatus=0x0012c228)  Line 5793 + 0x12 bytes	C++
 	gklayout.dll!nsEventStateManager::CheckForAndDispatchClick(nsPresContext * aPresContext=0x08701020, nsMouseEvent * aEvent=0x0012c48c, nsEventStatus * aStatus=0x0012c228)  Line 3356 + 0x45 bytes	C++
 	gklayout.dll!nsEventStateManager::PostHandleEvent(nsPresContext * aPresContext=0x08701020, nsEvent * aEvent=0x0012c48c, nsIFrame * aTargetFrame=0x05ec04b8, nsEventStatus * aStatus=0x0012c228, nsIView * aView=0x03efbed8)  Line 2420 + 0x1c bytes	C++
 	gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012c48c, nsIView * aView=0x03efbed8, nsEventStatus * aStatus=0x0012c228)  Line 5909 + 0x3a bytes	C++
 	gklayout.dll!PresShell::HandlePositionedEvent(nsIView * aView=0x03efbed8, nsIFrame * aTargetFrame=0x05ec04b8, nsGUIEvent * aEvent=0x0012c48c, nsEventStatus * aEventStatus=0x0012c228)  Line 5776 + 0x14 bytes	C++
 	gklayout.dll!PresShell::HandleEvent(nsIView * aView=0x03efbed8, nsGUIEvent * aEvent=0x0012c48c, nsEventStatus * aEventStatus=0x0012c228)  Line 5636 + 0x1e bytes	C++
 	gklayout.dll!nsViewManager::HandleEvent(nsView * aView=0x03efbed8, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012c48c, int aCaptured=0)  Line 1399	C++
 	gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012c48c, nsEventStatus * aStatus=0x0012c370)  Line 1351 + 0x22 bytes	C++
 	gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012c48c)  Line 171	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012c48c, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 972 + 0xc bytes	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012c48c)  Line 993	C++
 	gkwidget.dll!nsWindow::DispatchMouseEvent(unsigned int aEventType=301, unsigned int wParam=0, long lParam=6029731, int aIsContextMenuKey=0, short aButton=0)  Line 5865 + 0x1a bytes	C++
 	gkwidget.dll!ChildWindow::DispatchMouseEvent(unsigned int aEventType=301, unsigned int wParam=0, long lParam=6029731, int aIsContextMenuKey=0, short aButton=0)  Line 6038	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=514, unsigned int wParam=0, long lParam=6029731, long * aRetValue=0x0012c944)  Line 4341 + 0x24 bytes	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x002b0b76, unsigned int msg=514, unsigned int wParam=0, long lParam=6029731)  Line 1187 + 0x1d bytes	C++
 	user32.dll!7e418734() 	
 	user32.dll!7e418816() 	
 	user32.dll!7e4189cd() 	
 	user32.dll!7e419402() 	
 	user32.dll!7e418a10() 	
 	gkwidget.dll!nsAppShell::ProcessNextNativeEvent(int mayWait=1)  Line 149	C++
 	gkwidget.dll!nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=1)  Line 133 + 0x11 bytes	C++
 	gkwidget.dll!nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00bc7a10, int mayWait=1, unsigned int recursionDepth=0)  Line 252 + 0xf bytes	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012cb40)  Line 500	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00bc7a10, int mayWait=1)  Line 227 + 0x16 bytes	C++
 	appshell.dll!nsXULWindow::ShowModal()  Line 398 + 0xc bytes	C++
 	appshell.dll!nsContentTreeOwner::ShowAsModal()  Line 525	C++
 	embedcomponents.dll!nsWindowWatcher::OpenWindowJSInternal(nsIDOMWindow * aParent=0x033ee568, const char * aUrl=0x0454fc68, const char * aName=0x00000000, const char * aFeatures=0x0012d25c, int aDialog=1, nsIArray * argv=0x0454fc0c, int aCalledFromJS=1, nsIDOMWindow * * _retval=0x0012d2b8)  Line 945	C++
 	embedcomponents.dll!nsWindowWatcher::OpenWindowJS(nsIDOMWindow * aParent=0x033ee568, const char * aUrl=0x0454fc68, const char * aName=0x00000000, const char * aFeatures=0x0012d25c, int aDialog=1, nsIArray * argv=0x0454fc0c, nsIDOMWindow * * _retval=0x0012d2b8)  Line 485	C++
 	gklayout.dll!nsGlobalWindow::OpenInternal(const nsAString_internal & aUrl={...}, const nsAString_internal & aName={...}, const nsAString_internal & aOptions={...}, int aDialog=1, int aContentModal=0, int aCalledNoScript=0, int aDoJSFixups=0, nsIArray * argv=0x0454fc0c, nsISupports * aExtraArgument=0x00000000, nsIPrincipal * aCalleePrincipal=0x00c97150, JSContext * aJSCallerContext=0x033ee940, nsIDOMWindow * * aReturn=0x0012d6a4)  Line 7222 + 0x69 bytes	C++
 	gklayout.dll!nsGlobalWindow::OpenDialog(nsIDOMWindow * * _retval=0x0012d6a4)  Line 5056 + 0x4d bytes	C++
 	xpcom_core.dll!NS_InvokeByIndex_P(nsISupports * that=0x00000010, unsigned int methodIndex=1, unsigned int paramCount=1234596, nsXPTCVariant * params=0x033fb370)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=16)  Line 2339 + 0x21 bytes	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2339 + 0x21 bytes	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x033ee940, JSObject * obj=0x03a411a0, unsigned int argc=4, long * argv=0x0331d070, long * vp=0x0012d96c)  Line 1470 + 0xe bytes	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x033ee940, unsigned int argc=4, long * vp=0x0331d068, unsigned int flags=0)  Line 1419 + 0x20 bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x033ee940, unsigned char * pc=0x03ef962e, long * result=0x0012e188)  Line 4759 + 0x16 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x033ee940, unsigned int argc=1, long * vp=0x0331d030, unsigned int flags=2)  Line 1435 + 0x13 bytes	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x0533ede0, unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x032e66f0, nsXPTCMiniVariant * nativeParams=0x0012e4a4)  Line 1475 + 0x1b bytes	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x032e66f0, nsXPTCMiniVariant * params=0x0012e4a4)  Line 557	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x0533ee58, unsigned int methodIndex=3, unsigned int * args=0x0012e564, unsigned int * stackBytesToPop=0x0012e554)  Line 114 + 0x21 bytes	C++
 	xpcom_core.dll!SharedStub()  Line 142	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct=0x0533ee58, nsIDOMEventListener * aListener=0x045539e4, nsIDOMEvent * aDOMEvent=0x03ead6d8, nsISupports * aCurrentTarget=0x002f991b, unsigned int aPhaseFlags=1)  Line 1082 + 0x12 bytes	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct=0x0533ec50, nsIDOMEventListener * aListener=0x0533ee58, nsIDOMEvent * aDOMEvent=0x045539e4, nsISupports * aCurrentTarget=0x03ead670, unsigned int aPhaseFlags=2)  Line 1082 + 0x12 bytes	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x08627948, nsEvent * aEvent=0x0012e828, nsIDOMEvent * * aDOMEvent=0x0012e774, nsISupports * aCurrentTarget=0x03ead670, unsigned int aFlags=2, nsEventStatus * aEventStatus=0x0012e778)  Line 1190	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=2)  Line 207	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x00000000)  Line 289	C++
 	gklayout.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget=0x045a4310, nsPresContext * aPresContext=0x08627948, nsEvent * aEvent=0x0012e828, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012e824, nsDispatchingCallback * aCallback=0x00000000)  Line 479 + 0x12 bytes	C++
 	gklayout.dll!PresShell::HandleDOMEventWithTarget(nsIContent * aTargetContent=0x045a4310, nsEvent * aEvent=0x0012e828, nsEventStatus * aStatus=0x0012e824)  Line 5934 + 0x1c bytes	C++
 	gklayout.dll!nsButtonBoxFrame::DoMouseClick(nsGUIEvent * aEvent=0x0012eafc, int aTrustEvent=0)  Line 162	C++
 	gklayout.dll!nsButtonBoxFrame::MouseClicked(nsPresContext * aPresContext=0x08627948, nsGUIEvent * aEvent=0x0012eafc)  Line 62 + 0x15 bytes	C++

------------

Assertion value is:
fp->thisp = 0x06280da0 {map=0x044fdf38 fslots=0x06280da4 dslots=0x00000000 }
fp->argv = 0x086e4bd4
argv = 0x086e4a1c

------------

This is JS stack:

0 anonymous(aIID = {f3fb86e6-5914-4b47-a1f6-8907e37e1159}) ["chrome://pippki/con
tent/exceptionDialog.js":59]
    this = [object Object]
1 anonymous(aIID = {f3fb86e6-5914-4b47-a1f6-8907e37e1159}) ["chrome://pippki/con
tent/exceptionDialog.js":51]
    this = [object Object]
2 [native frame]
3 anonymous(data = null, topic = "http-on-modify-request", request = [xpconnect
wrapped nsIHttpChannel @ 0x5703040 (native @ 0x5f78f00)]) ["chrome://firebug/con
tent/spy.js":37]
    i = undefined
    win = undefined
    xhrRequest = undefined
    this = [object Object]
4 [native frame]
5 checkCert() ["chrome://pippki/content/exceptionDialog.js":151]
    Ci = undefined
    req = [object XMLHttpRequest @ 0x5d8caa8 (native @ 0x5d8c9c0)]
    uri = [xpconnect wrapped nsIURI @ 0x5c0c118 (native @ 0x5c0be9c)]
    this = [object ChromeWindow @ 0x615db30 (native @ 0x5d237bc)]
6 anonymous(event = [object Event @ 0x5eeab20 (native @ 0x5eeaa50)]) ["chrome://
global/content/bindings/dialog.xml":357]
    this = [object ChromeWindow @ 0x5a18a20 (native @ 0x5b5abdc)]
7 _fireButtonEvent(aDlgType = "extra2") ["chrome://global/content/bindings/dialo
g.xml":358]
    returned = undefined
    fn = [function]
    handler = "checkCert();"
    noCancel = true
    event = [object Event @ 0x5eeab20 (native @ 0x5eeaa50)]
    this = [object XULElement @ 0x5d7e380 (native @ 0x5aa7d10)]
8 _doButtonCommand(aDlgType = "extra2") ["chrome://global/content/bindings/dialo
g.xml":332]
    noCancel = undefined
    button = [object XULElement @ 0x5719c28 (native @ 0x5de6388)]
    this = [object XULElement @ 0x5d7e380 (native @ 0x5aa7d10)]
9 _handleButtonCommand(aEvent = [object XULCommandEvent @ 0x5eea430 (native @ 0x
5f7b1dc)]) ["chrome://global/content/bindings/dialog.xml":321]
    this = [object XULElement @ 0x5719c28 (native @ 0x5de6388)]

Hope it helps...

Updated

11 years ago
Flags: tracking1.9+ → blocking1.9+
Assignee: brendan → mrbkap
(Assignee)

Comment 7

11 years ago
Created attachment 306799 [details] [diff] [review]
Untested patch

I'm not going to get a chance to test this for a while, but this attempts to fix the bug by ensuring that we only call into ComputeGlobalThis to compute |this| for cx->fp.
Blake, I'll do the test in a minute. But FYI this crash also happens for me now when starting my debug build and clicking on Venkman under Tools. Looks really bad!
Status: NEW → ASSIGNED
Comment on attachment 306799 [details] [diff] [review]
Untested patch

Better to parameterize fp in *Compute*This so JS_GetFrameThis can just pass it in. Can do?

/be
Blake, I'll do the test in a minute. But FYI this crash also happens for me now when starting my debug build and clicking on Venkman under Tools. Looks really bad!
Sorry, something went wrong after I got the mid-air collision. After a testrun Venkman now starts again. Even the mentioned testcase doesn't crash the browser anymore. From my point of view the patch works fine. 
(Assignee)

Comment 12

11 years ago
(In reply to comment #9)
> Better to parameterize fp in *Compute*This so JS_GetFrameThis can just pass it
> in.

So, every other consumer of *Compute*This just uses cx->fp. It seems like less work to just make the "other" consumer do additional work to meet the contract.

Comment on attachment 306799 [details] [diff] [review]
Untested patch

First, I'm not convinced this is less code than making everyone pass fp (cx->fp, but some callers have fp already live and possibly in a register. Care to do an A-B code size test?

Second, none of the guts should run if (fp->flags & JSFRAME_COMPUTED_THIS) -- just return fp->thisp in that case.

Third, style nits about declaration and code blank line separator, and maybe a wittier name than fp2 ;-). Suggest afp.

/be

Updated

11 years ago
Duplicate of this bug: 420545
(Assignee)

Comment 15

11 years ago
Created attachment 306963 [details] [diff] [review]
Pick nits

On IRC, I argued for reduced brainprint in the common cases (calling js_ComputeThis with fp == cx->fp).
Attachment #306799 - Attachment is obsolete: true
Attachment #306963 - Flags: review?(brendan)
a1.9b4=beltzner once we have a reviewed patch.
Created attachment 306981 [details] [diff] [review]
final patch for checkin

Thanks, mrbkap -- I fixed the comment and stripped trailing whitespace (everywhere) -- will commit for you if beltzner is as speedy as he has been tonight.

/be
Attachment #306963 - Attachment is obsolete: true
Attachment #306981 - Flags: review+
Attachment #306981 - Flags: approval1.9b4?
Attachment #306981 - Flags: approval1.9+
Attachment #306963 - Flags: review?(brendan)
Comment on attachment 306981 [details] [diff] [review]
final patch for checkin

Per comment 16, pointed out by crowder -- thanks.

/be
Attachment #306981 - Flags: approval1.9b4? → approval1.9b4+
Fixed:

js/src/jsdbgapi.c 3.130

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Thanks Blake! Venkman works again and doesn't cause a crash on start or setting a breakpoint.

Verified with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b4pre) Gecko Minefield/3.0b4pre ID:2008030308
Status: RESOLVED → VERIFIED

Updated

11 years ago
Flags: in-testsuite-
Flags: in-litmus-
Crash Signature: [@ ComputeGlobalThis]
You need to log in before you can comment on or make changes to this bug.