Crash (assertion) in Decompile()

Status: VERIFIED WORKSFORME
Priority: P3
Severity: normal
Reported: 19 years ago
Modified: 17 years ago

People

Reporter: jst
Assigned: brendan

Tracking

Keywords: crash, js1.5
Version: Trunk
Target Milestone: Future
Platform: x86 / Windows NT
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

Whiteboard: [nsbeta3-]

Attachments

(1 attachment)

(Reporter)

Description

19 years ago
Calling the following function causes an assertion in the js engine:

function foo() {
  clearTimeout(bar);
  var bar = 0;
}

The assertion happens when the JS engine tries to convert 'bar' into a number
when calling 'clearTimeout'. The weird thing is that if the declaration of 'bar'
is removed, even though the declaration appears after 'bar' is passed as an
argument to 'clearTimeout', the assertion goes away. Here's a stacktrace:

NTDLL! 77f7629c()
Decompile(SprintStack * 0x0012e210, unsigned char * 0x033c9488, int 3) line 1712 + 38 bytes
js_DecompileCode(JSPrinter * 0x03409410, JSScript * 0x033c9450, unsigned char * 0x033c9488, unsigned int 3) line 2169 + 17 bytes
js_DecompileValueGenerator(JSContext * 0x03248ab0, int 1, long -2147483647, JSString * 0x00000000) line 2442 + 27 bytes
js_ValueToInt32(JSContext * 0x03248ab0, long -2147483647, long * 0x0012e30c) line 688 + 17 bytes
JS_ValueToInt32(JSContext * 0x03248ab0, long -2147483647, long * 0x0012e30c) line 535 + 17 bytes
WindowClearTimeout(JSContext * 0x03248ab0, JSObject * 0x02c905a0, unsigned int 1, long * 0x02cdf870, long * 0x0012e3c4) line 1865 + 20 bytes
js_Invoke(JSContext * 0x03248ab0, unsigned int 1, unsigned int 0) line 716 + 23 bytes
js_Interpret(JSContext * 0x03248ab0, long * 0x0012ed00) line 2517 + 15 bytes
js_Invoke(JSContext * 0x03248ab0, unsigned int 1, unsigned int 2) line 732 + 13 bytes
js_InternalInvoke(JSContext * 0x03248ab0, JSObject * 0x02c905a0, long 46731688, unsigned int 0, unsigned int 1, long * 0x0012ee94, long * 0x0012ee24) line 805 + 19 bytes
JS_CallFunctionValue(JSContext * 0x03248ab0, JSObject * 0x02c905a0, long 46731688, unsigned int 1, long * 0x0012ee94, long * 0x0012ee24) line 2817 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0324c900, void * 0x02c905a0, void * 0x02c911a8, unsigned int 1, void * 0x0012ee94, int * 0x0012ee90, int 0) line 847 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x033ff894) line 154 + 64 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x033c8e30, nsIDOMEvent * 0x033ff894, nsIDOMEventTarget * 0x0324c970, unsigned int 1, unsigned int 7) line 772 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x038390a0, nsEvent * 0x0012fa7c, nsIDOMEvent * * 0x0012f388, nsIDOMEventTarget * 0x0324c970, unsigned int 7, nsEventStatus * 0x0012fac0) line 1341 + 39 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x0324c960, nsIPresContext * 0x038390a0, nsEvent * 0x0012fa7c, nsIDOMEvent * * 0x0012f388, unsigned int 1, nsEventStatus * 0x0012fac0) line 419
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x032594bc, nsIDocumentLoader * 0x0325b890, nsIChannel * 0x0383df70, unsigned int 0) line 964 + 56 bytes
...

I'll attach a testcase.
(Reporter)

Comment 1

19 years ago
Created attachment 11549 [details]
Testcase...

Comment 2

19 years ago
spam: Adding crash keyword...
Keywords: crash

Comment 3

19 years ago
brendan, can you advise? The decompiler is not getting the right frame for the 
function because there's a new frame constructed for the call to 
WindowClearTimeout. Setting fp->fun to fp->down->fun gets the right behaviour, 
but I'm not sure how to correctly detect the circumstances under which this 
occurs. (c.f. jsobj.c line 2720 where js_Call resets fp->fun so that GETARG is 
handled correctly)
thanks
Status: NEW → ASSIGNED
Keywords: nsbeta3
(Assignee)

Comment 4

19 years ago
That farbling of fp->fun in js_Call is wrong, we should endeavor to fix the code 
in jsopcode.c to recover the correct scope from the stack.  More in a bit.

/be
Keywords: js1.5

Comment 5

19 years ago
Need to fix crashing bugs! Marking nsbeta3+.
Whiteboard: [nsbeta3+]

Comment 6

18 years ago
Crashed upon exit of java.sun.com (duplicated crash) on windows.

Comment 7

18 years ago
The build for that test failure was mozilla build 2000-08-14-10-M18

Comment 8

18 years ago
did not have this problem with build 2000-08-15-08-M18
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 9

18 years ago
marking as verified
Status: RESOLVED → VERIFIED
Comment 10

Brendan wants this bug re-opened (due to problems with 50060)
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 11

18 years ago
bug 50060 shows what I believe to be the same skidmark as this bug.  I don't
understand why this bug was closed without a fix -- esp. not closed as
WORKSFORME.  Did I miss something?

/be

Comment 12

18 years ago
Brendan,
Will you be able to add a bit more detail to the 'More in a bit' promise? Did 
you want me to continue pursuing this one? (I'd still appreciate insight into a 
solution path). 
thanks
(Assignee)

Comment 13

18 years ago
Argh, I forgot about this.  Does the patch in bug 49816 (you're trying that
patch out for me, aren't you?  Please say yes!) help?  Probably not, but I'd
like to get that in, then have some brainwaves left over for this one.

/be
(Assignee)

Comment 14

18 years ago
Roger, I missed this because it was REOPENED on your list and with js1.5 keyword
(my query didn't include REOPENED bugs -- maybe it should?).  Anyway, I hope you
don't mind if I make it ASSIGNED.

/be
Status: REOPENED → ASSIGNED

Comment 15

18 years ago
Sorry to say the patch for 49816 didn't make a difference.

Comment 16

18 years ago
Not holding PR3 for this; marking nsbeta3-.
Whiteboard: [nsbeta3+] → [nsbeta3-]

Comment 17

18 years ago
As per discussion with JS Engine team, marking this with "Future" milestone -
Target Milestone: --- → Future

Comment 18

18 years ago
Brendan, would you give a quick look at this?
Assignee: rogerl → brendan
Status: ASSIGNED → NEW

Comment 19

18 years ago
Using Mozilla binary 2001012504 on WinNT. When I now try Johnny's testcase, 
I do not crash. I only get this in the JS Console:

Error: uncaught exception: Exception .. "Parameter is not a number"
code: 1005
nsresult: NS_ERROR_DOM_NOT_NUMBER_ERR

Comment 20

18 years ago
Using Mozilla binary 2001012608 on Linux. Same as above: 
I do not crash. I only get this in the JS Console:

Error: uncaught exception: Exception .. "Parameter is not a number"
code: 1005
nsresult: NS_ERROR_DOM_NOT_NUMBER_ERR

Note: a build from 2001-01-08 does crash, so it looks like something
changed between then and now to stop the crash from happening. 


I don't feel I can close the bug yet, however, because I don't know 
if all the issues discussed above have been fully addressed - 
(Assignee)

Comment 21

18 years ago
Wow, this so works for me.  The "not a number" error is spot on, because the
testcase is passing undefined to clearTimeout, which requires a timeout id (an
otherwise opaque integer).

/be
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → WORKSFORME
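The reporter's observation in the description (the assertion disappears when the `var bar` line is removed) and Brendan's explanation in comment 21 (the testcase hands `undefined` to `clearTimeout`) describe the same mechanism from two sides. The following is an added example, not code from the bug report or from Mozilla, that makes both visible in plain Node.js. Modern `clearTimeout` silently ignores a non-numeric id, so the DOM-era "Parameter is not a number" check is modelled by a hypothetical stand-in, `clearTimeoutStrict`; `probe` is an instrumented harness written for this example. The `let` variant goes beyond what the page discusses.

```javascript
// Added example; not part of the original bug report.
// Hypothetical stand-in for the old WindowClearTimeout argument check
// (NS_ERROR_DOM_NOT_NUMBER_ERR): reject anything that is not a number.
function clearTimeoutStrict(id) {
  if (typeof id !== 'number') {
    throw new TypeError('Parameter is not a number');
  }
  return id;
}

// Shape 1: the attached testcase. `var bar` is hoisted to the top of the
// function, so `bar` reads as undefined at the call site. The native
// function IS entered and rejects the argument; this is the path that
// reached js_ValueToInt32 -> js_DecompileValueGenerator in the trace.
function fooHoisted(clear) {
  clear(bar);
  var bar = 0;
}

// Shape 2: the reporter's variant with the declaration removed. `bar` is
// now an unresolved identifier, so a ReferenceError is thrown while the
// argument is evaluated and the native function is never entered, which
// is why the assertion "goes away".
function fooUndeclared(clear) {
  clear(bar);
}

// Beyond the page: a `let` declared after use is in the temporal dead
// zone, so it behaves like shape 2 (ReferenceError), not like shape 1.
function fooLet(clear) {
  clear(bar);
  let bar = 0;
}

// Runs one variant with an instrumented clearTimeout and reports whether
// the native side was reached, what it received, and what was thrown.
function probe(variant) {
  let nativeEntered = false;
  let received;
  const instrumented = (id) => {
    nativeEntered = true;
    received = id;
    return clearTimeoutStrict(id);
  };
  try {
    variant(instrumented);
    return { nativeEntered, received, error: null };
  } catch (e) {
    return { nativeEntered, received, error: `${e.constructor.name}: ${e.message}` };
  }
}

for (const variant of [fooHoisted, fooUndeclared, fooLet]) {
  console.log(variant.name, probe(variant));
}
```

The `received` value for `fooHoisted` is `undefined`, which matches the stack trace: the `long -2147483647` argument to `js_ValueToInt32` is `0x80000001`, the tagged `JSVAL_VOID` of SpiderMonkey at the time, so the engine was asked to convert `undefined` to an int32 and then to decompile the expression that produced it for the error message.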

Comment 22

18 years ago
Marking Verified - 
Status: RESOLVED → VERIFIED