Closed
Bug 506034
Opened 15 years ago
Closed 6 years ago
Assertion failure: (cx)->requestDepth || (cx)->thread == (cx)->runtime->gcThread, at mozilla/js/src/jsapi.cpp:4231
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
INACTIVE
People
(Reporter: kakkar_pankaj, Unassigned)
Details
Attachments
(1 file)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.33 Safari/530.5
Build Identifier:

I'm writing a JS debugging extension. After calling enterNestedEventLoop within an interruptHook (having saved the jsdIStackFrame at that point), I subsequently called frame.callee within the scope of the nested event loop. This causes the assert, with the following stack (snipped beyond the eNEL call):

#0 0x00007ffff3ad9095 in raise () from /lib/libc.so.6
#1 0x00007ffff3adaaf0 in abort () from /lib/libc.so.6
#2 0x00007ffff7703481 in JS_Assert ( s=0x7ffff771cc98 "(cx)->requestDepth || (cx)->thread == (cx)->runtime->gcThread", file=0x7ffff771cc58 "/usr/local/google/pankaj/ff/mozilla-central/js/src/jsapi.cpp", ln=4233) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsutil.cpp:69
#3 0x00007ffff75fe4df in JS_GetReservedSlot (cx=0x7fffdd710800, obj=0x7fffefca1600, index=1, vp=0x7fffffff6c80) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsapi.cpp:4231
#4 0x00007ffff76a0d2d in js_GetClassObject (cx=0x7fffdd710800, obj=0x7fffefca1600, key=JSProto_Object, objp=0x7fffffff6d40) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsobj.cpp:3173
#5 0x00007ffff76a1052 in js_FindClassObject (cx=0x7fffdd710800, start=0x0, id=3, vp=0x7fffffff6db8) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsobj.cpp:3259
#6 0x00007ffff76a1453 in js_GetClassPrototype (cx=0x7fffdd710800, scope=0x0, id=3, protop=0x7fffffff6df8) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsobj.cpp:5342
#7 0x00007ffff76a3b37 in js_NewObject (cx=0x7fffdd710800, clasp=0x7ffff7960920, proto=0x0, parent=0x0, objectSize=0) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsobj.cpp:2173
#8 0x00007ffff76553a6 in js_GetArgsObject (cx=0x7fffdd710800, fp=0x7fffffffb8e0) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsfun.cpp:262
#9 0x00007ffff762ca3e in JS_GetFrameCallObject (cx=0x7fffdd710800, fp=0x7fffffffb8e0) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsdbgapi.cpp:1120
#10 0x00007fffdd4e095a in jsd_GetCallObjectForStackFrame ( jsdc=0x7fffe2a0c680, jsdthreadstate=0x7fffdb7ae700, jsdframe=0x7fffdb7acd00) at /usr/local/google/pankaj/ff/mozilla-central/js/jsd/jsd_stak.c:297
#11 0x00007fffdd4dac45 in JSD_GetCallObjectForStackFrame ( jsdc=0x7fffe2a0c680, jsdthreadstate=0x7fffdb7ae700, jsdframe=0x7fffdb7acd00) at /usr/local/google/pankaj/ff/mozilla-central/js/jsd/jsdebug.c:704
#12 0x00007fffdd4e9997 in jsdStackFrame::GetCallee (this=0x7fffdf1c8a00, _rval=0x7fffffff7150) at /usr/local/google/pankaj/ff/mozilla-central/js/jsd/jsd_xpc.cpp:1862
#13 0x00007ffff71426fc in NS_InvokeByIndex_P (that=0x7fffdf1c8a00, methodIndex=17, paramCount=1, params=0x7fffffff7150) at /usr/local/google/pankaj/ff/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208
#14 0x00007fffeaca9ec3 in XPCWrappedNative::CallMethod (ccx=@0x7fffffff75d0, mode=XPCWrappedNative::CALL_GETTER) at /usr/local/google/pankaj/ff/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:2694
#15 0x00007fffeacbc466 in XPCWrappedNative::GetAttribute (ccx=@0x7fffffff75d0) at /usr/local/google/pankaj/ff/mozilla-central/js/src/xpconnect/src/xpcprivate.h:2392
#16 0x00007fffeacb6a24 in XPC_WN_GetterSetter (cx=0x7fffe72b2400, obj=0x7fffdff02a80, argc=0, argv=0x7fffdc60a800, vp=0x7fffffff7780) at /usr/local/google/pankaj/ff/mozilla-central/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1780
#17 0x00007ffff768829a in js_Invoke (cx=0x7fffe72b2400, argc=0, vp=0x7fffdc60a7f0, flags=2) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsinterp.cpp:1362
#18 0x00007ffff76889e1 in js_InternalInvoke (cx=0x7fffe72b2400, obj=0x7fffdff02a80, fval=140736950488896, flags=0, argc=0, argv=0x0, rval=0x7fffffff84a8) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsinterp.cpp:1442
#19 0x00007ffff7688c68 in js_InternalGetOrSet (cx=0x7fffe72b2400, obj=0x7fffdff02a80, id=140737140798164, fval=140736950488896, mode=JSACC_READ, argc=0, argv=0x0, rval=0x7fffffff84a8) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsinterp.cpp:1512
#20 0x00007ffff7699f35 in js_GetSprop (cx=0x7fffe72b2400, sprop=0x7fffdd2a0560, obj=0x7fffdff02a80, vp=0x7fffffff84a8) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsscope.h:479
#21 0x00007ffff769b3ea in js_NativeGet (cx=0x7fffe72b2400, obj=0x7fffdff02a80, pobj=0x7fffdff02a80, sprop=0x7fffdd2a0560, vp=0x7fffffff84a8) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsobj.cpp:4139
#22 0x00007ffff769c89f in js_GetPropertyHelper (cx=0x7fffe72b2400, obj=0x7fffdff02a80, id=140737140798164, cacheResult=1, vp=0x7fffffff84a8) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsobj.cpp:4305
#23 0x00007ffff7670dc4 in js_Interpret (cx=0x7fffe72b2400) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsinterp.cpp:4488
#24 0x00007ffff76882e4 in js_Invoke (cx=0x7fffe72b2400, argc=5, vp=0x7fffdc60a038, flags=0) at /usr/local/google/pankaj/ff/mozilla-central/js/src/jsinterp.cpp:1370
#25 0x00007fffeaca221b in nsXPCWrappedJSClass::CallMethod ( this=0x7fffdc4e9a10, wrapper=0x7fffdc468980, methodIndex=5, info=0x7fffe9c83f58, nativeParams=0x7fffffff8c50) at /usr/local/google/pankaj/ff/mozilla-central/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1647
#26 0x00007fffeac9956d in nsXPCWrappedJS::CallMethod (this=0x7fffdc468980, methodIndex=5, info=0x7fffe9c83f58, params=0x7fffffff8c50) at /usr/local/google/pankaj/ff/mozilla-central/js/src/xpconnect/src/xpcwrappedjs.cpp:570
#27 0x00007ffff71436ed in PrepareAndDispatch (self=0x7fffdc464800, methodIndex=5, args=0x7fffffff8dc0, gpregs=0x7fffffff8d40, fpregs=0x7fffffff8d70) at /usr/local/google/pankaj/ff/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#28 0x00007ffff71427a3 in SharedStub () from /usr/local/google/pankaj/ff/mozilla-central/objdir-ff-debug/dist/bin/libxpcom_core.so
#29 0x00007fffea658683 in nsInputStreamPump::OnStateTransfer ( this=0x7fffdc468900) at /usr/local/google/pankaj/ff/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:508
#30 0x00007fffea658b48 in nsInputStreamPump::OnInputStreamReady ( this=0x7fffdc468900, stream=0x7fffdc54b6b8) at /usr/local/google/pankaj/ff/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:398
#31 0x00007ffff70f7a55 in nsInputStreamReadyEvent::Run (this=0x7fffdb1b3dc0) at /usr/local/google/pankaj/ff/mozilla-central/xpcom/io/nsStreamUtils.cpp:111
#32 0x00007ffff7125ed0 in nsThread::ProcessNextEvent (this=0x7fffefb2f4c0, mayWait=1, result=0x7fffffff8f7c) at /usr/local/google/pankaj/ff/mozilla-central/xpcom/threads/nsThread.cpp:527
#33 0x00007ffff70b0dec in NS_ProcessNextEvent_P (thread=0x7fffefb2f4c0, mayWait=1) at nsThreadUtils.cpp:230
#34 0x00007fffdd4e70a3 in jsdService::EnterNestedEventLoop ( this=0x7fffdffbfb80, callback=0x7fffdd2bba60, _rval=0x7fffffff9238) at /usr/local/google/pankaj/ff/mozilla-central/js/jsd/jsd_xpc.cpp:2965

The cx had a JS_SuspendRequest called on it as a result of the EnterNestedEventLoop (specifically, a Push call from there). I suspect the fix is JS_BeginRequest/EndRequest calls around JS_GetFrameCallObject in jsd_stak.c, just like the calls around JS_GetFrameScopeChain in the very next method.

Reproducible: Always

Steps to Reproduce:
1. Set an interruptHook using jsdIDebuggerService.
2. When the hook is called, save the stack frames and call enterNestedEventLoop.
3. From within the new scope, test frame.callee.

Actual Results: Assertion.

Expected Results: No assertion.
Reporter
Comment 1•15 years ago
Potential fix. I haven't done any testing beyond verifying that this gets rid of the assertion failure.
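An added example, not part of the bug report or of Mozilla's code: a small C model of the request-depth rule behind the assertion. It shows why a call made after the nested event loop has suspended the request fails the check, and why bracketing that call in its own request, as the description suggests, passes. ToyCx and every toy_* and call_object_* name are hypothetical; no real engine or JSD function is called.

```c
/* Toy model, constructed for illustration; not SpiderMonkey or JSD source. */
#include <stdio.h>

typedef struct { int requestDepth; } ToyCx;   /* stands in for JSContext */

static void toy_begin_request(ToyCx *cx) { cx->requestDepth++; }
static void toy_end_request(ToyCx *cx)   { cx->requestDepth--; }

/* Modelled on JS_SuspendRequest: leave every request, hand back the depth. */
static int toy_suspend_request(ToyCx *cx) {
    int saved = cx->requestDepth;
    cx->requestDepth = 0;
    return saved;
}
static void toy_resume_request(ToyCx *cx, int saved) { cx->requestDepth = saved; }

/* Stand-in for an engine entry point carrying the request check from the
 * bug title (the gcThread alternative is left out). Returns 0 where a
 * debug build would assert. */
static int toy_engine_call(const ToyCx *cx) { return cx->requestDepth > 0; }

/* Shape of the failing path: call the engine with no request of its own. */
static int call_object_unguarded(ToyCx *cx) { return toy_engine_call(cx); }

/* Shape of the suggested fix: bracket the engine call in its own request. */
static int call_object_guarded(ToyCx *cx) {
    toy_begin_request(cx);
    int ok = toy_engine_call(cx);
    toy_end_request(cx);
    return ok;
}

/* Hook runs inside a request, the nested event loop suspends it, and the
 * callee lookup happens before the loop exits and the request resumes. */
static int callee_in_nested_loop(int guarded, int *depth_after) {
    ToyCx cx = { 1 };
    int saved = toy_suspend_request(&cx);
    int ok = guarded ? call_object_guarded(&cx) : call_object_unguarded(&cx);
    toy_resume_request(&cx, saved);
    *depth_after = cx.requestDepth;
    return ok;
}

int main(void) {
    int depth;
    int bad = callee_in_nested_loop(0, &depth);
    int good = callee_in_nested_loop(1, &depth);
    printf("unguarded ok=%d, guarded ok=%d, depth after resume=%d\n", bad, good, depth);
    return 0;
}
```

The guarded path leaves the depth balanced, so resuming the suspended request restores the hook's original depth in both cases.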
Comment 2•6 years ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE