Closed Bug 561566 Opened 10 years ago Closed 10 years ago

Crash [@ JS_IsArrayObject]

Categories

(Core :: JavaScript Engine, defect, critical)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: humph, Assigned: vlad)

Details

(Keywords: crash, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

Reduced test case: http://cubicvr.org/test/CubicVR.js/WebGLCrash1.html (via Charles).  Crash happens in line: new WebGLFloatArray(invalidMatrix)
Just a note this bug does not occur in "3.7a1pre" which provides the correct exception in the console -- so it appears to have been introduced since then.
Signature	JS_IsArrayObject
UUID	f5ee29e6-49d9-4b3b-959e-466152100424
Time 	2010-04-24 09:05:41.503905
Uptime	115
Last Crash	545 seconds before submission
Product	Firefox
Version	3.7a5pre
Build ID	20100424040157
Branch	1.9.3
OS	Windows NT
OS Version	6.0.6002 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x4

Crashing Thread
Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JS_IsArrayObject 	js/src/jsapi.cpp:3672
1 	mozjs.dll 	TypedArrayTemplate<float>::init 	js/src/jstypedarray.cpp:904
2 	mozjs.dll 	TypedArrayTemplate<float>::create 	js/src/jstypedarray.cpp:776
3 	mozjs.dll 	TypedArrayTemplate<float>::class_constructor 	js/src/jstypedarray.cpp:704
4 	mozjs.dll 	js_Invoke 	js/src/jsinterp.cpp:834
5 	mozjs.dll 	js_InvokeConstructor 	js/src/jsinterp.cpp:1353
6 	mozjs.dll 	js_Interpret 	js/src/jsops.cpp:1989
7 	mozjs.dll 	js_Invoke 	js/src/jsinterp.cpp:842
8 	mozjs.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:899
9 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:4947
10 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2163
11 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/base/nsGlobalWindow.cpp:8499
12 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:8843
13 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:427
Version: Other Branch → Trunk
Attached patch fix
Fix & test; the code was checking for JSVAL_IS_OBJECT, but wasn't checking for JSVAL_NULL.
Assignee: nobody → vladimir
Attachment #441307 - Flags: review?(jorendorff)
Component: Canvas: WebGL → JavaScript Engine
QA Contact: canvas.webgl → general
Just test for !JSVAL_IS_PRIMITIVE instead?
Attachment #441307 - Flags: review?(jorendorff) → review+
Comment on attachment 441307 [details] [diff] [review]
fix

>diff --git a/js/src/jstypedarray.cpp b/js/src/jstypedarray.cpp
>+        } else if (JSVAL_IS_OBJECT(argv[0]) && argv[0] != JSVAL_NULL) {
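
Review bot: the excerpt shows only the new `else if`, not the branch a null `argv[0]` now falls into, so it cannot be confirmed from the hunk that `new WebGLFloatArray(null)` reaches the exception path that 3.7a1pre reported (comment above) rather than a silent fallback; the added test should cover exactly that input. The same condition written as `!JSVAL_IS_PRIMITIVE(argv[0])` is shorter and is the spelling the rest of the engine uses.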

Yeah, this bites everyone eventually. FWIW the way we normally say it is:

+        } else if (!JSVAL_IS_PRIMITIVE(argv[0])) {

which amounts to the same generated code, but still, house style.

r=me with that change.
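The pitfall discussed above, as an added illustration that is not code from the bug or from SpiderMonkey: a simplified model of the old jsval tagging (assumed here to mirror the 2010 layout, where object pointers carry tag 0 and JSVAL_NULL is the zero word), with the typed-array argument check before and after the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of pre-fatval jsval tagging (assumption, not the project's
 * header): low 3 bits are the tag, objects are 8-byte-aligned pointers with tag
 * 0, and JSVAL_NULL is the all-zero word. So JSVAL_IS_OBJECT(JSVAL_NULL) is true. */
typedef uintptr_t jsval;
#define JSVAL_TAGMASK         ((jsval)7)
#define JSVAL_OBJECT          ((jsval)0)
#define JSVAL_NULL            ((jsval)0)
#define JSVAL_TAG(v)          ((v) & JSVAL_TAGMASK)
#define JSVAL_IS_OBJECT(v)    (JSVAL_TAG(v) == JSVAL_OBJECT)
#define JSVAL_IS_NULL(v)      ((v) == JSVAL_NULL)
#define JSVAL_IS_PRIMITIVE(v) (!JSVAL_IS_OBJECT(v) || JSVAL_IS_NULL(v))
#define OBJECT_TO_JSVAL(p)    ((jsval)(uintptr_t)(p))
#define JSVAL_TO_OBJECT(v)    ((JSObject *)(uintptr_t)(v))

typedef struct JSObject { uint32_t length; int is_array; } JSObject;

/* Constructed sample array object, aligned so its pointer carries tag 0. */
static _Alignas(8) JSObject sample_array = { 16, 1 };
static jsval sample_array_val(void) { return OBJECT_TO_JSVAL(&sample_array); }

enum { INIT_WOULD_CRASH = -1, INIT_TYPE_ERROR = -2 };

/* Before the fix: JSVAL_IS_OBJECT admits null, so the object pointer is used.
 * Reading through it is the access violation at a small address in the report;
 * here INIT_WOULD_CRASH stands in for the dereference. */
static int typed_array_init_before(jsval arg) {
    if (JSVAL_IS_OBJECT(arg)) {
        JSObject *obj = JSVAL_TO_OBJECT(arg);
        if (obj == NULL) return INIT_WOULD_CRASH;
        return obj->is_array ? (int)obj->length : INIT_TYPE_ERROR;
    }
    return INIT_TYPE_ERROR;
}

/* After the fix (house-style spelling): null is primitive, so it takes the
 * error path and an exception is thrown instead of dereferencing null. */
static int typed_array_init_after(jsval arg) {
    if (!JSVAL_IS_PRIMITIVE(arg)) {
        JSObject *obj = JSVAL_TO_OBJECT(arg);
        return obj->is_array ? (int)obj->length : INIT_TYPE_ERROR;
    }
    return INIT_TYPE_ERROR;
}

int main(void) {
    printf("before(null)=%d after(null)=%d after(array)=%d\n",
           typed_array_init_before(JSVAL_NULL),
           typed_array_init_after(JSVAL_NULL),
           typed_array_init_after(sample_array_val()));
    return 0;
}
```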
http://hg.mozilla.org/mozilla-central/rev/ef8b60c967a9
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Crash Signature: [@ JS_IsArrayObject]