Closed Bug 589329 Opened 14 years ago Closed 14 years ago

crash in [@ XPCConvert::JSData2Native]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: ddahl, Assigned: luke)

References

Details

(Keywords: crash, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(3 files)

Backtrace
18.10 KB, text/plain
Details
Backtrace 2
18.13 KB, text/plain
Details
a fix
774 bytes, patch
jst
: review+
Details | Diff | Splinter Review
with new DOM interface patch and JS console component patch in bug 568629 I got this when running the tests like this: TEST_PATH=toolkit/components/console/hudservice/tests/browser/browser_ConsoleApiTests.js make mochitest-browser-chrome
Attached file Backtrace
I'll look into this.
Does "with new DOM interface patch" refer to some patch I need to apply, or is this patch already committed?
(In reply to comment #3) > Does "with new DOM interface patch" refer to some patch I need to apply, or is > this patch already committed? No, I have applied this: https://bug568629.bugzilla.mozilla.org/attachment.cgi?id=463676 and this: https://bug568629.bugzilla.mozilla.org/attachment.cgi?id=466510 both of which are blocking beta 5. All of the tests mentioned above passed before the last tm-merge.
Attached file Backtrace 2
So I rolled back my repo to the patch before the latest tm-merge and I get the same crash. crap. New backtrace, but looks like the old one to me.
Current changeset: % hg parent changeset: 51134:b22e82ce2364 user: Luke Wagner <lw@mozilla.com> date: Thu Aug 19 18:02:17 2010 -0700 summary: Bug 589015 - js_watch_set doesn't need that crazy dummy frame (r=mrbkap)
Attached patch a fixSplinter Review
This is why the patch in bug 585232 was named "maybe fix" ;) Looking at the value of d in the debugger, the "obvious" fix for JSData2Native is: - **((jsval**)d) = s; + *(jsval*)d = s; This is bizarre, considering that all the JSData2Native callers are passing the address of the variant. Or at least, it looks like they are, however, nsXPCWrappedJSClass::CallMethod() contains a special case where the *value* of the variant is cast as a pointer to the variant and passed to JSData2Native. I believe the reason for this insanity is that it allows JSData2Native to use a single path for both inparams and outparams for primitive parameters like ints where the inparam type is T and the outparam type is T*. jsval is an exception though: jsval* is the type of both inparams AND outparams. The fix attached runs browser_ConsoleApiTests.js without error. My question to the jst and mrbkap is: is the fix to make T_JSVAL a "dipper" type or is it the one attached? What I don't like about the fix attached is that it is using useAllocator to choose whether d is a jsval** or jsval*, which does not seem to be equivalent to the real question: did the caller pass the address of the variant or the variant's value?
Assignee: general → lw
Status: NEW → ASSIGNED
Blocks: lazy-console
Blocking a blocker for b5, so marking blocking+.
blocking2.0: --- → beta5+
Severity: normal → critical
Keywords: crash
Summary: crash in XPCConvert::JSData2Native... → crash in [@ XPCConvert::JSData2Native]
Comment on attachment 467990 [details] [diff] [review] a fix Probably the right fix :)
Attachment #467990 - Flags: review?(jst)
--> beta6+ as per the other blocker it blocks
blocking2.0: beta5+ → beta6+
Comment on attachment 467990 [details] [diff] [review] a fix r=jst, and I filed bug 592150 as a followup to this where we can avoid the allocator overhead in some cases here.
Attachment #467990 - Flags: review?(jst) → review+
Comment on attachment 467990 [details] [diff] [review] a fix Updating attachment title to reflect the fact that this probably no the wrong fix :)
Attachment #467990 - Attachment description: a fix, probably the wrong fix → a fix
http://hg.mozilla.org/tracemonkey/rev/a55126a26fa2
Whiteboard: fixed-in-tracemonkey
AIUI the deal is, if we're passing a jsval in from JS to a C++ method, we need *(jsval **)d = &some_jsval; because the type of the in parameter is `const jsval &`. But if we're passing a jsval out from a JS method to C++ caller, we need **(jsval **)d = some_jsval; because the C++ type of the out parameter is `jsval *` and d points to the parameter itself. So why does the patch say *(jsval *)d = some_jsval; instead? And is useAllocator really a solid indicator of whether we're going in or out? If so, can we just call it "in" or maybe "dir"?
Because xpcwrappedjsclass.cpp strips off a level of indirection for non-dipper outparams. See xpcwrappedjsclass.cpp:1757 and comment 7.
Disregard the first question -- for out parameters d is the value of the out parameter, not its address. The other two questions still worry me though.
(In reply to comment #14) > And is useAllocator really a solid indicator of whether we're going in or out? > If so, can we just call it "in" or maybe "dir"? I had the same concern in comment 7. jst looked into it and came back with a solid 'probably' ;) Which is to say, "its part of the caller contract". I think it would really benefit the understandability of this code to split the conversion into several functions, for the different valid ways it may be called, with real parameter types which made it clear whether we had a ptr-to-variant, contents of variant, etc.
Blocks: devtools4b7
http://hg.mozilla.org/mozilla-central/rev/a55126a26fa2
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ XPCConvert::JSData2Native]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: