Bug 592869 (Closed): TM: set right compartment in XPCNativeMember::Resolve
Opened 14 years ago, closed 14 years ago
Category: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Reporter: gwagner, Assigned: gal
Whiteboard: fixed-in-tracemonkey
Attachments: 1 file, 1 obsolete file (patch, 10.27 KB; mrbkap: review+)
xpconnect/src/xpcwrappednativeinfo.cpp:205
stack:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x00000001018e7b7a in JS_Assert (s=0x101d18dd8 "cx->compartment != cx->runtime->defaultCompartment", file=0x101d187c0 "/Users/idefix2/moz/ws1/js/src/jsapi.cpp", ln=4054) at /Users/idefix2/moz/ws1/js/src/jsutil.cpp:80
80 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0 0x00000001018e7b7a in JS_Assert (s=0x101d18dd8 "cx->compartment != cx->runtime->defaultCompartment", file=0x101d187c0 "/Users/idefix2/moz/ws1/js/src/jsapi.cpp", ln=4054) at /Users/idefix2/moz/ws1/js/src/jsutil.cpp:80
#1 0x0000000101779ba5 in JS_NewFunction (cx=0x11a5882e0, native=0x100e82fb6 <XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned int, jsval_layout*, jsval_layout*)>, nargs=0, flags=0, parent=0x0, name=0x106172350 "autoStarted") at /Users/idefix2/moz/ws1/js/src/jsapi.cpp:4054
#2 0x0000000100e7efe9 in XPCNativeMember::Resolve (this=0x1061a1548, ccx=@0x7fff5fbfcbf0, iface=0x1061a1500) at /Users/idefix2/moz/ws1/js/src/xpconnect/src/xpcwrappednativeinfo.cpp:205
#3 0x0000000100e7f3dd in XPCNativeMember::NewFunctionObject (this=0x1061a1548, ccx=@0x7fff5fbfcbf0, iface=0x1061a1500, parent=0x11a148070, pval=0x7fff5fbfca90) at /Users/idefix2/moz/ws1/js/src/xpconnect/src/xpcwrappednativeinfo.cpp:120
#4 0x0000000100e87699 in DefinePropertyIfFound (ccx=@0x7fff5fbfcbf0, obj=0x11a148070, id={asBits = 4708470016}, set=0x11a562490, iface=0x1061a1500, member=0x1061a1548, scope=0x1061a5170, reflectToStringAndToSource=1, wrapperToReflectInterfaceNames=0x1061ae170, wrapperToReflectDoubleWrap=0x1061ae170, scriptableInfo=0x0, propFlags=7, resolved=0x0) at /Users/idefix2/moz/ws1/js/src/xpconnect/src/xpcwrappednativejsops.cpp:458
#5 0x0000000100e88ac1 in XPC_WN_NoHelper_Resolve (cx=0x10563ac20, obj=0x11a148070, id={asBits = 4708470016}) at /Users/idefix2/moz/ws1/js/src/xpconnect/src/xpcwrappednativejsops.cpp:764
#6 0x0000000101848a6e in CallResolveOp (cx=0x10563ac20, start=0x11a148070, obj=0x11a148070, id={asBits = 4708470016}, flags=65535, objp=0x7fff5fbfcf20, propp=0x7fff5fbfcf18, recursedp=0x7fff5fbfce9f) at /Users/idefix2/moz/ws1/js/src/jsobj.cpp:4379
#7 0x0000000101848c70 in js_LookupPropertyWithFlags (cx=0x10563ac20, obj=0x11a148070, id={asBits = 4708470016}, flags=65535, objp=0x7fff5fbfcf20, propp=0x7fff5fbfcf18) at /Users/idefix2/moz/ws1/js/src/jsobj.cpp:4420
#8 0x000000010184c8e3 in js_GetPropertyHelper (cx=0x10563ac20, obj=0x11a148070, id={asBits = 4708470016}, getHow=3, vp=0x7fff5fbfdb30) at /Users/idefix2/moz/ws1/js/src/jsobj.cpp:4755
#9 0x000000010181540a in js::Interpret (cx=0x10563ac20, entryFrame=0x117306060, inlineCallCount=1) at /Users/idefix2/moz/ws1/js/src/jsinterp.cpp:4108
#10 0x000000010182dc10 in js::RunScript (cx=0x10563ac20, script=0x10631f010, fun=0x118a6a960, scopeChain=0x118a64af0) at jsinterp.cpp:468
#11 0x000000010182eea9 in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> (cx=0x10563ac20, fun=0x118a6a960, script=0x10631f010, native=0, argsRef=@0x7fff5fbfe4e0, flags=0) at jsinterp.cpp:639
#12 0x000000010182fc1a in js::Invoke (cx=0x10563ac20, args=@0x7fff5fbfe4e0, flags=0) at jsinterp.cpp:757
#13 0x00000001018301e7 in js::InternalInvoke (cx=0x10563ac20, thisv=@0x7fff5fbfe580, fval=@0x7fff5fbfe5b8, flags=0, argc=3, argv=0x7fff5fbfec28, rval=0x7fff5fbfe840) at jsinterp.cpp:797
#14 0x0000000101778bbc in js::InternalCall (cx=0x10563ac20, obj=0x118a6cbd0, fval=@0x7fff5fbfe5b8, argc=3, argv=0x7fff5fbfec28, rval=0x7fff5fbfe840) at jsinterp.h:699
#15 0x0000000101778cfc in JS_CallFunctionValue (cx=0x10563ac20, obj=0x118a6cbd0, fval={asBits = 18445477441022893568, debugView = {payload47 = 4708539904, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = 413572608, u32 = 413572608, why = 413572608}}, asDouble = -nan(0xb800118a69e00)}, argc=3, argv=0x7fff5fbfec28, rval=0x7fff5fbfe840) at /Users/idefix2/moz/ws1/js/src/jsapi.cpp:4853
#16 0x0000000100e6af01 in nsXPCWrappedJSClass::CallMethod (this=0x10565c3b0, wrapper=0x11a5898e0, methodIndex=3, info=0x11782ced0, nativeParams=0x7fff5fbfed60) at /Users/idefix2/moz/ws1/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1692
#17 0x0000000100e618fd in nsXPCWrappedJS::CallMethod (this=0x11a5898e0, methodIndex=3, info=0x11782ced0, params=0x7fff5fbfed60) at /Users/idefix2/moz/ws1/js/src/xpconnect/src/xpcwrappedjs.cpp:570
#18 0x00000001015c4536 in PrepareAndDispatch (self=0x11a589170, methodIndex=3, args=0x7fff5fbfeee0, gpregs=0x7fff5fbfee60, fpregs=0x7fff5fbfee90) at /Users/idefix2/moz/ws1/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
#19 0x00000001015c2fab in SharedStub () at xpt_struct.h:332
#20 0x000000010155529e in nsObserverList::NotifyObservers (this=0x106a949f0, aSubject=0x0, aTopic=0x101b99926 "final-ui-startup", someData=0x0) at /Users/idefix2/moz/ws1/xpcom/ds/nsObserverList.cpp:130
#21 0x0000000101556312 in nsObserverService::NotifyObservers (this=0x1056232c0, aSubject=0x0, aTopic=0x101b99926 "final-ui-startup", someData=0x0) at /Users/idefix2/moz/ws1/xpcom/ds/nsObserverService.cpp:182
#22 0x000000010002f374 in XRE_main (argc=1, argv=0x7fff5fbff8b8, aAppData=0x105615ec0) at /Users/idefix2/moz/ws1/toolkit/xre/nsAppRunner.cpp:3625
#23 0x0000000100001297 in main (argc=1, argv=0x7fff5fbff8b8) at /Users/idefix2/moz/ws1/browser/app/nsBrowserApp.cpp:158
Updated • 14 years ago (Assignee)
Assignee: general → gal
Comment 1 • 14 years ago (Assignee)
Rip out function caching code (untested, still building).
Comment 2 • 14 years ago (Assignee)
Attachment #471336 - Attachment is obsolete: true
Comment 3 • 14 years ago (Assignee)
Comment on attachment 471352 (patch)
Working patch.
Attachment #471352 - Flags: review?(mrbkap)
Comment 4 • 14 years ago (Assignee)
Gregor, can you tryserver?
Comment 5 • 14 years ago (Reporter)
(In reply to comment #4)
> Gregor, can you tryserver?
Tryserver is green.
Comment 6 • 14 years ago
Comment on attachment 471352 (patch)
File a followup bug on tracking down uses of xpc_CloneJSFunction and making sure they're still needed?
Attachment #471352 - Flags: review?(mrbkap) → review+
Comment 7 • 14 years ago (Reporter)
http://hg.mozilla.org/tracemonkey/rev/8db986748809
I let Andreas handle the followup bug.
Whiteboard: fixed-in-tracemonkey
Comment 8 • 14 years ago (Assignee)
I looked at the other cases and at least they look very unrelated. Gregor, can you file the bug and assign it to me to make sure we don't forget about this?
Comment 9 • 14 years ago (Reporter)
(In reply to comment #8)
> I looked at the other cases and at least they look very unrelated. Gregor, can
> you file the bug and assign it to me to make sure we don't forget about this?
Bug 593442
Comment 10 • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED