Closed Bug 601197 Opened 15 years ago Closed 15 years ago

JM: Crash on Firebug test for issue 2914

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dmandelin, Assigned: dmandelin)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Patch
845 bytes, patch
billm
: review+
Details | Diff | Splinter Review
Spun off from bug 599400 comment 11: > I am seeing yet one test case that causes crash and is also related to > clearBreakpoints(), here is a stack trace: > > mozjs.dll!js::StackSegment::getCurrentFrame() Line 86 + 0x8 bytes C++ > mozjs.dll!js::AllFramesIter::operator++() Line 474 + 0x12 bytes C++ > mozjs.dll!js::mjit::Recompiler::recompile() Line 125 + 0x21 bytes C++ > mozjs.dll!JS_ClearTrap(JSContext * cx=0x08307f08, JSScript * script=0x0d271df8, > unsigned char * pc=0x0d271e60, JSTrapStatus (JSContext *, JSScript *, unsigned > char *, unsigned __int64 *, unsigned __int64)* * handlerp=0x00000000, unsigned > __int64 * closurep=0x00000000) Line 335 C++ > jsd3250.dll!jsd_ClearExecutionHook(JSDContext * jsdc=0x039f5ec8, JSDScript * > jsdscript=0x0d274b00, unsigned int pc=220667488) Line 833 + 0x1c bytes C > jsd3250.dll!JSD_ClearExecutionHook(JSDContext * jsdc=0x039f5ec8, JSDScript * > jsdscript=0x0d274b00, unsigned int pc=220667488) Line 552 + 0x11 bytes C > jsd3250.dll!jsdScript::ClearBreakpoint(unsigned int aPC=0) Line 1502 + 0x17 > bytes C++ > > I have modified getCurrentFrame() as follows: > > JS_REQUIRES_STACK JS_ALWAYS_INLINE JSStackFrame * > StackSegment::getCurrentFrame() const > { > JSFrameRegs* regs = getCurrentRegs(); > return regs ? regs->fp : NULL; > } > > and I am seeing that |regs| is an invalid pointer. > > > STR: > 1) Install Firebug 1.6b1 > 2) Open: http://getfirebug.com/tests/content/console/2914/issue2914.html > 3) CRASH > > A glue could be to know that the test is trying to access a parent frame (from > a child frame) and use its window property. Something like as follows: > > parent.window.console.error("iframe error"); > > Honza
Attached patch PatchSplinter Review
Attachment #480190 - Flags: review?(wmccloskey)
Attachment #480190 - Flags: review?(wmccloskey) → review+
http://hg.mozilla.org/tracemonkey/rev/da2be47f32d7
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
I have been testing this (cloning source from http://hg.mozilla.org/tracemonkey and setting manually debugMode to true) and I see a case where it still crashes. Use the same test, but set the following preference to false. user_pref("extensions.firebug.service.filterSystemURLs", false); Honza
http://hg.mozilla.org/mozilla-central/rev/da2be47f32d7
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: