Closed Bug 601197 Opened 14 years ago Closed 14 years ago

JM: Crash on Firebug test for issue 2914

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: dmandelin, Assigned: dmandelin)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Spun off from bug 599400 comment 11:

> I am seeing yet one test case that causes crash and is also related to
> clearBreakpoints(), here is a stack trace:
> 
> mozjs.dll!js::StackSegment::getCurrentFrame()  Line 86 + 0x8 bytes    C++
> mozjs.dll!js::AllFramesIter::operator++()  Line 474 + 0x12 bytes    C++
> mozjs.dll!js::mjit::Recompiler::recompile()  Line 125 + 0x21 bytes    C++
> mozjs.dll!JS_ClearTrap(JSContext * cx=0x08307f08, JSScript * script=0x0d271df8,
> unsigned char * pc=0x0d271e60, JSTrapStatus (JSContext *, JSScript *, unsigned
> char *, unsigned __int64 *, unsigned __int64)* * handlerp=0x00000000, unsigned
> __int64 * closurep=0x00000000)  Line 335    C++
> jsd3250.dll!jsd_ClearExecutionHook(JSDContext * jsdc=0x039f5ec8, JSDScript *
> jsdscript=0x0d274b00, unsigned int pc=220667488)  Line 833 + 0x1c bytes    C
> jsd3250.dll!JSD_ClearExecutionHook(JSDContext * jsdc=0x039f5ec8, JSDScript *
> jsdscript=0x0d274b00, unsigned int pc=220667488)  Line 552 + 0x11 bytes    C
> jsd3250.dll!jsdScript::ClearBreakpoint(unsigned int aPC=0)  Line 1502 + 0x17
> bytes    C++
> 
> I have modified getCurrentFrame() as follows:
> 
> JS_REQUIRES_STACK JS_ALWAYS_INLINE JSStackFrame *
> StackSegment::getCurrentFrame() const
> {
>     JSFrameRegs* regs = getCurrentRegs();
>     return regs ? regs->fp : NULL;
> }
> 
> and I am seeing that |regs| is an invalid pointer.
> 
> 
> STR:
> 1) Install Firebug 1.6b1
> 2) Open: http://getfirebug.com/tests/content/console/2914/issue2914.html
> 3) CRASH
> 
> A glue could be to know that the test is trying to access a parent frame (from
> a child frame) and use its window property. Something like as follows:
> 
> parent.window.console.error("iframe error");
> 
> Honza
Attached patch PatchSplinter Review
Attachment #480190 - Flags: review?(wmccloskey)
Attachment #480190 - Flags: review?(wmccloskey) → review+
http://hg.mozilla.org/tracemonkey/rev/da2be47f32d7
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
I have been testing this (cloning source from http://hg.mozilla.org/tracemonkey and setting manually debugMode to true) and I see a case where it still crashes.

Use the same test, but set the following preference to false.

user_pref("extensions.firebug.service.filterSystemURLs", false);

Honza
http://hg.mozilla.org/mozilla-central/rev/da2be47f32d7
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: