Closed Bug 626936 Opened 14 years ago Closed 13 years ago

Reproducible crash in js::gc::Cell::compartment() on scribd.com using Web Console

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 627227
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: roc, Unassigned)

References

Details

(Whiteboard: hardblocker)

1) Start debug build (b521854c006d plus a few local patches, to graphics code only)
2) Open http://www.scribd.com/doc/46819931/19-Main
3) Open Web Console
4) Reload a few times
5) Crash:

>	mozjs.dll!js::gc::Cell::compartment()  Line 459 + 0xf bytes	C++
 	mozjs.dll!JSCompartment::wrap(JSContext * cx, js::Value * vp)  Line 200 + 0x8 bytes	C++
 	mozjs.dll!JS_WrapValue(JSContext * cx, jsval_layout * vp)  Line 1256 + 0x1c bytes	C++
 	xul.dll!XPCConvert::NativeData2JS(XPCLazyCallContext & lccx, jsval_layout * d, const void * s, const nsXPTType & type, const nsID * iid, JSObject * scope, unsigned int * pErr)  Line 309 + 0xe bytes	C++
 	xul.dll!XPCConvert::NativeData2JS(XPCCallContext & ccx, jsval_layout * d, const void * s, const nsXPTType & type, const nsID * iid, JSObject * scope, unsigned int * pErr)  Line 3203 + 0x24 bytes	C++
 	xul.dll!CallMethodHelper::GatherAndConvertResults()  Line 2592 + 0x30 bytes	C++
 	xul.dll!CallMethodHelper::Call()  Line 2350	C++
 	xul.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx, XPCWrappedNative::CallMode mode)  Line 2298 + 0x16 bytes	C++
 	xul.dll!XPC_WN_CallMethod(JSContext * cx, unsigned int argc, jsval_layout * vp)  Line 1593 + 0xe bytes	C++
 	mozjs.dll!js::CallJSNative(JSContext * cx, int (JSContext *, unsigned int, js::Value *)* native, unsigned int argc, js::Value * vp)  Line 692 + 0xf bytes	C++
 	mozjs.dll!js::Interpret(JSContext * cx, JSStackFrame * entryFrame, unsigned int inlineCallCount, JSInterpMode interpMode)  Line 4783 + 0x21 bytes	C++
 	mozjs.dll!js::RunScript(JSContext * cx, JSScript * script, JSStackFrame * fp)  Line 657 + 0x11 bytes	C++
 	mozjs.dll!js::Invoke(JSContext * cx, const js::CallArgs & argsRef, unsigned int flags)  Line 737 + 0x11 bytes	C++
 	mozjs.dll!js::ExternalInvoke(JSContext * cx, const js::Value & thisv, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval)  Line 858 + 0xf bytes	C++
 	mozjs.dll!js::ExternalInvoke(JSContext * cx, JSObject * obj, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval)  Line 961 + 0x2a bytes	C++
 	mozjs.dll!JS_CallFunctionValue(JSContext * cx, JSObject * obj, jsval_layout fval, unsigned int argc, jsval_layout * argv, jsval_layout * rval)  Line 5019 + 0x38 bytes	C++
 	xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper, unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * nativeParams)  Line 1700 + 0x38 bytes	C++
 	xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * params)  Line 589	C++
 	xul.dll!PrepareAndDispatch(nsXPTCStubBase * self, unsigned int methodIndex, unsigned int * args, unsigned int * stackBytesToPop)  Line 114 + 0x21 bytes	C++
 	xul.dll!SharedStub()  Line 142	C++
 	xul.dll!nsObserverList::NotifyObservers(nsISupports * aSubject, const char * aTopic, const wchar_t * someData)  Line 131	C++
 	xul.dll!nsObserverService::NotifyObservers(nsISupports * aSubject, const char * aTopic, const wchar_t * someData)  Line 185	C++
 	xul.dll!nsGlobalWindow::DispatchDOMWindowCreated()  Line 2268	C++

In JSCompartment::wrap, obj is null.

vp:

-		vp	0x0040ad70 {data={...} }	js::Value *
-		data	{asBits=18446462628797612032 s={...} asDouble=-1.#QNAN00000000000 ...}	jsval_layout
		asBits	18446462628797612032	unsigned __int64
-		s	{payload={...} tag=JSVAL_TAG_OBJECT }	jsval_layout::<unnamed-type-s>
-		payload	{i32=0 u32=0 boo=0 ...}	jsval_layout::<unnamed-type-s>::<unnamed-type-payload>
		i32	0	int
		u32	0	unsigned int
		boo	0	int
+		str	0x00000000 {lengthAndFlags=??? u={...} inlineStorage=0x00000008 <Bad Ptr> ...}	JSString *
+		obj	0x00000000 {lastProp=??? map=??? clasp=??? ...}	JSObject *
		ptr	0x00000000	void *
		why	JS_ARRAY_HOLE	JSWhyMagic
		word	0	unsigned int
		tag	JSVAL_TAG_OBJECT	JSValueTag
		asDouble	-1.#QNAN00000000000	double
		asPtr	0x00000000	void *

The script is "resource:///modules/HUDService.jsm". The method being called by XPCWrappedNative::CallMethod is nsIDOMGlobalPropertyInitializer::init.
blocking2.0: --- → ?
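As an added illustration (not code from this bug or from SpiderMonkey), here is a small C model of the 32-bit jsval layout that decodes the asBits value from the dump above and shows the kind of check a debug-build setObject() would apply. The tag constants are SpiderMonkey's real ones from jsval.h of that era; the helper names are assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit ("nunboxing") jsval: low 32 bits are the payload, high 32 bits
 * are the tag.  These three constants are SpiderMonkey's own. */
#define JSVAL_TAG_CLEAR   0xFFFF0000u
#define JSVAL_TYPE_OBJECT 0x07u
#define JSVAL_TAG_OBJECT  (JSVAL_TAG_CLEAR | JSVAL_TYPE_OBJECT)

/* Constructed model of jsval_layout (little-endian x86, as in the dump). */
typedef union {
    uint64_t asBits;
    struct {
        uint32_t payload;   /* JSObject* / int32 / ... */
        uint32_t tag;       /* JSVAL_TAG_* */
    } s;
} jsval_layout;

/* The exact asBits value shown in the debugger dump of this bug. */
#define BUG_626936_ASBITS 18446462628797612032ULL

static uint32_t jsval_tag(uint64_t bits)     { return (uint32_t)(bits >> 32); }
static uint32_t jsval_payload(uint64_t bits) { return (uint32_t)bits; }

/* Invariant an object-tagged value must satisfy: the payload is a non-null
 * JSObject*.  Cell::compartment() dereferences that pointer, so a violation
 * is exactly the null dereference at the top of the stack above. */
static bool jsval_object_is_sane(uint64_t bits)
{
    return jsval_tag(bits) != JSVAL_TAG_OBJECT || jsval_payload(bits) != 0;
}

/* Hypothetical checked setObject(): refuse to wrap a null pointer in an
 * object tag instead of storing it (a debug build would JS_ASSERT here). */
static bool set_object_checked(jsval_layout *v, uint32_t obj_ptr_bits)
{
    if (obj_ptr_bits == 0)
        return false;
    v->asBits = ((uint64_t)JSVAL_TAG_OBJECT << 32) | obj_ptr_bits;
    return true;
}

int main(void)
{
    uint64_t bits = BUG_626936_ASBITS;
    printf("asBits=0x%016llx tag=0x%08x payload=0x%08x\n",
           (unsigned long long)bits, jsval_tag(bits), jsval_payload(bits));
    printf("object-tagged value with null payload: %s\n",
           jsval_object_is_sane(bits) ? "no" : "yes (this bug)");
    return 0;
}
```

Running it decodes the dumped value to tag 0xFFFF0007 (JSVAL_TAG_OBJECT) with payload 0, i.e. an object-tagged null, which is what JSCompartment::wrap then hands to Cell::compartment().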
Actually although I have reproduced a crash with those steps, I haven't verified that it always crashes with this stack.
This must be one of those cases where we do setObject(NULL) incorrectly. Man would it be nice if our replay box worked ...
Although the object addresses presumably are not reproducible, the crash itself is. I'm getting the same stack, same method being called in XPCWrappedNative::CallMethod.
Ooh, maybe a reproducible cause of bug 605290...
Blocks: 605290
blocking2.0: ? → betaN+
Whiteboard: hardblocker
Luke, a debug build should have caught the setObject(NULL) though no?
I can't reproduce this in a macosx debug build (from yesterday, tracemonkey tip)
Depends on: 627227
I tried about 7 reloads in a Win7 TM tip debug build and got no crash. Maybe this was one of the recent compartments fixes?
I'm going to WFM this for now. roc, let us know if you can still repro this.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
(In reply to comment #8)
> I'm going to WFM this for now. roc, let us know if you can still repro this.

(In particular with the patch from bug 627227 applied.)
Still crashes for me without patch in bug 627227. Works for me with patch in bug 627227!
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
roc, so this is a dup of bug 627227 then?
(please re-open if you disagree)
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE