Closed
Bug 626936
Opened 14 years ago
Closed 13 years ago
Reproducible crash in js::gc::Cell::compartment() on scribd.com using Web Console
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 627227
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: roc, Unassigned)
Details
(Whiteboard: hardblocker)
1) Start debug build (b521854c006d plus a few local patches, to graphics code only)
1) Open http://www.scribd.com/doc/46819931/19-Main
2) Open Web Console
3) Reload a few times
4) Crash:

```
> mozjs.dll!js::gc::Cell::compartment() Line 459 + 0xf bytes C++
  mozjs.dll!JSCompartment::wrap(JSContext * cx, js::Value * vp) Line 200 + 0x8 bytes C++
  mozjs.dll!JS_WrapValue(JSContext * cx, jsval_layout * vp) Line 1256 + 0x1c bytes C++
  xul.dll!XPCConvert::NativeData2JS(XPCLazyCallContext & lccx, jsval_layout * d, const void * s, const nsXPTType & type, const nsID * iid, JSObject * scope, unsigned int * pErr) Line 309 + 0xe bytes C++
  xul.dll!XPCConvert::NativeData2JS(XPCCallContext & ccx, jsval_layout * d, const void * s, const nsXPTType & type, const nsID * iid, JSObject * scope, unsigned int * pErr) Line 3203 + 0x24 bytes C++
  xul.dll!CallMethodHelper::GatherAndConvertResults() Line 2592 + 0x30 bytes C++
  xul.dll!CallMethodHelper::Call() Line 2350 C++
  xul.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx, XPCWrappedNative::CallMode mode) Line 2298 + 0x16 bytes C++
  xul.dll!XPC_WN_CallMethod(JSContext * cx, unsigned int argc, jsval_layout * vp) Line 1593 + 0xe bytes C++
  mozjs.dll!js::CallJSNative(JSContext * cx, int (JSContext *, unsigned int, js::Value *)* native, unsigned int argc, js::Value * vp) Line 692 + 0xf bytes C++
  mozjs.dll!js::Interpret(JSContext * cx, JSStackFrame * entryFrame, unsigned int inlineCallCount, JSInterpMode interpMode) Line 4783 + 0x21 bytes C++
  mozjs.dll!js::RunScript(JSContext * cx, JSScript * script, JSStackFrame * fp) Line 657 + 0x11 bytes C++
  mozjs.dll!js::Invoke(JSContext * cx, const js::CallArgs & argsRef, unsigned int flags) Line 737 + 0x11 bytes C++
  mozjs.dll!js::ExternalInvoke(JSContext * cx, const js::Value & thisv, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval) Line 858 + 0xf bytes C++
  mozjs.dll!js::ExternalInvoke(JSContext * cx, JSObject * obj, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval) Line 961 + 0x2a bytes C++
  mozjs.dll!JS_CallFunctionValue(JSContext * cx, JSObject * obj, jsval_layout fval, unsigned int argc, jsval_layout * argv, jsval_layout * rval) Line 5019 + 0x38 bytes C++
  xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper, unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * nativeParams) Line 1700 + 0x38 bytes C++
  xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * params) Line 589 C++
  xul.dll!PrepareAndDispatch(nsXPTCStubBase * self, unsigned int methodIndex, unsigned int * args, unsigned int * stackBytesToPop) Line 114 + 0x21 bytes C++
  xul.dll!SharedStub() Line 142 C++
  xul.dll!nsObserverList::NotifyObservers(nsISupports * aSubject, const char * aTopic, const wchar_t * someData) Line 131 C++
  xul.dll!nsObserverService::NotifyObservers(nsISupports * aSubject, const char * aTopic, const wchar_t * someData) Line 185 C++
  xul.dll!nsGlobalWindow::DispatchDOMWindowCreated() Line 2268 C++
```

In JSCompartment::wrap, obj is null. vp:

```
- vp 0x0040ad70 {data={...} } js::Value *
  - data {asBits=18446462628797612032 s={...} asDouble=-1.#QNAN00000000000 ...} jsval_layout
      asBits 18446462628797612032 unsigned __int64
    - s {payload={...} tag=JSVAL_TAG_OBJECT } jsval_layout::<unnamed-type-s>
      - payload {i32=0 u32=0 boo=0 ...} jsval_layout::<unnamed-type-s>::<unnamed-type-payload>
          i32 0 int
          u32 0 unsigned int
          boo 0 int
        + str 0x00000000 {lengthAndFlags=??? u={...} inlineStorage=0x00000008 <Bad Ptr> ...} JSString *
        + obj 0x00000000 {lastProp=??? map=??? clasp=??? ...} JSObject *
          ptr 0x00000000 void *
          why JS_ARRAY_HOLE JSWhyMagic
          word 0 unsigned int
        tag JSVAL_TAG_OBJECT JSValueTag
      asDouble -1.#QNAN00000000000 double
      asPtr 0x00000000 void *
```

The script is "resource:///modules/HUDService.jsm". The method being called by XPCWrappedNative::CallMethod is nsIDOMGlobalPropertyInitializer::init.
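The dump above shows a value whose tag says "object" while its payload is a null pointer, the state JSCompartment::wrap then dereferences. The C model below is an added example, not code from this bug or from SpiderMonkey: it decodes the reported asBits and shows a producer-side and a consumer-side check for that invariant. The struct, the function names and the TAG_NULL value are assumptions made for illustration; addresses are modeled as 32-bit integers.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit boxed value: high word is the type tag, low word the payload.
 * TAG_OBJECT matches the dump (asBits decodes to tag 0xFFFF0007, which the
 * debugger labels JSVAL_TAG_OBJECT); TAG_NULL is an assumed distinct null tag. */
#define TAG_OBJECT 0xFFFF0007u
#define TAG_NULL   0xFFFF0006u /* assumption */

/* asBits from the report: 18446462628797612032 == 0xFFFF000700000000 */
#define REPORTED_BITS 0xFFFF000700000000ULL

typedef struct { uint32_t tag; uint32_t payload; } boxed_value;
typedef enum { VAL_OK = 0, VAL_NULL_OBJECT = 1 } val_status;

boxed_value decode_bits(uint64_t bits) {
    boxed_value v = { (uint32_t)(bits >> 32), (uint32_t)(bits & 0xFFFFFFFFu) };
    return v;
}

/* Invariant: an object-tagged value must carry a non-null payload. */
val_status check_value(boxed_value v) {
    return (v.tag == TAG_OBJECT && v.payload == 0) ? VAL_NULL_OBJECT : VAL_OK;
}

/* Producer-side check: a null address gets the null tag, never the object tag. */
boxed_value box_object_or_null(uint32_t obj_addr) {
    boxed_value v = { obj_addr ? TAG_OBJECT : TAG_NULL, obj_addr };
    return v;
}

/* Consumer-side guard for a wrap-like routine: refuse instead of dereferencing. */
int wrap_checked(boxed_value v, uint32_t *out_obj) {
    if (check_value(v) != VAL_OK) return -1;
    if (v.tag == TAG_OBJECT) *out_obj = v.payload; /* payload is known non-null here */
    return 0;
}

int main(void) {
    boxed_value bad = decode_bits(REPORTED_BITS);
    uint32_t obj = 0;
    printf("tag=0x%08X payload=0x%08X status=%d wrap=%d\n", (unsigned)bad.tag,
           (unsigned)bad.payload, (int)check_value(bad), wrap_checked(bad, &obj));
    boxed_value ok = box_object_or_null(0); /* null boxed with the null tag */
    printf("null-tagged: tag=0x%08X wrap=%d\n", (unsigned)ok.tag, wrap_checked(ok, &obj));
    return 0;
}
```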
Reporter
Updated•14 years ago
blocking2.0: --- → ?
Reporter
Comment 1•14 years ago
Actually although I have reproduced a crash with those steps, I haven't verified that it always crashes with this stack.
Comment 2•14 years ago
This must be one of those cases where we do setObject(NULL) incorrectly. Man would it be nice if our replay box worked ...
Reporter
Comment 3•14 years ago
Although the object addresses presumably are not reproducible, the crash itself is. I'm getting the same stack, same method being called in XPCWrappedNative::CallMethod.
Comment 4•14 years ago
Ooh, maybe a reproducible cause of bug 605290...
Updated•14 years ago
Comment 5•14 years ago
Luke, a debug build should have caught the setObject(NULL) though no?
Comment 6•14 years ago
I can't reproduce this in a macosx debug build (from yesterday, tracemonkey tip)
Comment 7•13 years ago
I tried about 7 reloads in a Win7 TM tip debug build and got no crash. Maybe this was one of the recent compartments fixes?
Comment 8•13 years ago
I'm going to WFM this for now. roc, let us know if you can still repro this.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Comment 9•13 years ago
(In reply to comment #8)
> I'm going to WFM this for now. roc, let us know if you can still repro this.

(In particular with the patch from bug 627227 applied.)
Reporter
Comment 10•13 years ago
Still crashes for me without patch in bug 627227. Works for me with patch in bug 627227!
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Comment 11•13 years ago
roc, so this is a dup of bug 627227 then?
Comment 12•13 years ago
(please re-open if you disagree)
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → DUPLICATE