646380 - [@ JSContext::popSegmentAndFrame]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[timeless]

Build identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.2a1pre) Gecko/20110329 Firefox/4.2a1pre

Product	Firefox
Version	4.2a1pre
Build ID	20110329030437
Branch	2.2
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
CPU	x86
CPU Info	GenuineIntel family 6 model 28 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0x0
User Comments	grr. somewhat hacked firefox (browser.js) with venkman (actively debugging chrome)
App Notes 	AdapterVendorID: 8086, AdapterDeviceID: a011, AdapterDriverVersion: 8.14.10.2230
D3D10 Layers? D3D10 Layers-
D3D9 Layers? D3D9 Layers-
Processor Notes 	INFO: This record is a replacement for a previous record with the same uuid
EMCheckCompatibility	False
Bugzilla - Report this Crash
Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	JSContext::popSegmentAndFrame 	js/src/jscntxt.cpp:2065
1 	mozjs.dll 	js::FrameGuard::~FrameGuard 	js/src/jscntxt.cpp:360
2 	mozjs.dll 	js::AutoCompartment::leave 	js/src/jswrapper.cpp:407
3 	mozjs.dll 	JS_LeaveCrossCompartmentCall 	js/src/jsapi.cpp:1213
4 	xul.dll 	jsd_GetValueString 	js/jsd/jsd_val.c:250
5 	xul.dll 	jsdValue::GetStringValue 	js/jsd/jsd_xpc.cpp:2307
6 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
7 	xul.dll 	XPC_WN_GetterSetter 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1663
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:703
9 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
10 	mozjs.dll 	js::Shape::get 	js/src/jsscopeinlines.h:249
11 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4215
12 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:393
13 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:469
14 	mozjs.dll 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
15 		@0x5d32ee1 	
16 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:740
17 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
18 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
19 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
20 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
21 	xul.dll 	xpc_UnmarkGrayObject 	js/src/xpconnect/src/xpcpublic.h:165
22 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
23 	xul.dll 	jsds_ExecutionHookProc 	js/jsd/jsd_xpc.cpp:697

Comment 1

[Luke Wagner [:luke]]

Attachment: fix a bug in jsd_val.c, maybe this bug

The crash is under jsd_GetValueString, so I took a look and I think I found something that could cause this crash:

Say string == NULL, then we will have called JS_LeaveCrossCompartmentCall(call), but, since 'call' is still non-null, the subsequent code will call JS_LeaveCrossCompartmentCall again on 'call'.

Comment 3

[timeless]

this bug makes using venkman pretty much impossible

Comment 4

[Luke Wagner [:luke]]

Do you need on mozilla-central or is tracemonkey good enough?

Comment 5

[neil@parkwaycc.co.uk]

I'd like whatever will get it fixed fastest in Gecko 2.0.x ;-)

Comment 6

[Luke Wagner [:luke]]

In that case, I'll need to request approval to land on mozilla-2.0.

Comment 7

[Luke Wagner [:luke]]

http://hg.mozilla.org/mozilla-central/rev/a538db9ab619

(Still waiting on 2.0 approval to land on mozilla-2.0)

Comment 8

[Daniel Veditz [:dveditz]]

can someone test a mozilla-central nightly and see if it appears to fix this crash?

Comment 9

[neil@parkwaycc.co.uk]

(In reply to comment #8)
> can someone test a mozilla-central nightly and see if it appears to fix this
> crash?
It fixed bug 645651 for me, which got resolved duplicate of this bug.

Comment 10

[Daniel Veditz [:dveditz]]

Comment on attachment 523023 [details] [diff] [review]
fix a bug in jsd_val.c, maybe this bug

Approved for the mozilla2.0 repository, a=dveditz

Comment 11

[Justin Wood (:Callek)]

http://hg.mozilla.org/releases/mozilla-2.0/rev/debc1ec25222