Closed Bug 646380 Opened 14 years ago Closed 14 years ago

[@ JSContext::popSegmentAndFrame]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- Macaw+
status2.0 --- .1-fixed

People

(Reporter: timeless, Assigned: luke)

Details

(Keywords: crash)

Attachments

(1 file)

Build identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.2a1pre) Gecko/20110329 Firefox/4.2a1pre

Product	Firefox
Version	4.2a1pre
Build ID	20110329030437
Branch	2.2
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
CPU	x86
CPU Info	GenuineIntel family 6 model 28 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0x0
User Comments	grr. somewhat hacked firefox (browser.js) with venkman (actively debugging chrome)
App Notes 	AdapterVendorID: 8086, AdapterDeviceID: a011, AdapterDriverVersion: 8.14.10.2230
D3D10 Layers? D3D10 Layers-
D3D9 Layers? D3D9 Layers-
Processor Notes 	INFO: This record is a replacement for a previous record with the same uuid
EMCheckCompatibility	False
Crashing Thread
Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JSContext::popSegmentAndFrame 	js/src/jscntxt.cpp:2065
1 	mozjs.dll 	js::FrameGuard::~FrameGuard 	js/src/jscntxt.cpp:360
2 	mozjs.dll 	js::AutoCompartment::leave 	js/src/jswrapper.cpp:407
3 	mozjs.dll 	JS_LeaveCrossCompartmentCall 	js/src/jsapi.cpp:1213
4 	xul.dll 	jsd_GetValueString 	js/jsd/jsd_val.c:250
5 	xul.dll 	jsdValue::GetStringValue 	js/jsd/jsd_xpc.cpp:2307
6 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
7 	xul.dll 	XPC_WN_GetterSetter 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1663
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:703
9 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
10 	mozjs.dll 	js::Shape::get 	js/src/jsscopeinlines.h:249
11 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4215
12 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:393
13 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:469
14 	mozjs.dll 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
15 		@0x5d32ee1 	
16 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:740
17 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
18 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
19 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
20 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
21 	xul.dll 	xpc_UnmarkGrayObject 	js/src/xpconnect/src/xpcpublic.h:165
22 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
23 	xul.dll 	jsds_ExecutionHookProc 	js/jsd/jsd_xpc.cpp:697
The crash is under jsd_GetValueString, so I took a look and I think I found something that could cause this crash:

Say string == NULL, then we will have called JS_LeaveCrossCompartmentCall(call), but, since 'call' is still non-null, the subsequent code will call JS_LeaveCrossCompartmentCall again on 'call'.
Attachment #523023 - Flags: review?
Attachment #523023 - Flags: review? → review?(sphink)
Attachment #523023 - Flags: review?(sphink) → review+
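A minimal C model of the double-leave pattern described in the comment above, added here as an illustration; it is not code from jsd_val.c or from the attached patch. `Ctx`, `Call`, `enter_call`, `leave_call`, `depth_after` and the two `get_string_*` functions are hypothetical stand-ins, and clearing the token is one possible correction, not necessarily the one that landed.

```c
#include <stdio.h>

/* Hypothetical model: depth = entered compartments, underflows = leaves with nothing to pop. */
typedef struct { int depth; int underflows; } Ctx;
typedef struct { Ctx *cx; } Call;     /* token: one enter, exactly one leave */
typedef const char *(*Getter)(Ctx *, const char *);

static Call *enter_call(Ctx *cx, Call *slot) { slot->cx = cx; cx->depth++; return slot; }
static void leave_call(Call *call) {
    if (call->cx->depth == 0) { call->cx->underflows++; return; }
    call->cx->depth--;
}

/* Pattern from the comment: the failure branch leaves, 'call' stays non-null,
 * so the shared exit path leaves a second time. */
const char *get_string_buggy(Ctx *cx, const char *val) {
    Call slot, *call = enter_call(cx, &slot);
    const char *s = val;           /* constructed: NULL models a failed conversion */
    if (!s)
        leave_call(call);          /* first leave, token not cleared */
    if (call)
        leave_call(call);          /* second leave on the failure path */
    return s;
}

/* One possible correction: clear the token once it has been consumed. */
const char *get_string_fixed(Ctx *cx, const char *val) {
    Call slot, *call = enter_call(cx, &slot);
    const char *s = val;
    if (!s) {
        leave_call(call);
        call = NULL;               /* consumed: the exit path must skip it */
    }
    if (call)
        leave_call(call);
    return s;
}

/* Runs fn with 'start' compartments already entered; returns final depth, or -1 on underflow. */
int depth_after(Getter fn, int start, const char *val) {
    Ctx cx = { start, 0 };
    fn(&cx, val);
    return cx.underflows ? -1 : cx.depth;
}

int main(void) {
    printf("buggy=%d fixed=%d\n", depth_after(get_string_buggy, 1, NULL), depth_after(get_string_fixed, 1, NULL));
    return 0;
}
```

With one outer compartment already entered, the buggy path returns 0 because the extra leave silently pops the caller's entry; with none entered it underflows, which is the model's analogue of the crash.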
Assignee: general → sphink
Component: JavaScript Engine → JavaScript Debugging/Profiling APIs
QA Contact: general → jsd
Assignee: sphink → luke
this bug makes using venkman pretty much impossible
Keywords: checkin-needed
Do you need it on mozilla-central or is tracemonkey good enough?
I'd like whatever will get it fixed fastest in Gecko 2.0.x ;-)
In that case, I'll need to request approval to land on mozilla-2.0.
blocking2.0: --- → ?
http://hg.mozilla.org/mozilla-central/rev/a538db9ab619

(Still waiting on 2.0 approval to land on mozilla-2.0)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Attachment #523023 - Flags: approval2.0?
Keywords: checkin-needed
can someone test a mozilla-central nightly and see if it appears to fix this crash?
Keywords: testcase-wanted
(In reply to comment #8)
> can someone test a mozilla-central nightly and see if it appears to fix this
> crash?
It fixed bug 645651 for me, which got resolved duplicate of this bug.
Comment on attachment 523023
fix a bug in jsd_val.c, maybe this bug

Approved for the mozilla2.0 repository, a=dveditz
Attachment #523023 - Flags: approval2.0? → approval2.0+
blocking2.0: ? → Macaw+
Crash Signature: [@ JSContext::popSegmentAndFrame]
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine