Closed
Bug 653631
Opened 13 years ago
Closed 13 years ago
Crash [@ JSStackFrame::isDummyFrame] with mozRequestAnimationFrame
Categories: Core :: JavaScript Engine (defect)
Status: RESOLVED FIXED

Tracking
Version | Tracking | Status
---|---|---
firefox5 | --- | unaffected
firefox6 | - | ---
People: Reporter: jruderman, Assigned: luke
Details: Keywords: crash, testcase; Whiteboard: fixed-in-tracemonkey
Attachments: 3 files
Related to bug 652401?
Comment 1 (Reporter)•13 years ago
Comment 2•13 years ago
> Related to bug 652401?

Sorta. So we crash because cx->hasfp() is true, cx->fp()->isDummyFrame() is true, and cx->fp->prev() is null. So js::CurrentScriptFileAndLineSlow called from js::CurrentScriptFileAndLine called from Function() ends up crashing with a null-deref.

We push dummy frames on AutoCompartment::enter. In this case that happens with this stack:

#0 js::AutoCompartment::enter (this=0x1da0cfe0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jswrapper.cpp:379
#1 0x04649d19 in JS_EnterCrossCompartmentCall (cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1210
#2 0x04649dc3 in JSAutoEnterCompartment::enter (this=0xbfffc324, cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1260
#3 0x00fa2d2c in GetContextFromObject (obj=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:569
#4 0x00fa39c7 in nsXPCWrappedJSClass::CallMethod (this=0x1da3a090, wrapper=0x1da2b8e0, methodIndex=3, info=0x58b97c8, nativeParams=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1294
#5 0x00f9ba59 in nsXPCWrappedJS::CallMethod (this=0x1da2b8e0, methodIndex=3, info=0x58b97c8, params=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:586

GetContextFromObject only starts entering compartments and the like if the JS context stack is empty. So that's where bug 652401 comes in.

However, this seems like a general bug in Function. It seems to assume that if hasfp() then there is a non-dummy frame on the stack... but that's just not true. Luke added this code a few days ago in bug 602994.
Comment 3 (Assignee)•13 years ago
Argh, this is a failed specialization of js_GetScriptedCaller (missing "fp &&" conjunct). I think I initially did this since sometimes eval is on the hot path and js_GetScriptedCaller is a call + LeaveTrace on every eval. I don't think it really matters, though, so I'll just put js_GetScriptedCaller back.
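Added example (not code from this bug or from SpiderMonkey) modelling the frame walk described in comments 2 and 3 with hypothetical Frame/Context stand-ins: the walk with the "fp &&" conjunct returns null on a lone dummy frame, while the specialization without it would dereference null.

```cpp
// Hypothetical, simplified stand-ins for JSStackFrame and JSContext; not SpiderMonkey's types.
struct Frame {
    bool isDummy;          // dummy frames are what AutoCompartment::enter pushes
    const char *filename;  // script file of a scripted frame; nullptr for a dummy
    unsigned lineno;
    Frame *prev;           // next-older frame, or nullptr at the bottom of the stack
};

struct Context {
    Frame *fp;             // newest frame, or nullptr when nothing is pushed
    bool hasfp() const { return fp != nullptr; }
};

// Correct walk, in the shape of js_GetScriptedCaller: skip dummy frames and
// stop when the chain runs out. The "fp &&" conjunct is the fix from comment 3.
Frame *scriptedCaller(Context *cx) {
    Frame *fp = cx->hasfp() ? cx->fp : nullptr;
    while (fp && fp->isDummy)
        fp = fp->prev;
    return fp;  // nullptr when only dummy frames (or no frames) are on the stack
}

// The buggy specialization assumed hasfp() implied a scripted frame was reachable
// ("while (fp->isDummy) fp = fp->prev;"). Simulate it and report the null read.
bool buggyWalkWouldCrash(Context *cx) {
    if (!cx->hasfp())
        return false;
    for (Frame *fp = cx->fp; fp->isDummy; fp = fp->prev) {
        if (!fp->prev)
            return true;  // the original next reads fp->prev->isDummy: null deref
    }
    return false;
}

// The stack from comment 2: a lone dummy frame whose prev is null, as pushed
// when GetContextFromObject enters a compartment on an empty JS stack.
bool loneDummyFrameHandled() {
    Frame dummy = {true, nullptr, 0, nullptr};
    Context cx = {&dummy};
    return scriptedCaller(&cx) == nullptr && buggyWalkWouldCrash(&cx);
}

// Normal case: a dummy frame on top of a scripted frame (constructed sample data).
unsigned callerLineBelowDummy() {
    Frame script = {false, "page.js", 12, nullptr};
    Frame dummy = {true, nullptr, 0, &script};
    Context cx = {&dummy};
    return scriptedCaller(&cx)->lineno;  // 12
}
```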
Updated•13 years ago
Attachment #529130 - Flags: review?(mrbkap) → review+
Comment 4 (Assignee)•13 years ago
http://hg.mozilla.org/tracemonkey/rev/e4861593d134
Whiteboard: fixed-in-tracemonkey
Comment 5•13 years ago
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/e4861593d134
Updated•13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
Crash Signature: [@ JSStackFrame::isDummyFrame]