Closed Bug 653631 Opened 9 years ago Closed 9 years ago
Crash [@ JSStack
Frame::is Dummy Frame] with moz Request Animation Frame
Related to bug 652401?
> Related to bug 652401? Sorta. So we crash because cx->hasfp() is true, cx->fp()->isDummyFrame() is true, and cx->fp->prev() is null. So js::CurrentScriptFileAndLineSlow called from js::CurrentScriptFileAndLine called from Function() ends up crashing with a null-deref. We push dummy frames on AutoCompartment::enter. In this case that happens with this stack: #0 js::AutoCompartment::enter (this=0x1da0cfe0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jswrapper.cpp:379 #1 0x04649d19 in JS_EnterCrossCompartmentCall (cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1210 #2 0x04649dc3 in JSAutoEnterCompartment::enter (this=0xbfffc324, cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1260 #3 0x00fa2d2c in GetContextFromObject (obj=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:569 #4 0x00fa39c7 in nsXPCWrappedJSClass::CallMethod (this=0x1da3a090, wrapper=0x1da2b8e0, methodIndex=3, info=0x58b97c8, nativeParams=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozil a/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1294 #5 0x00f9ba59 in nsXPCWrappedJS::CallMethod (this=0x1da2b8e0, methodIndex=3, info=0x58b97c8, params=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrap edjs.cpp:586 GetContextFromObject only starts entering compartments and the like if the JS context stack is empty. So that's where bug 652401 comes in. However this seems like a general bug in Function. It seems to assume that if hasfp() then there is a non-dummy frame on the stack... but that's just not true. Luke added this code a few days ago in bug 602994.
Argh, this is a failed specialization of js_GetScriptedCaller (missing "fp &&" conjunct). I think I initially did this since sometimes eval is on the hot path and js_GetScriptedCaller is a call + LeaveTrace on every eval. I don't think it really matters, though, so I'll just put js_GetScriptedCaller back.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #529130 - Flags: review?(mrbkap)
Attachment #529130 - Flags: review?(mrbkap) → review+
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/e4861593d134
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSStackFrame::isDummyFrame]
You need to log in before you can comment on or make changes to this bug.