Closed Bug 779312 Opened 13 years ago Closed 9 years ago

Crash [@ JSCompartment::wrap ]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
17 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: xtc4uall, Assigned: luke)

References

(
URL
)

Details

(Keywords: crash, reproducible, Whiteboard: [js:p1][js:bumped:1])

Crash Data

Attachments

(1 file)

WinDbg Stack
125.60 KB, text/plain
Details
Attached file WinDbg Stack
Spun off Bug 760745 Comment 21. See Bug 760745 Comment 0 for STR. 003888f0 6d587cf1 mozjs!JSCompartment::wrap(struct JSContext * cx = 0x0c46a230, class JS::Value * vp = 0x00388918)+0x2f6 [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\jscompartment.cpp @ 160] 0038899c 6d5817f2 mozjs!js::CrossCompartmentWrapper::get(struct JSContext * cx = 0x0c46a230, struct JSObject * wrapper = 0x19293c70, struct JSObject * receiver = 0x19293c70, int id = 0n254818752, class JS::Value * vp = 0x0685ec38)+0x1c1 [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\jswrapper.cpp @ 585] 003889d4 6d5ae751 mozjs!proxy_GetGeneric(struct JSContext * cx = 0x0c46a230, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, class JS::Handle<JSObject *> receiver = class JS::Handle<JSObject *>, class JS::Handle<int> id = class JS::Handle<int>, class JS::Value * vp = 0x0685ec38)+0x72 [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\jsproxy.cpp @ 1335] 00388b6c 6d6099fa mozjs!DisabledGetElem(struct js::VMFrame * f = 0x0c46a230, struct js::mjit::ic::GetElementIC * ic = 0x003888c4)+0x1311 [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\methodjit\polyic.cpp @ 2068] 00388bc4 6d5d5aa7 mozjs!js::mjit::stubs::Equal(struct js::VMFrame * f = 0x0c46a230)+0xa [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\methodjit\stubcalls.cpp @ 561] 00388be8 6d59fc2d mozjs!js::mjit::EnterMethodJIT(struct JSContext * cx = 0xffffff85, class js::StackFrame * fp = 0x0c46a230, void * code = 0x0c46a230, class JS::Value * stackLimit = 0x00388be8, bool partial = true)+0x27 [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\methodjit\methodjit.cpp @ 1017] 00389454 6d56e2e4 mozjs!js::Interpret(struct JSContext * cx = 0x0c46a230, class js::StackFrame * entryFrame = 0x06840a20, js::InterpMode interpMode = JSINTERP_NORMAL (0n0))+0x55ad [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\jsinterp.cpp @ 1471] 003894b8 6d554b6f mozjs!UncachedInlineCall(struct js::VMFrame * f = 0x0c46a230, js::InitialFrameFlags initial = INITIAL_NONE (0n0), void ** pret = 0x00389530, bool * unjittable = 0x00389534, unsigned int argc = 1)+0x224 [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\methodjit\invokehelpers.cpp @ 327] 003894f0 6d62d8b2 mozjs!js::mjit::stubs::UncachedCallHelper(struct js::VMFrame * f = 0x00389560, unsigned int argc = 1, bool lowered = false, struct js::mjit::stubs::UncachedCallResult * ucr = 0x0038952c)+0x9f [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\methodjit\invokehelpers.cpp @ 410] 00389540 6d62da1e mozjs!js::mjit::CallCompiler::update(void)+0xb2 [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\methodjit\monoic.cpp @ 934] 00389558 6d63107f mozjs!js::mjit::ic::Call(struct js::VMFrame * f = 0x0c46a230, struct js::mjit::ic::CallICInfo * ic = 0x003888c4)+0x1e [e:\builds\moz2_slave\m-cen-w32-ntly\build\js\src\methodjit\monoic.cpp @ 997] 003895a8 6d59b6a3 mozjs!JaegerThrowpoline+0x2f ... See attached WinDbg Output for full Stack.
Keywords: reproducible
Assignee: general → luke
Whiteboard: [js:p1:fx20]
Whiteboard: [js:p1:fx20] → [js:p1:fx21][js:bumped:1]
Whiteboard: [js:p1:fx21][js:bumped:1] → [js:p1][js:bumped:1]
WFM
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: