Closed Bug 82246 Opened 24 years ago Closed 24 years ago

xpcshell crashes on exit

Categories

(Core :: XPConnect, defect)

x86
Windows 2000
defect
Not set
major

Tracking

()

VERIFIED DUPLICATE of bug 80619

People

(Reporter: aaronb, Assigned: dbradley)

Details

This happens on pulls from the trunk between May 14 and 20. Since this code does not seem to have changed, I suspect it's still on the tip.

To reproduce launch xpcshell with no command line options. Then type "quit()" followed by return. xpcshell crashes with an access violation in js_GetProperty() inside the CHECK_FOR_FUNNY_INDEX() macro. Looking at the disassembly suggests that ATOM_TO_STRING() is doing a lookup in deleted memory (returning 0xdddddddd in a debug build).

The complete callstack (May 14) follows:

js_GetProperty(JSContext * 0x00b1fbc8, JSObject * 0x00b7afc0, long 0x00b7db30, long * 0x0012f74c) line 2208 + 43 bytes
js_InitObjectClass(JSContext * 0x00b1fbc8, JSObject * 0x00b7ae28) line 1523 + 36 bytes
InitFunctionAndObjectClasses(JSContext * 0x00b1fbc8, JSObject * 0x00b7ae28) line 1065 + 13 bytes
JS_ResolveStandardClass(JSContext * 0x00b1fbc8, JSObject * 0x00b7ae28, long 0x00b7ac9c, int * 0x0012f810) line 1341 + 11 bytes
SafeGlobalResolve(JSContext * 0x00b1fbc8, JSObject * 0x00b7ae28, long 0x00b7ac9c) line 110 + 22 bytes
_js_LookupProperty(JSContext * 0x00b1fbc8, JSObject * 0x00b7ae28, long 0x00b7d500, JSObject * * 0x0012f938, JSProperty * * 0x0012f930, const char * 0x61b7f850, unsigned int 0x0000069e) line 2074 + 24 bytes
FindConstructor(JSContext * 0x00b1fbc8, JSObject * 0x00000000, const char * 0x61b50074 _js_Object_str, long * 0x0012f970) line 1694 + 41 bytes
GetClassPrototype(JSContext * 0x00b1fbc8, JSObject * 0x00b7ae28, const char * 0x61b50074 _js_Object_str, JSObject * * 0x0012f9d4) line 3091 + 21 bytes
js_NewObject(JSContext * 0x00b1fbc8, JSClass * 0x618ead28 WrappedJSOutArg_class, JSObject * 0x00000000, JSObject * 0x00b7ae28) line 1602 + 28 bytes
JS_InitClass(JSContext * 0x00b1fbc8, JSObject * 0x00b7ae28, JSObject * 0x00000000, JSClass * 0x618ead28 WrappedJSOutArg_class, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00000000, unsigned int 0x00000000, JSPropertySpec * 0x00000000, JSFunctionSpec * 0x00000000, JSPropertySpec * 0x00000000, JSFunctionSpec * 0x00000000) line 1799 + 21 bytes
nsXPCWrappedJSClass::InitClasses(XPCCallContext & {...}, JSObject * 0x00b7ae28) line 1392 + 38 bytes
nsXPConnect::InitClasses(nsXPConnect * const 0x00b7f958, JSContext * 0x00b1fbc8, JSObject * 0x00b7ae28) line 344 + 13 bytes
XPCJSContextStack::GetSafeJSContext(XPCJSContextStack * const 0x010326e8, JSContext * * 0x0012fb90) line 141 + 29 bytes
XPCCallContext::XPCCallContext(XPCContext::LangType LANG_NATIVE, JSContext * 0x00000000, JSObject * 0x00000000, JSObject * 0x00000000, long 0x00000000, unsigned int 0xffffffff, long * 0x00000000, long * 0x00000000) line 88 + 21 bytes
nsXPConnect::~nsXPConnect() line 114
nsXPConnect::`scalar deleting destructor'() + 15 bytes
nsXPConnect::Release(nsXPConnect * const 0x00b7f958) line 41 + 133 bytes
nsXPConnect::ReleaseXPConnectSingleton() line 226 + 12 bytes
xpcModuleDtor(nsIModule * 0x00b1d388) line 65
nsGenericModule::Shutdown() line 221 + 10 bytes
nsGenericModule::~nsGenericModule() line 201
nsGenericModule::`scalar deleting destructor'(unsigned int 0x00000001) + 15 bytes
nsGenericModule::Release(nsGenericModule * const 0x00b1d388) line 203 + 130 bytes
nsDll::Shutdown() line 468 + 18 bytes
nsFreeLibrary(nsDll * 0x00911ec8, nsIServiceManager * 0x00000000, int 0x00000003) line 381
nsFreeLibraryEnum(nsHashKey * 0x00912268, void * 0x00911ec8, void * 0x0012fd6c) line 429 + 64 bytes
_hashEnumerate(PLHashEntry * 0x009122b0, int 0x00000000, void * 0x0012fd50) line 193 + 26 bytes
PL_HashTableEnumerateEntries(PLHashTable * 0x0031fa20, int (PLHashEntry *, int, void *)* 0x61e17000 _hashEnumerate(PLHashEntry *, int, void *), void * 0x0012fd50) line 413 + 15 bytes
nsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x61e57300 nsFreeLibraryEnum(nsHashKey *, void *, void *), void * 0x0012fd6c) line 359 + 21 bytes
nsNativeComponentLoader::UnloadAll(nsNativeComponentLoader * const 0x0031d5d8, int 0x00000003) line 991
nsComponentManagerImpl::UnloadLibraries(nsIServiceManager * 0x00000000, int 0x00000003) line 1883 + 22 bytes
nsComponentManagerImpl::Shutdown() line 360
NS_ShutdownXPCOM(nsIServiceManager * 0x00000000) line 496 + 11 bytes
main(int 0x00000000, char * * 0x00318054) line 950 + 8 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87903()

Ah good. This was bug 80619 in the JS engine. You just need to update the JS engine files and rebuild. Make some noise if this does not fix the problem for you.

*** This bug has been marked as a duplicate of 80619 ***
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
Verified as Duplicate -
This bug: access violation in js_GetProperty() inside the CHECK_FOR_FUNNY_INDEX() macro
Bug 80619: Crashes in js_GetProperty(). The CHECK_FOR_FUNNY_INDEX(id) macro crashes because the string for cx->runtime->atomState.constructorAtom is null.
Status: RESOLVED → VERIFIED
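
Added example, not part of the bug thread and not Mozilla code: a toy debug allocator showing why a stale atom's string field reads back as 0xdddddddd in a debug build (the MSVC debug heap overwrites freed blocks with the byte 0xDD), and how a triage check can tell that case apart from the null string described for bug 80619. The names toy_atom, toy_alloc, toy_free and classify_atom are hypothetical, and the pool stands in for the heap so the stale read is well-defined here.

```c
/* Added illustration, not Mozilla code. toy_atom and the pool are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEAD_FILL 0xDD   /* byte the MSVC debug heap writes over freed blocks */

typedef struct { const char *string; uint32_t hash; } toy_atom;

/* Storage stays mapped after toy_free(), so the stale read below is
 * well-defined in this demo; on a real heap it is a use-after-free. */
static toy_atom pool[4];
static int pool_used[4];

static toy_atom *toy_alloc(const char *s) {
    for (int i = 0; i < 4; i++) {
        if (!pool_used[i]) {
            pool_used[i] = 1;
            pool[i].string = s;
            pool[i].hash = 0;
            return &pool[i];
        }
    }
    return NULL;
}

static void toy_free(toy_atom *a) {
    memset(a, DEAD_FILL, sizeof *a);   /* poison, as a debug heap would */
    pool_used[a - pool] = 0;
}

/* Classify the string field of an atom without dereferencing it. */
static const char *classify_atom(const toy_atom *a) {
    uintptr_t value, dead;
    memcpy(&value, &a->string, sizeof value);
    memset(&dead, DEAD_FILL, sizeof dead);   /* 0xdddddddd on 32-bit x86 */
    if (value == 0) return "null";
    if (value == dead) return "freed";
    return "live";
}

/* Take an atom, free it, then inspect the stale handle. */
static const char *stale_lookup_demo(void) {
    toy_atom *a = toy_alloc("constructor");
    toy_free(a);
    return classify_atom(a);
}

int main(void) {
    printf("stale atom string field: %s\n", stale_lookup_demo());
    return 0;
}
```

In a release build the freed block is not poisoned, so the same stale read can return plausible-looking data instead of a recognisable fill pattern.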