Closed Bug 301491 Opened 19 years ago Closed 19 years ago

[@ js_LinkFunctionObject]

Categories

(Core :: XPConnect, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 obsolete file)

found in 18a5, but the code hasn't changed on trunk. funobj is 0x0 in js_LinkFunctionObject. funval is destroyed in nsXPCComponents::LookupMethod. The fix is the same as in bug 180182 and bug 289949: add AUTO_MARK_JSVAL(ccx, funval); between GetValue and JS_CloneFunctionObject.

ChildEBP RetAddr  Args to Child
0012ea50 00b1a032 00a959d8 00000000 02570590 js3250!js_LinkFunctionObject+0x9 [c:\build\chs3\build\mozilla\js\src\jsfun.c @ 1968]
0012ea70 00b02c86 00a959d8 11c6dc48 0232beb0 js3250!js_CloneFunctionObject+0x34 [c:\build\chs3\build\mozilla\js\src\jsfun.c @ 1958]
0012ea88 00ad616e 00a959d8 11c6dc48 0232beb0 js3250!JS_CloneFunctionObject+0x57 [c:\build\chs3\build\mozilla\js\src\jsapi.c @ 3172]
0012eb50 00865004 11c6dc48 0012ed08 00ae357a xpc3250!nsXPCComponents::LookupMethod+0x1e3 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpccomponents.cpp @ 2096]
0012eb5c 00ae357a 00fd9cb8 0000000e 00000000 xpcom_core!XPTC_InvokeByIndex+0x27 [c:\build\chs3\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 102]
0012ed08 00ae5400 0012ed24 00000000 00000000 xpc3250!XPCWrappedNative::CallMethod+0x6c4 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 2065]
0012ed9c 00b1d071 00a959d8 00f9b418 00000002 xpc3250!XPC_WN_CallMethod+0x8e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1287]
0012ee50 00b2246f 00000001 00000002 00000000 js3250!js_Invoke+0x531 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1320]
0012efb0 00b1d0b2 00a959d8 14d8737e 0012f058 js3250!js_Interpret+0x4b13 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3612]
0012f05c 00b2246f 00000001 00000001 00000000 js3250!js_Invoke+0x572 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1340]
0012f1bc 00b1d0b2 00a959d8 13215216 0012f264 js3250!js_Interpret+0x4b13 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3612]
0012f268 00b2429e 00000001 00000002 00000001 js3250!js_Invoke+0x572 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1340]
0012f3c8 00b1d0b2 00a959d8 0c6f798b 0012f470 js3250!js_Interpret+0x6942 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3178]
0012f474 00b2246f 00000001 00000001 00000000 js3250!js_Invoke+0x572 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1340]
0012f5d4 00b1d0b2 00a959d8 12fa8be8 0012f67c js3250!js_Interpret+0x4b13 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3612]
0012f680 00b2246f 00000001 00000004 00000000 js3250!js_Invoke+0x572 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1340]
0012f7e0 00b1d0b2 00a959d8 023cc17a 0012f888 js3250!js_Interpret+0x4b13 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3612]
0012f88c 00ae0dd2 00000001 00000004 00000002 js3250!js_Invoke+0x572 [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1340]
0012f9f4 00ade4c5 0218a3d0 043cf308 00000003 xpc3250!nsXPCWrappedJSClass::CallMethod+0x6a4 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1339]
0012fa0c 00864526 023cf308 00000003 0216ee70 xpc3250!nsXPCWrappedJS::CallMethod+0x27 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 450]
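The rooting hazard described in this report, reproduced on a toy mark-and-sweep heap as an added example (this is not code from the bug, from SpiderMonkey or from XPConnect). `Heap`, `Cell`, `AutoMarkValue` and `cloneFunction` are all assumed stand-ins: `AutoMarkValue` plays the role of AUTO_MARK_JSVAL, and `cloneFunction` models a callee that allocates (and so may collect) before it reads the value it was handed. The toy collector runs on every allocation so the hazard is deterministic rather than intermittent.

```cpp
// Added example (not Mozilla code): why an unrooted value dies under an
// allocating call, and how a scoped root keeps it alive.
#include <algorithm>
#include <vector>

struct Cell {
    bool marked  = false;
    bool alive   = true;
    int  payload = 0;
};

// Minimal heap. Every allocation runs a full collection first: the worst case
// a caller must survive (a real engine merely *may* collect on allocation).
class Heap {
public:
    ~Heap() { for (Cell* c : cells_) delete c; }

    Cell* alloc(int payload) {
        collect();                        // allocation can trigger GC
        Cell* c = new Cell;
        c->payload = payload;
        cells_.push_back(c);
        return c;
    }

    // A root is the address of a slot that holds a Cell*; only rooted slots
    // are visible to the mark phase.
    void addRoot(Cell** slot) { roots_.push_back(slot); }
    void removeRoot(Cell** slot) {
        roots_.erase(std::find(roots_.begin(), roots_.end(), slot));
    }

    void collect() {
        for (Cell* c : cells_) c->marked = false;
        for (Cell** r : roots_) if (*r) (*r)->marked = true;   // mark
        // Sweep: rather than freeing (which would turn the bug into undefined
        // behaviour), poison dead cells so a use-after-GC is detectable.
        for (Cell* c : cells_)
            if (!c->marked && c->alive) { c->alive = false; c->payload = -1; }
    }

private:
    std::vector<Cell*>  cells_;
    std::vector<Cell**> roots_;
};

// Assumed analogue of AUTO_MARK_JSVAL: roots a value for the enclosing scope.
class AutoMarkValue {
public:
    AutoMarkValue(Heap& h, Cell* v) : heap_(h), slot_(v) { heap_.addRoot(&slot_); }
    ~AutoMarkValue() { heap_.removeRoot(&slot_); }
private:
    Heap& heap_;
    Cell* slot_;
};

// Stand-in for JS_CloneFunctionObject: allocates the clone first (which can
// collect), then reads the source. The real engine would dereference a dead
// object here; this model returns nullptr instead.
Cell* cloneFunction(Heap& heap, Cell* src) {
    Cell* copy = heap.alloc(0);
    if (!src->alive) return nullptr;      // source was collected under us
    copy->payload = src->payload;
    return copy;
}

// Shape of the buggy LookupMethod: funval lives only in a C++ local, which the
// collector cannot see. Returns -1 when the clone fails.
int lookupMethodUnrooted() {
    Heap heap;
    Cell* funval = heap.alloc(42);        // stands in for the GetValue() result
    Cell* funobj = cloneFunction(heap, funval);
    return funobj ? funobj->payload : -1;
}

// Shape of the fix: root funval before calling anything that may allocate.
int lookupMethodRooted() {
    Heap heap;
    Cell* funval = heap.alloc(42);
    AutoMarkValue mark(heap, funval);     // analogue of AUTO_MARK_JSVAL(ccx, funval)
    Cell* funobj = cloneFunction(heap, funval);
    return funobj ? funobj->payload : -1;
}
```

`lookupMethodUnrooted()` returns -1 because the collection triggered inside `cloneFunction` sweeps `funval`, exactly the situation that left `funobj` null in the trace above; `lookupMethodRooted()` returns 42. Note that the clone itself is not rooted after `cloneFunction` returns, so any further allocating call in the same scope would need its own root; that is the question a reviewer should ask of every value held across an allocating call.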
Attachment #189947 - Flags: superreview?(shaver)
Attachment #189947 - Flags: review?(dbradley)
Comment on attachment 189947: mark the value before passing it to a function that can cause it to be gc'd
Are we sure that only one GC can happen under here?
http://lxr.mozilla.org/seamonkey/source/js/src/xpconnect/src/xpcprivate.h#3206
I'm certainly not sure; I kinda presumed the creature was going to protect it from all js_gc's for the duration of scope (it only needs to hold it until the next statement finishes). If I'm wrong and you're right then the code that I referenced that uses it is in trouble.
Comment on attachment 189947: mark the value before passing it to a function that can cause it to be gc'd
OK, sure.
Attachment #189947 - Flags: superreview?(shaver) → superreview+
Comment on attachment 189947: mark the value before passing it to a function that can cause it to be gc'd
We'd like to have this for our product, which is probably going to be stuck with this branch for a year.
Attachment #189947 - Flags: approval1.8b4?
Comment on attachment 189947: mark the value before passing it to a function that can cause it to be gc'd
How about a comment before that AUTO_MARK_JSVAL macro call, and a blank line after? r=me in lieu of dbradley, and approving. /be
Attachment #189947 - Flags: review?(dbradley)
Attachment #189947 - Flags: review+
Attachment #189947 - Flags: approval1.8b4?
Attachment #189947 - Flags: approval1.8b4+
Comment on attachment 189947: mark the value before passing it to a function that can cause it to be gc'd
mozilla/js/src/xpconnect/src/xpccomponents.cpp 1.74
Attachment #189947 - Attachment is obsolete: true
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
*** Bug 306579 has been marked as a duplicate of this bug. ***
Crash Signature: [@ js_LinkFunctionObject]