Closed
Bug 336804
Opened 19 years ago
Closed 19 years ago
js1_5/String/regress-157334-01.js: result: CRASHED type: browser
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target mozilla1.9alpha1
People: Reporter: bc, Assigned: mrbkap
Keywords: regression
Attachments (1 file): patch (deleted), brendan: review+
since 20060429 trunk builds
uint8 *
js_GetGCThingFlags(void *thing)
{
    JSGCPageInfo *pi;
    jsuword offsetInArena, thingIndex;

    pi = THING_TO_PAGE(thing);
=>  offsetInArena = pi->offsetInArena;
    JS_ASSERT(offsetInArena < GC_THINGS_SIZE);
    thingIndex = ((offsetInArena & ~GC_PAGE_MASK) |
                  ((jsuword)thing & GC_PAGE_MASK)) / sizeof(JSGCThing);
    JS_ASSERT(thingIndex < GC_PAGE_SIZE);
    if (thingIndex >= (offsetInArena & GC_PAGE_MASK))
        thingIndex += GC_THINGS_SIZE;
    return (uint8 *)pi - offsetInArena + thingIndex;
}

thing          0x000001d7  void *
offsetInArena  9063        unsigned long
pi             0x00000000 {offsetInArena=??? unscannedBitmap=??? }  JSGCPageInfo *
thingIndex     4624324     unsigned long
> js3250.dll!js_GetGCThingFlags(void * thing=0x000001d7) Line 311 + 0x3 bytes C
js3250.dll!js_MarkGCThing(JSContext * cx=0x048c8c18, void * thing=0x000001d7) Line 1657 + 0x9 bytes C
js3250.dll!js_MarkStackFrame(JSContext * cx=0x048c8c18, JSStackFrame * fp=0x0012ebc4) Line 1794 + 0x10 bytes C
js3250.dll!js_GC(JSContext * cx=0x048c8c18, unsigned int gcflags=5) Line 2025 + 0xd bytes C
js3250.dll!js_NewGCThing(JSContext * cx=0x048c8c18, unsigned int flags=1, unsigned int nbytes=8) Line 771 + 0xb bytes C
js3250.dll!js_NewString(JSContext * cx=0x048c8c18, unsigned short * chars=0x04ac6250, unsigned int length=3, unsigned int gcflag=0) Line 2437 + 0x12 bytes C
js3250.dll!JS_NewStringCopyZ(JSContext * cx=0x048c8c18, const char * s=0x0012eaea) Line 4437 + 0x13 bytes C
js3250.dll!js_NumberToString(JSContext * cx=0x048c8c18, double d=235.00000000000000) Line 716 + 0xd bytes C
js3250.dll!num_toString(JSContext * cx=0x048c8c18, JSObject * obj=0x000001d7, unsigned int argc=0, long * argv=0x04ac90ac, long * rval=0x0012ebe4) Line 285 + 0x12 bytes C
js3250.dll!js_Invoke(JSContext * cx=0x048c8c18, unsigned int argc=0, unsigned int flags=0) Line 1300 + 0x20 bytes C
js3250.dll!js_Interpret(JSContext * cx=0x048c8c18, unsigned char * pc=0x03d68ef0, long * result=0x0012f600) Line 3955 + 0xf bytes C
js3250.dll!js_Execute(JSContext * cx=0x048c8c18, JSObject * chain=0x03c34480, JSScript * script=0x04a303e0, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012f708) Line 1544 + 0x13 bytes C
js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x048c8c18, JSObject * obj=0x03c34480, JSPrincipals * principals=0x04a2b134, const unsigned short * chars=0x04acd8e8, unsigned int length=2810, const char * filename=0x04a309b0, unsigned int lineno=1, long * rval=0x0012f708) Line 4274 + 0x19 bytes C
gklayout.dll!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x03c34480, nsIPrincipal * aPrincipal=0x04a2b130, const char * aURL=0x04a309b0, unsigned int aLineNo=1, const char * aVersion=0x004fde1c, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x0012f7e8) Line 1080 + 0x43 bytes C++
gklayout.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x03d6db88, const nsString & aScript={...}) Line 761 C++
gklayout.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest=0x03d6db88) Line 663 + 0x13 bytes C++
gklayout.dll!nsScriptLoader::OnStreamComplete(nsIStreamLoader * aLoader=0x04a30870, nsISupports * aContext=0x03d6db88, unsigned int aStatus=0, unsigned int stringLen=2810, const unsigned char * string=0x048b0448) Line 1018 C++
necko.dll!nsStreamLoader::OnStopRequest(nsIRequest * request=0x04a30a80, nsISupports * ctxt=0x03d6db88, unsigned int aStatus=0) Line 120 C++
necko.dll!nsStreamListenerTee::OnStopRequest(nsIRequest * request=0x04a30a80, nsISupports * context=0x03d6db88, unsigned int status=0) Line 66 C++
necko.dll!nsHttpChannel::OnStopRequest(nsIRequest * request=0x04a34be0, nsISupports * ctxt=0x00000000, unsigned int status=0) Line 4090 C++
necko.dll!nsInputStreamPump::OnStateStop() Line 567 C++
necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x04a34a70) Line 391 + 0xb bytes C++
xpcom_core.dll!nsInputStreamReadyEvent::EventHandler(PLEvent * plevent=0x04a34ccc) Line 121 C++
xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x04a34ccc) Line 688 + 0xc bytes C
xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x00d41d18) Line 623 + 0x9 bytes C
xpcom_core.dll!_md_EventReceiverProc(HWND__ * hwnd=0x0045037a, unsigned int uMsg=49430, unsigned int wParam=0, long lParam=13901080) Line 1408 + 0x9 bytes C
user32.dll!77d48734()
[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
user32.dll!77d48816()
user32.dll!77d489cd()
user32.dll!77d49402()
user32.dll!77d48a10()
gkwidget.dll!nsAppShell::Run() Line 135 C++
tkitcmps.dll!nsAppStartup::Run() Line 161 + 0x1c bytes C++
xul.dll!XRE_main(int argc=4, char * * argv=0x00b27d08, const nsXREAppData * aAppData=0x004036b0) Line 2364 + 0x25 bytes C++
firefox.exe!main(int argc=4, char * * argv=0x00b27d08) Line 61 + 0x13 bytes C++
firefox.exe!__tmainCRTStartup() Line 586 + 0x19 bytes C
firefox.exe!mainCRTStartup() Line 403 C
kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
Comment 1 • 19 years ago (Assignee)
This is fallout from bug 334261. We're marking a number thisp, which crashes.
Comment 2 • 19 years ago (Assignee)
Check that thisp is a GC thing before marking it. We can't depend on argv[-1] keeping thisp alive since native functions can overwrite it with other jsvals.
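The guard described in this comment, as an added example that is not SpiderMonkey code: it models the 32-bit tagged jsval encoding SpiderMonkey used at the time (low bit set = integer, low three bits clear = object pointer; that encoding is the example's assumption, not something the report states), decodes the thisp value 0x000001d7 from the stack trace, and shows why an unconditional mark dereferences a non-pointer while a JSVAL_IS_GCTHING-style check skips it.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example, not SpiderMonkey code. Models the 32-bit tagged jsval encoding
 * of the time (an assumption of this example): low bit set = 31-bit integer,
 * low three bits clear = object pointer, other tags = double/string/boolean. */
typedef uintptr_t jsval;
#define JSVAL_OBJECT   0x0u
#define JSVAL_INT      0x1u
#define JSVAL_BOOLEAN  0x6u
#define JSVAL_TAGMASK  0x7u

static int jsval_is_int(jsval v)     { return (v & JSVAL_INT) != 0; }
static int jsval_is_boolean(jsval v) { return (v & JSVAL_TAGMASK) == JSVAL_BOOLEAN; }
static int jsval_is_object(jsval v)  { return (v & JSVAL_TAGMASK) == JSVAL_OBJECT; }
/* Same shape as the JSVAL_IS_GCTHING predicate in the patch: anything that is
 * neither an int nor a boolean lives on the GC heap and may be dereferenced. */
static int jsval_is_gcthing(jsval v) { return !jsval_is_int(v) && !jsval_is_boolean(v); }
static long jsval_to_int(jsval v)    { return (long)(v >> 1); }  /* non-negative ints */

/* Stand-in GC thing, aligned so a pointer to it has zero tag bits. */
typedef struct { _Alignas(8) uint64_t payload; int marked; } gcthing;
/* Pre-fix behaviour: thisp is dereferenced unconditionally. With 0x000001d7
 * this is the fault inside js_GetGCThingFlags shown in the report. */
static void mark_gcthing_unguarded(void *thing) { ((gcthing *)thing)->marked = 1; }

/* Post-fix behaviour: check the tag first. Returns 1 if it marked, 0 if skipped. */
static int mark_this(void *thisp)
{
    if (!jsval_is_gcthing((jsval)thisp))
        return 0;                       /* primitive int/boolean in thisp */
    mark_gcthing_unguarded(thisp);
    return 1;
}

/* Runs the guard over a real object and reports whether it was marked. */
static int mark_real_object(void)
{
    static gcthing obj;
    obj.marked = 0;
    return mark_this(&obj) && obj.marked;
}

int main(void)
{
    jsval v = 0x000001d7;               /* thisp value from the stack trace */
    printf("int? %d (value %ld) object? %d gcthing? %d marked? %d\n",
           jsval_is_int(v), jsval_to_int(v), jsval_is_object(v),
           jsval_is_gcthing(v), mark_this((void *)v));
    printf("real object marked? %d\n", mark_real_object());
    return 0;
}
```

The decoded value 235 is the `d=235.0` that js_NumberToString receives in the same trace, which is how the tagged integer ended up in fp->thisp.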
Comment 3 • 19 years ago
Comment on attachment 220989 [details] [diff] [review]
Fix
>+ JS_ASSERT(JSVAL_IS_GCTHING((jsval)fp->thisp) ||
>+ (fp->fun && (fp->fun->flags & JSFUN_THISP_PRIMITIVE)));
First condition should be JSVAL_IS_OBJECT((jsval)fp->thisp), if you are not going to go crazy and compare jsval tag bit cases to JSFUN_THISP_* flags and assert exact correspondence.
>+ if (JSVAL_IS_GCTHING((jsval)fp->thisp))
>+ GC_MARK(cx, fp->thisp, "this");
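Review bot: this guard is the line that actually stops the crash in the stack above, where js_MarkStackFrame handed thisp=0x000001d7 (the same value num_toString received as obj) to js_MarkGCThing and THING_TO_PAGE yielded a NULL pi; since the JS_ASSERT above it is compiled out of release builds, a short comment on the GC_MARK call saying that fp->thisp may hold a primitive jsval when fp->fun has JSFUN_THISP_PRIMITIVE would record why the test is JSVAL_IS_GCTHING rather than a plain NULL check.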
r=me with assertion improved, thanks.
/be
Attachment #220989 - Flags: review?(brendan) → review+
Updated • 19 years ago (Reporter)
Keywords: regression
Updated • 19 years ago (Reporter)
Flags: in-testsuite+
Comment 4 • 19 years ago (Assignee)
Fix checked in with the stronger assertion.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 5 • 18 years ago (Reporter)
verified fixed 20060609 win/macppc/linux trunk.
Status: RESOLVED → VERIFIED