Subj : Re: SpiderMonkey crashes on invalid JSAtom*
To : netscape.public.mozilla.jseng
From : "itaj sherman"
Date : Wed Mar 05 2003 06:14 pm

I managed to get an example for that case: the main thread of my application activates the GC thread (which calls JS_GC() every second), and then continues to define the global JS API. Inside a call to JS_DefineFunction() it keeps the name of the function in an atom, in the local variable named 'atom', and then calls js_DefineFunction() and passes that atom as a parameter. Somewhere inside there ClaimScope() is called and it suspends the GC request. At that point the GC thread happened to call JS_GC() and the GC started. I looked for that atom and caught it when it was thrown away in js_atom_sweeper. After the GC is done, the other thread continues and crashes the next time it tries to use that atom.

This is the stack of the thread that defines the function. In JS_DefineFunction() atom==0x03c9d4b0:

NTDLL! 77f827e8()
KERNEL32! 77e83b5b()
PR_WaitCondVar(PRCondVar * 0x01082310, unsigned int 0xffffffff) line 34
ClaimScope(JSScope * 0x010a4060, JSContext * 0x03c9c6c0) line 444 + 17 bytes
js_GetSlotThreadSafe(JSContext * 0x03c9c6c0, JSObject * 0x02f9c368, unsigned long 0x00000002) line 511 + 22 bytes
JS_TypeOfValue(JSContext * 0x03c9c6c0, long 0x02f9c368) line 578 + 301 bytes
proto_resolve_stub(JSContext * 0x03c9c6c0, JSObject * 0x02f9c348, long 0x02f9c084) line 47 + 14 bytes
_js_LookupProperty(JSContext * 0x03c9c6c0, JSObject * 0x02f9c348, long 0x010daa40, JSObject * * 0x0169dc00, JSProperty * * 0x0169dbfc, const char * 0x00632bd0 `string', unsigned int 0x000006a6) line 2154 + 32 bytes
FindConstructor(JSContext * 0x03c9c6c0, JSObject * 0x00000000, const char * 0x0062d9d4 _js_Function_str, long * 0x0169dc8c) line 1702 + 47 bytes
GetClassPrototype(JSContext * 0x03c9c6c0, JSObject * 0x02f9c348, const char * 0x0062d9d4 _js_Function_str, JSObject * * 0x0169dd3c) line 3368 + 21 bytes
js_NewObject(JSContext * 0x03c9c6c0, JSClass * 0x0063ef58 _js_FunctionClass, JSObject * 0x00000000, JSObject * 0x02f9c348) line 1608 + 23 bytes
js_NewFunction(JSContext * 0x03c9c6c0, JSObject * 0x00000000, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x01f65440 CreateDom(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 0x00000002, unsigned int 0x00000000, JSObject * 0x02f9c348, JSAtom * 0x03c9d4b0) line 1902 + 20 bytes
js_DefineFunction(JSContext * 0x03c9c6c0, JSObject * 0x02f9c348, JSAtom * 0x03c9d4b0, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x01f65440 CreateDom(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 0x00000002, unsigned int 0x00000000) line 1966 + 31 bytes
JS_DefineFunction(JSContext * 0x03c9c6c0, JSObject * 0x02f9c348, const char * 0x02154630 `string', int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x01f65440 CreateDom(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 0x00000002, unsigned int 0x00000000) line 2816 + 29 bytes
JS_DefineFunctions(JSContext * 0x03c9c6c0, JSObject * 0x02f9c348, JSFunctionSpec * 0x02186cb8 http_functions) line 2798 + 44 bytes
WLAddHttpFunctions(JSContext * 0x03c9c6c0, JSObject * 0x02f9c348) line 646 + 19 bytes
CWLCommandManager::JSInitializeForClient(JSContext * 0x03c9c6c0, JSObject * 0x02f9c348, CLEVariablesData * 0x03c9c430) line 2261 + 22 bytes
CLoadGeneralThreadInstanceScript::InitProtocols(CWLJSThread & {...}, IGeneralManagerScriptData & {...}, JSContext * 0x03c9c6c0, JSObject * 0x02f9c348, CLEVariablesData * 0x03c9c430) line 400 + 29 bytes
CWLJSThread::Init(CJSLoadRuntime & {...}, CLoadGeneralThreadInstanceScript * 0x03c9c900, IGeneralManagerScriptData & {...}, int 0x00000000) line 1224
CLoadThreadInstanceScript::Init() line 593 + 65 bytes
CLoadThreadInstanceScriptContainer::Init(CLoadThreadInstance * 0x03c9cb90) line 906 + 14 bytes
CLoadThreadInstance::Init() line 81 + 18 bytes
CLoadThreadsManager::SetNumThreads(int 0x00000001) line 268 + 15 bytes
CLoadThreadsManager::setNumActive(int 0x00000001) line 92 + 12 bytes
CLoadGeneratorSlave::MainLoop() line 428 + 21 bytes
RWTFunctor0MImp::run() line 46
RWTHREADSH! 1001f9dd()
RWTHREADSH! 1000b03d()
RWTHREADSH! 1001fcee()
RWTHREADSH! 1001fc69()
KERNEL32! 77e96523()

This is the stack of the GC thread. In js_atom_sweeper() atom==0x03c9d4b0, stopped on the line: return HT_ENUMERATE_REMOVE;

js_atom_sweeper(JSHashEntry * 0x03c9d4b0, int 0x000004f2, void * 0x02f7875c) line 404
JS_HashTableEnumerateEntries(JSHashTable * 0x010d85e0, int (JSHashEntry *, int, void *)* 0x00547860 js_atom_sweeper(JSHashEntry *, int, void *), void * 0x02f7875c) line 365 + 15 bytes
js_SweepAtomState(JSAtomState * 0x02f7875c) line 414 + 21 bytes
js_GC(JSContext * 0x03c98900, unsigned int 0x00000000) line 1210 + 12 bytes
js_ForceGC(JSContext * 0x03c98900) line 946 + 11 bytes
JS_GC(JSContext * 0x03c98900) line 1635 + 9 bytes
cLEJSGCThread::fExecute() line 67 + 13 bytes
CLoadGeneratorSlave::JSGCFunc() line 765
RWTFunctor0MImp::run() line 46
RWTHREADSH! 1001f9dd()
RWTHREADSH! 1000b03d()
RWTHREADSH! 1001fcee()
RWTHREADSH! 1001fc69()
KERNEL32! 77e96523()
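Added example, not part of the post above and not SpiderMonkey code: a deterministic C model of the interleaving the report describes. The atom table, the hold count and the sweep below are hypothetical stand-ins for the engine's atomizer, js_atom_sweeper() and the JS_GC() mark/sweep; the only thing the model reproduces is the ordering of events (atomize a name into a C local, block in ClaimScope() with the GC request suspended, a full GC runs on the other thread, resume and dereference the atom). The pin_atom variant is an assumed hardening, not the engine's actual fix: it shows why a pointer that lives only in a C local is invisible to the mark phase and has to be pinned or rooted before the thread does anything that lets a GC run.

```c
/*
 * Added example (not SpiderMonkey code): a single-threaded, deterministic
 * model of the race in the post. Atom, AtomState, atomize(), mark_from_heap()
 * and sweep() are hypothetical stand-ins; they reproduce the ordering of
 * events only, not the engine's data structures.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ATOMS 8

typedef struct Atom {
    char name[32];
    int  marked;  /* reachable from the JS heap during the mark phase       */
    int  held;    /* pinned by native code; the sweeper must leave it alone  */
    int  freed;   /* tombstone: set when the sweeper discards the atom       */
} Atom;

typedef struct AtomState {
    Atom table[MAX_ATOMS];
    int  count;
} AtomState;

/* Intern a name. A fresh atom is referenced only by the returned C pointer,
 * like the local variable 'atom' in JS_DefineFunction() in the post. */
static Atom *atomize(AtomState *st, const char *name)
{
    for (int i = 0; i < st->count; i++)
        if (!st->table[i].freed && strcmp(st->table[i].name, name) == 0)
            return &st->table[i];
    if (st->count == MAX_ATOMS)
        return NULL;
    Atom *a = &st->table[st->count++];
    strncpy(a->name, name, sizeof a->name - 1);
    a->name[sizeof a->name - 1] = '\0';
    a->marked = a->held = a->freed = 0;
    return a;
}

/* Mark phase: only names reachable from the JS heap get marked. A pointer
 * sitting in a C local on another thread is invisible to this walk. */
static void mark_from_heap(AtomState *st, const char **heap_names, int n)
{
    for (int i = 0; i < st->count; i++) {
        st->table[i].marked = 0;
        for (int j = 0; j < n; j++)
            if (strcmp(st->table[i].name, heap_names[j]) == 0)
                st->table[i].marked = 1;
    }
}

/* Sweep phase, modelled on js_atom_sweeper(): every atom that is neither
 * marked nor held is removed. Returns the number of atoms discarded. */
static int sweep(AtomState *st)
{
    int removed = 0;
    for (int i = 0; i < st->count; i++) {
        Atom *a = &st->table[i];
        if (!a->freed && !a->marked && !a->held) {
            a->freed = 1;       /* the HT_ENUMERATE_REMOVE step in the post */
            removed++;
        }
    }
    return removed;
}

/* The interleaving from the post: the defining thread atomizes the function
 * name, then blocks in ClaimScope(), which suspends its GC request, so the
 * GC thread's JS_GC() completes a full mark/sweep before js_NewFunction()
 * touches the atom. With pin_atom == 0 the atom is swept out from under the
 * thread; with pin_atom != 0 an assumed hold count keeps it alive.
 * Returns 1 if the atom was used after being swept (the crash), else 0. */
static int define_function_race(int pin_atom)
{
    AtomState st;
    memset(&st, 0, sizeof st);
    const char *heap_names[] = { "Function" };  /* constructed heap contents */

    atomize(&st, "Function");                   /* heap-reachable: survives  */
    Atom *atom = atomize(&st, "CreateDom");     /* lives only in this C local */

    if (pin_atom)
        atom->held++;                           /* hardened variant: pin it  */

    /* ClaimScope() -> PR_WaitCondVar(): request suspended, GC thread runs. */
    mark_from_heap(&st, heap_names, 1);
    sweep(&st);

    /* Thread resumes and js_NewFunction() dereferences 'atom'. */
    int used_after_sweep = atom->freed;

    if (pin_atom)
        atom->held--;        /* release once the JSFunction would root it   */
    return used_after_sweep;
}

int main(void)
{
    printf("unpinned atom swept before use: %d\n", define_function_race(0));
    printf("pinned atom swept before use:   %d\n", define_function_race(1));
    return 0;
}
```

The model never touches freed memory; the tombstone flag stands in for the dangling pointer so the outcome is observable without undefined behaviour. The point it makes is the one the stack traces show: "Function" survives because something on the heap references it, "CreateDom" does not, because at the moment ClaimScope() lets the request go nothing but a C local holds it.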