Subj : js_MarkGCThing crash To : netscape.public.mozilla.jseng From : Shanti Rao Date : Thu Mar 25 2004 09:59 am Hi Brendan, Here's a minimal program to get SM to read from invalid memory. The problem occurs when JS_NewStringCopyN() calls garbage collection. The easy workaround is to set a GC disabler function whenever you are in a native method that needs to create a bunch of JSObjects. I set the pool size to be quite small so that you can see the effect without burning up too much heap. Cheers, Shanti #include "pshpack4.h" #define XP_PC #ifndef WIN32 #define WIN32 #endif #define EXPORT_JS_API #include #include #include JSBool myFunction(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) { int i, j, size=1024 * 128; char * text = new char[size]; JSString* s[3]; jsval arr[3]; for (j=0; j< 3; j++) { for (i=0; i < size; i++) text[i] = random(64)+32; s[j] = JS_NewStringCopyN(cx,text,size); JS_AddRoot(cx,s); arr[j]= STRING_TO_JSVAL(s[j]); } *rval = OBJECT_TO_JSVAL(JS_NewArrayObject(cx,3,arr)); for (j=0; j< 3; j++) { JS_RemoveRoot(cx,s[j]); } return JS_TRUE; } int main(int argc, char **argv) { JSRuntime* rt = JS_NewRuntime( 16* 1024); JSContext* cx = JS_NewContext(rt, 8192); jsval rval; static JSClass global_class = { "global", JSCLASS_HAS_PRIVATE, JS_PropertyStub, JS_PropertyStub, JS_PropertyStub, JS_PropertyStub, JS_EnumerateStub, JS_ResolveStub, JS_ConvertStub, JS_FinalizeStub }; static JSFunctionSpec myfunctions[] = { {"myFunction", myFunction, 0}, {0,0,0}}; JSObject * global = JS_NewObject(cx, &global_class, NULL, NULL); JS_InitStandardClasses(cx, global); JS_DefineFunctions(cx,global,myfunctions); char * commands = "var s=''; for (i=0;i<3;i++) {s=myFunction();}"; jsval result=0; JS_EvaluateScript(cx,global,commands,strlen(commands),"run",1,&result); JS_DestroyContext(cx); JS_DestroyRuntime(rt); JS_ShutDown(); return 0; } .