Subj : Re: Crashing in JS_EvaluateScript(). Any insight?
To   : netscape.public.mozilla.jseng
From : J.P.
Date : Wed Sep 08 2004 01:34 pm

Brendan Eich wrote:
> J.P. wrote:
>
>> I built the JS engine with JS_THREADSAFE using VC6. Now, when I call
>> JS_EvaluateScript(), it will occasionally crash.
>>
>> The call stack shows that the program crashes at
>> OBJ_SET_REQUIRED_SLOT(cx, obj, slot, v), because
>> obj->map->ops->setRequiredSlot is not a valid pointer, with value
>> 0xcdcdcdcd. Actually other function pointers such as getAttributes(),
>> setAttributes(), deleteProperty()... have the same value too.
>>
>> I just don't know where to start to fix it. Any hint?
>
> There's not nearly enough information here to help. It sounds like a
> dangling object pointer, which usually means you held onto an unrooted
> pointer in a native data structure, and passed it into the engine after
> the GC had collected the referenced object.
>
> You need to show the stack backtrace, and where in the engine the crash
> happens, and what the flow of parameters from your code into that point
> in the engine might be.
>
> /be

Now I am rooting that object after creating it, and removing the root on it
before destroying the context. It crashes while destroying the context, at the
assertion JS_ASSERT(root_points_to_gcArenaPool).

Here's the stack backtrace.

    gc_root_marker(JSDHashTable * 0x01989ec8, JSDHashEntryHdr * 0x01960274, unsigned long 2, void * 0x0195c978) line 972 + 41 bytes
    JS_DHashTableEnumerate(JSDHashTable * 0x01989ec8, int (JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *)* 0x00fe5e90 gc_root_marker(JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *), void * 0x0195c978) line 618 + 34 bytes
    js_GC(JSContext * 0x0195c978, unsigned int 0) line 1188 + 21 bytes
    js_ForceGC(JSContext * 0x0195c978, unsigned int 0) line 1000 + 13 bytes
    js_DestroyContext(JSContext * 0x0195c978, int 2) line 248 + 11 bytes
    JS_DestroyContext(JSContext * 0x0195c978) line 905 + 11 bytes
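
Added example, not part of the original post and not SpiderMonkey code: a toy mark-and-sweep collector in C that models the rooting rule described in the quoted reply (an object reachable only from a native variable is swept) and a root sanity check in the spirit of the assertion named above. Every name here (gc_new, gc_add_root, gc_remove_root, gc_collect, the scenario_* functions) and the 0xCD poison fill are assumptions of this model.

```c
/* Toy collector, constructed for illustration; not SpiderMonkey source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { NOBJ = 8, NROOT = 4 };
typedef struct Obj { uint32_t ops; uint32_t live; } Obj; /* ops: stand-in for obj->map->ops */
static Obj arena[NOBJ];    /* the GC heap; static, so stale reads stay defined in this demo */
static Obj **roots[NROOT]; /* a root is the ADDRESS of a variable that holds an Obj* */
static int nroots;
static int in_arena(const Obj *o) { return (uintptr_t)o - (uintptr_t)arena < sizeof arena; }
Obj *gc_new(void) {
    for (int i = 0; i < NOBJ; i++)
        if (!arena[i].live) { arena[i].ops = 0x1000; arena[i].live = 1; return &arena[i]; }
    return 0;
}
int gc_add_root(Obj **rp) { if (nroots == NROOT) return 0; roots[nroots++] = rp; return 1; }
int gc_remove_root(Obj **rp) {
    for (int i = 0; i < nroots; i++)
        if (roots[i] == rp) { roots[i] = roots[--nroots]; return 1; }
    return 0;
}
/* Mark from roots, sweep the rest; -1 means a root's value is not a live arena object. */
int gc_collect(void) {
    int marked[NOBJ] = {0}, swept = 0;
    for (int i = 0; i < nroots; i++) {
        Obj *o = *roots[i];
        if (!o) continue;                       /* empty root: nothing to mark */
        if (!in_arena(o) || !o->live) return -1;
        marked[o - arena] = 1;
    }
    for (int i = 0; i < NOBJ; i++)
        if (arena[i].live && !marked[i]) {      /* poison byte chosen to match the post */
            memset(&arena[i], 0xCD, sizeof arena[i]); arena[i].live = 0; swept++;
        }
    return swept;
}
/* Pointer held only in a native variable: the collector cannot see it. */
uint32_t scenario_unrooted(void) { Obj *o = gc_new(); gc_collect(); return o->ops; }
uint32_t scenario_rooted(void) {   /* same pointer, rooted across the collection */
    Obj *o = gc_new(); gc_add_root(&o); gc_collect();
    uint32_t v = o->ops; gc_remove_root(&o); return v;
}
int scenario_bad_root(void) {      /* registered root whose variable holds a non-heap address */
    Obj junk; Obj *o = &junk; gc_add_root(&o);
    int r = gc_collect(); gc_remove_root(&o); return r;
}
int main(void) {
    printf("unrooted ops=%#x rooted ops=%#x bad root=%d\n", (unsigned)scenario_unrooted(),
           (unsigned)scenario_rooted(), scenario_bad_root());
    return 0;
}
```

In this model the unrooted object's ops field reads back as the poison pattern after a collection, the rooted one keeps its value, and a root whose variable does not hold a live heap pointer is rejected by the collector's check.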