Subj: Re: Crashing in JS_EvaluateScript(). Any insight?
To: netscape.public.mozilla.jseng
From: J.P.
Date: Wed Sep 08 2004 02:55 pm

J.P. wrote:
> Brendan Eich wrote:
>
>> J.P. wrote:
>>
>>> I built the JS engine with JS_THREADSAFE using VC6. Now, when I call
>>> JS_EvaluateScript(), it will occasionally crash.
>>>
>>> The call stack shows that the program crashes at
>>> OBJ_SET_REQUIRED_SLOT(cx, obj, slot, v), because
>>> obj->map->ops->setRequiredSlot is not a valid pointer, with value
>>> 0xcdcdcdcd. Actually other function pointers such as getAttributes(),
>>> setAttributes(), deleteProperty()... have the same value too.
>>>
>>> I just don't know where to start to fix it. Any hint?
>>
>> There's not nearly enough information here to help. It sounds like a
>> dangling object pointer, which usually means you held onto an unrooted
>> pointer in a native data structure, and passed it into the engine
>> after the GC had collected the referenced object.
>>
>> You need to show the stack backtrace, and where in the engine the
>> crash happens, and what the flow of parameters from your code into
>> that point in the engine might be.
>>
>> /be
>
> Now I am rooting that object after creating it, and removing the root on it
> before destroying the context. It crashes during destroying the context at the
> assertion JS_ASSERT(root_points_to_gcArenaPool).
>
> Here's the stack backtrace.
>
> gc_root_marker(JSDHashTable * 0x01989ec8, JSDHashEntryHdr * 0x01960274,
> unsigned long 2, void * 0x0195c978) line 972 + 41 bytes
> JS_DHashTableEnumerate(JSDHashTable * 0x01989ec8, int (JSDHashTable *,
> JSDHashEntryHdr *, unsigned long, void *)* 0x00fe5e90
> gc_root_marker(JSDHashTable *, JSDHashEntryHdr *, unsigned long, void
> *), void * 0x0195c978) line 618 + 34 bytes
> js_GC(JSContext * 0x0195c978, unsigned int 0) line 1188 + 21 bytes
> js_ForceGC(JSContext * 0x0195c978, unsigned int 0) line 1000 + 13 bytes
> js_DestroyContext(JSContext * 0x0195c978, int 2) line 248 + 11 bytes
> JS_DestroyContext(JSContext * 0x0195c978) line 905 + 11 bytes

After carefully reading the API doc, I finally found the reason. Instead of passing a pointer JS_Object**, I passed JS_Object* to JS_AddRoot() and JS_RemoveRoot().
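A small C model of a precise GC root table, added here as an illustration and not code from the thread or from SpiderMonkey: it shows why JS_AddRoot() needs the address of the variable holding the object (JSObject **) and reproduces the root-points-into-arena check failing when the object pointer itself is registered instead. Every name in it (fake_object, gc_heap, add_root, root_points_into_heap, the demo functions) is invented for the example.

```c
/* Toy model of a precise GC root table (not SpiderMonkey code; all names invented).
 * A root must be the ADDRESS of the variable holding the object (JSObject **), because
 * the collector dereferences each root at GC time to find the live object. */
#include <stdint.h>
#include <string.h>

typedef struct fake_object { uintptr_t header; int value; } fake_object;
static fake_object gc_heap[4];                   /* stands in for the GC arena */
#define HEAP_BEGIN ((uintptr_t)&gc_heap[0])
#define HEAP_END   ((uintptr_t)&gc_heap[4])
static fake_object **roots[8];                   /* addresses of rooted variables */
static size_t nroots;

static int add_root(fake_object **rp) { if (nroots == 8) return 0; roots[nroots++] = rp; return 1; }
static void remove_root(fake_object **rp) {
    for (size_t i = 0; i < nroots; i++)
        if (roots[i] == rp) { roots[i] = roots[--nroots]; return; }
}
/* Mirrors the engine's root_points_to_gcArenaPool assertion: the pointer read through
 * the root must be NULL or the address of an object inside the heap. */
static int root_points_into_heap(fake_object **rp) {
    uintptr_t p;
    memcpy(&p, rp, sizeof p);                    /* read whatever the root refers to */
    return p == 0 || (p >= HEAP_BEGIN && p < HEAP_END && (p - HEAP_BEGIN) % sizeof(fake_object) == 0);
}
static int all_roots_valid(void) {
    for (size_t i = 0; i < nroots; i++)
        if (!root_points_into_heap(roots[i])) return 0;
    return 1;
}

/* Correct: register &obj, so the GC reads obj's current value.  Returns 1. */
int demo_correct_rooting(void) {
    fake_object *obj = &gc_heap[1];
    add_root(&obj);
    int ok = all_roots_valid();
    remove_root(&obj);
    return ok;
}
/* The mistake from the thread: register obj itself.  The GC then reads the object's
 * first word and treats it as an object pointer, so the check fails.  Returns 0. */
int demo_wrong_rooting(void) {
    fake_object *obj = &gc_heap[1];
    obj->header = (uintptr_t)0xcdcdcdcd;        /* debug-heap fill pattern, as in the crash */
    add_root((fake_object **)obj);
    int ok = all_roots_valid();
    remove_root((fake_object **)obj);
    return ok;
}
```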