Subj : SpiderMonkey crashes on invalid JSAtom*
To : netscape.public.mozilla.jseng
From : "itaj sherman"
Date : Wed Feb 05 2003 03:50 pm

hi,

i'm experiencing crashes in my application that have to do with the atom table that SpiderMonkey keeps on the JSRuntime.

the application compiles a main script and keeps it (with a rooted ScriptObject). then it starts many threads which all execute the compiled script over and over until the application is stopped.

recently i added native functionality that the main script can use, which evaluates other scripts or functions (the native functionality invokes JS_EvaluateScript or JS_CompileFunction + JS_CallFunctionValue with code supplied by the calling main script). so now the application actually happens to compile other scripts and functions many times as it runs. usually it's a total of about 30 scripts and functions.

these crashes never occurred before, when it was compiling only at the beginning and then only executing in multithread; it only occurs when the main script uses this new native functionality and makes the application compile other scripts during the execution.

* each thread uses one JSContext, for executing the main script and the other scripts that are invoked by the native function.
* all JS_*() calls are protected with JS_BeginRequest() - i have CHECK_REQUEST on with JS_PARANOID_REQUEST.

so, now when i execute the application it runs for a while and then crashes on a bad pointer of a JSAtom* that points to unallocated or invalid memory. it always happens during the evaluation of the dynamic scripts by the native function. it happens during execution of scripts for JSAtom*s kept in the bytecode, read by js_Interpret(), usually inside js_GetProperty which is invoked by js_Interpret. sometimes during JS_CompileFunction, inside JS_CompileUCFunctionForPrincipals when it does OBJ_DEFINE_PROPERTY for funAtom; then funAtom is invalid. it was assigned just a few lines earlier there:

    funAtom = js_Atomize(cx, name, strlen(name), 0);

* all the functions compiled by the native function are named "anonymus".

it seems like a problem with the locking on the atom hash table but i could not find the cause.

* it reproduces with the version that i downloaded with CVS on 30-dec-2002 and also with an older version i was using from 16-oct-2001.

i added this code at the end of js_AtomizeString() to check if the atom was valid right after getting it into the hash table, at jsatom.c[614]:

    out:
        {
            JS_ASSERT(atom);
            {
                jsval key = ATOM_KEY(atom);
                if (JSVAL_IS_STRING(key)) {
                    JSString *_str = JSVAL_TO_STRING(key);
                    /* the string held by the atom must be identical to the one just atomized */
                    JS_ASSERT(_str->length == str->length);
                    {
                        int i;
                        for (i = 0; i < _str->length; ++i) {
                            JS_ASSERT(_str->chars[i] == str->chars[i]);
                        }
                    }
                }
            }
        }
        JS_UNLOCK(&state->lock, cx);
        return atom;
    }

but it never failed the assertion, only crashed later after the atom was kept for a while (as before, in the bytecode or in the funAtom local variable of JS_CompileUCFunctionForPrincipals).

i have a special thread for GC that does nothing but call JS_ForceGC() periodically. i restricted the GC to be done only on that thread (returning JS_FALSE from the GC callback on other threads), but the crashes still occurred.