In fact, what happens is the following: according to my debugging and further testing, `nsObjectLoadingContent::SetupProtoChain` works fine (it successfully calls into the plugin DLL to obtain the JSObject instance) and returns to the caller. The exact place of the crash is this line: https://github.com/bitwiseworks/mozilla-os2/blob/master/js/src/vm/Interpreter.cpp#L3227. According to the debugger, the value of `regs.fp()` is 0x3, which isn't a valid address. As a result, the call to `isYielding()` causes a SIGSEGV (I found that out by single-stepping in IPMD through many assembler lines — why it doesn't pop up on a normal debugger run is another story, perhaps some of the exception handlers f*ck up, but it takes a really long time to single-step through such complex code).