Comment 5 for bug 128062

In , Bzbarsky (bzbarsky) wrote:

So Martijn stepped through this in a debugger a tad. We're hitting the
ThrowJSException call at
http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsJSNPRuntime.cpp#1130
with the following stack:

#0 NPObjWrapper_NewResolve(JSContext*, JSObject*, long, unsigned, JSObject**)
    (cx=0xd813d10, obj=0xd5741f8, id=78235236, flags=1, objp=0x22efc8)
    at c:/mozilla/mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1131
#1 0x6f2710d4 in js_LookupPropertyWithFlags (cx=0xd813d10, obj=0xd5741f8,
    id=78250592, flags=1, objp=0x22f09c, propp=0x22f098)
    at c:/mozilla/mozilla/js/src/jsobj.c:2594
...
#8 0x05206d6d in nsJSContext::CallEventHandler(JSObject*, JSObject*, unsigned,
long*, long*) (this=0xd813c40, aTarget=0xd5560b0, aHandler=0xd574150,
    argc=1, argv=0xd8580c0, rval=0x22fa54)
    at c:/mozilla/mozilla/dom/src/base/nsJSEnvironment.cpp:1427
#9 0x05223e6f in nsGlobalWindow::RunTimeout(nsTimeout*) (this=0xd8e59c8,
    aTimeout=0xeea5428)
    at c:/mozilla/mozilla/dom/src/base/nsGlobalWindow.cpp:6185

At this point, npobj is null. Attempting to get the JSClass of |obj| complains
about invalid memory reads and doesn't return anything (in Martijn's debugger).

Now in frame 1 "id & 3 == 0". So it's an atom. And we have:

> print *(JSAtom*)78250592
$7 = {entry = {next = 0x0, keyHash = 1198838323, key = 0x4a9c664,
    value = 0x0}, flags = 2, number = 4705}
(gdb) print 0x4a9c664
$5 = 78235236

Which matches the value of |id| in the resolve hook. That's great, but:

(gdb) print 78235236 & 7
$6 = 4

So it's a string.

> print *(JSString*)(78235236 & ~7)
$8 = {length = 226573584, chars = 0x20}

Which is not a happy string.

So my best guess is that this string is dead. So is |obj|, most likely. So
somewhere GC happened and things were not protected from it...

Brendan, Blake, want to check this out? There's no Flash 8 for Linux yet, so
I'd need to get a Windows env running to look....
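The tag arithmetic the comment walks through (check `id & 3`, check `key & 7`, strip the low bits to get the `JSString*`, then eyeball the header) can be captured in a few lines of C. The block below is an added example, not code from this bug report or from SpiderMonkey's sources: it models the 32-bit jsval tagging scheme of that era as an assumption (tag in the low 3 bits; 0 = object, 1 = int, 2 = double, 4 = string, 6 = boolean; pointers 8-byte aligned) and replays it on the two values from the gdb session. The `model_jsstring` struct and the `jsstring_looks_dead` heuristic are this example's own, not engine APIs; the string header it checks is constructed from the numbers gdb printed, not a real allocation.

```c
/* Added example: a self-contained model of the jsval tag decoding used in the
 * comment above. Tag constants are assumed from the SpiderMonkey of that era
 * (jsapi.h); nothing here links against the engine. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef uint32_t jsval_t;   /* 32-bit jsval, as on the Windows build in the trace */

#define TAGMASK     0x7u
#define TAG_OBJECT  0x0u
#define TAG_INT     0x1u    /* ints use only the lowest bit */
#define TAG_DOUBLE  0x2u
#define TAG_STRING  0x4u
#define TAG_BOOLEAN 0x6u

enum jsval_kind_t { K_OBJECT, K_INT, K_DOUBLE, K_STRING, K_BOOLEAN, K_UNKNOWN };

/* Classify a jsval by its tag bits: the "& 7" test from the gdb session. */
enum jsval_kind_t jsval_kind(jsval_t v) {
    if (v & TAG_INT) return K_INT;
    switch (v & TAGMASK) {
    case TAG_OBJECT:  return K_OBJECT;
    case TAG_DOUBLE:  return K_DOUBLE;
    case TAG_STRING:  return K_STRING;
    case TAG_BOOLEAN: return K_BOOLEAN;
    default:          return K_UNKNOWN;
    }
}

/* Strip the tag to recover the raw pointer: the "& ~7" step. */
uintptr_t jsval_payload(jsval_t v) { return v & ~(uintptr_t)TAGMASK; }

/* Atoms in frame 1 are plain 8-aligned pointers, so "id & 3 == 0". */
int looks_like_atom_pointer(jsval_t id) { return (id & 3u) == 0; }

/* Model of the two fields gdb printed for the JSString (not the engine's struct). */
struct model_jsstring { uint32_t length; const uint16_t *chars; };

/* Heuristic liveness check, this example's own: a live string has a modest
 * length and a chars pointer that is not in the zero page. A length of
 * ~226 million and chars == 0x20 are what freed or reused memory looks like. */
int jsstring_looks_dead(const struct model_jsstring *s, uint32_t max_len) {
    return s->length > max_len || (uintptr_t)s->chars < 4096;
}

/* Replays the values from the comment: 78250592 is |id| in frame 1,
 * 78235236 is atom->entry.key, and {226573584, 0x20} is the printed header. */
int trace_string_looks_dead(void) {
    /* Constructed from the gdb output; not a real allocation. */
    struct model_jsstring dead = { 226573584u, (const uint16_t *)(uintptr_t)0x20 };
    return jsstring_looks_dead(&dead, 1u << 24);
}

int main(void) {
    jsval_t id_frame1 = 78250592u;
    jsval_t atom_key  = 78235236u;

    printf("frame-1 id & 3 = %u (0 => atom pointer)\n", id_frame1 & 3u);
    printf("atom key & 7 = %u (4 => string), JSString* = 0x%lx\n",
           atom_key & TAGMASK, (unsigned long)jsval_payload(atom_key));
    printf("printed string header looks dead: %s\n",
           trace_string_looks_dead() ? "yes" : "no");
    return 0;
}
```

Running it reproduces the comment's reasoning: the frame-1 `id` has tag 0 (atom pointer), the atom's key has tag 4 (string) and decodes to 0x4a9c660, and the header at that address fails the sanity check, which is consistent with a string that has already been collected.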