Bug 111557: Mozilla crashes [JS_ArenaRealloc]
Status: Closed (VERIFIED FIXED)
Opened 23 years ago; Closed 23 years ago
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla0.9.7
People: Reporter: zheka, Assigned: brendan
Keywords: crash, js1.5
Attachments (2 files):
  422.92 KB, text/plain
  1.49 KB, patch (shaver: review+; jband_mozilla: superreview+)
Mozilla crashes on this page
Comment 1•23 years ago
Confirm crash: TB38399807X (why can't I copy-paste this string???) Build ID: 2001 11 20 03. Windows 2000. Reporter: Can you please change severity to "Critical" and add the keyword "crash".
Stack Signature: JS_ArenaRealloc be8c6215
Bug ID:
Trigger Time: 2001-11-22 23:52:03
Email Address: svante@nemesis.se
URL visited:
User Comments:
Build ID: 2001112006
Product ID: MozillaTrunk
Platform:
Operating System: Win32
Module:
Trigger Reason: Access violation
Stack Trace:
JS_ArenaRealloc [d:\builds\seamonkey\mozilla\js\src\jsarena.c, line 231]
EmitCheck [d:\builds\seamonkey\mozilla\js\src\jsemit.c, line 124]
js_Emit3 [d:\builds\seamonkey\mozilla\js\src\jsemit.c, line 193]
js_EmitTree [d:\builds\seamonkey\mozilla\js\src\jsemit.c, line 3009]
Statements [d:\builds\seamonkey\mozilla\js\src\jsparse.c, line 931]
js_CompileTokenStream [d:\builds\seamonkey\mozilla\js\src\jsparse.c, line 393]
CompileTokenStream [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 2833]
JS_CompileUCScriptForPrincipals [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 2913]
JS_EvaluateUCScriptForPrincipals [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3354]
nsJSContext::EvaluateString [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 654]
nsScriptLoader::EvaluateScript [d:\builds\seamonkey\mozilla\content\base\src\nsScriptLoader.cpp, line 576]
nsScriptLoader::ProcessRequest [d:\builds\seamonkey\mozilla\content\base\src\nsScriptLoader.cpp, line 484]
nsScriptLoader::ProcessScriptElement [d:\builds\seamonkey\mozilla\content\base\src\nsScriptLoader.cpp, line 428]
nsHTMLScriptElement::SetDocument [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLScriptElement.cpp, line 159]
nsGenericContainerElement::AppendChildTo [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 3725]
HTMLContentSink::ProcessSCRIPTTag [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 5133]
HTMLContentSink::AddLeaf [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 3495]
CNavDTD::AddLeaf [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3774]
CNavDTD::AddHeadLeaf [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3833]
CNavDTD::HandleStartToken [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 1719]
CNavDTD::HandleToken [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 895]
CNavDTD::BuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 526]
nsParser::BuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1989]
nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1853]
nsParser::OnDataAvailable [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 2511]
nsDocumentOpenInfo::OnDataAvailable [d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 242]
nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp, line 57]
nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2351]
nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp, line 203]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591]
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 524]
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1072]
nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp, line 303]
main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1316]
main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1633]
WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1651]
WinMainCRTStartup()
KERNEL32.DLL + 0x192a6 (0x77e992a6)
changing component, OS: All, adding to summary, confirming. Still crashes on linux. Can't find a dup.
Assignee: asa → rogerl
Status: UNCONFIRMED → NEW
Component: Browser-General → Javascript Engine
Ever confirmed: true
OS: Linux → All
QA Contact: doronr → pschwartau
Summary: Mozilla crashes → Mozilla crashes [JS_ArenaRealloc]
Comment 4•23 years ago
I also crash on WinNT. Using a debug build from 2001-11-19, I got this stack trace:
js_FinishCodeGenerator(JSContext * 0x0459c760, JSCodeGenerator * 0x0012efe0) line 97 + 42 bytes
CompileTokenStream(JSContext * 0x0459c760, JSObject * 0x0284c9c0, JSTokenStream * 0x02749ac0, void * 0x0459c7e0, int * 0x00000000) line 2846 + 16 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x0459c760, JSObject * 0x0284c9c0, JSPrincipals * 0x045c3400, const unsigned short * 0x050e0040, unsigned int 294240, const char * 0x04542eb0, unsigned int 5291) line 2911 + 23 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x0459c760, JSObject * 0x0284c9c0, JSPrincipals * 0x045c3400, const unsigned short * 0x050e0040, unsigned int 294240, const char * 0x04542eb0, unsigned int 5291, long * 0x0012f1a0) line 3353 + 33 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x0459c910, const nsAString & {...}, void * 0x0284c9c0, nsIPrincipal * 0x045c33fc, const char * 0x04542eb0, unsigned int 5291, const char * 0x00e2269c, nsAString & {...}, int * 0x0012f20c) line 653 + 85 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x04540660, const nsAFlatString & {...}) line 576
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x04540660) line 483 + 22 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x045c3550, nsIDOMHTMLScriptElement * 0x045530e8, nsIScriptLoaderObserver * 0x045530ec) line 426 + 15 bytes
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x045530c0, nsIDocument * 0x045c14e0, int 0, int 1) line 159
nsGenericHTMLContainerElement::AppendChildTo(nsGenericHTMLContainerElement * const 0x045c4f70, nsIContent * 0x045530c0, int 0, int 0) line 3881
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 5133
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x045c3610, const nsIParserNode & {...}) line 3494 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x040342b8) line 3767 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x040342b8) line 3825 + 15 bytes
CNavDTD::HandleStartToken(CToken * 0x0402eff8) line 1713 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x045c81c0, CToken * 0x00000000, nsIParser * 0x045c3b10) line 881 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x045c81c0, nsIParser * 0x045c3b10, nsITokenizer * 0x045c8060, nsITokenObserver * 0x00000000, nsIContentSink * 0x045c3610) line 517 + 20 bytes
nsParser::BuildModel() line 1985 + 34 bytes
nsParser::ResumeParse(int 1, int 0) line 1851 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x045c3b14, nsIRequest * 0x0376f510, nsISupports * 0x00000000, nsIInputStream * 0x045c88c0, unsigned int 427525, unsigned int 5512) line 2507 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x0376c1a0, nsIRequest * 0x0376f510, nsISupports * 0x00000000, nsIInputStream * 0x045c88c0, unsigned int 427525, unsigned int 5512) line 240 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x045c8a60, nsIRequest * 0x0376f510, nsISupports * 0x00000000, nsIInputStream * 0x0376ce20, unsigned int 427525, unsigned int 5512) line 56 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x0376f514, nsIRequest * 0x03769d94, nsISupports * 0x00000000, nsIInputStream * 0x0376ce20, unsigned int 427525, unsigned int 5512) line 2349 + 57 bytes
nsOnDataAvailableEvent::HandleEvent() line 193 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x04565dc4) line 80
PL_HandleEvent(PLEvent * 0x04565dc4) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x009c8670) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x029801cc, unsigned int 49599, unsigned int 0, long 10258032) line 1071 + 9 bytes
USER32! 77e7124c()
009c8670()
Comment 5•23 years ago
This looks to be a JS Engine issue. The problem occurs in the frame http://developer.novell.com/ndk/doc/ndslib/code.html This frame builds a navigation tree with dynamic JavaScript. I have copied the code and modified it to be a standalone JS shell script that I will attach below. It crashes with the same stack trace as originally reported above -
Comment 6•23 years ago
Here is the stack trace for the standalone JS shell test:
NTDLL! 77f762e8()
JS_ArenaRealloc(JSArenaPool * 0x00301dd8, void * 0x004244a4, unsigned int 2048, unsigned int 2048) line 237 + 40 bytes
EmitCheck(JSContext * 0x00301da0, JSCodeGenerator * 0x0012e1b8, int 127, int 3) line 122 + 138 bytes
js_Emit3(JSContext * 0x00301da0, JSCodeGenerator * 0x0012e1b8, int 127, unsigned char 8, unsigned char 201) line 191 + 19 bytes
js_EmitTree(JSContext * 0x00301da0, JSCodeGenerator * 0x0012e1b8, JSParseNode * 0x004626a8) line 3008 + 37 bytes
Statements(JSContext * 0x00301da0, JSTokenStream * 0x00466a90, JSTreeContext * 0x0012e1b8) line 927 + 61 bytes
js_CompileTokenStream(JSContext * 0x00301da0, JSObject * 0x002fb340, JSTokenStream * 0x00466a90, JSCodeGenerator * 0x0012e1b8) line 392 + 17 bytes
CompileTokenStream(JSContext * 0x00301da0, JSObject * 0x002fb340, JSTokenStream * 0x00466a90, void * 0x00301e20, int * 0x00000000) line 2831 + 24 bytes
JS_CompileFile(JSContext * 0x00301da0, JSObject * 0x002fb340, const char * 0x00307d60) line 2976 + 23 bytes
Load(JSContext * 0x00301da0, JSObject * 0x002fb340, unsigned int 1, long * 0x00420064, long * 0x0012e364) line 633 + 18 bytes
js_Invoke(JSContext * 0x00301da0, unsigned int 1, unsigned int 0) line 832 + 23 bytes
js_Interpret(JSContext * 0x00301da0, long * 0x0012fed8) line 2791 + 15 bytes
js_Execute(JSContext * 0x00301da0, JSObject * 0x002fb340, JSScript * 0x00349cc0, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 1012 + 13 bytes
JS_ExecuteScript(JSContext * 0x00301da0, JSObject * 0x002fb340, JSScript * 0x00349cc0, long * 0x0012fed8) line 3251 + 25 bytes
Process(JSContext * 0x00301da0, JSObject * 0x002fb340, char * 0x00000000) line 371 + 22 bytes
ProcessArgs(JSContext * 0x00301da0, JSObject * 0x002fb340, char * * 0x00301f24, int 0) line 529 + 17 bytes
main(int 0, char * * 0x00301f24) line 2111 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1b9ea()
Comment 7•23 years ago
Comment 8•23 years ago
Reassigning to Kenton; cc'ing Brendan on this JS crash
Assignee: rogerl → khanson
Comment 9•23 years ago
On closer inspection of Rhino, the JS standalone test does pass in interpreted mode, but fails in compiled mode with this error:

Complete testcase output was:
java.lang.RuntimeException: java.lang.ClassFormatError: c47 (Code of a method longer than 65535 bytes)
    at org.mozilla.javascript.optimizer.Codegen.compile(Codegen.java:135)
    at org.mozilla.javascript.Context.compile(Context.java:1829)
    at org.mozilla.javascript.Context.compile(Context.java:1754)
    at org.mozilla.javascript.Context.compileReader(Context.java:856)
    at org.mozilla.javascript.Context.evaluateReader(Context.java:774)
    at org.mozilla.javascript.tools.shell.Main.evaluateReader(Main.java:312)
    at org.mozilla.javascript.tools.shell.Main.processFile(Main.java:303)
etc.

The test is pretty big (425K). But the website does load in IE6 and NN4.7! And the problem frame, http://developer.novell.com/ndk/doc/ndslib/code.html, does seem to use the same codepath for Mozilla/N6 as for NN4.7:

/******************************************************************************
 * Global variables. Not to be altered unless you know what you're doing.    *
 * User-configurable options are at the end of this document.                *
 ******************************************************************************/
var MTMLoaded = false;
var MTMLevel;
var MTMBar = new Array();
var MTMIndices = new Array();
var MTMBrowser = null;
var MTMNN3 = false;
var MTMNN4 = false;
var MTMIE4 = false;
var MTMUseStyle = true;

if(navigator.appName == "Netscape" && navigator.userAgent.indexOf("WebTV") == -1) {
  if(parseInt(navigator.appVersion) == 3 && (navigator.userAgent.indexOf("Opera") == -1)) {
    MTMBrowser = true;
    MTMNN3 = true;
    MTMUseStyle = false;
  } else if(parseInt(navigator.appVersion) >= 4) {
    MTMBrowser = true;
    MTMNN4 = true;
  }
} else if (navigator.appName == "Microsoft Internet Explorer" && parseInt(navigator.appVersion) >= 4) {
  MTMBrowser = true;
  MTMIE4 = true;
}
Updated•23 years ago
Attachment #59280 -
Attachment description: JS testcase; loads OK in Rhino but crashes in SpiderMonkey → JS testcase; loads in rhinoi; crashes in rhino and SpiderMonkey
Comment 10•23 years ago
Testcase added to JS testsuite: mozilla/js/tests/js1_5/Regress/regress-111557.js
Comment 11•23 years ago (Assignee)
Mine, I'm sure. /be
Assignee: khanson → brendan
Keywords: js1.5, mozilla0.9.7
Priority: -- → P1
Target Milestone: --- → mozilla0.9.7
Comment 12•23 years ago (Assignee)
I'm a dumbass -- if during JS_ArenaRealloc, realloc "moves the arena", and there's a "next" arena that is oversized, the next arena's header contains a back-pointer to the moved arena's old address. Forgot to update that! /be
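To make the defect described in the comment above concrete, here is a small C model of an arena list with the same back-pointer scheme. It is an added example written for this page, not the jsarena.c source or the attached patch: arenas form a singly linked list, and an oversized arena records the address of its predecessor's `next` field so it can be unlinked or relinked without walking the list. `arena_grow` relocates an arena the way a moving realloc would; with `fix_next_backptr` set to 0 it omits the update that JS_ArenaRealloc was missing, so the following oversized arena's back-pointer is left aimed at the freed block, which the invariant walk `pool_links_consistent` detects. All names here (`Arena`, `Pool`, `arena_append`, `arena_move`, `arena_grow`, `pool_links_consistent`, `scenario`) are this example's own and not SpiderMonkey identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a SpiderMonkey-style arena list (example for this
 * page, not jsarena.c). An "oversized" arena keeps a back-pointer to its
 * predecessor's `next` field; a normal arena has backptr == NULL. */
typedef struct Arena {
    struct Arena  *next;
    struct Arena **backptr;   /* &prev->next for oversized arenas, else NULL */
    size_t         capacity;
    unsigned char  data[];    /* payload follows the header */
} Arena;

typedef struct {
    Arena *head;      /* first, normally sized arena */
    Arena *current;   /* arena that new allocations are served from */
} Pool;

/* Append a new arena at the tail of the pool (append-only, so current is the tail). */
static Arena *arena_append(Pool *pool, size_t capacity, int oversized)
{
    Arena *a = calloc(1, sizeof(Arena) + capacity);
    if (!a)
        abort();
    a->capacity = capacity;
    if (!pool->head) {
        pool->head = a;
    } else {
        Arena *prev = pool->current;
        prev->next = a;
        if (oversized)
            a->backptr = &prev->next;
    }
    pool->current = a;
    return a;
}

/* A realloc that always relocates: the new block is allocated before the old
 * one is freed, so the arena is guaranteed to move (the case that crashed). */
static Arena *arena_move(Arena *a, size_t new_capacity)
{
    Arena *b = calloc(1, sizeof(Arena) + new_capacity);
    if (!b || new_capacity < a->capacity)
        abort();
    memcpy(b, a, sizeof(Arena) + a->capacity);   /* header and payload */
    b->capacity = new_capacity;
    free(a);
    return b;
}

/* Grow oversized arena `a`. fix_next_backptr == 0 reproduces the defect
 * from comment 12; fix_next_backptr == 1 performs the missing update. */
static Arena *arena_grow(Pool *pool, Arena *a, size_t new_capacity,
                         int fix_next_backptr)
{
    Arena *b = arena_move(a, new_capacity);

    /* Relink the arena that moved: its predecessor and the pool cursor. */
    if (b->backptr)
        *b->backptr = b;
    else
        pool->head = b;
    if (pool->current == a)
        pool->current = b;

    /* The successor, if oversized, still holds &a->next: the old address.
     * Any later unlink or realloc of that successor would write through it
     * into freed memory unless it is repointed at the new block. */
    if (fix_next_backptr && b->next && b->next->backptr)
        b->next->backptr = &b->next;
    return b;
}

/* Invariant check: every oversized arena's back-pointer must refer to the
 * `next` field of its actual predecessor. Returns 1 if the list is sound. */
static int pool_links_consistent(Pool *pool)
{
    Arena *prev = NULL;
    for (Arena *a = pool->head; a; prev = a, a = a->next) {
        if (a->backptr && (!prev || a->backptr != &prev->next))
            return 0;
    }
    return 1;
}

static void pool_free(Pool *pool)
{
    for (Arena *a = pool->head; a;) {
        Arena *n = a->next;
        free(a);
        a = n;
    }
    pool->head = pool->current = NULL;
}

/* Build head -> A (oversized) -> C (oversized), grow A so it moves, and
 * report whether the list is still consistent and A's payload survived. */
static int scenario(int fixed)
{
    Pool pool = {0};
    arena_append(&pool, 64, 0);
    Arena *a = arena_append(&pool, 4096, 1);
    strcpy((char *)a->data, "bytecode");   /* constructed payload */
    arena_append(&pool, 4096, 1);

    Arena *b = arena_grow(&pool, a, 8192, fixed);
    int ok = pool_links_consistent(&pool) &&
             strcmp((char *)b->data, "bytecode") == 0;
    pool_free(&pool);
    return ok;
}

int main(void)
{
    printf("links consistent without the fix: %d\n", scenario(0));
    printf("links consistent with the fix:    %d\n", scenario(1));
    return 0;
}
```

The buggy path never dereferences the stale pointer here; the consistency walk only compares addresses, so the program stays well defined while still showing which invariant the original code broke. In the real engine the stale `&a->next` is written through the next time that oversized arena is unlinked or grown, which is the heap corruption behind the access violation in the traces above. A walk like `pool_links_consistent` is the kind of invariant worth keeping under an assertion in debug builds of any allocator that caches addresses of its own bookkeeping fields.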
Comment 13•23 years ago
Comment on attachment 59288 (proposed fix): r/sr=jband
Attachment #59288 -
Flags: superreview+
Comment 14•23 years ago
Comment on attachment 59288 (proposed fix): r=shaver
Attachment #59288 -
Flags: review+
Comment 15•23 years ago (Assignee)
Phil, are we thinking of doing another RC (RC4)? We need to, but if it's off the 0.9.6 branch, we'll want to pull this fix. /be
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 16•23 years ago
Verified Fixed. The JS testcase now passes on WinNT, Linux, and Mac9.1; in both the debug and optimized JS shell. In addition, Mozilla trunk binaries 20011203xx on WinNT, Linux, and 20011126xx on Mac9.1 have no trouble loading the URL above. When I make the next JS tarball, I will be pulling off the trunk, so this fix will definitely be included -
Status: RESOLVED → VERIFIED
Updated•19 years ago
Flags: testcase+