Closed Bug 169534 Opened 23 years ago Closed 21 years ago

crash on opening page

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dick-curtis, Assigned: rogerl)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [QA note: see Comment #12])

Attachments

(3 files, 1 obsolete file)

Talkback ID
56 bytes, text/plain
Details
Talkback stack traces from Comments #3 and #6
7.20 KB, text/plain
Details
Standalone JS shell testcase. Load it and crash -
197 bytes, text/plain
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2a) Gecko/20020910 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2a) Gecko/20020910 Page contains only JavaScript that uses a regular expression to edit a string. Reproducible: Always Steps to Reproduce: 1.simply attempt to load page 2. 3. Actual Results: get message that Mozilla has created an error and will shut down. Message states that a lod entry will be made, but I cannot find the log. Expected Results: Display result of editing string. If there is an error in the regular expression, report to me the error. The page loads correctly in IE 5.5 and Netscape 4.7. I don't have the Talkback crash ID. I will attempt again and amend this report.
Attached file data from Talkback after crash (obsolete) —
Keywords: crash, stackwanted
no crash on WinXP testing with build 2002091808 trunk. WFM. Reporter: If you submitted a talkback to Netscape, you can read the talkback ID by starting something like C:\programfiles\mozilla.org\Mozilla\components\talkback.exe (It tends to transmit the talkback and then close again faster than the receipt (the ID) can be read)
confirming this crash with trunk 2002091808 on win2k. TB11162671Z
Status: UNCONFIRMED → NEW
Ever confirmed: true
ntdll.dll + 0x4b317 (0x77fcb317) MSVCRT.DLL + 0x10a8 (0x780010a8) MSVCRT.DLL + 0x1045 (0x78001045) nsScannerString::nsScannerString [c:/builds/seamonkey/mozilla/htmlparser/src/nsScanner.cpp, line 53] nsScanner::AppendToBuffer [c:/builds/seamonkey/mozilla/htmlparser/src/nsScanner.cpp, line 1405] nsScanner::nsScanner [c:/builds/seamonkey/mozilla/htmlparser/src/nsScanner.cpp, line 116] nsParser::Parse [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1589] nsHTMLDocument::WriteCommon [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 2667] nsHTMLDocument::ScriptWriteCommon [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 2766] nsHTMLDocument::Write [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 2790] XPTC_InvokeByIndex [c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 106] XPCWrappedNative::CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 1996] XPC_WN_CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1267] js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 841] js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2804] js_Execute [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 1022] JS_EvaluateUCScriptForPrincipals [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3384] nsJSContext::EvaluateString [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 702] nsScriptLoader::EvaluateScript [c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 570] nsScriptLoader::ProcessRequest [c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 478] nsScriptLoader::ProcessScriptElement [c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 422] nsHTMLScriptElement::MaybeProcessScript [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 427] nsHTMLScriptElement::SetDocument [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 198] nsGenericContainerElement::AppendChildTo [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 3995] HTMLContentSink::ProcessSCRIPTTag [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 5112] HTMLContentSink::AddLeaf [c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3332] CNavDTD::AddLeaf [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 3806] CNavDTD::HandleScriptToken [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 2277] CNavDTD::OpenContainer [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 3451] CNavDTD::HandleDefaultStartToken [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 1352] CNavDTD::HandleStartToken [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 1757] CNavDTD::HandleToken [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 913] CNavDTD::BuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 530] nsParser::BuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1890] nsParser::ResumeParse [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1754] nsParser::OnDataAvailable [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 2390] nsDocumentOpenInfo::OnDataAvailable [c:/builds/seamonkey/mozilla/uriloader/base/nsURILoader.cpp, line 246] nsStreamListenerTee::OnDataAvailable [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 98] nsHttpChannel::OnDataAvailable [c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3032] nsOnDataAvailableEvent::HandleEvent [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerProxy.cpp, line 204] PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 644] PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 577] _md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 1309] nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 472] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1524] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1872] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1892] WinMainCRTStartup() KERNEL32.DLL + 0x1ca90 (0x77e9ca90)
Keywords: stackwanted
A little digging in the Talkback DB turns up four incidents from the reporter with a feeble stack in comparison to Michael's. Considering the regular expression syntax, there might be a connection to bug 163323. The reporter's most recent Talkback incident: #11099990 Product ID MozillaTrunk Build ID 2002091014 Operating System Windows NT 5.0 build 2195 URL visited www.gangaji.org/2003/test/test_ann.htm User Comments going to the above page which contains JavaScript using Regular Expressions: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Untitled</title> <script language="JavaScript" type="text/javascript"> function db_to_html(s) { var re_link = /(\|)([\w\x81-\xff ]*)(\|)([\/a-z][\w:\/\.]*\.[a-z]{3,4})(\|)/ig; return s.replace(re_link, "<a href='$4'>$2</a>"); } </script> </head> <body> <script language="JavaScript"> <!-- var a_item = "To sign up click |here|https://www.xxxx.org/subscribe.htm|"; document.write(db_to_html(a_item)); //--> </script> </body> </html> Stack Trace ntdll.dll + 0x4b317 (0x77fcb317)
Attached file Talkback ID
Attachment #99720 - Attachment is obsolete: true
Here is the standalone JS shell testcase: var re = /(\|)([\w\x81-\xff ]*)(\|)([\/a-z][\w:\/\.]*\.[a-z]{3,4})(\|)/ig; var str = "To sign up click |here|https://www.xxxx.org/subscribe.htm|"; print(str.replace(re, "<a href='$4'>$2</a>")); This crashes in the current JS shell every time I load it. Here's the stack trace I keep getting on WinNT in the current debug JS shell: MSVCRT! 7800cb04() MSVCRT! 7800c6cd() JS_free(JSContext * 0x00301d60, void * 0x00307470) line 1443 + 10 bytes js_FinalizeObject(JSContext * 0x00301d60, JSObject * 0x002fb7f0) line 1845 + 19 bytes js_GC(JSContext * 0x00301d60, unsigned int 2) line 1311 + 11 bytes js_ForceGC(JSContext * 0x00301d60, unsigned int 2) line 993 + 13 bytes js_DestroyContext(JSContext * 0x00301d60, int 2) line 225 + 11 bytes JS_DestroyContext(JSContext * 0x00301d60) line 895 + 11 bytes main(int 2, char * * 0x00300014) line 2119 + 10 bytes JS! mainCRTStartup + 227 bytes KERNEL32! 77f1b9ea() If I build the JS shell with the big RegExp patch in bug 85721, I cannot reproduce this crash. Roger, what do you think? Should this bug be marked as a duplicate of bug 85721? If so, why don't we see any reference to RexExp code in the above stack trace? And why is this stack trace so different from the Talkback traces above? Is JS just corrupting memory or something? As Tom mentioned above, we might compare bug 163323, "Mozilla and xpcshell crash on string.split(/\b\W+(\b|$)/g) [@ str_split]" However, I have never been able to crash in the JS shell on that one. We could also compare bug 122076, "RegExp crash when following link". However, that one seemed to center on the use of \\/ in the regexp, which I don't see here. Plus, the stack trace was different than here -
Testcase added to JS testsuite: mozilla/js/tests/ecma_3/RegExp/regress-169534.js Currently passing in: 1. debug and opt JS shell with patch for bug 85721 applied 2. rhino and rhinoi shells (where this patch has already been applied) Crashing 100% of the time in: 1. current debug and opt JS shell
Yes, I believe the RegExp is likely corrupting memory, hence wildly arbitrary crashes. I'm going to track it down further in case the mega-patch has the bug but doesn't present in as dependable a manner. We're going to have to change the title on 85721 soon.
Status: NEW → ASSIGNED
Depends on: RegExpPerf
I've just noticed, the testcase above: mozilla/js/tests/ecma_3/RegExp/regress-169534.js is only failing for me on WinNT. On Linux and Mac OSX, the test passes whether run from the Perl test driver, via the -f option to the JS shell, or via the load() function within the JS shell. I think this is not too much of a surprise, given a bug like this that involves random memory corruption. I just wanted to note the fact here in case I forget about this later -
Whiteboard: [QA note: see Comment #12]
Fixed with bug 85721. /be
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: