Closed Bug 245426 Opened 20 years ago Closed 20 years ago

ABR crash opening url causes memory exception [@ _int_malloc]

Categories

Product / Component: Core :: JavaScript Engine
Type: defect
Hardware: x86
OS: Windows 2000
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 244470

People

(Reporter: vendors, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040602 Firefox/0.8.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040602 Firefox/0.8.0+

opening the url causes exception:
Firefox.exe - Application Error
The instruction "0x77fcb7b0" referenced memory at "0x00000069"
The memory could not be written.
Only happens on that url. 
My PC has only 128 M of ram so this may be an interaction with windows page
swapping but I don't know for sure. 

Reproducible: Always
Steps to Reproduce:
1. open the url from firefox
2. it crashes

Actual Results:  
memory exception as already described

Expected Results:  
opened the URL correctly like it does in IE

I checked the other bugs but none seems to mention memory exception with opening
a url.
I also posted a message about this on the forum and most others had the same
problem, but not everyone. Here's the discussion:
http://forums.mozillazine.org/viewtopic.php?p=556997#556997

WFM: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040602
Firefox/0.8.0+

Haven't tested on trunk.
(In reply to comment #0)
> User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040602 Firefox/0.8.0+
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040602 Firefox/0.8.0+
> 
> opening the url causes exception:
> Firefox.exe - Application Error
> The instruction "0x77fcb7b0" referenced memory at "0x00000069"
> The memory could not be written.
> Only happens on that url. 
> My PC has only 128 M of ram so this may be an interaction with windows page
> swapping but I don't know for sure. 
> 
> Reproducible: Always
> Steps to Reproduce:
> 1. open the url from firefox
> 2. it crashes
> 
> Actual Results:  
> memory exception as already described
> 
> Expected Results:  
> opened the URL correctly like it does in IE
> 
> I checked the other bugs but none seems to mention memory exception with opening
> a url.
> I also posted a message about this on the forum and most others had the same
> problem, but not everyone. Here's the discussion:
> http://forums.mozillazine.org/viewtopic.php?p=556997#556997


Also tested with old Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2.1)
Gecko/20021130 and it doesn't happen.
Got this on current Seamonkey cvs build.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1083075552 (LWP 14413)]
0x4074adac in _int_malloc () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4074adac in _int_malloc () from /lib/tls/libc.so.6
#1  0x4074ba75 in _int_realloc () from /lib/tls/libc.so.6
#2  0x4074c8fd in realloc () from /lib/tls/libc.so.6
#3  0x40029928 in JS_realloc (cx=0x87320e8, p=0x38, nbytes=76) at
/home/clfenwi/moz/mozilla/js/src/jsapi.c:1472
#4  0x4006abd4 in js_AllocSlot (cx=0x87320e8, obj=0x84d1d48, slotp=0x65) at
/home/clfenwi/moz/mozilla/js/src/jsobj.c:2115
#5  0x4008674e in js_AddScopeProperty (cx=0x87320e8, scope=0x8d56e28, id=17,
getter=0, setter=0, slot=4294967295, attrs=1, flags=0, shortid=0) at
/home/clfenwi/moz/mozilla/js/src/jsscope.c:1120
#6  0x4006cbd2 in js_SetProperty (cx=0x87320e8, obj=0x84d1d48, id=17,
vp=0xbfffd7d4) at /home/clfenwi/moz/mozilla/js/src/jsobj.c:2871
#7  0x4006070e in js_Interpret (cx=0x87320e8, result=0xbfffd968) at
/home/clfenwi/moz/mozilla/js/src/jsinterp.c:4499
#8  0x40052761 in js_Execute (cx=0x87320e8, chain=0x87a3c78, script=0x8d57818,
down=0x0, flags=101, result=0xbfffd968) at
/home/clfenwi/moz/mozilla/js/src/jsinterp.c:1507
#9  0x4002dc5b in JS_EvaluateUCScriptForPrincipals (cx=0x87320e8, obj=0x87a3c78,
principals=0x8ad0474, chars=0x43100010, length=123488, filename=0x8baae80
"http://groups-beta.google.com/group/alt.coffee/index/browse_frm/month/2004-05?",
lineno=99, rval=0xbfffd968) at /home/clfenwi/moz/mozilla/js/src/jsapi.c:3582
#10 0x414c0312 in nsJSContext::EvaluateString (this=0x8734500,
aScript=@0xbfffdb60, aScopeObject=0x87a3c78, aPrincipal=0x8ad0470,
aURL=0x8baae80
"http://groups-beta.google.com/group/alt.coffee/index/browse_frm/month/2004-05?",
aLineNo=99, aVersion=0x400911a2 "1.2", aRetValue=@0xbfffda80,
aIsUndefined=0xbfffda1c) at
/home/clfenwi/moz/mozilla/dom/src/base/nsJSEnvironment.cpp:912
#11 0x41348e59 in nsScriptLoader::EvaluateScript (this=0x8734500,
aRequest=0x8663490, aScript=@0xbfffdb60) at
/home/clfenwi/moz/mozilla/content/base/src/nsScriptLoader.cpp:681
#12 0x41348a83 in nsScriptLoader::ProcessRequest (this=0x8cd5508,
aRequest=0x8663490) at
/home/clfenwi/moz/mozilla/content/base/src/nsScriptLoader.cpp:598
#13 0x413488b0 in nsScriptLoader::ProcessScriptElement (this=Variable "this" is
not available.
) at /home/clfenwi/moz/mozilla/content/base/src/nsScriptLoader.cpp:544
#14 0x413ba64b in nsHTMLScriptElement::MaybeProcessScript (this=0x88184e8) at
/home/clfenwi/moz/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:620
#15 0x413b9ef0 in nsHTMLScriptElement::SetDocument (this=0x88184e8,
aDocument=0x8bd3478, aDeep=0, aCompileEventHandlers=1) at
/home/clfenwi/moz/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:446
#16 0x412f6c20 in nsGenericElement::AppendChildTo (this=0x8c21180,
aKid=0x88184e8, aNotify=0, aDeepSetDocument=0) at
/home/clfenwi/moz/mozilla/content/base/src/nsGenericElement.cpp:2511
#17 0x413deecf in HTMLContentSink::ProcessSCRIPTTag (this=0x8ad06a8,
aNode=@0x8bde440) at
/home/clfenwi/moz/mozilla/content/html/document/src/nsHTMLContentSink.cpp:4306
#18 0x413dc08a in HTMLContentSink::AddLeaf (this=0x8ad06a8, aNode=@0x8bde440) at
/home/clfenwi/moz/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3163
#19 0x41c39bc5 in CNavDTD::AddLeaf (this=0x8cd3748, aNode=0x8bde440) at
/home/clfenwi/moz/mozilla/parser/htmlparser/src/CNavDTD.cpp:3745
#20 0x41c37e6d in CNavDTD::HandleScriptToken (this=0x8cd3748, aNode=0x8bde440)
at /home/clfenwi/moz/mozilla/parser/htmlparser/src/CNavDTD.cpp:2298
#21 0x41c3952e in CNavDTD::OpenContainer (this=0x8cd3748, aNode=0x8bde440,
aTag=eHTMLTag_script, aClosedByStartTag=1, aStyleStack=0x0) at
/home/clfenwi/moz/mozilla/parser/htmlparser/src/CNavDTD.cpp:3397
#22 0x41c36760 in CNavDTD::HandleDefaultStartToken (this=0x8cd3748,
aToken=0x8bc7988, aChildTag=eHTMLTag_script, aNode=0x8bde440) at
/home/clfenwi/moz/mozilla/parser/htmlparser/src/CNavDTD.cpp:1430
#23 0x41c3723a in CNavDTD::HandleStartToken (this=0x8cd3748, aToken=0x8bc7988)
at /home/clfenwi/moz/mozilla/parser/htmlparser/src/CNavDTD.cpp:1808
#24 0x41c35cbb in CNavDTD::HandleToken (this=0x8cd3748, aToken=0x0,
aParser=0x8cd5908) at
/home/clfenwi/moz/mozilla/parser/htmlparser/src/CNavDTD.cpp:992
#25 0x41c35110 in CNavDTD::BuildModel (this=0x8cd3748, aParser=0x8cd5908,
aTokenizer=0x8c51bd8, anObserver=0x0, aSink=0x8ad06f8) at
/home/clfenwi/moz/mozilla/parser/htmlparser/src/CNavDTD.cpp:477
#26 0x41c49700 in nsParser::BuildModel (this=0x8cd5908) at
/home/clfenwi/moz/mozilla/parser/htmlparser/src/nsParser.cpp:1895
#27 0x41c49417 in nsParser::ResumeParse (this=0x8cd5908, allowIteration=1,
aIsFinalChunk=0, aCanInterrupt=1) at
/home/clfenwi/moz/mozilla/parser/htmlparser/src/nsParser.cpp:1762
#28 0x41c4a7e5 in nsParser::OnDataAvailable (this=0x8cd5908, request=0x8bb2920,
aContext=0x0, pIStream=0x85ab7c0, sourceOffset=38338, aLength=17087) at
/home/clfenwi/moz/mozilla/parser/htmlparser/src/nsParser.cpp:2427
#29 0x41de973e in nsDocumentOpenInfo::OnDataAvailable (this=0x86679a8,
request=0x8bb2920, aCtxt=0x0, inStr=0x85ab7c0, sourceOffset=38338, count=17087)
at /home/clfenwi/moz/mozilla/uriloader/base/nsURILoader.cpp:342
#30 0x40dc060e in nsHTTPCompressConv::do_OnDataAvailable (this=0x8cd51f8,
request=0x8bb2920, aContext=0x0, aSourceOffset=38338, buffer=0x8c411b0 "  \n   
\n  \n  \n\n\n\n  \n    \n  \n  \n\n  \n    \n  \n  \n\n\n\n\n\n\n\n  \n    \n 
\n  \n\n  \n    \n  \n  \n\n  \n    \n  \n  \n\n\n\n\n\n\n\n  \n    \n  \n  \n\n
 \n    \n  \n  \n\n\n\n\n\n  \n    \n  \n  \n\n  \n    \n  \n  \n\n  \n    \n 
\n  \n\n\n\n\n\n\n\n  \n    \n  \n"..., aCount=17087) at
/home/clfenwi/moz/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:368
#31 0x40dc0441 in nsHTTPCompressConv::OnDataAvailable (this=0x8cd51f8,
request=0x8bb2920, aContext=0x0, iStr=0x8bf18a8, aSourceOffset=38338,
aCount=148136072) at
/home/clfenwi/moz/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:304
#32 0x40d9e32d in nsStreamListenerTee::OnDataAvailable (this=0x40e54f28,
request=0x8bb2920, context=0x0, input=0x8cd51f8, offset=38338, count=1430) at
/home/clfenwi/moz/mozilla/netwerk/base/src/nsStreamListenerTee.cpp:97
#33 0x40e238c9 in nsHttpChannel::OnDataAvailable (this=0x8bb2920,
request=0x8cd5158, ctxt=0x0, input=0x8c05d0c, offset=38338, count=1430) at
/home/clfenwi/moz/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:3698
#34 0x40d7c3d1 in nsInputStreamPump::OnStateTransfer (this=0x8c05dd0) at
/home/clfenwi/moz/mozilla/netwerk/base/src/nsInputStreamPump.cpp:434
#35 0x40d7c0b5 in nsInputStreamPump::OnInputStreamReady (this=0x8c05dd0,
stream=0x8c05d0c) at
/home/clfenwi/moz/mozilla/netwerk/base/src/nsInputStreamPump.cpp:337
#36 0x40aa6e77 in nsInputStreamReadyEvent::EventHandler (plevent=0x65) at
/home/clfenwi/moz/mozilla/xpcom/io/nsStreamUtils.cpp:118
#37 0x40ac39b9 in PL_HandleEvent (self=0x881145c) at
/home/clfenwi/moz/mozilla/xpcom/threads/plevent.c:692
#38 0x40ac3892 in PL_ProcessPendingEvents (self=0x80fd2e8) at
/home/clfenwi/moz/mozilla/xpcom/threads/plevent.c:627
#39 0x40ac6248 in nsEventQueueImpl::ProcessPendingEvents (this=0x8115208) at
/home/clfenwi/moz/mozilla/xpcom/threads/nsEventQueue.cpp:391
#40 0x41a786ba in event_processor_callback (source=0x831f968, condition=G_IO_IN,
data=0x8d46088) at /home/clfenwi/moz/mozilla/widget/src/gtk2/nsAppShell.cpp:67
#41 0x404e086f in g_io_unix_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#42 0x404bd9ca in g_main_context_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#43 0x404bfadb in g_main_context_iterate () from /opt/gnome/lib/libglib-2.0.so.0
#44 0x404bfd07 in g_main_loop_run () from /opt/gnome/lib/libglib-2.0.so.0
#45 0x401eb11f in gtk_main () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#46 0x081bb490 in ?? ()
#47 0x00000000 in ?? ()
#48 0x00000000 in ?? ()
#49 0x41a523ec in ?? () from
/home/clfenwi/moz/mozilla/mozgtk2/dist/bin/components/libwidget_gtk2.so
#50 0x081bb490 in ?? ()
#51 0x00000000 in ?? ()
#52 0x41a5b409 in ?? () from
/home/clfenwi/moz/mozilla/mozgtk2/dist/bin/components/libwidget_gtk2.so
#53 0x40125498 in ?? () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#54 0x41a9ba48 in __JCR_LIST__ () from
/home/clfenwi/moz/mozilla/mozgtk2/dist/bin/components/libwidget_gtk2.so
#55 0x081755f8 in ?? ()
#56 0xbfffee10 in ?? ()
#57 0xbfffecb8 in ?? ()
#58 0x4000ca40 in _dl_runtime_resolve () from /lib/ld-linux.so.2
#59 0x41a78c64 in nsAppShell::Run (this=0x81755f8) at
/home/clfenwi/moz/mozilla/widget/src/gtk2/nsAppShell.cpp:142
Previous frame inner to this frame (corrupt stack?)
Assignee: firefox → general
Component: General → Browser-General
Keywords: crash
Product: Firefox → Browser
QA Contact: firefox.general → general
Version: unspecified → Trunk
Assignee: general → general
Component: Browser-General → JavaScript Engine
QA Contact: general → pschwartau
Summary: crash opening url causes memory exception → crash opening url causes memory exception [@ _int_malloc]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040827

confirming.
Talkback ID: TB684900M
Status: UNCONFIRMED → NEW
Ever confirmed: true
[E] ABW: Array bounds write in js_Interpret {3 occurrences}
        Writing 4 bytes to 0x05a7e740 (4 bytes at 0x05a7e740 illegal)
        Address 0x05a7e740 is 2 bytes past the end of a 14039 byte block at
0x05a7b068
        Address 0x05a7e740 points to a HeapAlloc'd block in heap 0x00340000
        Thread ID: 0xcb78
        Error location
            js_Interpret+0xf704  [r:\mozilla\js\src\jsinterp.c:4174 ip=0x03cb744b]
                                                     ? (JSPropertyOp) obj
                                                     : NULL,
                                                     attrs,
                                                     &prop);
                            if (!ok)
                                goto out;
                            if (attrs == (JSPROP_ENUMERATE | JSPROP_PERMANENT) &&
                                script->numGlobalVars) {
                                /*
                                 * As with JSOP_DEFVAR and JSOP_DEFCONST
(above), fast globals
                                 * use fp->vars to map the global function
name's atomIndex to
                                 * its permanent fp->varobj slot number, tagged
as a jsval.
                                 */
                                sprop = (JSScopeProperty *) prop;
             =>                 fp->vars[atomIndex] = INT_TO_JSVAL(sprop->slot);
                            }
                            OBJ_DROP_PROPERTY(cx, parent, prop);
                            break;
                          }
                
                #if JS_HAS_LEXICAL_CLOSURE
                          case JSOP_DEFLOCALFUN:
                            /*
                             * Define a local function (i.e., one nested at the
top level of
                             * another function), parented by the current scope
chain, and
                             * stored in a local variable slot that the compiler
allocated.
                             * This is an optimization over JSOP_DEFFUN that
avoids requiring
                             * a call object for the outer function's activation.
                             */
        Allocation location
            HeapAlloc+0xc        [C:\WINDOWS\System32\KERNEL32.dll ip=0x67e633c8]
            calloc+0x54         
[f:\vs70builds\9466\vc\crtbld\crt\src\msize.c:120 ip=0x7c00171f]
            JS_ArenaAllocate+0x2b3 [r:\mozilla\js\src\jsarena.c:215 ip=0x03c5f0f9]
            js_AllocRawStack+0xc9 [r:\mozilla\js\src\jsinterp.c:330 ip=0x03ca481e]
            js_Execute+0x3c0     [r:\mozilla\js\src\jsinterp.c:1462 ip=0x03cba2a4]
            JS_EvaluateUCScriptForPrincipals+0x102
[r:\mozilla\js\src\jsapi.c:3664 ip=0x03c5823d]
            nsJSContext::EvaluateString(nsAString const&,void *,nsIPrincipal
*,char const*,UINT,char const*,nsAString *,int *)+0x5e8
[r:\mozilla\dom\src\base\nsjsenvironment.cpp:1001 ip=0x049cc06b]
            nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,nsString
const&)+0x29f [r:\mozilla\content\base\src\nsscriptloader.cpp:670 ip=0x04812d32]
            nsScriptLoader::ProcessRequest(nsScriptLoadRequest *)+0x11b
[r:\mozilla\content\base\src\nsscriptloader.cpp:586 ip=0x04812f6e]

my winembed hasn't crashed yet, but ...
Summary: crash opening url causes memory exception [@ _int_malloc] → ABR crash opening url causes memory exception [@ _int_malloc]

*** This bug has been marked as a duplicate of 244470 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ _int_malloc]