Closed Bug 14501 Opened 25 years ago Closed 25 years ago

[blocker] intermittent crash

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Windows NT
defect

VERIFIED WORKSFORME

People

(Reporter: buster, Assigned: norrisboyd)

Details

I have seen this crash twice in the past 2 days.  It seems that what I do to
trigger it is bring up the browser, let it sit for a few minutes without doing
anything to it (may be a coincidence), then use the task bar to bring up the
editor.  The crash occurs before the editor is fully initialized.

Looks like a timing issue?  Maybe a bug in nspr?  cc'd some folks who might be
interested.

The strings being passed into PR_sprintf_append are legit.

stack:

__sbh_free_block(tagHeader * 0x00a406ec, void * 0x0377f240) line 350 + 6 bytes
_realloc_base(void * 0x0377f240, unsigned int 100) line 101 + 13 bytes
realloc_help(void * 0x0377f260, unsigned int 64, int 1, const char * 0x00000000,
int 0, int 1) line 636 + 16 bytes
_realloc_dbg(void * 0x0377f260, unsigned int 64, int 1, const char * 0x00000000,
int 0) line 806 + 27 bytes
realloc(void * 0x0377f260, unsigned int 64) line 755 + 19 bytes
PR_Realloc(void * 0x0377f260, unsigned int 64) line 57 + 14 bytes
GrowStuff(SprintfStateStr * 0x0012dd38, const char * 0x017f1530, unsigned int
11) line 1066 + 16 bytes
fill2(SprintfStateStr * 0x0012dd38, const char * 0x017f1530, int 11, int -11,
int 0) line 122 + 17 bytes
cvt_s(SprintfStateStr * 0x0012dd38, const char * 0x017f1530, int 0, int -1, int
0) line 378 + 46 bytes
dosprintf(SprintfStateStr * 0x0012dd38, const char * 0x00c68859, char *
0x0012dd88) line 972 + 25 bytes
PR_vsprintf_append(char * 0x00000000, const char * 0x00c68844, char *
0x0012dd80) line 1218 + 17 bytes
PR_sprintf_append(char * 0x00000000, const char * 0x00c68844) line 1197 + 17
bytes
nsScriptSecurityManager::AddSecPolicyPrefix(JSContext * 0x033d7200, char *
0x017f1530) line 626 + 20 bytes
nsScriptSecurityManager::GetSecurityLevel(JSContext * 0x033d7200, char *
0x017f1530, int 0) line 579 + 16 bytes
nsScriptSecurityManager::CheckScriptAccess(nsScriptSecurityManager * const
0x01f63190, nsIScriptContext * 0x033d7370, void * 0x01d3fa18, const char *
0x017f1530, int 0, int * 0x0012de28) line 88 + 18 bytes
WindowDump(JSContext * 0x033d7200, JSObject * 0x01d3fa18, unsigned int 1, long *
0x02380d9c, long * 0x0012df90) line 1001
js_Invoke(JSContext * 0x033d7200, unsigned int 1, unsigned int 0) line 655 + 26
bytes
js_Interpret(JSContext * 0x033d7200, long * 0x0012e808) line 2232 + 15 bytes
js_Invoke(JSContext * 0x033d7200, unsigned int 1, unsigned int 0) line 671 + 13
bytes
js_Interpret(JSContext * 0x033d7200, long * 0x0012f03c) line 2232 + 15 bytes
js_Invoke(JSContext * 0x033d7200, unsigned int 1, unsigned int 2) line 671 + 13
bytes
js_InternalCall(JSContext * 0x033d7200, JSObject * 0x02382fe8, long 37236720,
unsigned int 1, long * 0x0012f1bc, long * 0x0012f174) line 748 + 15 bytes
JS_CallFunction(JSContext * 0x033d7200, JSObject * 0x02382fe8, JSFunction *
0x03550eb0, unsigned int 1, long * 0x0012f1bc, long * 0x0012f174) line 2634 + 32
bytes
nsJSContext::CallFunction(nsJSContext * const 0x033d7370, void * 0x02382fe8,
void * 0x03550eb0, unsigned int 1, void * 0x0012f1bc, int * 0x0012f1b8) line 231
+ 39 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x037536d0) line 103 + 48 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012f4d8, nsIDOMEvent * * 0x0012f484, unsigned int 7, nsEventStatus &
nsEventStatus_eIgnore) line 937 + 21 bytes
RDFElementImpl::HandleDOMEvent(RDFElementImpl * const 0x0354ff90, nsIPresContext
& {...}, nsEvent * 0x0012f4d8, nsIDOMEvent * * 0x0012f484, unsigned int 1,
nsEventStatus & nsEventStatus_eIgnore) line 2872
RDFElementImpl::ExecuteJSCode(nsIDOMElement * 0x0354ff80) line 3273
RDFElementImpl::ExecuteOnChangeHandler(nsIDOMElement * 0x0354ddf0, const
nsString & {...}) line 3196 + 14 bytes
RDFElementImpl::SetAttribute(RDFElementImpl * const 0x0354e050, int 0, nsIAtom *
0x028f7670, const nsString & {...}, int 1) line 2420
RDFElementImpl::SetAttribute(RDFElementImpl * const 0x0354e040, const nsString &
{...}, const nsString & {...}) line 1211 + 35 bytes
setAttribute(nsIWebShell * 0x033d8ce0, const char * 0x01c15cb8, const char *
0x01c15cb0, const nsString & {...}) line 259 + 55 bytes
nsArgCallbacks::ConstructBeforeJavaScript(nsArgCallbacks * const 0x033daeb0,
nsIWebShell * 0x033d8ce0) line 291 + 39 bytes
nsWebShellWindow::ExecuteStartupCode() line 2229
nsWebShellWindow::OnEndDocumentLoad(nsWebShellWindow * const 0x033d894c,
nsIDocumentLoader * 0x037257a0, nsIChannel * 0x03726a20, unsigned int 0,
nsIDocumentLoaderObserver * 0x03725e24) line 1977
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x03725e24, nsIDocumentLoader *
0x037257a0, nsIChannel * 0x03726a20, unsigned int 0, nsIDocumentLoaderObserver *
0x03725e24) line 3381
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x037257a0, unsigned
int 0) line 863
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x037257a4, nsIChannel *
0x03726a20, nsISupports * 0x00000000, unsigned int 0, const unsigned short *
0x00000000) line 748
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x03725730, nsIChannel *
0x03726a20, nsISupports * 0x00000000, unsigned int 0, const unsigned short *
0x00000000) line 597 + 39 bytes
nsInputStreamChannel::OnStopRequest(nsInputStreamChannel * const 0x03726a24,
nsIChannel * 0x03726810, nsISupports * 0x00000000, unsigned int 0, const
unsigned short * 0x00000000) line 331
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x03727d20) line
283
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03727cd0) line 152 + 12 bytes
PL_HandleEvent(PLEvent * 0x03727cd0) line 541 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a9cb70) line 500 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x02a10706, unsigned int 49308, unsigned int 0,
long 11127664) line 970 + 9 bytes
I'm not sure how I ended up on this cc list, but I'm adding Norris, since it
looks like his stuff.
Assignee: vidur → norris
I'll one-up warren and actually reassign the bug to norris. Though, I couldn't
recreate it for the life of me.
Status: NEW → ASSIGNED
I'll take it, but I don't know what I can do about it.
Summary: intermittent crash → [blocker] intermittent crash
I just got a similar crash with a similar stack that does not have any of
norris' code on the stack.  I really think the crash is down in the javascript
engine itself.

Crash du jour:
__sbh_free_block(tagHeader * 0x01df2f64, void * 0x0451b9d0) line 350 + 6 bytes
_realloc_base(void * 0x0451b9d0, unsigned int 144) line 101 + 13 bytes
realloc_help(void * 0x0451b9f0, unsigned int 108, int 1, const char *
0x00000000, int 0, int 1) line 636 + 16 bytes
_realloc_dbg(void * 0x0451b9f0, unsigned int 108, int 1, const char *
0x00000000, int 0) line 806 + 27 bytes
realloc(void * 0x0451b9f0, unsigned int 108) line 755 + 19 bytes
JS_realloc(JSContext * 0x05c0feb0, void * 0x0451b9f0, unsigned int 108) line 946
+ 14 bytes
js_AllocSlot(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, unsigned long *
0x0012f860) line 1373 + 20 bytes
js_NewScopeProperty(JSContext * 0x05c0feb0, JSScope * 0x040eeaf0, long 24638480,
int (JSContext *, JSObject *, long, long *)* 0x00340340
GetDocumentProperty(JSContext *, JSObject *, long, long *), int (JSContext *,
JSObject *, long, long *)* 0x00340800 SetDocumentProperty(JSContext *, JSObject
*, long, long *), unsigned int 0) line 445 + 20 bytes
js_DefineProperty(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, long 24638480,
long 78544448, int (JSContext *, JSObject *, long, long *)* 0x00340340
GetDocumentProperty(JSContext *, JSObject *, long, long *), int (JSContext *,
JSObject *, long, long *)* 0x00340800 SetDocumentProperty(JSContext *, JSObject
*, long, long *), unsigned int 0, JSProperty * * 0x00000000) line 1527 + 29
js_DefineFunction(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, JSAtom *
0x0177f410, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x0033fdb0 NSDocumentCreateElementWithNameSpace(JSContext *, JSObject *,
unsigned int, long *, long *), unsigned int 2, unsigned int 0) line 1750 + 40
bytes
JS_DefineFunction(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, const char *
0x003d5220, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x0033fdb0 NSDocumentCreateElementWithNameSpace(JSContext *, JSObject *,
unsigned int, long *, long *), unsigned int 2, unsigned int 0) line 2165 + 29
bytes
JS_DefineFunctions(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, JSFunctionSpec
* 0x003d5104) line 2147 + 44 bytes
JS_InitClass(JSContext * 0x05c0feb0, JSObject * 0x037b1698, JSObject *
0x037b1f78, JSClass * 0x003d5000 struct JSClass  DocumentClass, int (JSContext
*, JSObject *, unsigned int, long *, long *)* 0x00340a90 Document(JSContext *,
JSObject *, unsigned int, long *, long *), unsigned int 0, JSPropertySpec *
0x003d5048 DocumentProperties, JSFunctionSpec * ...) line 1255 + 53 bytes
NS_InitDocumentClass(nsIScriptContext * 0x05c0b080, void * * 0x00000000) line
917 + 44 bytes
nsJSContext::InitClasses(nsJSContext * const 0x05c0b080) line 356 + 79 bytes
nsJSContext::InitContext(nsJSContext * const 0x05c0b080, nsIScriptGlobalObject *
0x05c08814) line 284 + 12 bytes
NS_CreateScriptContext(nsIScriptGlobalObject * 0x05c08814, nsIScriptContext * *
0x05ad1e40) line 583
nsWebShell::CreateScriptEnvironment() line 3181 + 20 bytes
nsWebShell::GetScriptGlobalObject(nsWebShell * const 0x05ad1e20,
nsIScriptGlobalObject * * 0x0012fae0) line 3212 + 11 bytes
DocumentViewerImpl::Init(DocumentViewerImpl * const 0x05c15ab0, void *
0x017c05d0, nsIDeviceContext * 0x05ad17e0, nsIPref * 0x0123a7a0, const nsRect &
{...}, nsScrollPreference nsScrollPreference_kAuto) line 354 + 16 bytes
nsWebShell::Embed(nsWebShell * const 0x05ad1e10, nsIContentViewer * 0x05c15ab0,
const char * 0x05ad2c20, nsISupports * 0x00000000) line 886 + 69 bytes
nsDocumentBindInfo::OnStartRequest(nsDocumentBindInfo * const 0x05ad2b80,
nsIChannel * 0x05ad2a30, nsISupports * 0x00000000) line 1309 + 36 bytes
nsChannelListener::OnStartRequest(nsChannelListener * const 0x05ad2b00,
nsIChannel * 0x05ad2a30, nsISupports * 0x00000000) line 1560 + 43 bytes
nsHTTPResponseListener::FinishedResponseHeaders() line 680 + 37 bytes
nsHTTPResponseListener::OnDataAvailable(nsHTTPResponseListener * const
0x05c16fb0, nsIChannel * 0x05c139c0, nsISupports * 0x05ad2a30, nsIInputStream *
0x05c10478, unsigned int 0, unsigned int 202) line 166 + 8 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x05c15150)
line 359
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x05c110f0) line 152 + 12 bytes
PL_HandleEvent(PLEvent * 0x05c110f0) line 541 + 10 bytes

This crash needs some attention; it'll kill our MTBF.
The crash is not necessarily in the JS engine, although that's what trips over
the heap corruption (maybe guilty, maybe not; the core engine itself is one of
the oldest and most debugged pieces of code in the product).  This looks like a
job for purify.  Who has purify licensed and ready to go?

/be
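The point made above is that a crash inside realloc usually means something earlier trampled the heap, and the caller that faults (here a string-append routine growing its buffer) is merely the first code to trip over the damage. The C program below is an added illustration, not code from Mozilla or NSPR: it implements a small sprintf-append buffer of the kind the GrowStuff/PR_sprintf_append frames represent, brackets the block with guard words, and refuses to hand a block back to realloc once its guards are damaged, so corruption is reported at the next append rather than surfacing as an allocator crash. The StrBuf type, the sb_* functions, the guard value and the simulated overrun are all assumptions of this example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a growable string buffer with a guard word on each
 * side of the usable region.  Layout of one malloc'd block:
 *   [guard][cap bytes of usable data][guard] */
#define SB_GUARD 0xDEADBEEFu

typedef struct {
    char  *base;   /* start of the malloc'd block (leading guard) */
    size_t cap;    /* usable bytes between the guards */
    size_t len;    /* bytes of string stored, excluding the NUL */
} StrBuf;

static size_t block_size(size_t cap) { return sizeof(uint32_t) + cap + sizeof(uint32_t); }
static char  *sb_data(const StrBuf *sb) { return sb->base + sizeof(uint32_t); }

/* Guards may sit at unaligned addresses, so read/write them with memcpy. */
static void set_guard(char *p) { uint32_t g = SB_GUARD; memcpy(p, &g, sizeof g); }
static int  guard_ok(const char *p) { uint32_t g; memcpy(&g, p, sizeof g); return g == SB_GUARD; }

/* Returns 0 if both guards are intact, -1 if the block has been trampled. */
int sb_check(const StrBuf *sb) {
    if (!sb->base) return 0;                        /* empty buffer, nothing to check */
    if (!guard_ok(sb->base)) return -1;             /* underrun into the leading guard */
    if (!guard_ok(sb_data(sb) + sb->cap)) return -1; /* overrun into the trailing guard */
    return 0;
}

/* Grow the usable region to at least 'need' bytes (doubling, like GrowStuff). */
static int sb_grow(StrBuf *sb, size_t need) {
    size_t ncap = sb->cap ? sb->cap : 64;
    while (ncap < need) ncap *= 2;
    char *nb = realloc(sb->base, block_size(ncap));  /* realloc(NULL, n) acts as malloc */
    if (!nb) return -1;
    sb->base = nb;
    sb->cap = ncap;
    set_guard(sb->base);
    set_guard(sb_data(sb) + sb->cap);
    return 0;
}

/* Append formatted text; returns 0 on success, -1 on error or if the block is
 * already corrupt.  The check runs before any realloc, so a trampled block is
 * attributed here instead of blowing up inside the allocator. */
int sb_appendf(StrBuf *sb, const char *fmt, ...) {
    if (sb_check(sb) != 0) return -1;
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);            /* measure first */
    va_end(ap);
    if (n < 0) { va_end(ap2); return -1; }
    size_t need = sb->len + (size_t)n + 1;          /* +1 for the NUL */
    if (need > sb->cap && sb_grow(sb, need) != 0) { va_end(ap2); return -1; }
    vsnprintf(sb_data(sb) + sb->len, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    sb->len += (size_t)n;
    return 0;
}

const char *sb_str(const StrBuf *sb) { return sb->base ? sb_data(sb) : ""; }
void sb_free(StrBuf *sb) { free(sb->base); sb->base = NULL; sb->cap = sb->len = 0; }

/* Happy path: 100 bytes appended in 10 pieces forces one growth step (64 -> 128). */
int demo_append_ok(void) {
    StrBuf sb = {0};
    for (int i = 0; i < 10; i++)
        if (sb_appendf(&sb, "%s", "0123456789") != 0) { sb_free(&sb); return 0; }
    int ok = sb_check(&sb) == 0 && sb.len == 100 && sb.cap == 128
          && strncmp(sb_str(&sb), "0123456789", 10) == 0
          && strcmp(sb_str(&sb) + 90, "0123456789") == 0;
    sb_free(&sb);
    return ok;
}

/* Constructed fault: one byte written just past the usable region.  It lands in
 * our own trailing guard (still inside the malloc'd block), so the process heap
 * itself is untouched; the next append must refuse rather than call realloc. */
int demo_detects_trampled_block(void) {
    StrBuf sb = {0};
    if (sb_appendf(&sb, "%s", "abc") != 0) return 0;
    sb.base[sizeof(uint32_t) + sb.cap] = 'X';       /* simulated one-byte overrun */
    int refused   = sb_appendf(&sb, "%s", "def") != 0;
    int flagged   = sb_check(&sb) != 0;
    int unchanged = strcmp(sb_str(&sb), "abc") == 0;
    sb_free(&sb);
    return refused && flagged && unchanged;
}

int main(void) {
    printf("append ok: %d\n", demo_append_ok());
    printf("trample detected: %d\n", demo_detects_trampled_block());
    return 0;
}
```

Guard words of this kind are a cheap stand-in for what a debug heap or a tool like Purify does more thoroughly; their value is that the failure is reported with the trampled block in hand, which is exactly what a bare allocator crash in the traces above does not give you.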
Buster, do you have purify?  Can you run under purify and try to reproduce
(doesn't sound magic, maybe everyone on the cc: list who has purify and uses
it could do the startup/sit-idle/task-menu/editor thing)?  If this doesn't show
up under purify, we're going to have to analyze heap skidmarks.

Who should own this bug?  Norris, do you have purify?

/be
Summary: [blocker] intermittent crash → [blocker] intermittent crash launching editor from taskbar.
buster/jband/norris, can you try under purify?

leger/sujay, can we check for other crashes trying to launch other apps
from the taskbar, or figure out if this seems to be editor launch specific
I have extra copies of purify and quantify for anyone who needs them.
If this is specific to the Editor, then we should not be spending any time on
it until M14, since Editor is explicitly out for 'beta'. The beta PRD
explicitly requires removing all Editor UI for 'beta', including the taskbar
button, so there would be no way to reproduce this.
I tried a few times under purify on my office machine, no luck.  My home machine
doesn't have the horsepower, so I won't get the chance to try again until
Monday.
Priority: P3 → P1
Summary: [blocker] intermittent crash launching editor from taskbar. → [blocker] intermittent crash
changed the summary back to original text.
note my comment 09/23/99 23:01 and the stack trace included.  That looks like
the same corruption, but had nothing to do with launching the editor. It
happened while running browser buster.
I don't think this should wait.
I haven't yet been able to reproduce it.
Is anyone seeing this? I can't reproduce it.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → VERIFIED
Target Milestone: M10
Marking Verified as WorksForMe.  No one has seen this in some time.