Closed Bug 223166 Opened 21 years ago Closed 12 years ago

[@ js_ValueToNumber]

Categories

(Core :: XUL, defect)

x86
Windows 2000
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: timeless, Unassigned)

Details

(Keywords: crash, topcrash-)

Crash Data

I'd like to blame XUL, but I can't figure out how :(

Incident ID        24598953
Stack Signature    4068b859
Product ID         MozillaTrunk
Build ID           2003101904
Trigger Time       2003-10-20 18:21:00
Platform           Win32
Operating System   Windows NT 5.1 build 2600
Module             js3250.dll
User Comments      Tried to open Mail from the Quickstart
Trigger Reason     Access violation
Source File Name   c:/builds/seamonkey/mozilla/js/src/jsnum.c
Trigger Line No.   625
Stack Trace

js_ValueToNumber
[c:/builds/seamonkey/mozilla/js/src/jsnum.c, line 625]
js_Interpret
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2414]
js_Execute
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 1054]
JS_ExecuteScript
[c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3419]
nsJSContext::ExecuteScript
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1022]
nsXULDocument::ExecuteScript
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 3423]
nsXULDocument::LoadScript
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 3209]
nsXULDocument::ResumeWalk
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2954]
nsXULDocument::EndLoad
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 757]
XULContentSinkImpl::DidBuildModel
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULContentSink.cpp, line 461]
nsExpatDriver::DidBuildModel
[c:/builds/seamonkey/mozilla/htmlparser/src/nsExpatDriver.cpp, line 1035]
nsParser::DidBuildModel
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1247]
nsParser::ResumeParse
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1819]
nsParser::ContinueParsing
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1360]
CSSLoaderImpl::SheetComplete

Incident ID        24606821
Stack Signature    js_ValueToNumber 834954e4
Product ID         MozillaTrunk
Build ID           2003092514
Trigger Time       2003-10-21 00:55:35
Platform           Win32
Operating System   Windows NT 5.0 build 2195
Module             js3250.dll
Trigger Reason     Access violation
Source File Name   c:/builds/seamonkey/mozilla/js/src/jsnum.c
Trigger Line No.   667
Stack Trace

js_ValueToNumber
[c:/builds/seamonkey/mozilla/js/src/jsnum.c, line 667]
js_ValueToECMAInt32
[c:/builds/seamonkey/mozilla/js/src/jsnum.c, line 678]
js_Interpret
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2175]
js_Execute
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 1057]
JS_ExecuteScript
[c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3386]
nsJSContext::ExecuteScript
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1022]
nsXULDocument::ExecuteScript
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 3444]
nsXULDocument::LoadScript
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 3230]
nsXULDocument::ResumeWalk
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2975]
nsXULDocument::EndLoad
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULDocument.cpp, line 757]
XULContentSinkImpl::DidBuildModel
[c:/builds/seamonkey/mozilla/content/xul/document/src/nsXULContentSink.cpp, line 461]
nsExpatDriver::DidBuildModel
[c:/builds/seamonkey/mozilla/htmlparser/src/nsExpatDriver.cpp, line 1035]
nsParser::DidBuildModel
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1259]
nsParser::ResumeParse
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1831]
nsParser::ContinueParsing
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1372]

We probably need registers.

Registers and assembler would be great.

If someone can get the assembler I can pinpoint it if it's not obvious.

Registers:
EAX:	000edbb0 	EBX:	0151d7a8 	ECX:	0012f6e8 	EDX:	ffffff76
ESI:	fffffff8 	EDI:	01316623 	ESP:	0012fff8 	EBP:	00000000
EIP:	00000000 	cf pf af zf sf of IF df nt RF vm   IOPL: 0
CS:	001b	DS:	0023	SS:	0023	ES:	0023	FS:	0038	GS:	0000


Stack Dump:
0x0012fff0:                         0C 16 41 00 00 00 00 00 [         ..A..... ]

Caillon, do you know which crash the registers came from? There are two stacks. I'm
going to assume the first because that's the only one that would make sense.

Since EIP is null that most likely means the macro is calling into the object's
ops table and the function pointer is null. So it was called on a dead object or
invalid object. Anyone know what script is being executed, and what object or
thing would be trying to be converted to a number?

Yes, the registers are from the first. I am not sure I was aware there were two
stacks. :)

Well, something went terribly wrong. EBP and EIP are 0x0, so something trashed the
stack a bit. Given the decent stack, it looks like it wasn't too bad. The last
function called might be correct or it might not, but it does sync with the
previous caller. So best guess is something it called or a subsequent function
trashed the stack and we ended up in this state when we returned back to
js_initNumberClass.

If by some chance that's just screwy talkback data and you want to trust the
other stuff: the esi register, which according to my build holds the
JS Runtime pointer rt, is negative. That would mean the JS Context was deleted or trashed.

Unfortunately all that doesn't buy us a lot except the need to catch this under
something like valgrind/Purify or a debugger.
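
The register heuristics used in the comments above (EIP and EBP of 0, a negative ESI), applied to the dump posted in this bug. This is an added example, not part of the original bug or of Mozilla code; the flag names, the `triage` function and the 2 GB user address space limit are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag names are hypothetical; the heuristics are the ones applied in this bug. */
enum {
    EIP_NULL     = 1, /* jumped to address 0: null function pointer or zeroed return address */
    EBP_NULL     = 2, /* frame pointer is 0; read in this bug as a trashed stack */
    ESI_NOT_USER = 4  /* ESI is outside the default Win32 user address range */
};

/* Read the hex value that follows "NAME:" in the dump; returns 0 if absent. */
static int read_reg(const char *dump, const char *name, uint32_t *out) {
    char key[8], *end;
    snprintf(key, sizeof key, "%s:", name);
    const char *p = strstr(dump, key);
    if (!p) return 0;
    p += strlen(key);
    *out = (uint32_t)strtoul(p, &end, 16);
    return end != p;
}

/* Returns a bitmask of the flags above, or -1 if a register is missing. */
int triage(const char *dump) {
    uint32_t eip, ebp, esi;
    int flags = 0;
    if (!read_reg(dump, "EIP", &eip) || !read_reg(dump, "EBP", &ebp) ||
        !read_reg(dump, "ESI", &esi))
        return -1;
    if (eip == 0) flags |= EIP_NULL;
    if (ebp == 0) flags |= EBP_NULL;
    /* Assumption: default 2 GB user space, so 0x80000000 and above
       (here 0xfffffff8, i.e. -8) cannot be a valid user-mode pointer. */
    if (esi >= 0x80000000u) flags |= ESI_NOT_USER;
    return flags;
}

/* Register lines copied from the dump posted in this bug. */
static const char BUG_DUMP[] =
    "EAX:\t000edbb0 \tEBX:\t0151d7a8 \tECX:\t0012f6e8 \tEDX:\tffffff76\n"
    "ESI:\tfffffff8 \tEDI:\t01316623 \tESP:\t0012fff8 \tEBP:\t00000000\n"
    "EIP:\t00000000 \tcf pf af zf sf of IF df nt RF vm   IOPL: 0\n";

int main(void) {
    int f = triage(BUG_DUMP);
    printf("eip_null=%d ebp_null=%d esi_not_user=%d\n",
           !!(f & EIP_NULL), !!(f & EBP_NULL), !!(f & ESI_NOT_USER));
    return 0;
}
```

All three flags set together, as here, point at memory corruption rather than a plain bad argument, which is why the thread asks for a run under valgrind/Purify or a debugger.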

I still see this topcrash in Thunderbird and Sunbird, but it doesn't appear in Firefox. We don't really have any way to reproduce it though.

Assignee: hyatt → nobody
Keywords: topcrash → topcrash-
QA Contact: shrir → xptoolkit.xul
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ js_ValueToNumber]

The signature still appears on Firefox, but only on 3.6, not in newer versions.

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME