Closed
Bug 308111
Opened 19 years ago
Closed 19 years ago
browser crash when searching large e4x tree [@ GetProperty]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.8beta5
People
(Reporter: boogs, Assigned: brendan)
Details
(Keywords: crash, verified1.8)
Crash Data
Attachments
(6 files)
51.30 KB,
text/html
|
Details | |
51.59 KB,
text/plain
|
Details | |
3.26 KB,
patch
|
mrbkap
:
review+
shaver
:
superreview+
|
Details | Diff | Splinter Review |
2.83 KB,
patch
|
Details | Diff | Splinter Review | |
7.76 KB,
patch
|
Details | Diff | Splinter Review | |
7.15 KB,
patch
|
mrbkap
:
review+
shaver
:
superreview+
asa
:
approval1.8b5+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 Searches using foo.bar.(baz == 'hotdog') over large trees crashes DPb1. Reproducible: Always Steps to Reproduce: 1. Open attached file in FFb1 2. Say yes to security confirmation Actual Results: FF crashes. Expected Results: Printed out the name of each item in the tree, followed by ": 1" (because the match it is perforing should produce one result). It stops crashing if you make the source input significantly smaller (about a quarter the size worked forme).
Reporter | ||
Comment 1•19 years ago
|
||
Incident ID: 9264453 Stack Signature GetProperty() 1392ea8b Product ID FirefoxTrunk Build ID 2005091006 Trigger Time 2005-09-11 23:52:28.0 Platform MacOSX Operating System Darwin 8.2.0 Module libmozjs.dylib.1.0.0 + (00070d74) URL visited User Comments Since Last Crash 515 sec Total Uptime 93976 sec Trigger Reason SIGBUS: Bus Error: (signal 10) Source File, Line No. /builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4002 Stack Trace GetProperty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4002] GetProperty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4001] js_FilterXMLList() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 7871] js_Interpret() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 5068] js_Invoke() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 1183] js_InternalInvoke() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 1261] JS_CallFunctionValue() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsapi.c, line 4024] nsJSContext::CallEventHandler() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1430] nsJSEventListener::HandleEvent() nsEventListenerManager::HandleEventSubType() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 848] nsEventListenerManager::HandleEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1766] nsGlobalWindow::HandleDOMEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1523] DocumentViewerImpl::LoadComplete() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 842] nsDocShell::EndPageLoad() nsWebShell::EndPageLoad() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/docshell/base/nsWebShell.cpp, line 496] nsDocShell::OnStateChange() nsDocLoader::FireOnStateChange() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 848] nsDocLoader::doStopDocumentLoad() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 839] nsDocLoader::DocLoaderIsEmpty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 741] nsDocLoader::OnStopRequest() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 662] nsLoadGroup::RemoveRequest() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 848] nsDocument::DoUnblockOnload() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 388] nsDocument::HandleOnloadBlockerEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 5142] PL_HandleEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c, line 689] PL_ProcessPendingEvents() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c, line 623] CoreFoundation.368.12.0 + 0x23c8c (0x9074bc8c) CoreFoundation.368.12.0 + 0x231bc (0x9074b1bc) CoreFoundation.368.12.0 + 0x22c3c (0x9074ac3c) HIToolbox.221.0.0 + 0x8ac0 (0x93129ac0) HIToolbox.221.0.0 + 0xed768 (0x9320e768) HIToolbox.221.0.0 + 0xed51c (0x9320e51c) HIToolbox.221.0.0 + 0xed47c (0x9320e47c) nsMacMessagePump::GetEvent() nsMacMessagePump::DoMessagePump() nsAppShell::Run() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/widget/src/mac/nsAppShell.cpp, line 114] nsAppStartup::Run() XRE_main() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/toolkit/xre/nsAppRunner.cpp, line 2311] _start() start()
Severity: normal → critical
Keywords: crash
Summary: browser crash when searching large e4x tree → browser crash when searching large e4x tree [@ GetProperty]
Assignee | ||
Updated•19 years ago
|
Assignee: general → brendan
Flags: blocking1.8b5+
Assignee | ||
Comment 3•19 years ago
|
||
Assignee | ||
Comment 4•19 years ago
|
||
Oops, js_MarkLocalRoots marked only the top local root scope! There's another bug peculiar to filtering predicate expressions. Patch for that soon, I hope. /be
Attachment #195954 -
Flags: superreview?(shaver)
Attachment #195954 -
Flags: review?(mrbkap)
Assignee | ||
Comment 5•19 years ago
|
||
Assignee | ||
Comment 6•19 years ago
|
||
The patch might fix crashes Bob is seeing trying to test the patch for bug 280769. /be
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta5
Comment 7•19 years ago
|
||
Comment on attachment 195954 [details] [diff] [review] fix one of the bugs biting here, and possibly elsewhere r=mrbkap
Attachment #195954 -
Flags: review?(mrbkap) → review+
Comment on attachment 195954 [details] [diff] [review] fix one of the bugs biting here, and possibly elsewhere sr=shaver
Attachment #195954 -
Flags: superreview?(shaver)
Attachment #195954 -
Flags: superreview+
Attachment #195954 -
Flags: review?(mrbkap)
Attachment #195954 -
Flags: review+
Updated•19 years ago
|
Attachment #195954 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 9•19 years ago
|
||
diff -w version next. /be
Assignee | ||
Comment 10•19 years ago
|
||
I thought about relayering js_Interpret so common-case calls go through another level that allocates the stack frame, but that penalizes those cases even worse than adding two branch-tests. So to make up for that, I copied NS_*LIKELY macros from nscore.h into jstypes.h. /be
Attachment #196094 -
Flags: superreview?(shaver)
Attachment #196094 -
Flags: review?(mrbkap)
Comment 11•19 years ago
|
||
Comment on attachment 196094 [details] [diff] [review] diff -w version of last patch r=mrbkap
Attachment #196094 -
Flags: review?(mrbkap) → review+
Comment on attachment 196094 [details] [diff] [review] diff -w version of last patch sr=shaver
Attachment #196094 -
Flags: superreview?(shaver) → superreview+
Assignee | ||
Comment 13•19 years ago
|
||
Fixed on trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 14•19 years ago
|
||
Comment on attachment 196094 [details] [diff] [review] diff -w version of last patch We can let this bake, but E4X testing is required to find it, and the testcase is here (thanks, Aaron!), and this patch fixes it. /be
Attachment #196094 -
Flags: approval1.8b5?
Updated•19 years ago
|
Attachment #196094 -
Flags: approval1.8b5? → approval1.8b5+
Comment 16•19 years ago
|
||
Checking in regress-308111.js; /cvsroot/mozilla/js/tests/e4x/Regress/regress-308111.js,v <-- regress-308111.js initial revision: 1.1 done
Flags: testcase+
Updated•13 years ago
|
Crash Signature: [@ GetProperty]
You need to log in
before you can comment on or make changes to this bug.
Description
•