Closed Bug 314887 Opened 19 years ago Closed 19 years ago

crash if I open this site [@ js_GetGCThingFlags]

Categories: Core :: JavaScript Engine, defect, P1
Platform: x86, Windows 2000
Status: VERIFIED FIXED
Target Milestone: mozilla1.8rc1
Reporter: nemu.asakura, Assigned: brendan
Keywords: crash, js1.6, verified1.8
Attachments: 3 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051102 Firefox/1.5 (tete009)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051102 Firefox/1.5 (tete009)

same as summary.

Reproducible: Always

Happens for me with trunk nightly.  TB11394596Y
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1

Stack:
js_GetGCThingFlags  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 231]
js_GC  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1801]
js_ForceGC  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1510]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

Assignee: nobody → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: crash if I open this site. → crash if I open this site [@ js_GetGCThingFlags]
Version: unspecified → Trunk

Assertion failure: JSVAL_IS_GCTHING(lrc->roots[m]), at c:/work/mozilla/builds/ff/trunk/mozilla/js/src/jscntxt.c:660

Stack to assert:

js_MarkLocalRoots(JSContext * 0x0411aee8, JSLocalRootStack * 0x040a86b0) line 660 + 55 bytes
js_GC(JSContext * 0x0411aee8, unsigned int 0x00000000) line 1801 + 19 bytes
js_ForceGC(JSContext * 0x0411aee8, unsigned int 0x00000000) line 1510 + 13 bytes
JS_GC(JSContext * 0x0411aee8) line 1830 + 11 bytes
nsJSContext::Notify(nsJSContext * const 0x0411ae78, nsITimer * 0x0416da88) line 2161 + 13 bytes
nsTimerImpl::Fire() line 398
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x012c54c0) line 628
nsAppShell::Run(nsAppShell * const 0x032e6a20) line 142
nsAppStartup::Run(nsAppStartup * const 0x032e6980) line 161 + 26 bytes
XRE_main(int 0x00000003, char * * 0x003f6f48, const nsXREAppData * 0x0042101c kAppData) line 2289 + 35 bytes
main(int 0x00000003, char * * 0x003f6f48) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

+	name	0x00000000 ""
+	cx	0x0411aee8
-	lrs	0x040a86b0
	scopeMark	0x00000000
	rootCount	0x0000009f
+	topChunk	0x040a86bc
+	firstChunk	{...}
	n	0x0000009e
	m	0x0000009e
	mark	0x00000000
+	lrc	0x040a86bc

	lrc->roots[m]	0x80000001


Attached file base.js
Attached file top.htm
top.htm crashed as soon as it loaded when it referenced base.js from the local file system, but when loaded from bugzilla, you need to view source after it loads.
No crash in: 1.9a1_2005102721
Crash in: 1.9a1_2005102813
Attached patch obvious fix
Big dumb inconsistency, obvious fix, safe for 1.8 and must fix -- this will be a topcrash.

/be
Attachment #201768 - Flags: review?(mrbkap)
Attachment #201768 - Flags: approval1.8rc2?
Assignee: general → brendan
Flags: blocking1.8rc2+
Keywords: js1.6
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1
Attachment #201768 - Flags: review?(mrbkap) → review+
Fixed on trunk.

/be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

This probably already is a topcrash over in bug 314484. I should have caught this when I did the original review :-/

(In reply to comment #9)
> This probably already is a topcrash over in bug 314484.

Don't think so -- bug 314484 happens only on branch, and started spiking talkback on 11-oct, IIRC.  The checkin that caused this bug hit the trunk on 28-oct.

/be
Attachment #201768 - Flags: approval1.8rc2? → approval1.8rc2+
Fixed on 1.8 branch.

/be
Keywords: fixed1.8
Checking in regress-314887.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-314887.js,v  <--  regress-314887.js
initial revision: 1.1
done
Flags: testcase+
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8
verified fixed 1.8.x and trunk.
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_GetGCThingFlags]