Closed Bug 335429 Opened 18 years ago Closed 17 years ago

Crash in js1_5/Regress/regress-312588.js browser only

Categories: Core :: JavaScript Engine, defect
Hardware / OS: x86 / All
Priority: Not set
Severity: major
Status: RESOLVED WORKSFORME
People: Reporter: bc, Unassigned
Keywords: crash

I am seeing this crash on the win2k3 qa server only on the 1.8 branch opt builds but can't reproduce locally. Filing to keep on the radar.

js1_5/Regress/regress-312588.js: result: CRASHED 5 (551.343000 seconds) type: browser description: none : peachssh/2006-04-19-17-15-37-firefox-2.0-opt-1.8_2006041901
Flags: in-testsuite+
I now see this crash on windows and macppc in 1.8.0.5, 1.8, 1.9 and can reproduce it locally on trunk winxp now that I have oodles of ram. This test consumes 2.6G on my local machine.

In a trunk opt build it first alerts with the abort dialog, then the debug dialog but I was not able to attach the debugger to the crashed instance. Running the test with the debugger attached to process gives

strgcmps.dll!021e5bbb()
[Frames below may be incorrect and/or missing, no symbols loaded for strgcmps.dll]

A trunk debug build crashes as well, but I can't attach the debugger after the crash either. Running the test with the debugger attached crashes after a very long wait with

+		pOp	0x000000f0 {opcode=??? p1=??? p2=??? ...}	VdbeOp *

>	strgcmps.dll!sqlite3WhereEnd(WhereInfo * pWInfo=0x04a2b518)  Line 2116 + 0x6 bytes	C

Restarting with a new session after session restore gives Debug Error: Invalid allocation size with a really really really large size.

Jan, Dietrich: I don't know if you care about this crash but I've ccd you just to keep you in the loop.

In windows debug 1.8 build I crash with a global object that has a garbage collected vtable after the out of memory error.

       */
=>      nsIDocShell *docShell = globalObject->GetDocShell();
      if (docShell &&


-		globalObject	0x0033002d	nsIScriptGlobalObject *
-		nsISupports	{...}	nsISupports
+		__vfptr	0xcccccccc	*


>	gklayout.dll!NS_ScriptErrorReporter(JSContext * cx=0x033db5e8, const char * message=0x1010ab88, JSErrorReport * report=0x0012e804)  Line 204 + 0x8 bytes	C++
 	js3250.dll!js_ReportOutOfMemory(JSContext * cx=0x033db5e8)  Line 878 + 0xf bytes	C
 	js3250.dll!JS_ReportOutOfMemory(JSContext * cx=0x033db5e8)  Line 4733 + 0x9 bytes	C
 	js3250.dll!JS_malloc(JSContext * cx=0x033db5e8, unsigned int nbytes=88)  Line 1651 + 0x9 bytes	C
 	js3250.dll!js_NewScope(JSContext * cx=0x033db5e8, long nrefs=0, JSObjectOps * ops=0x1012e3e0, JSClass * clasp=0x10108290, JSObject * obj=0x2ff83198)  Line 144 + 0xb bytes	C
 	js3250.dll!js_GetMutableScope(JSContext * cx=0x033db5e8, JSObject * obj=0x2ff83198)  Line 71 + 0x69 bytes	C
 	js3250.dll!js_DefineNativeProperty(JSContext * cx=0x033db5e8, JSObject * obj=0x2ff83198, long id=12376664, long value=3, int (JSContext *, JSObject *, long, long *)* getter=0x10017ef0, int (JSContext *, JSObject *, long, long *)* setter=0x10018050, unsigned int attrs=4, unsigned int flags=0, int shortid=0, JSProperty * * propp=0x00000000)  Line 2831 + 0xd bytes	C
 	js3250.dll!js_DefineProperty(JSContext * cx=0x033db5e8, JSObject * obj=0x2ff83198, long id=12376664, long value=3, int (JSContext *, JSObject *, long, long *)* getter=0x10017ef0, int (JSContext *, JSObject *, long, long *)* setter=0x10018050, unsigned int attrs=4, JSProperty * * propp=0x00000000)  Line 2735 + 0x29 bytes	C
 	js3250.dll!InitArrayObject(JSContext * cx=0x033db5e8, JSObject * obj=0x2ff83198, unsigned long length=1, long * vector=0x0475e024)  Line 687 + 0x29 bytes	C
 	js3250.dll!Array(JSContext * cx=0x033db5e8, JSObject * obj=0x2ff83198, unsigned int argc=1, long * argv=0x0475e024, long * rval=0x0012ea54)  Line 1933 + 0x15 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x033db5e8, unsigned int argc=1, unsigned int flags=1)  Line 1349 + 0x1a bytes	C
 	js3250.dll!js_InvokeConstructor(JSContext * cx=0x033db5e8, long * vp=0x0475e01c, unsigned int argc=1)  Line 1893 + 0xf bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x033db5e8, unsigned char * pc=0x0346ca82, long * result=0x0012f5d8)  Line 3528 + 0x14 bytes	C
 	js3250.dll!js_Execute(JSContext * cx=0x033db5e8, JSObject * chain=0x03e08c20, JSScript * script=0x0346c9e0, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012f6e8)  Line 1598 + 0x13 bytes	C
 	js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x033db5e8, JSObject * obj=0x03e08c20, JSPrincipals * principals=0x00b318d4, const unsigned short * chars=0x0346b8b0, unsigned int length=2176, const char * filename=0x047c2588, unsigned int lineno=1, long * rval=0x0012f6e8)  Line 4322 + 0x19 bytes	C
 	gklayout.dll!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x03e08c20, nsIPrincipal * aPrincipal=0x00b318d0, const char * aURL=0x047c2588, unsigned int aLineNo=1, const char * aVersion=0x100f49ec, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x0012f74c)  Line 1124 + 0x43 bytes	C++
 	gklayout.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x04761a18, const nsString & aScript={...})  Line 772 + 0x53 bytes	C++
 	gklayout.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest=0x04761a18)  Line 673 + 0x16 bytes	C++
 	gklayout.dll!nsScriptLoader::OnStreamComplete(nsIStreamLoader * aLoader=0x04799600, nsISupports * aContext=0x04761a18, unsigned int aStatus=0, unsigned int stringLen=2176, const unsigned char * string=0x0346aff8)  Line 1040	C++
 	necko.dll!nsStreamLoader::OnStopRequest(nsIRequest * request=0x047c2658, nsISupports * ctxt=0x04761a18, unsigned int aStatus=0)  Line 137	C++

Brendan & Blake: please let me know how you want to handle this bug. The trunk issue may not be js related at all, but the 
Group: security
OS: Windows Server 2003 → All
Summary: Crash in js1_5/Regress/regress-312588.js Windows browser only → Crash in js1_5/Regress/regress-312588.js browser only
Version: 1.8 Branch → Trunk
1.8.0.5 (Firefox 1.5.0.5 cvs debug winxp) crashes with the same stack as 1.8 (Firefox 2) with a garbage collected vtable pointer in globalObject.
Note that js1_5/Regress/regress-271716-n.js also crashes the Windows/MacPPC 1.8.1 browser in NS_ScriptErrorReporter.

Windows has the same stack with 
-		globalObject	0x0032002d	nsIScriptGlobalObject *
-		nsISupports	{...}	nsISupports
+		__vfptr	0xcccccccc	*
*** Bug 343842 has been marked as a duplicate of this bug. ***
1.8/win from today crashes in js1_5/Regress/regress-312588.js with a similar stack with a bogus docshell

-		docShell	0x7c90fb78	nsIDocShell *
-		nsISupports	{...}	nsISupports
+		__vfptr	0xffffffff	*
Severity: normal → major
Keywords: crash
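A small triage helper, added here as an illustration and not part of this bug or of Mozilla's code: it scans debugger watch lines like the ones quoted above and labels the pointer values, using the MSVC debug fill patterns (0xcccccccc is what a debug build writes over uninitialised stack memory) plus a check for values that decode as printable UTF-16 text, which 0x0033002d and 0x0032002d do. The sample lines are constructed from the values quoted in this bug; the verdict strings and the regex are this example's own.

```python
"""Label pointer values in MSVC debugger watch lines (added example, not Mozilla code)."""
import re

# Fill values written by the MSVC debug runtime and the Windows debug heap.
MSVC_FILL = {
    0xCCCCCCCC: "uninitialised stack memory (MSVC debug build)",
    0xCDCDCDCD: "uninitialised heap memory (debug CRT)",
    0xDDDDDDDD: "freed heap memory (debug CRT)",
    0xFEEEFEEE: "freed heap memory (Windows debug heap)",
    0xABABABAB: "heap guard bytes past the end of an allocation",
    0xBAADF00D: "uninitialised LocalAlloc memory",
}
# Watch line shape: optional +/- tree marker, variable name, 0x-prefixed 32-bit value.
WATCH_RE = re.compile(r"^\s*[-+>]?\s*(\w+)\s+0x([0-9A-Fa-f]{8})\b")

def as_utf16(value):
    """Decode value as two little-endian UTF-16 units; None unless both print as ASCII."""
    units = (value & 0xFFFF, value >> 16)
    if all(0x20 <= u <= 0x7E for u in units):
        return "".join(chr(u) for u in units)
    return None

def classify(value):
    """One-line verdict for a 32-bit pointer-sized value."""
    if value in MSVC_FILL:
        return MSVC_FILL[value]
    if value == 0:
        return "null pointer"
    if value == 0xFFFFFFFF:
        return "-1 (INVALID_HANDLE_VALUE), not an object address"
    text = as_utf16(value)
    if text is not None:
        # 0x0033002d is L"-3": the pointer slot looks overwritten by string data.
        return f"decodes as UTF-16 text {text!r}; slot may hold string data"
    return "no known pattern; check against the loaded module map"

def triage(lines):
    """Return (name, value, verdict) for every watch line that carries a hex value."""
    results = []
    for line in lines:
        m = WATCH_RE.match(line)
        if m:
            value = int(m.group(2), 16)
            results.append((m.group(1), value, classify(value)))
    return results

# Constructed sample lines, modelled on the watch output quoted in this bug.
SAMPLE_WATCH = ["-\t\tglobalObject\t0x0033002d\tnsIScriptGlobalObject *",
                "+\t\t__vfptr\t0xcccccccc\t*", "-\t\tdocShell\t0x7c90fb78\tnsIDocShell *",
                "+\t\t__vfptr\t0xffffffff\t*"]
```

`triage(SAMPLE_WATCH)` labels the first `__vfptr` as uninitialised-stack fill, the second as -1, and reports `globalObject` as the UTF-16 text '-3'; `docShell` gets no verdict because 0x7c90fb78 matches no pattern.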
If you are not the right person to assign this to, please help us find someone that is.
Assignee: general → crowder
Not sure if I'm the right guy for this one; doesn't even seem obvious to me that it is a bug in JS Engine.
Assignee: crowder → general
I don't see the original issue any more. However on winxp 1.9.0 debug the test terminated with 

JavaScript error: http://test.mozilla.com/tests/mozilla.org/js/js1_5/Regress/regress-312588.js, line 54: out of memory
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "[JavaScript Error: "out of memory" {file: "chrome://global/content/bindings/progressmeter.xml" line: 37}]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: chrome://global/content/bindings/progressmeter.xml :: set_value :: line 37"  data: yes]
************************************************************
JavaScript error: , line 0: out of memory
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "[JavaScript Error: "Cc['@mozilla.org/browser/annotation-service;1'] has no properties" {file: "file:///c:/work/mozilla/builds/1.9.0/mozilla/firefox-debug/dist/bin/components/nsMicrosummaryService.js" line: 48}]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: file:///c:/work/mozilla/builds/1.9.0/mozilla/firefox-debug/dist/bin/components/nsMicrosummaryService.js :: anonymous :: line 48"  data: yes]
************************************************************
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "[JavaScript Error: "out of memory" {file: "file:///c:/work/mozilla/builds/1.9.0/mozilla/firefox-debug/dist/bin/components/nsUrlClassifierLib.js" line: 48}]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: file:///c:/work/mozilla/builds/1.9.0/mozilla/firefox-debug/dist/bin/components/nsUrlClassifierLib.js :: anonymous :: line 48"  data: yes]
************************************************************
Assertion failure: !rt->gcRunning, at c:/work/mozilla/builds/1.9.0/mozilla/js/src/jsgc.c:1352
That assertion may not be related to this test or winxp only, since I just crashed linux 1.9.0 debug with the same assertion during "normal" browsing. If I can get it to happen again on linux, I'll mark this bug wfm and file a new one on the assertion.
Marking works for me since the original issue is long gone. dveditz, should we go ahead and open this up?
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Group: core-security