Bug 111557 - Mozilla crashes [JS_ArenaRealloc]
Status: Closed, VERIFIED FIXED
Opened 23 years ago; closed 23 years ago
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla0.9.7
People: Reporter: zheka, Assigned: brendan
Keywords: crash, js1.5
Attachments (2 files):
  422.92 KB, text/plain
  1.49 KB, patch (shaver: review+; jband_mozilla: superreview+)
Mozilla crashes on this page
Comment 1•23 years ago
Confirm crash: TB38399807X (why can't I copy-paste this string???)
Build ID: 2001 11 20 03. Windows 2000.
Reporter: Can you please change severity to "Critical" and add the keyword "crash".
Stack Signature: JS_ArenaRealloc be8c6215
Bug ID:
Trigger Time: 2001-11-22 23:52:03
Email Address: svante@nemesis.se
URL visited:
User Comments:
Build ID: 2001112006
Product ID: MozillaTrunk
Platform:
Operating System: Win32
Module:
Trigger Reason: Access violation
Stack Trace:
JS_ArenaRealloc [d:\builds\seamonkey\mozilla\js\src\jsarena.c, line 231]
EmitCheck [d:\builds\seamonkey\mozilla\js\src\jsemit.c, line 124]
js_Emit3 [d:\builds\seamonkey\mozilla\js\src\jsemit.c, line 193]
js_EmitTree [d:\builds\seamonkey\mozilla\js\src\jsemit.c, line 3009]
Statements [d:\builds\seamonkey\mozilla\js\src\jsparse.c, line 931]
js_CompileTokenStream [d:\builds\seamonkey\mozilla\js\src\jsparse.c, line 393]
CompileTokenStream [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 2833]
JS_CompileUCScriptForPrincipals [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 2913]
JS_EvaluateUCScriptForPrincipals [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3354]
nsJSContext::EvaluateString [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 654]
nsScriptLoader::EvaluateScript [d:\builds\seamonkey\mozilla\content\base\src\nsScriptLoader.cpp, line 576]
nsScriptLoader::ProcessRequest [d:\builds\seamonkey\mozilla\content\base\src\nsScriptLoader.cpp, line 484]
nsScriptLoader::ProcessScriptElement [d:\builds\seamonkey\mozilla\content\base\src\nsScriptLoader.cpp, line 428]
nsHTMLScriptElement::SetDocument [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLScriptElement.cpp, line 159]
nsGenericContainerElement::AppendChildTo [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 3725]
HTMLContentSink::ProcessSCRIPTTag [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 5133]
HTMLContentSink::AddLeaf [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 3495]
CNavDTD::AddLeaf [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3774]
CNavDTD::AddHeadLeaf [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3833]
CNavDTD::HandleStartToken [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 1719]
CNavDTD::HandleToken [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 895]
CNavDTD::BuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 526]
nsParser::BuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1989]
nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1853]
nsParser::OnDataAvailable [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 2511]
nsDocumentOpenInfo::OnDataAvailable [d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 242]
nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp, line 57]
nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2351]
nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp, line 203]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591]
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 524]
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1072]
nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp, line 303]
main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1316]
main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1633]
WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1651]
WinMainCRTStartup()
KERNEL32.DLL + 0x192a6 (0x77e992a6)
changing component, OS: All, adding to summary, confirming.
Still crashes on Linux. Can't find a dup.
Assignee: asa → rogerl
Status: UNCONFIRMED → NEW
Component: Browser-General → Javascript Engine
Ever confirmed: true
OS: Linux → All
QA Contact: doronr → pschwartau
Summary: Mozilla crashes → Mozilla crashes [JS_ArenaRealloc]
Comment 4•23 years ago
I also crash on WinNT. Using a debug build from 2001-11-19, I got this
stack trace:
js_FinishCodeGenerator(JSContext * 0x0459c760, JSCodeGenerator * 0x0012efe0) line 97 + 42 bytes
CompileTokenStream(JSContext * 0x0459c760, JSObject * 0x0284c9c0, JSTokenStream * 0x02749ac0, void * 0x0459c7e0, int * 0x00000000) line 2846 + 16 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x0459c760, JSObject * 0x0284c9c0, JSPrincipals * 0x045c3400, const unsigned short * 0x050e0040, unsigned int 294240, const char * 0x04542eb0, unsigned int 5291) line 2911 + 23 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x0459c760, JSObject * 0x0284c9c0, JSPrincipals * 0x045c3400, const unsigned short * 0x050e0040, unsigned int 294240, const char * 0x04542eb0, unsigned int 5291, long * 0x0012f1a0) line 3353 + 33 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x0459c910, const nsAString & {...}, void * 0x0284c9c0, nsIPrincipal * 0x045c33fc, const char * 0x04542eb0, unsigned int 5291, const char * 0x00e2269c, nsAString & {...}, int * 0x0012f20c) line 653 + 85 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x04540660, const nsAFlatString & {...}) line 576
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x04540660) line 483 + 22 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x045c3550, nsIDOMHTMLScriptElement * 0x045530e8, nsIScriptLoaderObserver * 0x045530ec) line 426 + 15 bytes
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x045530c0, nsIDocument * 0x045c14e0, int 0, int 1) line 159
nsGenericHTMLContainerElement::AppendChildTo(nsGenericHTMLContainerElement * const 0x045c4f70, nsIContent * 0x045530c0, int 0, int 0) line 3881
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 5133
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x045c3610, const nsIParserNode & {...}) line 3494 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x040342b8) line 3767 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x040342b8) line 3825 + 15 bytes
CNavDTD::HandleStartToken(CToken * 0x0402eff8) line 1713 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x045c81c0, CToken * 0x00000000, nsIParser * 0x045c3b10) line 881 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x045c81c0, nsIParser * 0x045c3b10, nsITokenizer * 0x045c8060, nsITokenObserver * 0x00000000, nsIContentSink * 0x045c3610) line 517 + 20 bytes
nsParser::BuildModel() line 1985 + 34 bytes
nsParser::ResumeParse(int 1, int 0) line 1851 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x045c3b14, nsIRequest * 0x0376f510, nsISupports * 0x00000000, nsIInputStream * 0x045c88c0, unsigned int 427525, unsigned int 5512) line 2507 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x0376c1a0, nsIRequest * 0x0376f510, nsISupports * 0x00000000, nsIInputStream * 0x045c88c0, unsigned int 427525, unsigned int 5512) line 240 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x045c8a60, nsIRequest * 0x0376f510, nsISupports * 0x00000000, nsIInputStream * 0x0376ce20, unsigned int 427525, unsigned int 5512) line 56 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x0376f514, nsIRequest * 0x03769d94, nsISupports * 0x00000000, nsIInputStream * 0x0376ce20, unsigned int 427525, unsigned int 5512) line 2349 + 57 bytes
nsOnDataAvailableEvent::HandleEvent() line 193 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x04565dc4) line 80
PL_HandleEvent(PLEvent * 0x04565dc4) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x009c8670) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x029801cc, unsigned int 49599, unsigned int 0, long 10258032) line 1071 + 9 bytes
USER32! 77e7124c()
009c8670()
Comment 5•23 years ago
This looks to be a JS Engine issue. The problem occurs in the
frame http://developer.novell.com/ndk/doc/ndslib/code.html
This frame builds a navigation tree with dynamic JavaScript.
I have copied the code and modified it to be a standalone JS shell
script that I will attach below. It crashes with the same stack
trace as originally reported above -
Comment 6•23 years ago
Here is the stack trace for the standalone JS shell test:
NTDLL! 77f762e8()
JS_ArenaRealloc(JSArenaPool * 0x00301dd8, void * 0x004244a4, unsigned int 2048, unsigned int 2048) line 237 + 40 bytes
EmitCheck(JSContext * 0x00301da0, JSCodeGenerator * 0x0012e1b8, int 127, int 3) line 122 + 138 bytes
js_Emit3(JSContext * 0x00301da0, JSCodeGenerator * 0x0012e1b8, int 127, unsigned char 8, unsigned char 201) line 191 + 19 bytes
js_EmitTree(JSContext * 0x00301da0, JSCodeGenerator * 0x0012e1b8, JSParseNode * 0x004626a8) line 3008 + 37 bytes
Statements(JSContext * 0x00301da0, JSTokenStream * 0x00466a90, JSTreeContext * 0x0012e1b8) line 927 + 61 bytes
js_CompileTokenStream(JSContext * 0x00301da0, JSObject * 0x002fb340, JSTokenStream * 0x00466a90, JSCodeGenerator * 0x0012e1b8) line 392 + 17 bytes
CompileTokenStream(JSContext * 0x00301da0, JSObject * 0x002fb340, JSTokenStream * 0x00466a90, void * 0x00301e20, int * 0x00000000) line 2831 + 24 bytes
JS_CompileFile(JSContext * 0x00301da0, JSObject * 0x002fb340, const char * 0x00307d60) line 2976 + 23 bytes
Load(JSContext * 0x00301da0, JSObject * 0x002fb340, unsigned int 1, long * 0x00420064, long * 0x0012e364) line 633 + 18 bytes
js_Invoke(JSContext * 0x00301da0, unsigned int 1, unsigned int 0) line 832 + 23 bytes
js_Interpret(JSContext * 0x00301da0, long * 0x0012fed8) line 2791 + 15 bytes
js_Execute(JSContext * 0x00301da0, JSObject * 0x002fb340, JSScript * 0x00349cc0, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 1012 + 13 bytes
JS_ExecuteScript(JSContext * 0x00301da0, JSObject * 0x002fb340, JSScript * 0x00349cc0, long * 0x0012fed8) line 3251 + 25 bytes
Process(JSContext * 0x00301da0, JSObject * 0x002fb340, char * 0x00000000) line 371 + 22 bytes
ProcessArgs(JSContext * 0x00301da0, JSObject * 0x002fb340, char * * 0x00301f24, int 0) line 529 + 17 bytes
main(int 0, char * * 0x00301f24) line 2111 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1b9ea()
Comment 7•23 years ago
Comment 8•23 years ago
Reassigning to Kenton; cc'ing Brendan on this JS crash
Assignee: rogerl → khanson
Comment 9•23 years ago
On closer inspection of Rhino, the JS standalone test does pass in
interpreted mode, but fails in compiled mode with this error:
Complete testcase output was:
java.lang.RuntimeException: java.lang.ClassFormatError: c47 (Code of a method
longer than 65535 bytes)
at org.mozilla.javascript.optimizer.Codegen.compile(Codegen.java:135)
at org.mozilla.javascript.Context.compile(Context.java:1829)
at org.mozilla.javascript.Context.compile(Context.java:1754)
at org.mozilla.javascript.Context.compileReader(Context.java:856)
at org.mozilla.javascript.Context.evaluateReader(Context.java:774)
at org.mozilla.javascript.tools.shell.Main.evaluateReader(Main.java:312)
at org.mozilla.javascript.tools.shell.Main.processFile(Main.java:303)
etc.
The test is pretty big (425K). But the website does load in IE6 and NN4.7!
And the problem frame, http://developer.novell.com/ndk/doc/ndslib/code.html,
does seem to use the same codepath for Mozilla/N6 as for NN4.7:
/******************************************************************************
 * Global variables. Not to be altered unless you know what you're doing.    *
 * User-configurable options are at the end of this document.               *
 ******************************************************************************/
var MTMLoaded = false;
var MTMLevel;
var MTMBar = new Array();
var MTMIndices = new Array();
var MTMBrowser = null;
var MTMNN3 = false;
var MTMNN4 = false;
var MTMIE4 = false;
var MTMUseStyle = true;
if(navigator.appName == "Netscape" && navigator.userAgent.indexOf("WebTV") == -1) {
  if(parseInt(navigator.appVersion) == 3 && (navigator.userAgent.indexOf("Opera") == -1)) {
    MTMBrowser = true;
    MTMNN3 = true;
    MTMUseStyle = false;
  } else if(parseInt(navigator.appVersion) >= 4) {
    MTMBrowser = true;
    MTMNN4 = true;
  }
} else if (navigator.appName == "Microsoft Internet Explorer" && parseInt(navigator.appVersion) >= 4) {
  MTMBrowser = true;
  MTMIE4 = true;
}
Updated•23 years ago
Attachment #59280 -
Attachment description: JS testcase; loads OK in Rhino but crashes in SpiderMonkey → JS testcase; loads in rhinoi; crashes in rhino and SpiderMonkey
Comment 10•23 years ago
Testcase added to JS testsuite:
mozilla/js/tests/js1_5/Regress/regress-111557.js
Comment 11•23 years ago (assignee)
Mine, I'm sure.
/be
Assignee: khanson → brendan
Keywords: js1.5, mozilla0.9.7
Priority: -- → P1
Target Milestone: --- → mozilla0.9.7
Comment 12•23 years ago (assignee)
I'm a dumbass -- if during JS_ArenaRealloc, realloc "moves the arena", and
there's a "next" arena that is oversized, the next arena's header contains a
back-pointer to the moved arena's old address. Forgot to update that!
/be
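A minimal model of the failure comment 12 describes, added here as an illustration; it is neither jsarena.c nor the patch on this bug. It builds an arena chain in which an oversized arena keeps a back-pointer to its predecessor, then grows the predecessor so that it moves. If the successor's back-pointer is not rewritten along with the forward link, the chain now holds the moved arena's old address, i.e. a pointer into freed memory that a later unlink would write through. All names (Arena, ArenaPool, pool_append, arena_move_and_grow, pool_backlinks_consistent, scenario) and the payload values are constructed for this example. The consistency walk compares addresses only, so it reports the stale pointer without dereferencing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an arena chain (not the jsarena.c API). Oversized
 * arenas hold one large allocation each and keep a back-pointer to their
 * predecessor, the field comment 12 says was left stale after a move. */
typedef struct Arena {
    struct Arena *next;      /* forward link in the pool's chain */
    struct Arena *prev;      /* back-pointer, kept only by oversized arenas */
    size_t size;             /* payload bytes */
    int oversized;           /* nonzero: single large allocation with back-pointer */
    unsigned char payload[];
} Arena;

typedef struct ArenaPool { Arena *first; } ArenaPool;

static Arena *arena_new(size_t size, int oversized)
{
    Arena *a = calloc(1, sizeof(Arena) + size);
    if (!a) abort();
    a->size = size;
    a->oversized = oversized;
    return a;
}

/* Append an arena at the tail; an oversized arena records its predecessor. */
static Arena *pool_append(ArenaPool *pool, size_t size, int oversized)
{
    Arena *a = arena_new(size, oversized), *last = NULL;
    Arena **link = &pool->first;
    while (*link) { last = *link; link = &last->next; }
    *link = a;
    if (oversized) a->prev = last;
    return a;
}

/* Grow arena a to newsize. Allocating the replacement before freeing the old
 * block guarantees the arena moves (the case in comment 12). The predecessor's
 * forward link is always rewritten; the successor's back-pointer only when
 * fix_backpointer is set. */
static Arena *arena_move_and_grow(ArenaPool *pool, Arena *a, size_t newsize,
                                  int fix_backpointer)
{
    Arena *moved = arena_new(newsize, a->oversized);
    Arena **link = &pool->first;
    memcpy(moved->payload, a->payload, a->size);
    moved->next = a->next;
    moved->prev = a->prev;
    while (*link != a) link = &(*link)->next;   /* whoever points at the old address */
    *link = moved;
    if (fix_backpointer && moved->next && moved->next->oversized)
        moved->next->prev = moved;              /* the forgotten update */
    free(a);                                    /* old address is now dangling */
    return moved;
}

/* Check that every oversized arena's back-pointer names its real predecessor.
 * Only addresses are compared, so a stale pointer is detected, not followed. */
static int pool_backlinks_consistent(const ArenaPool *pool)
{
    const Arena *prev = NULL;
    for (const Arena *a = pool->first; a; prev = a, a = a->next)
        if (a->oversized && a->prev != prev) return 0;
    return 1;
}

static void pool_free(ArenaPool *pool)
{
    Arena *a = pool->first;
    while (a) { Arena *n = a->next; free(a); a = n; }
    pool->first = NULL;
}

/* The bug's shape: arena A, then an oversized arena B, then A grows and moves.
 * Returns 1 if the chain is still consistent, 0 if B holds a dangling pointer. */
int scenario(int fix_backpointer)
{
    ArenaPool pool = { NULL };
    Arena *a = pool_append(&pool, 64, 0);
    int ok;
    pool_append(&pool, 4096, 1);                /* oversized B, prev == A */
    memset(a->payload, 0x41, a->size);          /* constructed payload */
    a = arena_move_and_grow(&pool, a, 256, fix_backpointer);
    ok = pool_backlinks_consistent(&pool) && a->payload[63] == 0x41;
    pool_free(&pool);
    return ok;
}

int main(void)
{
    printf("without back-pointer update: %s\n", scenario(0) ? "consistent" : "stale back-pointer");
    printf("with back-pointer update:    %s\n", scenario(1) ? "consistent" : "stale back-pointer");
    return 0;
}
```

scenario(0) reproduces the omission and returns 0; scenario(1) applies the one-line update and returns 1. The review point for any realloc-style routine is the same as here: every structure that records the moved object's address, not just the forward link from the predecessor, has to be rewritten after the move, and a debug walk like pool_backlinks_consistent is a cheap way to catch the ones that were missed.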
Comment 13•23 years ago
Comment on attachment 59288 (proposed fix):
r/sr=jband
Attachment #59288 -
Flags: superreview+
Comment 14•23 years ago
Comment on attachment 59288 (proposed fix):
r=shaver
Attachment #59288 -
Flags: review+
Comment 15•23 years ago (assignee)
Phil, are we thinking of doing another RC (RC4)? We need to, but if it's off
the 0.9.6 branch, we'll want to pull this fix.
/be
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 16•23 years ago
Verified Fixed. The JS testcase now passes on WinNT, Linux, and Mac9.1;
in both the debug and optimized JS shell.
In addition, Mozilla trunk binaries 20011203xx on WinNT, Linux,
and 20011126xx on Mac9.1 have no trouble loading the URL above.
When I make the next JS tarball, I will be pulling off the trunk,
so this fix will definitely be included -
Status: RESOLVED → VERIFIED
Updated•20 years ago
Flags: testcase+