Closed Bug 128273 Opened 23 years ago Closed 22 years ago

Various crashes showing up again in Trunk, M098, N621 at [@ js_Interpret ]

Categories

(Core :: XUL, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 132216

People

(Reporter: greer, Assigned: hyatt)

Details

(Keywords: crash, qawanted, topcrash)

Crash Data

Attachments

(3 files)

Bug 106820 handled the infinite recursion issue at this signature, but still the Talkback reports are showing tons of crashes at this signature. (Keeping component from bug 106820, but wll probably end up somewhere else.) The user comments are wildy varying from launching browser/mail from the tray icon to viewing PDF files and simple surfing. In the hopes of finding something, I will include the user comments from the most recent releases (N621 - 665, M098 - 273, Trunk - 85) in an attachment below. This is a huge set of problems with no clear direction. The comments for each release are followed by internal folks who have crashed at this signature, that may be helpful. Stack Trace: js_Interpret [d:\builds\seamonkey\mozilla\js\src\jsinterp.c line 1226] js_Execute [d:\builds\seamonkey\mozilla\js\src\jsinterp.c line 970] JS_ExecuteScript [d:\builds\seamonkey\mozilla\js\src\jsapi.c line 3229] nsJSContext::ExecuteScript [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp line 824] nsXULDocument::ExecuteScript [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp line 6207] nsXULDocument::LoadScript [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp line 5998] nsXULDocument::ResumeWalk [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp line 5777] nsXULDocument::OnStreamComplete [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp line 6165] nsStreamLoader::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamLoader.cpp line 163] nsJARChannel::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\protocol\jar\src\nsJARChannel.cpp line 614] nsOnStopRequestEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsRequestObserverProxy.cpp line 213] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 1072] nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 308] main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1301] main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1628] WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1646] WinMainCRTStartup() KERNEL32.DLL + 0xd326 (0x77e8d326) Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsinterp.c line :1226
One interesting question is why all of these reports are Windows-only. I had been thinking it might have been due to the memory flusher code. However, that code wasn't hooked up. But now I'm wondering whether it might have something to do with turbo. (One of the user comments mentions turbo.) I don't quite see how, though. Then again, I'm not exactly sure what state things are supposed to be in when we're in the "shut down" state in turbo, especially now that profile-switching is supported.
Er, wait. There are some Linux stacks in attachment 71888 [details]. Never mind. Although the Linux stacks could be a different stack -- they show ups a black in the detailed crash reports.
Attached file Stack Trace of a crash
I crashed in this area. I had just hit ctrl-m. In this case, the script object that was passed into nsJSContext::ExecuteScript, the code member is set to 2. This causes a crash at line 1269 when it tries to dereference it: op = (JSOp)*pc; I do see crashes in Talkback at 1269 as well. It could be the they stem from the same cause and it just depends on how bad the script object has been corrupted. Is the script object getting collected by accident? Dump of fp->script: code = 0x00000002 length = 0x04072438 main = 0x0 version = 0x44fcc28 atomMap = { vector = 0x0, length = 0x5 } filename = 0x023f3858 "" lineno = 0x0 depth = 0x00050007 notes = 0x00080105 (Invalid address) trynotes = 0x00ebfa28 { start = 0x02477c40, length = 0xa6983d6a, catchStart = 0x00ebbf74 } principals = 0x00ec59e0 { codebase = 0x0 getPrincipalArray = 0x65a64523 globalPrivilegesEnabled = 0x00ebc14c refcount = 0x0 destroy = 0x02 } fun = 0x0 thisp = 0x031813c0 (Looks valid) argc = 0x0 argv = 0x0 rval = 0x80000001 nvars = 0x0 vars = 0x0 down = 0x0 annotation = 0x0 scopeChain = 0x031813c0 (looks valid) pc = 0x00000002 sp = 0x05a20050 spbase = 0x05a20050 sharpDepth = 0x0 sharpArray = 0x0 flags = 0x0 domainNext = 0x0
I looked at the talkback data for the crash at line 1226. It's actually crashing during the assignment of currentVersion = script->version. Optimization throws things off a bit. So these two do look to be the same problem. There's something wrong with the script object being executed, either it was corrupted, or more likely, collected and the memory is being reused.
I think this and bug 127047 are probably different symptoms of the same problem
Adding topcrash, qawanted keywords and marking dup of bug 132216 per Comment #7. This is simply for future reference and to get this off the radar. If this is not a dup, please feel free to reopen. *** This bug has been marked as a duplicate of 132216 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Keywords: qawanted, topcrash
Resolution: --- → DUPLICATE
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
Crash Signature: [@ js_Interpret ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: