Bug 14501 (Closed)
[blocker] intermittant crash
Opened 25 years ago; Closed 25 years ago
Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED WORKSFORME
Target Milestone: M10
People: Reporter: buster, Assigned: norrisboyd
Details
I have seen this crash twice in the past 2 days. It seems that what I do to trigger it is bring up the browser, let it sit for a few minutes without doing anything to it (may be a coincidence), then use the task bar to bring up the editor. The crash occurs before the editor is fully initialized. Looks like a timing issue? Maybe a bug in nspr? cc'd some folks who might be interested. The strings being passed into PR_sprintf_append are legit.

stack:
__sbh_free_block(tagHeader * 0x00a406ec, void * 0x0377f240) line 350 + 6 bytes
_realloc_base(void * 0x0377f240, unsigned int 100) line 101 + 13 bytes
realloc_help(void * 0x0377f260, unsigned int 64, int 1, const char * 0x00000000, int 0, int 1) line 636 + 16 bytes
_realloc_dbg(void * 0x0377f260, unsigned int 64, int 1, const char * 0x00000000, int 0) line 806 + 27 bytes
realloc(void * 0x0377f260, unsigned int 64) line 755 + 19 bytes
PR_Realloc(void * 0x0377f260, unsigned int 64) line 57 + 14 bytes
GrowStuff(SprintfStateStr * 0x0012dd38, const char * 0x017f1530, unsigned int 11) line 1066 + 16 bytes
fill2(SprintfStateStr * 0x0012dd38, const char * 0x017f1530, int 11, int -11, int 0) line 122 + 17 bytes
cvt_s(SprintfStateStr * 0x0012dd38, const char * 0x017f1530, int 0, int -1, int 0) line 378 + 46 bytes
dosprintf(SprintfStateStr * 0x0012dd38, const char * 0x00c68859, char * 0x0012dd88) line 972 + 25 bytes
PR_vsprintf_append(char * 0x00000000, const char * 0x00c68844, char * 0x0012dd80) line 1218 + 17 bytes
PR_sprintf_append(char * 0x00000000, const char * 0x00c68844) line 1197 + 17 bytes
nsScriptSecurityManager::AddSecPolicyPrefix(JSContext * 0x033d7200, char * 0x017f1530) line 626 + 20 bytes
nsScriptSecurityManager::GetSecurityLevel(JSContext * 0x033d7200, char * 0x017f1530, int 0) line 579 + 16 bytes
nsScriptSecurityManager::CheckScriptAccess(nsScriptSecurityManager * const 0x01f63190, nsIScriptContext * 0x033d7370, void * 0x01d3fa18, const char * 0x017f1530, int 0, int * 0x0012de28) line 88 + 18 bytes
WindowDump(JSContext * 0x033d7200, JSObject * 0x01d3fa18, unsigned int 1, long * 0x02380d9c, long * 0x0012df90) line 1001
js_Invoke(JSContext * 0x033d7200, unsigned int 1, unsigned int 0) line 655 + 26 bytes
js_Interpret(JSContext * 0x033d7200, long * 0x0012e808) line 2232 + 15 bytes
js_Invoke(JSContext * 0x033d7200, unsigned int 1, unsigned int 0) line 671 + 13 bytes
js_Interpret(JSContext * 0x033d7200, long * 0x0012f03c) line 2232 + 15 bytes
js_Invoke(JSContext * 0x033d7200, unsigned int 1, unsigned int 2) line 671 + 13 bytes
js_InternalCall(JSContext * 0x033d7200, JSObject * 0x02382fe8, long 37236720, unsigned int 1, long * 0x0012f1bc, long * 0x0012f174) line 748 + 15 bytes
JS_CallFunction(JSContext * 0x033d7200, JSObject * 0x02382fe8, JSFunction * 0x03550eb0, unsigned int 1, long * 0x0012f1bc, long * 0x0012f174) line 2634 + 32 bytes
nsJSContext::CallFunction(nsJSContext * const 0x033d7370, void * 0x02382fe8, void * 0x03550eb0, unsigned int 1, void * 0x0012f1bc, int * 0x0012f1b8) line 231 + 39 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x037536d0) line 103 + 48 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012f4d8, nsIDOMEvent * * 0x0012f484, unsigned int 7, nsEventStatus & nsEventStatus_eIgnore) line 937 + 21 bytes
RDFElementImpl::HandleDOMEvent(RDFElementImpl * const 0x0354ff90, nsIPresContext & {...}, nsEvent * 0x0012f4d8, nsIDOMEvent * * 0x0012f484, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 2872
RDFElementImpl::ExecuteJSCode(nsIDOMElement * 0x0354ff80) line 3273
RDFElementImpl::ExecuteOnChangeHandler(nsIDOMElement * 0x0354ddf0, const nsString & {...}) line 3196 + 14 bytes
RDFElementImpl::SetAttribute(RDFElementImpl * const 0x0354e050, int 0, nsIAtom * 0x028f7670, const nsString & {...}, int 1) line 2420
RDFElementImpl::SetAttribute(RDFElementImpl * const 0x0354e040, const nsString & {...}, const nsString & {...}) line 1211 + 35 bytes
setAttribute(nsIWebShell * 0x033d8ce0, const char * 0x01c15cb8, const char * 0x01c15cb0, const nsString & {...}) line 259 + 55 bytes
nsArgCallbacks::ConstructBeforeJavaScript(nsArgCallbacks * const 0x033daeb0, nsIWebShell * 0x033d8ce0) line 291 + 39 bytes
nsWebShellWindow::ExecuteStartupCode() line 2229
nsWebShellWindow::OnEndDocumentLoad(nsWebShellWindow * const 0x033d894c, nsIDocumentLoader * 0x037257a0, nsIChannel * 0x03726a20, unsigned int 0, nsIDocumentLoaderObserver * 0x03725e24) line 1977
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x03725e24, nsIDocumentLoader * 0x037257a0, nsIChannel * 0x03726a20, unsigned int 0, nsIDocumentLoaderObserver * 0x03725e24) line 3381
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x037257a0, unsigned int 0) line 863
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x037257a4, nsIChannel * 0x03726a20, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 748
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x03725730, nsIChannel * 0x03726a20, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 597 + 39 bytes
nsInputStreamChannel::OnStopRequest(nsInputStreamChannel * const 0x03726a24, nsIChannel * 0x03726810, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 331
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x03727d20) line 283
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03727cd0) line 152 + 12 bytes
PL_HandleEvent(PLEvent * 0x03727cd0) line 541 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a9cb70) line 500 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x02a10706, unsigned int 49308, unsigned int 0, long 11127664) line 970 + 9 bytes
Comment 1•25 years ago
I'm not sure how I ended up on this cc list, but I'm adding Norris, since it looks like his stuff.
Updated•25 years ago
Assignee: vidur → norris
Comment 2•25 years ago
I'll one-up warren and actually reassign the bug to norris. Though, I couldn't recreate it for the life of me.
Updated•25 years ago
Status: NEW → ASSIGNED
Comment 3•25 years ago
I'll take it, but I don't know what I can do about it.
Comment 4•25 years ago
I just got a similar crash with a similar stack that does not have any of norris' code on the stack. I really think the crash is down in the javascript engine itself. Crash du jour:
__sbh_free_block(tagHeader * 0x01df2f64, void * 0x0451b9d0) line 350 + 6 bytes
_realloc_base(void * 0x0451b9d0, unsigned int 144) line 101 + 13 bytes
realloc_help(void * 0x0451b9f0, unsigned int 108, int 1, const char * 0x00000000, int 0, int 1) line 636 + 16 bytes
_realloc_dbg(void * 0x0451b9f0, unsigned int 108, int 1, const char * 0x00000000, int 0) line 806 + 27 bytes
realloc(void * 0x0451b9f0, unsigned int 108) line 755 + 19 bytes
JS_realloc(JSContext * 0x05c0feb0, void * 0x0451b9f0, unsigned int 108) line 946 + 14 bytes
js_AllocSlot(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, unsigned long * 0x0012f860) line 1373 + 20 bytes
js_NewScopeProperty(JSContext * 0x05c0feb0, JSScope * 0x040eeaf0, long 24638480, int (JSContext *, JSObject *, long, long *)* 0x00340340 GetDocumentProperty(JSContext *, JSObject *, long, long *), int (JSContext *, JSObject *, long, long *)* 0x00340800 SetDocumentProperty(JSContext *, JSObject *, long, long *), unsigned int 0) line 445 + 20 bytes
js_DefineProperty(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, long 24638480, long 78544448, int (JSContext *, JSObject *, long, long *)* 0x00340340 GetDocumentProperty(JSContext *, JSObject *, long, long *), int (JSContext *, JSObject *, long, long *)* 0x00340800 SetDocumentProperty(JSContext *, JSObject *, long, long *), unsigned int 0, JSProperty * * 0x00000000) line 1527 + 29
js_DefineFunction(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, JSAtom * 0x0177f410, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x0033fdb0 NSDocumentCreateElementWithNameSpace(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 2, unsigned int 0) line 1750 + 40 bytes
JS_DefineFunction(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, const char * 0x003d5220, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x0033fdb0 NSDocumentCreateElementWithNameSpace(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 2, unsigned int 0) line 2165 + 29 bytes
JS_DefineFunctions(JSContext * 0x05c0feb0, JSObject * 0x04ae7de8, JSFunctionSpec * 0x003d5104) line 2147 + 44 bytes
JS_InitClass(JSContext * 0x05c0feb0, JSObject * 0x037b1698, JSObject * 0x037b1f78, JSClass * 0x003d5000 struct JSClass DocumentClass, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00340a90 Document(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 0, JSPropertySpec * 0x003d5048 DocumentProperties, JSFunctionSpec * ...) line 1255 + 53 bytes
NS_InitDocumentClass(nsIScriptContext * 0x05c0b080, void * * 0x00000000) line 917 + 44 bytes
nsJSContext::InitClasses(nsJSContext * const 0x05c0b080) line 356 + 79 bytes
nsJSContext::InitContext(nsJSContext * const 0x05c0b080, nsIScriptGlobalObject * 0x05c08814) line 284 + 12 bytes
NS_CreateScriptContext(nsIScriptGlobalObject * 0x05c08814, nsIScriptContext * * 0x05ad1e40) line 583
nsWebShell::CreateScriptEnvironment() line 3181 + 20 bytes
nsWebShell::GetScriptGlobalObject(nsWebShell * const 0x05ad1e20, nsIScriptGlobalObject * * 0x0012fae0) line 3212 + 11 bytes
DocumentViewerImpl::Init(DocumentViewerImpl * const 0x05c15ab0, void * 0x017c05d0, nsIDeviceContext * 0x05ad17e0, nsIPref * 0x0123a7a0, const nsRect & {...}, nsScrollPreference nsScrollPreference_kAuto) line 354 + 16 bytes
nsWebShell::Embed(nsWebShell * const 0x05ad1e10, nsIContentViewer * 0x05c15ab0, const char * 0x05ad2c20, nsISupports * 0x00000000) line 886 + 69 bytes
nsDocumentBindInfo::OnStartRequest(nsDocumentBindInfo * const 0x05ad2b80, nsIChannel * 0x05ad2a30, nsISupports * 0x00000000) line 1309 + 36 bytes
nsChannelListener::OnStartRequest(nsChannelListener * const 0x05ad2b00, nsIChannel * 0x05ad2a30, nsISupports * 0x00000000) line 1560 + 43 bytes
nsHTTPResponseListener::FinishedResponseHeaders() line 680 + 37 bytes
nsHTTPResponseListener::OnDataAvailable(nsHTTPResponseListener * const 0x05c16fb0, nsIChannel * 0x05c139c0, nsISupports * 0x05ad2a30, nsIInputStream * 0x05c10478, unsigned int 0, unsigned int 202) line 166 + 8 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x05c15150) line 359
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x05c110f0) line 152 + 12 bytes
PL_HandleEvent(PLEvent * 0x05c110f0) line 541 + 10 bytes
This crash needs some attention, it'll kill our MTBF.
Comment 5•25 years ago
The crash is not necessarily in the JS engine, although that's what trips over the heap corruption (maybe guilty, maybe not; the core engine itself is one of the oldest and most debugged pieces of code in the product). This looks like a job for purify. Who has purify licensed and ready to go? /be
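To illustrate the point made in this comment, here is an added example; it is not code from this bug, from NSPR or from Mozilla. It is a constructed checked heap layer (guard words around each block, the kind of bookkeeping a heap checker such as Purify does for you) underneath a PR_sprintf_append-style growable buffer. The checked_* and sb_* names, the 64-byte growth step and the off-by-one appender are all constructed for the example and are not taken from NSPR's GrowStuff. The buggy appender's first call damages the guard, but the damage is only reported at the second call's realloc, which is the pattern in the stacks above: the allocator is where corruption is detected, not necessarily where it was caused.

```c
/* Added example, not code from this bug, NSPR or Mozilla. A toy checked heap
 * with guard words under a PR_sprintf_append-style growable buffer; the
 * off-by-one appender is a constructed bug, not a claim about NSPR. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xDEADBEEFCAFEF00DULL   /* constructed guard value; contains no zero byte */

typedef struct { size_t size; uint64_t head; } BlockHdr;   /* header in front of user bytes */

static int g_corruptions;              /* guard violations reported so far */

static void *checked_malloc(size_t n) {
    BlockHdr *h = malloc(sizeof *h + n + sizeof(uint64_t));
    uint64_t c = CANARY;
    if (!h) return NULL;
    h->size = n;
    h->head = CANARY;
    memcpy((char *)(h + 1) + n, &c, sizeof c);   /* trailing guard right after user bytes */
    return h + 1;
}

/* Check both guards of a live block; returns 1 if intact, 0 (and counts) if overwritten. */
static int checked_verify(const void *p, const char *where) {
    const BlockHdr *h = (const BlockHdr *)p - 1;
    uint64_t tail;
    memcpy(&tail, (const char *)p + h->size, sizeof tail);
    if (h->head == CANARY && tail == CANARY) return 1;
    g_corruptions++;
    fprintf(stderr, "heap corruption detected at %s: block %p (%zu bytes)\n", where, p, h->size);
    return 0;
}

static void *checked_realloc(void *p, size_t n) {
    BlockHdr *h;
    void *q;
    if (!p) return checked_malloc(n);
    checked_verify(p, "realloc");          /* an earlier overrun is first noticed here */
    h = (BlockHdr *)p - 1;
    q = checked_malloc(n);
    if (!q) return NULL;
    memcpy(q, p, h->size < n ? h->size : n);
    free(h);
    return q;
}

static void checked_free(void *p) {
    if (!p) return;
    checked_verify(p, "free");
    free((BlockHdr *)p - 1);
}

/* Growable C string in the spirit of PR_sprintf_append; grows in 64-byte steps.
 * `reserve` is how many bytes are budgeted for the NUL terminator (1 is correct). */
typedef struct { char *buf; size_t len, cap; } StrBuf;

static int sb_append_impl(StrBuf *s, const char *src, size_t reserve) {
    size_t n = strlen(src);
    if (s->len + n + reserve > s->cap) {
        size_t cap = ((s->len + n + reserve + 63) / 64) * 64;
        char *nb = checked_realloc(s->buf, cap);
        if (!nb) return 0;
        s->buf = nb; s->cap = cap;
    }
    memcpy(s->buf + s->len, src, n + 1);   /* n + 1: the terminating NUL is written too */
    s->len += n;
    return 1;
}

/* Correct: one byte is reserved for the terminator before it is written. */
static int sb_append(StrBuf *s, const char *src) { return sb_append_impl(s, src, 1); }

/* Constructed bug: the terminator is not budgeted, so text that exactly fills
 * the block puts its NUL one byte past the block, into the trailing guard. */
static int sb_append_offbyone(StrBuf *s, const char *src) { return sb_append_impl(s, src, 0); }

/* Append exactly 64 bytes, then a little more (forcing a grow), then free.
 * Returns how many guard violations the checker reported along the way. */
static int run_scenario(int (*append)(StrBuf *, const char *)) {
    StrBuf s = { NULL, 0, 0 };
    char block[65];
    g_corruptions = 0;
    memset(block, 'x', 64);
    block[64] = '\0';
    append(&s, block);        /* the buggy appender writes its NUL into the guard here */
    append(&s, "tail");       /* the grow: checked_realloc notices the damage only now */
    checked_free(s.buf);
    return g_corruptions;
}

int main(void) {
    printf("correct appender:    %d violation(s)\n", run_scenario(sb_append));
    printf("off-by-one appender: %d violation(s)\n", run_scenario(sb_append_offbyone));
    return 0;
}
```

A guard-word check can only say that a block was damaged by the time it was next touched; it cannot say who wrote the bad byte. Tools such as Purify, Valgrind or AddressSanitizer add the missing piece by checking every access, which is why the comment asks for a Purify run rather than more stack traces.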
Comment 6•25 years ago
Buster, do you have purify? Can you run under purify and try to reproduce (doesn't sound magic, maybe everyone on the cc: list who has purify and uses it could do the startup/sit-idle/task-menu/editor thing)? If this doesn't show up under purify, we're going to have to analyze heap skidmarks. Who should own this bug? Norris, do you have purify? /be
Updated•25 years ago
Summary: [blocker] intermittant crash → [blocker] intermittant crash launching editor from taskbar.
Comment 7•25 years ago
buster/jband/norris, can you try under purify? leger/sujay, can we check for other crashes trying to launch other apps from the taskbar, or figure out if this seems to be editor launch specific.
Comment 8•25 years ago
I have extra copies of purify and quantify for anyone who needs them.
Comment 9•25 years ago
If this is specific to the Editor, then we should not be spending any time on it until M14, since Editor is explicitly out for 'beta'. The beta PRD explicitly requires removing all Editor UI for 'beta', including the taskbar button, so there would be no way to reproduce this.
Comment 10•25 years ago
I tried a few times under purify on my office machine, no luck. My home machine doesn't have the horsepower, so I won't get the chance to try again until Monday.
Priority: P3 → P1
Summary: [blocker] intermittant crash launching editor from taskbar. → [blocker] intermittant crash
Comment 11•25 years ago
Changed the summary back to original text. Note my comment 09/23/99 23:01 and the stack trace included. That looks like the same corruption, but had nothing to do with launching the editor. It happened while running browser buster. I don't think this should wait.
Comment 12•25 years ago
I haven't yet been able to reproduce it.
Comment 13•25 years ago
Is anyone seeing this? I can't reproduce it.
Updated•25 years ago
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
Comment 14•25 years ago
Marking Verified as WorksForMe. No one has seen this in some time.