Closed Bug 14788 Opened 25 years ago Closed 25 years ago

Crash in JavaScript when loading Test 13.

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
Other
Other
Type:
defect

Tracking

()

Status:
VERIFIED WORKSFORME

People

(Reporter: kinmoz, Assigned: mike+mozilla)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: waiting for more info from reporter) 

To reproduce crash in viewer:

1. Run Viewer
2. Select File-> Samples-> demo #13  from the menus.

To reproduce crash in apprunner:

1. Run the apprunner browser.
2. Select Debug-> Viewer Demos-> #13 DHTML from the menus.

Here's the stack trace of the crash:

js_SuspendThread(JSThinLock * 0x01297c84) line 504 + 3 bytes

js_Enqueue(JSThinLock * 0x01297c84, long 19538288) line 548 + 9 bytes

js_Lock(JSThinLock * 0x01297c84, long 19538288) line 581 + 13 bytes

js_LockScope1(JSContext * 0x03aee770, JSScope * 0x01297c60, long 19538288) line
634 + 13 bytes
js_LockObj(JSContext * 0x03aee770, JSObject * 0x03b0cf50) line
702 + 17 bytes
js_GetSlotWhileLocked(JSContext * 0x03aee770, JSObject *
0x03b0cf50, unsigned long 1) line 259 + 13 bytes
js_Invoke(JSContext *
0x03aee770, unsigned int 1, unsigned int 2) line 444 + 128 bytes

js_InternalCall(JSContext * 0x03aee770, JSObject * 0x03687ab8, long 61919056,
unsigned int 1, long * 0x03b73ed0, long * 0x0012fbd0) line 748 + 15 bytes

JS_CallFunction(JSContext * 0x03aee770, JSObject * 0x03687ab8, JSFunction *
0x035f4568, unsigned int 1, long * 0x03b73ed0, long * 0x0012fbd0) line 2634 + 32
 bytes
nsJSContext::CallFunction(nsJSContext * const 0x03aee720, void *
0x03687ab8, void * 0x035f4568, unsigned int 1, void * 0x03b73ed0, int *
0x0012fc14) line 231 + 39 bytes
GlobalWindowImpl::RunTimeout(nsTimeoutImpl *
0x03b73e60) line 1713 + 68 bytes
nsGlobalWindow_RunTimeout(nsITimer *
0x03b73f40, void * 0x03b73e60) line 1617 + 15 bytes
TimerImpl::Fire(unsigned
long 1814420625) line 308 + 17 bytes
TimerImpl::ProcessTimeouts(unsigned long
1814420625) line 187
FireTimeout(HWND__ * 0x00000000, unsigned int 275, unsigned
 int 4756, unsigned long 1814420625) line 101 + 9 bytes
USER32! 77e7128c()

nsAppShellService::Run(nsAppShellService * const 0x014015b0) line 462
main1(int
1, char * * 0x012a4120) line 591 + 12 bytes
main(int 1, char * * 0x012a4120)
line 702 + 13 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77f1b304()
roger (or brendan) -- can you take a look at this since mccabe is out?
Whiteboard: waiting for more info from reporter
kin, what platform are you on, and what build are you using?

i clobbered and built last night, and i'm not crashing on that page.  i'm on
winnt.
Sorry 'bout the missing info. I was running my debug build from 8am yesterday
morning on Windows NT.

I just tried my build from this morning, and it seems to be fixed.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
glad to hear it!
I ran this yesterday on a build that was a couple days old and it was crashing
as shown. It looked like the funcobj was semi-bogus. The scope had some bogus
looking ops and the lock had a 'fat' pointer of 0x0a (which is the immediate
cause of the crash.

This is all in the context of a timer firing. If it is really fixed then great.
If it is just hiding then bad.
-	scope	0x00d81028
-	map	{...}
        nrefs	0x02b6bdb0
-	ops	0x02b6e440
        newObjectMap	0x00d812f8
        destroyObjectMap	0x00e24608
        lookupProperty	0x0049d109
        defineProperty	0x02b6e271
        getProperty	0x00d811c8
        setProperty	0x80000001
        getAttributes	0x80000001
        setAttributes	0x80000001
        deleteProperty	0x80000001
        defaultValue	0x80000001
        enumerate	0x00d812b8
        checkAccess	0x00d812c8
        thisObject	0x00d812d8
        dropProperty	0x00d812e8
        call	0xcdcdcdcd
        construct	0xcdcdcdcd
        xdrObject	0xcdcdcdcd
        hasInstance	0xcdcdcdcd
+	spare	0x02b6e488
        nslots	0x00000002
        freeslot	0x00edd780
-	object	0x00edd590
-	map	0x00000001
        nrefs	CXX0030: Error: expression cannot be evaluated
        ops	CXX0030: Error: expression cannot be evaluated
        nslots	CXX0030: Error: expression cannot be evaluated
        freeslot	CXX0030: Error: expression cannot be evaluated
+	slots	0x004a1d80 _js_ObjectOps
-	props	0x00edebd0
        nrefs	0x00d80340
        id	0x00d81020
        getter	0x0049d109
        setter	0x00edd6e1
        slot	0x80000001
        attrs	0x01 ''
        spare	0x00 ''
+	symbols	0x80000001
+	next	0x80000001
+	prevp	0x80000001
+	proptail	0x00000003
-	ops	0x00edd660
        lookup	0x00740073
        add	0x00000072
        remove	0xfdfdfdfd
        clear	0x00000000
        data	0x00000005
-	lock	{...}
        owner	0x00edd4b1
-	fat	0x0000000a
        susp	CXX0030: Error: expression cannot be evaluated
        slock	CXX0017: Error: symbol "PRLock" not found
        svar	CXX0017: Error: symbol "PRCondVar" not found
        next	CXX0030: Error: expression cannot be evaluated
        prev	CXX0030: Error: expression cannot be evaluated
        count	0x00edd320
+	file	0x00d81058
+	line	0x00d81068
This worksforme too in a fresh build.
Adding crash keyword
Keywords: crash
Verified worksforme.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.