15 years ago
13 years ago


(Reporter: Patrick, Assigned: asa)



Windows NT

Firefox Tracking Flags

(Not tracked)




(4 attachments)



15 years ago
Browser version 20020818 crashes at that address.

Comment 1

15 years ago
Created attachment 96178 [details]
Screen shot of crash window

Comment 2

15 years ago
WFM, 1.1 RC (20020818) - WinXP

Comment 3

15 years ago
Confirming bug, 2002-08-21-04 trunk Windows 2000.
TB 9654983X
Severity: major → critical
Ever confirmed: true
Keywords: crash, stackwanted

Comment 4

15 years ago
worksforme, linux trunk build 20020821

Comment 5

15 years ago
WFM 2002082008/trunk/W2K
Stephen, should I ask you for TB9654983X?
ntdll.dll + 0x491b6 (0x77fc91b6)
ntdll.dll + 0x4a1c1 (0x77fca1c1)
ntdll.dll + 0x4a47f (0x77fca47f)
MSVCRT.DLL + 0x1089 (0x78001089)
MSVCRT.DLL + 0x1026 (0x78001026)
NewParseNode [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 145]
Statement [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 1183]
Statement [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 1448]
Statement [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 1195]
Statements [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 887]
FunctionBody [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 558]
FunctionDef [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 722]
FunctionStmt [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 857]
Statement [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 1172]
Statements [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 887]
js_CompileTokenStream [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 394]
CompileTokenStream [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 2851]
JS_CompileUCScriptForPrincipals [c:/builds/seamonkey/mozilla/js/src/jsapi.c,
line 2931]
JS_EvaluateUCScriptForPrincipals [c:/builds/seamonkey/mozilla/js/src/jsapi.c,
line 3380]
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 702]
[c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 570]
[c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 478]
[c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 781]
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 163]
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66]
[c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 2972]
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsRequestObserverProxy.cpp, line 213]
PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 597]
PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c,
line 530]
_md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 452]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1523]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1874]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1892]
KERNEL32.DLL + 0x7903 (0x77e87903) 
Keywords: stackwanted

Comment 7

15 years ago
Crash on 2002082109 trunk with WinXP


OS -> All
OS: Windows NT → All

Comment 8

15 years ago
Also crashing on 1.0 branch: 
2002082109/1.0branch/W2K -> TB9723975E, TB9723622Y, TB9723619M
2002082208/trunk/W2K -> TB9724191K

Comment 9

15 years ago
Based on the filename "jsparse.c" I'm guessing --> JavaScript Engine.
Assignee: asa → rogerl
Component: Browser-General → JavaScript Engine
QA Contact: asa → pschwartau

Comment 10

15 years ago
Created attachment 96530 [details]
Talkback stack traces (5)

Comment 11

15 years ago
Note: some stack traces are unreliable because so much heap corruption
has occurred: you have corrupted memory running through the entire stack. 

With a Mozilla debug build, one tipoff is the presence of
function calls like this in the stack:

_free_dbg_lk(void * 0x04fa6ba0, int 1) line 1062 + 11 bytes
_free_dbg(void * 0x04fa6ba0, int 1) line 970 + 13 bytes
free(void * 0x04fa6ba0) line 926 + 11 bytes

I'm seeing that in a (non-current) debug Mozilla build. Also note
that the Talkback stack traces are, for the most part, completely 
different from each other. Reassigning back to Browser-General.

I think that to progress further, we need to run Purify on the site.
cc'ing Stephen: do you have Purify available by any chance?
Assignee: rogerl → asa
Component: JavaScript Engine → Browser-General
QA Contact: pschwartau → asa

Comment 12

15 years ago
Win NT + Win XP = Win NT (All means more than just Windows)

valgrind under linux shows bad things, but nothing that would result in heap
corruption or a crash.  filed bug 164381
OS: All → Windows NT
Under Purify, I get:

[E] ABW: Array bounds write in memcpy {2 occurrences}
        Writing 8 bytes to 0x0f3c37c0 (8 bytes at 0x0f3c37c0 illegal)
        Address 0x0f3c37c0 is 8 bytes before the beginning of a 496 byte block
at 0x0f3c37c8
        Address 0x0f3c37c0 points to a C++ new block in heap 0x02770000
        Thread ID: 0x58c
        Error location
            memcpy         [memcpy.asm:109]
            gfxImageFrame::SetAlphaData(BYTE const*,UINT,int)
            nsICODecoder::SetAlphaData(void) [nsICODecoder.cpp:118]
            nsICODecoder::Flush(void) [nsICODecoder.cpp:187]
            imgRequest::OnStopRequest(nsIRequest *,nsISupports *,UINT)
            ProxyListener::OnStopRequest(nsIRequest *,nsISupports *,UINT)
            nsStreamListenerTee::OnStopRequest(nsIRequest *,nsISupports *,UINT)
            nsHttpChannel::OnStopRequest(nsIRequest *,nsISupports *,UINT)
            nsOnStopRequestEvent::HandleEvent(void) [nsRequestObserverProxy.cpp:212]
            nsARequestObserverEvent::HandlePLEvent(PLEvent *)
        Allocation location
            new(UINT)      [new.cpp:23]
            nsImageWin::Init(int,int,int,nsMaskRequirements) [nsImageWin.cpp:218]
            gfxImageFrame::Init(int,int,int,int,int) [gfxImageFrame.cpp:120]
            nsICODecoder::ProcessData(char const*,UINT) [nsICODecoder.cpp:307]
            nsICODecoder::ReadSegCb(nsIInputStream *,void *,char
const*,UINT,UINT,UINT *) [nsICODecoder.cpp:200]
            nsInputStreamTee::WriteSegmentFun(nsIInputStream *,void *,char
const*,UINT,UINT,UINT *) [nsInputStreamTee.cpp:104]
            nsPipe::nsPipeInputStream::ReadSegments((*)(nsIInputStream *,void
*,char const*,UINT,UINT,UINT *),void *,UINT,UINT *) [nsPipe2.cpp:419]
            nsInputStreamTee::ReadSegments((*)(nsIInputStream *,void *,char
const*,UINT,UINT,UINT *),void *,UINT,UINT *) [nsInputStreamTee.cpp:158]
            nsICODecoder::WriteFrom(nsIInputStream *,UINT,UINT *)
            imgRequest::OnDataAvailable(nsIRequest *,nsISupports
*,nsIInputStream *,UINT,UINT) [imgRequest.cpp:752]


[E] IPW: Invalid pointer write in memcpy {2 occurrences}
        Writing 188 bytes to 0x0f3e1e8c (4 bytes at 0x0f3e1e8c illegal)
        Address 0x0f3e1e8c points into a HeapAlloc'd block in unallocated region
of heap 0x02770000
        Thread ID: 0x58c
        Error location
            memcpy         [memcpy.asm:109]
            gfxImageFrame::SetImageData(BYTE const*,UINT,int)
            nsICODecoder::SetImageData(void) [nsICODecoder.cpp:109]
            nsICODecoder::Flush(void) [nsICODecoder.cpp:188]
            imgRequest::OnStopRequest(nsIRequest *,nsISupports *,UINT)
            ProxyListener::OnStopRequest(nsIRequest *,nsISupports *,UINT)
            nsStreamListenerTee::OnStopRequest(nsIRequest *,nsISupports *,UINT)
            nsHttpChannel::OnStopRequest(nsIRequest *,nsISupports *,UINT)
            nsOnStopRequestEvent::HandleEvent(void) [nsRequestObserverProxy.cpp:212]
            nsARequestObserverEvent::HandlePLEvent(PLEvent *)


[E] EXU: Unhandled exception in free_base {1 occurrence}
        Exception code: 0xc0000005 [Error: access violation]
        Exception address: RtlFreeHeap    [ntdll.dll]
        Filter: mainCRTStartup [crtexe.c:345]
        Exception location
            RtlFreeHeap    [ntdll.dll]
            RtlAllocateHeap [ntdll.dll]
            free_base      [free.c:92]
            free_dbg       [dbgheap.c:993]
            free           [dbgheap.c:955]
            delete(void *) [delop.cpp:6]
            nsCacheEntryDescriptor::nsOutputStreamWrapper::`vector deleting
destructor'(UINT) [nkcache.dll]
            nsCOMPtr<nsIOutputStream>::assign_assuming_AddRef(nsIOutputStream *)
            nsCOMPtr<nsIOutputStream>::assign_with_AddRef(nsISupports *)

DISCLAIMER:  I'm not totally sure the latter is valid (actually, or the others).
 Purify can sometimes be quite erroneous.  I'm clearing cache and rerunning to

Comment 14

15 years ago
Loading crashes on 2002082308, but
saving it locally and opening = no crash. Something network related, or a timing
issue? Nothing looks unusual in the headers.

Document headers:
HTTP/1.1 200 OK
Date: Sat, 24 Aug 2002 06:53:40 GMT
Server: Apache/1.3.14 (Unix)  (Red-Hat/Linux)
Set-Cookie: jsessionid=135391030172020899;path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: Keep-alive
Cache-Control: no-cache="set-cookie,set-cookie2"
Content-Length: 7102
Content-Type: text/html; charset=ISO-8859-1

Comment 15

15 years ago
OK guys! I figured it out. The problem is with the xoip.ico file that Mozilla
tries to load when it loads that site. I will attach a testcase here.

Comment 16

15 years ago
Created attachment 96541 [details]
ico file to be used with HTML testcase

Leaving text/plain as on original site (don't know if it's relevant)

Comment 17

15 years ago
Created attachment 96543 [details]

This should crash Mozilla right away. The odd thing is that if I change the
indentation of the HTML code, or if I get rid of the leading CRLFs, the crash
is not a sure thing anymore.

Comment 18

15 years ago
If the MIME-type for the ico file is set to image/bmp, Mozilla promptly crashes
upon accessing it directly.

Comment 19

15 years ago
This has been going on for awhile. Some of the traces on bug 159256 look similar.

*** This bug has been marked as a duplicate of 159256 ***
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.