165313 - mozilla crashes on Adobe Acrobat Reader download page

Status: VERIFIED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Mirek Hankus]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1b) Gecko/20020828
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1b) Gecko/20020828

Mozilla crashes when trying to fill form for 
downloading Adobe Acrobat REader (it uses some javascript 
and probably it kills somehow Mozilla)



Reproducible: Always

Steps to Reproduce:

 1 open page http://www.adobe.com/products/acrobat/readstep2.html
 2. From step 2 (column in the middle) from country combobox choose other
 3. wait about 2 seconds 
 4. Mozilla is gone.

Comment 1

[Mirek Hankus]

Here is what gdb displays when mozilla crashes (build is 2002082808)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 1358)]
0x400946c8 in js_Interpret () from /usr/local/mozilla/libmozjs.so
(gdb) bt
#0  0x400946c8 in js_Interpret () from /usr/local/mozilla/libmozjs.so
#1  0x4008c033 in js_Invoke () from /usr/local/mozilla/libmozjs.so
#2  0x400914d6 in js_Interpret () from /usr/local/mozilla/libmozjs.so
#3  0x4008c033 in js_Invoke () from /usr/local/mozilla/libmozjs.so
#4  0x4008c23c in js_InternalInvoke () from /usr/local/mozilla/libmozjs.so
#5  0x4006dafb in JS_CallFunctionValue () from /usr/local/mozilla/libmozjs.so
#6  0x40fb9c3e in NSGetModule () from /usr/local/mozilla/components/libjsdom.so
#7  0x40fe6679 in NSGetModule () from /usr/local/mozilla/components/libjsdom.so
#8  0x4091034b in NSGetModule () from /usr/local/mozilla/components/libgkcontent.so
#9  0x40911d6c in NSGetModule () from /usr/local/mozilla/components/libgkcontent.so
#10 0x40ab83ba in NSGetModule () from /usr/local/mozilla/components/libgkcontent.so
#11 0x409715dc in NSGetModule () from /usr/local/mozilla/components/libgkcontent.so
#12 0x41409caa in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#13 0x41409b54 in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#14 0x41440f2a in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#15 0x41440e46 in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#16 0x414419bd in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#17 0x414430f9 in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#18 0x40910999 in NSGetModule () from /usr/local/mozilla/components/libgkcontent.so
#19 0x40ab83ba in NSGetModule () from /usr/local/mozilla/components/libgkcontent.so
#20 0x409715dc in NSGetModule () from /usr/local/mozilla/components/libgkcontent.so
#21 0x40ab8563 in NSGetModule () from /usr/local/mozilla/components/libgkcontent.so
#22 0x41409caa in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#23 0x41409ad1 in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#24 0x415a43d1 in NSGetModule () from /usr/local/mozilla/components/libgkview.so
#25 0x41599e99 in NSGetModule () from /usr/local/mozilla/components/libgkview.so
#26 0x415a3a68 in NSGetModule () from /usr/local/mozilla/components/libgkview.so
#27 0x415999cd in NSGetModule () from /usr/local/mozilla/components/libgkview.so
#28 0x40c8eb5a in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#29 0x40c8ea55 in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#30 0x40c8ebd7 in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#31 0x40c8f574 in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#32 0x40c927f5 in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#33 0x40c92a8c in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#34 0x40c89ad7 in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#35 0x40c89929 in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#36 0x4035d253 in gdk_event_dispatch () from /usr/X11R6/lib/libgdk-1.2.so.0
#37 0x4038b806 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#38 0x4038be33 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#39 0x4038bfec in g_main_run () from /usr/lib/libglib-1.2.so.0
#40 0x402ab6ab in gtk_main () from /usr/X11R6/lib/libgtk-1.2.so.0
#41 0x40c8250c in NSGetModule () from /usr/local/mozilla/components/libwidget_gtk.so
#42 0x40c59d66 in NSGetModule () from /usr/local/mozilla/components/libnsappshell.so
#43 0x080510a0 in getCountry ()
#44 0x08051887 in main ()
#45 0x4050f3dd in __libc_start_main () from /lib/libc.so.6
(gdb)

Comment 2

[Adam Hauner]

-> JS Engine

Comment 3

[Phil Schwartau]

Confirming crash with Mozilla trunk binary 20020828xx WinNT.
OS: Linux ---> All. I've reduced the crash to two lines:

                    <script>
                     var x = /a/;
                     var y = {p: /b/};
                    </script>

Both lines seem to be necessary to crash. It seems necessary
to wrap one of the regexps in an object, as in |y| above.

However, I can only crash on this in the browser or the xpcshell.
I cannot crash in the JS shell, either debug or optimized.

Could this be related to bug 163323?
"Mozilla and xpcshell crash on string.split(/\b\W+(\b|$)/g) [@ str_split]"

That is also impossible for me to duplicate in the JS shell.

Comment 4

[Phil Schwartau]

Attachment: Reduced HTML testcase. Crashes Mozilla on load.

Comment 5

[Phil Schwartau]

It turns out this bug was fixed on the very day of Mirek's build: 2002-08-28.
It is necessary to have a build date of 2002-08-29 or higher to see the fix.

See http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/js/src/jsinterp.c
Version 3.110: "Disable new fp->objAtomMap code to relieve blocker bug 165201"

By "backing in" this code and backing it out again, rogerl was able to
trace the crash to this part of the code. 

Resolving as WORKSFORME. Both the reduced testcase and the Adobe site
work fine now. Using Mozilla trunk binary 20020903xx on WinNT.

Comment 6

[Phil Schwartau]

Marking Verified.

Mirek, could you confirm this behavior? Please try a current build
and see if the problem is fixed for you, too. If the problem is not
fixed, please reopen this bug; thanks -