Bugzilla

Comment 10

•

20 years ago

Attached file Talback crash incident1 (obsolete) — Details

This thing is crashing again for me. 
Somehow I can't get the talkback incident to send it to Mozilla, so I put it
here as attachment.

Comment 11

•

20 years ago

I think they have changed a little since the 2002. The original url is being
redirected.
This is the official url:
http://xopus.com/demo/index.html
Click on Simple Document Demo.

I've investigated that demo a bit. I've squeezed the immense amount of
javascript down to this testcase I will attach.

This crashes, but when you remove the media folder you get an alert box with the
text:
The file c:\\...\...wrongbrowser.html could not be found, etc...
So I guess the crash happens, at the moment you are being redirected.


R.Pronk@ewi.tudelft.nl has a debug build and gets this callstack for it:

crasht in jsinterp.c on 1933:
           OBJ_ENUMERATE(cx, obj, JSENUMERATE_NEXT, &iter_state, &rval);

Ik weet niks van de JS module maar obj == 0x0000000 en dat zal vast niet goed zijn.

Ik krijg deze callstack:

js_Interpret(JSContext * 0x03077eb0, long * 0x0012ef6c) line 1933 + 30 bytes
js_Execute(JSContext * 0x03077eb0, JSObject * 0x03011828, JSScript * 0x042eb888,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012ef6c) line 1155 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03077eb0, JSObject * 0x03011828,
JSPrincipals * 0x02f85ea4, const unsigned short * 0x03bb0040, unsigned int
419541, const char * 0x0328af00, unsigned int 79, long * 0x0012ef6c) line 3543 +
25 bytes
nsJSContext::EvaluateString(const nsAString & {...}, void * 0x03011828,
nsIPrincipal * 0x02f85ea0, const char * 0x0328af00, unsigned int 79, const char
* 0x00cb4430, nsAString & {...}, int * 0x0012efa8) line 916 + 85 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x0328ae40, const
nsAFlatString & {...}) line 658
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x0328ae40) line 574 + 22 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x02f85d08,
nsIDOMHTMLScriptElement * 0x03282d10, nsIScriptLoaderObserver * 0x03282d14) line
520 + 20 bytes
nsHTMLScriptElement::MaybeProcessScript() line 646 + 118 bytes
nsHTMLScriptElement::SetDocument(nsIDocument * 0x02f83f88, int 0, int 1) line 471
nsGenericElement::AppendChildTo(nsIContent * 0x03282cf0, int 0, int 0) line 2583
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 4353
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x02f85b60, const nsIParserNode
& {...}) line 3210 + 15 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x0328aaa8) line 3787 + 25 bytes
CNavDTD::HandleScriptToken(const nsIParserNode * 0x0328aaa8) line 2325 + 12 bytes
CNavDTD::OpenContainer(const nsCParserNode * 0x0328aaa8, nsHTMLTag
eHTMLTag_script, int 1, nsEntryStack * 0x00000000) line 3439 + 12 bytes
CNavDTD::HandleDefaultStartToken(CToken * 0x0313b770, nsHTMLTag eHTMLTag_script,
nsCParserNode * 0x0328aaa8) line 1457 + 20 bytes
CNavDTD::HandleStartToken(CToken * 0x0313b770) line 1835 + 20 bytes
CNavDTD::HandleToken(CNavDTD * const 0x0312fab8, CToken * 0x00000000, nsIParser
* 0x02f85870) line 1019 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x0312fab8, nsIParser * 0x02f85870,
nsITokenizer * 0x031301a0, nsITokenObserver * 0x00000000, nsIContentSink *
0x02f85b60) line 511 + 20 bytes
nsParser::BuildModel(nsParser * const 0x02f85870) line 1894 + 34 bytes
nsParser::ResumeParse(int 1, int 0, int 1) line 1761 + 12 bytes
nsParser::OnDataAvailable(nsParser * const 0x02f85874, nsIRequest * 0x03021e10,
nsISupports * 0x00000000, nsIInputStream * 0x03114760, unsigned int 415524,
unsigned int 7862) line 2426 + 21 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x030160a0,
nsIRequest * 0x03021e10, nsISupports * 0x00000000, nsIInputStream * 0x03114760,
unsigned int 415524, unsigned int 7862) line 335 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x030b9918,
nsIRequest * 0x03021e10, nsISupports * 0x00000000, nsIInputStream * 0x0304f29c,
unsigned int 415524, unsigned int 7862) line 97 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x03021e18, nsIRequest *
0x030486f8, nsISupports * 0x00000000, nsIInputStream * 0x0304f29c, unsigned int
415524, unsigned int 7862) line 3455 + 63 bytes
nsInputStreamPump::OnStateTransfer() line 433 + 65 bytes
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x030486fc,
nsIAsyncInputStream * 0x0304f29c) line 336 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x030b5f3c) line 119
PL_HandleEvent(PLEvent * 0x030b5f3c) line 671 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a06ed0) line 606 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0004017a, unsigned int 49360, unsigned int 0,
long 10514128) line 1412 + 9 bytes
USER32! 77d43a50()
USER32! 77d43b1f()
USER32! 77d43d79()
USER32! 77d43ddf()
nsAppShellService::Run(nsAppShellService * const 0x00a4e2c8) line 484
main1(int 1, char * * 0x002e2638, nsISupports * 0x009aeed8) line 1291 + 32 bytes
main(int 1, char * * 0x002e2638) line 1678 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e814c7()

Heikki Toivonen (remove -bugzilla when emailing directly)

Comment 12

•

20 years ago

Attached file Simpler testcase crasher (obsolete) — Details

Comment 13

•

20 years ago

Reopening per comments.

Status: RESOLVED → REOPENED

Resolution: WORKSFORME → ---

Assignee

Comment 14

•

20 years ago

*** Bug 237967 has been marked as a duplicate of this bug. ***

Assignee

Comment 15

•

20 years ago

Need a reduced testcase, please -- or at least one where the whole roughly
hundred-thousand-character script is not on one line.

/be

Assignee: harishd → brendan

Status: REOPENED → NEW

Component: XML → JavaScript Engine

Comment 16

•

20 years ago

Attached file very much simpeler testcase — Details

Managed to reduce most of the code.
I don't know if this is the initial cause of the crash, but at least this one
is crashing too.

Attachment #144305 - Attachment is obsolete: true

Attachment #144306 - Attachment is obsolete: true

Assignee

Comment 17

•

20 years ago

Regressed a long time ago:

revision 3.6.4.11
date: 1999/01/28 00:03:51;  author: rogerl%netscape.com;  state: Exp;  lines: +31 -8
Bug #331783 - separate initialization from increment for 'for in' loop
with index expression in order to prevent side-effects from occuring
when the for loop stops (as in 'for (p[i++] in obj)...')

Bug is obvious, patch next.

/be

Status: NEW → ASSIGNED

Flags: blocking1.7+

Keywords: js1.5

Priority: -- → P1

Target Milestone: --- → mozilla1.7final

Assignee

Comment 18

•

20 years ago

Attached patch proposed fix — Details — Splinter Review

Mike Shaver (:shaver -- probably not reading bugmail closely)

Assignee

Comment 19

•

20 years ago

Comment on attachment 144534 [details] [diff] [review]
proposed fix

Nice safe (if long overdue!) crash bug fix for 1.7.

/be

Attachment #144534 - Flags: review?(shaver)

Attachment #144534 - Flags: approval1.7?

Updated

•

20 years ago

Attachment #144534 - Flags: review?(shaver) → review+

chris hofmann

Comment 20

•

20 years ago

Comment on attachment 144534 [details] [diff] [review]
proposed fix

a=chofmann for 1.7

Attachment #144534 - Flags: approval1.7? → approval1.7+

Assignee

Comment 21

•

20 years ago

Fixed.

Could have used this in 1.4.2 (the bug is ancient), but it sounds like it's too
late.  Cc'ing leaf just in case.

/be

Status: ASSIGNED → RESOLVED

Closed: 22 years ago → 20 years ago

Resolution: --- → FIXED

Adam Hauner

Comment 22

•

20 years ago

*** Bug 240582 has been marked as a duplicate of this bug. ***

Comment 23

•

19 years ago

Attached file js1_5/Regress/regress-174709.js (obsolete) — Details

Martijn, with your permission this will be included in the javascript test
library.

Comment 24

•

19 years ago

(In reply to comment #23)
> Martijn, with your permission this will be included in the javascript test
> library.
Sure, no problem.

Lon Boonen

Comment 25

•

19 years ago

(In reply to comment #24)
> (In reply to comment #23)
> > Martijn, with your permission this will be included in the javascript test
> > library.
> Sure, no problem.

Dear Mozilla developers,

I would like to point out that you have taken code owned by Q42 
(http://www.q42.nl), removed the copyright notice, changed the code and added 
the MPL 1.1 license to it.

We, Q42, have never allowed anyone to remove our copyrights nor alter the code 
or parts of it, nor re-license the code nor parts of it.

We, of course, are very sympathetic towards the Mozilla project and would like 
to help them any way we can. But we would like the Mozilla foundation and its 
developers to respect our copyrights as well.

Friendly, yet worried, greetings, Lon Boonen, Q42

Comment 26

•

19 years ago

Oops! Sorry Lon. I've made the reduced testcase indeed from xopus, so I'm not
the owner of that code, so I can't give permission.

Comment 27

•

19 years ago

Comment on attachment 174985 [details]
js1_5/Regress/regress-174709.js

Lon, it was never our intension to take your code which is why I have gone
through this process of vetting the testcases. I will remove the code from the
testcase immediately.

Attachment #174985 - Attachment is obsolete: true

Comment 28

•

19 years ago

Attached file js1_5/Regress/regress-174709.js — Details

testcase with code removed until replacement code can be created.

Lon Boonen

Comment 29

•

19 years ago

We have no objection to Mozilla using this code for fixing bugs and testing.
We just thought it was kind of inappropriate to remove copyrights and to attach 
the MPL to it.

I hereby give Mozilla the right to use the piece of code extracted by Martijn 
for whatever purpose it (Mozilla) seems fit. You can re-license it also if 
that's necessary.

The important thing is that this bug is fixed...
We have another one that we would like fixed, but I guess I have to mention 
that somewhere else.

Greetings and thanks, Lon

Comment 30

•

19 years ago

js1_5/Regress/regress-174709.js checked in.

Updated

•

19 years ago

Flags: testcase+