Closed Bug 228630 Opened 21 years ago Closed 13 years ago

Crash [@ JS_HashString]

Categories

(Core :: JavaScript Engine, defect, P5)

x86
Windows XP
defect

Tracking


RESOLVED WONTFIX

People

(Reporter: timeless, Assigned: timeless)

Details

(Keywords: crash)

Crash Data

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031208

Reproducible: Not really, I've had >6(+1) crashes in under a day of use of mozilla1.6b. Most of my crashes have been 10101010 crashes (perhaps 3?+1), I've also had a layout crash and some (2?) crashes which seemed to be plugin related. I think dbradley and I have decided 10101010 is a GC related problem. I'm not sure how my script running slowly experiences today affect our belief.

Steps: I wasn't writing down my actions...

What I was doing: running venkman soon after running mozilla

Settings (global):
[x] Show strict JavaScript warnings
[x] Show chrome JavaScript errors and warnings

Settings (venkman):
Debug>Error Trigger>Stop for Errors
Debug>Throw Trigger>Trace Exceptions

Apps I've been poking on average:
navigator
composer (probably not this time)
all managers
addressbook
calendar

I've been getting the script is running slowly dialog a lot. I generally hit ok, which I believe means 'don't stop the script'. Many of my crashes seem to happen shortly after dismissing that dialog (except the plugin crashes). I believe that this crash was not an exception.

All I have is a drwtsn32 log, I've reconstructed the call chain.

*----> State Dump for Thread Id 0xd0c <----*

eax=00000000 ebx=00a35ae0 ecx=009cf4d8 edx=8dfc4d8b esi=009cf6b8 edi=009cf2b0
eip=00b7aaef esp=0012c3c4 ebp=0012c404 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

js3250!JS_HashString:
00b7aae9 8b542404         mov     edx,[esp+0x4]
00b7aaed 33c0             xor     eax,eax
FAULT ->00b7aaef 8a0a     mov     cl,[edx]               ds:0023:8dfc4d8b=??
00b7aaf1 84c9             test    cl,cl
00b7aaf3 7418             jz      js3250!JS_HashString+0x24 (00b7ab0d)
00b7aaf5 56               push    esi
00b7aaf6 8bf0             mov     esi,eax
00b7aaf8 c1ee1c           shr     esi,0x1c
00b7aafb c1e004           shl     eax,0x4
00b7aafe 33f0             xor     esi,eax
00b7ab00 0fb6c1           movzx   eax,cl
00b7ab03 33c6             xor     eax,esi
00b7ab05 42               inc     edx
00b7ab06 8a0a             mov     cl,[edx]
00b7ab08 84c9             test    cl,cl
00b7ab0a 75ea             jnz     js3250!JS_HashString+0xd (00b7aaf6)
00b7ab0c 5e               pop     esi
00b7ab0d c3               ret

(Foo)  ;I believe that Foo was called even though the stack doesn't list it.
"Foo"  ;While the following line will list a module, function and offset, I believe the actual function is Foo.
       ;Remember that on windows only exported symbol names appear in the dll. and offsets are calculated from the
       ;closest exported symbol....

ChildEBP RetAddr  Args to Child
"JS_HashString"                 0012c404 01242129 0012bfd4 00a35ae0 00f2527a js3250!JS_HashString+0x6
"jsd_AddAtom"                   0012c41c 00b8753d 00a35ae0 033fb5e8 00000001 jsd3250!JSD_GetValueForObject+0xd45
(_createJSDObject)
(jsd_ObjectHook)
"js_NewObject"                  0012c444 00b795d9 033fb5e8 016d89b8 00a244f8 js3250!resolving_MatchEntry+0xf56
"js_NewFunction"                0012c468 00b63dd0 00a35ae0 00000000 00f45ce6 js3250!js_GetSrcNoteOffset+0x3c83
"JS_NewFunction"                0012c48c 00f43715 00a35ae0 00f45ce6 00000001 js3250!JS_NewFunction+0x22
;The xpc3250 frames should be the usual xpconnect frames
                                0012c4d4 00f44e9e 0012c564 00000001 038fe0f0 xpc3250+0x13715
                                0012c520 00f44a1d 0012c564 033fb5e0 017ca7ac xpc3250+0x14e9e
                                0012c5dc 00b8809b 021564f0 033fb5e0 017ca7ac xpc3250+0x14a1d
                                0012c61c 00b884c6 021564f0 033fb5e0 017dc3b0 js3250!js_LookupProperty+0x2f5
                                0012c654 00b7ffb5 021564f0 033fb5e0 017dc3b0 js3250!js_FindProperty+0x315
                                0012c7b4 00b7b608 021564f0 0012c84c 00000001 js3250!js_Invoke+0x4fa5
                                0012c858 00b7b877 00000001 00000001 00000002 js3250!js_Invoke+0x5f8
                                0012c8d8 00b64971 0215651c 037ed2c0 037ed2d0 js3250!js_Invoke+0x867
                                0012c900 01564241 021564f0 037ed2c0 037ed2d0 js3250!JS_CallFunctionValue+0x1e
"nsJSContext::CallEventHandler" 0012c948 0157fb75 0095f978 037ed2c0 037ed2d0 jsdom+0x4241
"nsJSEventListener::HandleEvent" 0012ca5c 00d7c183 021564f0 03557be0 0012ce04 jsdom+0x1fb75
;I'm not going to analyze the remainder
                                0012cb40 00d7c3cb 02ebef90 03557be0 0391f340 gklayout!NSGetModule+0xc94e1
                                0012cb90 00e01902 029335b0 00000000 00000000 gklayout!NSGetModule+0xc9729
                                0012ce40 00de362d 025233c0 020cb060 0012cefc gklayout+0x151902
                                0012cf50 0156a772 02a2ea88 0012cfb8 02ebce80 gklayout+0x13362d
                                0012cf80 0157eb29 02a2ea88 0012cfb8 1004120f jsdom+0xa772
                                0012cfa8 0157f47e 02b23380 0012cfb8 100441a0 jsdom+0x1eb29
                                0012cfc4 00d7da82 02b23380 00000000 00eb584c jsdom+0x1f47e
                                0012d0bc 00cbc52d 02ea25c8 02b23380 02a31e7c gklayout!NSGetModule+0xcade0
                                0012d100 00cbc318 00000000 02bd9740 00000001 gklayout!NSGetModule+0x988b
                                0012d144 00dec467 00000000 02bd9740 0012d2a8 gklayout!NSGetModule+0x9676
                                0012d1f8 00dee21e 00000001 00000000 00000000 gklayout+0x13c467
                                0012d254 00dee919 029a5800 02bd9740 0012d26c gklayout+0x13e21e
                                0012d270 01291ea6 0012d2a8 00000001 02e9ca20 gklayout+0x13e919
                                0012d298 01295c18 00000000 02e9ca20 00000016 gkwidget+0x1ea6
                                0012d2e8 01293d8c 0000006b 00000001 00000000 gkwidget+0x5c18
                                0012d4e4 0129241c 00000007 00220226 00000000 gkwidget+0x3d8c
                                0012d514 77d43a50 006e029a 00000000 00220226 gkwidget+0x241c
                                0012d540 77d43b1f 01292371 006e029a 00000007 USER32+0x3a50
                                0012d5a8 77d444f5 00000000 01292371 006e029a USER32+0x3b1f
                                0012d5fc 77d44525 00589298 00000007 00220226 USER32!PostMessageA+0xad

*----> Raw Stack Dump <----*

fwiw I just crashed writing this comment, I was trying to use DOMI to expand the textarea and domi took too long (silly js errors/warnings) so I got the too long dialog. clicking ok crashed (10101010 sig).
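The hash loop in the JS_HashString disassembly above, rewritten in C as an added example; it is reconstructed from the quoted instructions, not taken from the bug or from the SpiderMonkey source, and the register-to-variable mapping in the comments is one reading of the dump. It also shows that the shift pair is a 4-bit rotate, and that the faulting instruction is the first read of the key, before any arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Reconstruction of js3250!JS_HashString from the drwtsn32 disassembly.
 * Register mapping (assumed from the dump): edx = key pointer,
 * eax = running hash h, cl = current byte, esi = scratch for (h >> 28).
 * The faulting "mov cl,[edx]" is the very first dereference of *key, so
 * the crash means the pointer handed in (edx=8dfc4d8b in the dump) was
 * already bad; the loop never ran past the end of a valid string. */
uint32_t js_hash_string(const char *key)
{
    uint32_t h = 0;                           /* xor eax,eax */
    const unsigned char *s = (const unsigned char *)key;
    for (; *s != 0; s++)                      /* mov cl,[edx] / test cl,cl / jz */
        h = (h >> 28) ^ (h << 4) ^ *s;        /* shr esi,0x1c / shl eax,4 / xor / movzx / xor */
    return h;
}

/* On a 32-bit value, (h >> 28) ^ (h << 4) has no overlapping bits, so the
 * update is exactly a rotate-left by 4 followed by xor with the byte. */
static uint32_t rotl32(uint32_t v, unsigned n)
{
    return (v << n) | (v >> (32 - n));
}

uint32_t js_hash_string_rotl(const char *key)
{
    uint32_t h = 0;
    for (const unsigned char *s = (const unsigned char *)key; *s; s++)
        h = rotl32(h, 4) ^ *s;
    return h;
}

int main(void)
{
    /* Constructed sample inputs, not values from the bug. */
    const char *samples[] = { "", "a", "ab", "JS_HashString" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> 0x%08x\n", samples[i], js_hash_string(samples[i]));
    return 0;
}
```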
timeless, why don't you take this? It looks like it might be a dialog handling problem (JS_PushArguments/JS_PopArguments being abused), or something akin. /be
Assignee: general → timeless
Hrm, I don't have anything resembling a dev env until I return home. At which point I'm going to be packing for my move to the west coast. There's really only one interesting use of push/pop and it seems legal. I'll have to read about the apis. For my reference, bug 193710 was the last time we accused push/pop of having problems.... I suppose it's worth noting that nsJSEnvironment has had a lot more churn recently than usual: http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/dom/src/base/nsJSEnvironment.cpp&mark=1.201,1.203,1.205,1.208,1.209,1.210 Although to be fair I don't usually spend a day constantly poking things while venkman is running, so this could have been around for a while.
Keywords: crash
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
QA Contact: pschwartau → general
Crash Signature: [@ JS_HashString]
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
There are no crashes with this Stacktrace, crash volume is very low.