237967 - Xopus Xml editor crashes Mozilla and Firebird [@ js_Interpret]

Status: RESOLVED DUPLICATE of bug 174709

(Core :: JavaScript Engine, defect)

Description

[Simon Speich]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040206 Firefox/0.8

If I access the Xopus Website (http://xopus.com/demo/index.html) and open the
link "Simple Document Demo" Mozilla and Firefox totally crash on my Windows 2000. 

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Actual Results:  
mozilla & firefox crashed


see also http://forums.mozillazine.org/viewtopic.php?t=62368 for additional comments

Comment 1

[Olivier Cahagne]

confirming on Linux using FF 20040317 (non debug build, can't investigate more
with this build)

#0  0x400491ce in js_Interpret () from ./libmozjs.so
#1  0x40047fd9 in js_Execute () from ./libmozjs.so
#2  0x4002b888 in JS_EvaluateUCScriptForPrincipals () from ./libmozjs.so
#3  0x087692a0 in nsJSContext::EvaluateString(nsAString const&, void*,
nsIPrincipal*, char const*, unsigned, char const*, nsAString&, int*) ()
#4  0x085be3a2 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString
const&) ()
#5  0xbfffe5e8 in ?? ()
#6  0x09000148 in ?? ()
#7  0x092cfeb0 in ?? ()
#8  0x08de85e0 in ?? ()
#9  0x0000004f in ?? ()
#10 0x40074f3b in js_valueOf_str () from ./libmozjs.so
#11 0xbfffe508 in ?? ()
#12 0xbfffe4a4 in ?? ()

Stack is similar to bug 234013.

Comment 2

[Martijn Wargers (dead)]

I just added a simpler testcase and explanation to bug 174709
It is definitely about this bug, maybe it is useful.

Comment 3

[Boris Zbarsky [:bzbarsky]]

#0  0x400603ee in js_Interpret (cx=0x87048c8, result=0xbfffdf4c)
    at /home/bzbarsky/mozilla/xlib/mozilla/js/src/jsinterp.c:1933
#1  0x4005e291 in js_Execute (cx=0x87048c8, chain=0x86fa4a8, script=0x919fa18,
down=0x0, 
    special=0, result=0xbfffdf4c)
    at /home/bzbarsky/mozilla/xlib/mozilla/js/src/jsinterp.c:1155
#2  0x4002d1f8 in JS_EvaluateUCScriptForPrincipals (cx=0x87048c8, obj=0x86fa4a8, 
    principals=0x89c0024, chars=0x42b45010, length=419541, 
    filename=0x8b0c9e8
"http://www.xopus.com/demo/xopus/xopus.html#http%3A//www.xopus.com/demo/demos/sample/index.html",
lineno=79, rval=0xbfffdf4c)
    at /home/bzbarsky/mozilla/xlib/mozilla/js/src/jsapi.c:3540
#3  0x4161f55d in nsJSContext::EvaluateString(nsAString const&, void*,
nsIPrincipal*, char const*, unsigned, char const*, nsAString&, int*)
(this=0x8704810, aScript=@0xbfffe1a0, 
    aScopeObject=0x86fa4a8, aPrincipal=0x89c0020, 
    aURL=0x8b0c9e8
"http://www.xopus.com/demo/xopus/xopus.html#http%3A//www.xopus.com/demo/demos/sample/index.html",
aLineNo=79, aVersion=0x400b3cef "default", 
    aRetValue=@0xbfffe090, aIsUndefined=0xbfffe02c)
    at /home/bzbarsky/mozilla/xlib/mozilla/dom/src/base/nsJSEnvironment.cpp:909
#4  0x4142644e in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString
const&) (
    this=0x89bff00, aRequest=0x8b053f0, aScript=@0xbfffe1a0)
    at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsScriptLoader.cpp:656


#0  0x400603ee in js_Interpret (cx=0x87048c8, result=0xbfffdf4c)
    at /home/bzbarsky/mozilla/xlib/mozilla/js/src/jsinterp.c:1933
1933                OBJ_ENUMERATE(cx, obj, JSENUMERATE_NEXT, &iter_state, &rval);
(gdb) p obj
$3 = (struct JSObject *) 0x0
(gdb) p cx
$4 = (struct JSContext *) 0x87048c8

I suspect that obj being null is what does it, since OBJ_ENUMERATE dereferences
the pointer.

Comment 4

[Brendan Eich [:brendan]]

Dup'ing toward the better testcase.

/be

*** This bug has been marked as a duplicate of 174709 ***