Closed Bug 244470 Opened 20 years ago Closed 20 years ago

crash on trying to load this page. give an error for "ntdll.dll" [@ js_Interpret]

Categories: Core :: JavaScript Engine, defect, P3
Status: VERIFIED FIXED
Target Milestone: mozilla1.8alpha6
Reporter: shuang1, Assigned: brendan
Details: 4 keywords, Whiteboard: TB58138Z TB1208597K TB1208693E
Attachments: 5 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040523 Firefox/0.8.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040523 Firefox/0.8.0+

Displays just fine, gives a good long pause, and promptly crashes the browser. 

Reproducible: Always
Steps to Reproduce:
1. load web page

Actual Results:  
crashes

Expected Results:  
not crashed?

Application Violation in ntdll.dll
Keywords: crash
Confirming new.  Not Firefox-specific. Also crashes Seamonkey 1.8a1.

TB58138Z
Assignee: firefox → general
Status: UNCONFIRMED → NEW
Component: General → Browser-General
Ever confirmed: true
Product: Firefox → Browser
QA Contact: general
Whiteboard: TB58138Z
Version: unspecified → Trunk
doesn't crash 1.7rc2
Flags: blocking1.8a2?
Keywords: regression
This is the most minimal testcase I could make.

It doesn't have to crash instantly. Most of the time it crashes at least after
reloading 10 times or so.
(In reply to comment #3)
> It doesn't have to crash instantly. Most of the time it crashes at least after
> reloading 10 times or so.

Confirming with Mozilla 1.8a2 build 2004052307 on WinNT4. Crashed on the 4th (or
so) reload of the testcase. Talkback ID is TB58299Z.
Keywords: testcase
js_Interpret  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 4355]
js_Execute  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1509]
JS_EvaluateUCScriptForPrincipals  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3584]
nsJSContext::EvaluateString  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 921]
nsScriptLoader::EvaluateScript  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp, line 685]
nsScriptLoader::ProcessRequest  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp, line 599]
nsScriptLoader::ProcessScriptElement  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp, line 546]
nsHTMLScriptElement::MaybeProcessScript  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 624]
nsHTMLScriptElement::SetDocument  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 448]
nsGenericElement::AppendChildTo  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2512]
HTMLContentSink::ProcessSCRIPTTag  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4327]
HTMLContentSink::AddLeaf  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3180]
CNavDTD::AddLeaf  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3752]
CNavDTD::HandleScriptToken  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 2300]
CNavDTD::OpenContainer  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3398]
CNavDTD::HandleDefaultStartToken  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1432]
CNavDTD::HandleStartToken  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1805]
CNavDTD::HandleToken  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 995]
CNavDTD::BuildModel  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 480]
nsParser::BuildModel  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/nsParser.cpp, line 1900]
nsParser::ResumeParse  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/nsParser.cpp, line 1764]
nsParser::OnDataAvailable  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/nsParser.cpp, line 2431]
gkparser.dll + 0x282cc (0x604d82cc)
nsExpatDriver::AddRef  [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/nsExpatDriver.cpp, line 303]
0x8556104d
Assignee: general → general
Component: Browser-General → DOM
QA Contact: general → ian
Summary: crash on trying to load this page. give an error for "ntdll.dll" → crash on trying to load this page. give an error for "ntdll.dll" [@ js_Interpret]
I'm on vacation for a week.  Cc'ing jst and peterv.

/be
This page also freezes my Linux GTK2 build:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a2) Gecko/20040601 Firefox/0.8.0+
So OS → All?
Came across this while examining bug 245426 (on current Linux cvs build).

OS: Windows XP → All
I hope this bug isn't forgotten!

This bug seems to be present even in the earliest 1.8a builds.
I've seen another site which exposes this bug: http://www.jpsoft.com/help/
I've made a simplified testcase from that site:
http://home.hccnet.nl/m.wargers/test/mozilla/crash/jphelp_b.htm
I believe that's basically this bug. If it doesn't crash instantly, try
reloading it a few times.
Flags: blocking1.8a2?
Not sure if the UMRs are interesting or valid. The IPW is of course fatal. No
idea why there's no stack for that either. All three are because of the testcase.

[W] UMR: Uninitialized memory read in nsUnicodeDecodeHelper::ConvertByFastTable(char const*,int *,WORD *,int *,WORD const*,int) {9 occurrences}
    Reading 1 byte from 0x04490c38 (1 byte at 0x04490c38 uninitialized)
    Address 0x04490c38 is 3120 bytes into a 4100 byte block at 0x04490008
    Address 0x04490c38 points to a HeapAlloc'd block in heap 0x00350000
    Thread ID: 0x2ab38
    Error location
    nsUnicodeDecodeHelper::ConvertByFastTable(char const*,int *,WORD *,int *,WORD const*,int)+0xa9 [r:\mozilla\intl\uconv\src\nsunicodedecodehelper.cpp:239 ip=0x05521913]
        {
          PRUint8 * src = (PRUint8 *)aSrc;
          PRUint8 * srcEnd = src;
          PRUnichar * dest = aDest;

          nsresult res;
          if (*aSrcLength > *aDestLength) {
            srcEnd += (*aDestLength);
            res = NS_PARTIAL_MORE_OUTPUT;
          } else {
            srcEnd += (*aSrcLength);
            res = NS_OK;
          }

     =>   for (; src<srcEnd;) *dest++ = aFastTable[*src++];

          *aSrcLength = src - (PRUint8 *)aSrc;
          *aDestLength  = dest - aDest;
          return res;
        }

        NS_IMETHODIMP nsUnicodeDecodeHelper::CreateFastTable(
                                             uShiftTable * aShiftTable,
                                             uMappingTable  * aMappingTable,
                                             PRUnichar * aFastTable,
                                             PRInt32 aTableSize)
        {
          PRInt32 tableSize = aTableSize;
          PRInt32 buffSize = aTableSize;
    nsOneByteDecoderSupport::Convert(char const*,int *,WORD *,int *)+0x16d [r:\mozilla\intl\uconv\util\nsucsupport.cpp:336 ip=0x0553809d]
    nsScanner::Append(char const*,UINT)+0x159 [r:\mozilla\parser\htmlparser\src\nsscanner.cpp:354 ip=0x0549ea54]
    ParserWriteFunc+0x656 [r:\mozilla\parser\htmlparser\src\nsparser.cpp:2368 ip=0x0549a3d8]
    Allocation location
    HeapAlloc+0xc [C:\WINDOWS\System32\KERNEL32.dll ip=0x67e633c8]
    heap_alloc+0x4a [f:\vs70builds\9466\vc\crtbld\crt\src\malloc.c:211 ip=0x7c0010d3]
    nh_malloc+0x10 [C:\WINDOWS\System32\MSVCR70.dll:106 ip=0x7c00107b]
    nsRecyclingAllocator::Malloc(UINT,int)+0xf2 [r:\mozilla\xpcom\ds\nsrecyclingallocator.cpp:183 ip=0x1001a588]
    nsRecyclingAllocatorImpl::Alloc(UINT)+0x24 [r:\mozilla\xpcom\ds\nsrecyclingallocator.cpp:384 ip=0x1001a889]
    nsSegmentedBuffer::AppendNewSegment(void)+0x346 [r:\mozilla\xpcom\io\nssegmentedbuffer.cpp:103 ip=0x1006215c]
    nsPipe::GetWriteSegment(char *&,UINT&)+0x108 [r:\mozilla\xpcom\io\nspipe3.cpp:482 ip=0x10052b97]
    nsPipeOutputStream::WriteSegments((*)(nsIOutputStream *,void *,char *,UINT,UINT,UINT *),void *,UINT,UINT *)+0x9f [r:\mozilla\xpcom\io\nspipe3.cpp:1071 ip=0x100551f6]
    nsHttpTransaction::WriteSegments(nsAHttpSegmentWriter *,UINT,UINT *)+0xc6 [r:\mozilla\netwerk\protocol\http\src\nshttptransaction.cpp:441 ip=0x03f09286]
    nsHttpConnection::OnSocketReadable(void)+0x212 [r:\mozilla\netwerk\protocol\http\src\nshttpconnection.cpp:633 ip=0x03f01258]
    nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream *)+0xaa [r:\mozilla\netwerk\protocol\http\src\nshttpconnection.cpp:731 ip=0x03f01a51]
    nsSocketInputStream::OnSocketReady(UINT)+0x247 [r:\mozilla\netwerk\base\src\nssockettransport2.cpp:234 ip=0x03e50694]
    nsSocketTransport::OnSocketReady(PRFileDesc *,short)+0x15d [r:\mozilla\netwerk\base\src\nssockettransport2.cpp:1396 ip=0x03e53618]
    nsSocketTransportService::Run(void)+0x50d [r:\mozilla\netwerk\base\src\nssockettransportservice2.cpp:540 ip=0x03e30af8]
    nsThread::Main(void *)+0x63 [r:\mozilla\xpcom\threads\nsthread.cpp:118 ip=0x10079b42]
    PR_NativeRunThread+0x2df [r:\mozilla\nsprpub\pr\src\threads\combined\pruthr.c:436 ip=0x300492ff]
    pr_root+0x17 [r:\mozilla\nsprpub\pr\src\md\windows\w95thred.c:116 ip=0x30051177]
    RegisterWaitForInputIdle+0x43 [C:\WINDOWS\system32\kernel32.dll ip=0x77e7d33b]
[W] UMR: Uninitialized memory read in nsTextFragment::SetBidiFlag(void) {9 occurrences}
    Reading 1 byte from 0x058ee6ec (1 byte at 0x058ee6ec uninitialized)
    Address 0x058ee6ec is 104460 bytes into a 156668 byte block at 0x058d4ee0
    Address 0x058ee6ec points to a HeapAlloc'd block in heap 0x00350000
    Thread ID: 0x2ab38
    Error location
    nsTextFragment::SetBidiFlag(void)+0x67 [r:\mozilla\content\shared\src\nstextfragment.cpp:355 ip=0x0497f01c]
              memcpy(aDest, m1b + aOffset, sizeof(char) * aCount);
            }
          }
        }

        // To save time we only do this when we really want to know, not during
        // every allocation
        void
        nsTextFragment::SetBidiFlag()
        {
          if (mState.mIs2b && !mState.mIsBidi) {
            const PRUnichar* cp = m2b;
            const PRUnichar* end = cp + mState.mLength;
            while (cp < end) {
     =>       PRUnichar ch1 = *cp++;
              PRUint32 utf32Char = ch1;
              if (IS_HIGH_SURROGATE(ch1) &&
                  cp < end &&
                  IS_LOW_SURROGATE(*cp)) {
                PRUnichar ch2 = *cp++;
                utf32Char = SURROGATE_TO_UCS4(ch1, ch2);
              }
              if (UTF32_CHAR_IS_BIDI(utf32Char) ) {
                mState.mIsBidi = PR_TRUE;
                break;
              }
            }
          }
        }
    nsGenericDOMDataNode::SetBidiStatus(void)+0x47 [r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1258 ip=0x04832f38]
    nsGenericDOMDataNode::SetText(nsAString const&,int)+0x187 [r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1152 ip=0x04834e0e]
    HTMLContentSink::ProcessSCRIPTTag(nsIParserNode const&)+0x4ee [r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:4225 ip=0x048a483d]
    Allocation location
    HeapAlloc+0xc [C:\WINDOWS\System32\KERNEL32.dll ip=0x67e633c8]
    heap_alloc+0x4a [f:\vs70builds\9466\vc\crtbld\crt\src\malloc.c:211 ip=0x7c0010d3]
    nh_malloc+0x10 [C:\WINDOWS\System32\MSVCR70.dll:106 ip=0x7c00107b]
    nsMemoryImpl::Alloc(UINT)+0x34 [r:\mozilla\xpcom\base\nsmemoryimpl.cpp:325 ip=0x1008fafd]
    nsMemory::Alloc(UINT)+0xbb [r:\mozilla\xpcom\glue\nsmemory.cpp:87 ip=0x100c1f60]
    ToNewUnicode(nsAString const&)+0x5b [r:\mozilla\xpcom\string\src\nsreadableutils.cpp:369 ip=0x100b6bdc]
    nsTextFragment::=(nsAString const&)+0x155 [r:\mozilla\content\shared\src\nstextfragment.cpp:151 ip=0x0497eaf8]
    nsGenericDOMDataNode::SetText(nsAString const&,int)+0x174 [r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1150 ip=0x04834dfb]
    HTMLContentSink::ProcessSCRIPTTag(nsIParserNode const&)+0x4ee [r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:4225 ip=0x048a483d]
[E] IPW: Invalid pointer write in js_Interpret {1 occurrence}
    Writing 4 bytes to 0x059e2178 (4 bytes at 0x059e2178 illegal)
    Address 0x059e2178 points into invalid memory
    Thread ID: 0x2ab38
    Error location
    js_Interpret+0xf704 [r:\mozilla\js\src\jsinterp.c:4174 ip=0x03cc744b]
                                                 ? (JSPropertyOp) obj
                                                 : NULL,
                                                 attrs,
                                                 &prop);
                        if (!ok)
                            goto out;
                        if (attrs == (JSPROP_ENUMERATE | JSPROP_PERMANENT) &&
                            script->numGlobalVars) {
                            /*
                             * As with JSOP_DEFVAR and JSOP_DEFCONST (above), fast globals
                             * use fp->vars to map the global function name's atomIndex to
                             * its permanent fp->varobj slot number, tagged as a jsval.
                             */
                            sprop = (JSScopeProperty *) prop;
     =>                     fp->vars[atomIndex] = INT_TO_JSVAL(sprop->slot);
                        }
                        OBJ_DROP_PROPERTY(cx, parent, prop);
                        break;
                      }

            #if JS_HAS_LEXICAL_CLOSURE
                      case JSOP_DEFLOCALFUN:
                        /*
                         * Define a local function (i.e., one nested at the top level of
                         * another function), parented by the current scope chain, and
                         * stored in a local variable slot that the compiler allocated.
                         * This is an optimization over JSOP_DEFFUN that avoids requiring
                         * a call object for the outer function's activation.
                         */
Flags: blocking1.8a5?
Flags: blocking1.8a5? → blocking1.8a5-
Blocks: 272387
*** Bug 273079 has been marked as a duplicate of this bug. ***
WFM on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041202
Firefox/1.0+
Timeframe for regression:
BuildID 2004041107 working
BuildID 2004041709 crashing

Looking at talkback TB2352368G, I searched for checkins some days before the bug
and found
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jsinterp.c&mark=4607&rev=#4598

3.137 <brendan@mozilla.org> 2004-04-12 18:25
- Improve global variable performance from 3x slower to 1.2x slower than locals (Bug 169559, r=shaver).
- Also fix longstanding bug where global regexps in precompiled scripts were wrongly shared among threads/contexts (Bug 165201, r=shaver).
- Also fix strict-aliasing gcc warning causes (Bug 206599, r=bryner).

The original URL of the bug seems not to work; most pages use Flash, so I
suggest using http://neighborhoodies.com and clicking on the pet top right,
or simply clicking below:
http://neighborhoodies.com/catalog/product_info.php?products_id=146

*** Bug 263603 has been marked as a duplicate of this bug. ***
Assignee: general → brendan
Component: DOM → JavaScript Engine
Keywords: js1.5
Priority: -- → P1
Hardware: PC → All
Whiteboard: TB58138Z → TB58138Z TB1208597K TB1208693E
Target Milestone: --- → mozilla1.8alpha6
Status: NEW → ASSIGNED
QA Contact: ian → pschwartau
Neither of the attachments in this bug are valid scripts -- they assign to
elements of undefined, which is not an object, for example:

var group=new Array();
 
group[0][0]=new Option("- Leave blank if Custom -","0");

group[0] is undefined, and undefined[0] is a ReferenceError.  What's the right
testcase here?

/be
*** Bug 274165 has been marked as a duplicate of this bug. ***
Attached file another testcase
Derived from the first testcase. It's total nonsense but it's a valid script,
just half the size, uses only native JS objects and crashes almost always.
Blocks: 274226
Fix coming, sorry it took so long.

/be
The atomIndex for JSOP_DEFFUN and JSOP_CLOSURE is not a string-keyed (name)
atom index, it's an atom index for the function object atom.  That is not the
index to use for fast globals, which overlay name atom index and fp->vars index
from which to load a jsval-tagged slot number in the global object.

We would like to define fast globals for functions, but it'll take more work.
I'm checking this in to fix the crash, but I'll leave this bug open for a
better patch soon.

/be
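A small C model of the index mismatch described in the comment above, added here and not SpiderMonkey's own code: one atom map holds both name atoms and function-object atoms, but fp->vars has only numGlobalVars entries and is indexed by name atom index, so using a JSOP_DEFFUN's function-object atom index as a vars index writes past the table. The Atom/Script/Frame layouts, the constructed atom map and the `record_fast_global` guard are assumptions of the model; the checked-in fix disabled the fast-global path for functions rather than adding this guard.

```c
/* Simplified model, not SpiderMonkey source: one atom map holds both name
 * atoms and function-object atoms, while fp->vars is indexed by *name*
 * atom index only and has numGlobalVars entries. */
#include <stdint.h>

typedef intptr_t jsval;
#define INT_TO_JSVAL(i)  ((jsval)(((intptr_t)(i) << 1) | 1))
#define JSVAL_TO_INT(v)  ((int)((v) >> 1))

enum AtomKind { ATOM_NAME, ATOM_FUNCTION_OBJECT };
typedef struct { enum AtomKind kind; const char *text; } Atom;

typedef struct {
    const Atom *atoms;
    unsigned    numAtoms;
    unsigned    numGlobalVars;   /* leading ATOM_NAME entries that own slots */
} Script;

typedef struct { jsval vars[8]; } Frame;   /* fp->vars; numGlobalVars valid */

/* Pre-fix behaviour as the bug describes it: JSOP_DEFFUN's atomIndex names
 * the function-object atom but was used directly as an fp->vars index.
 * Returns 1 when that write would land past the numGlobalVars entries (the
 * invalid pointer write Purify reported); the write is not performed. */
int deffun_write_is_out_of_bounds(const Script *s, unsigned atomIndex) {
    return atomIndex >= s->numGlobalVars;
}

/* Guarded variant (an assumption, not the checked-in patch): only a name
 * atom that owns a fast-global slot updates fp->vars; a function-object
 * atom is not given the fast path. Returns 1 if recorded, 0 if skipped. */
int record_fast_global(const Script *s, Frame *fp, unsigned atomIndex, int slot) {
    if (atomIndex >= s->numAtoms || s->atoms[atomIndex].kind != ATOM_NAME)
        return 0;
    if (atomIndex >= s->numGlobalVars)
        return 0;
    fp->vars[atomIndex] = INT_TO_JSVAL(slot);
    return 1;
}

/* Constructed atom map for a hypothetical `var group, opt; function f(){}`:
 * two name atoms, then the function-object atom JSOP_DEFFUN refers to. */
static const Atom kAtoms[] = {
    { ATOM_NAME, "group" }, { ATOM_NAME, "opt" },
    { ATOM_FUNCTION_OBJECT, "<function f>" },
};
const Script kScript = { kAtoms, 3, 2 };

/* Runs DEFVAR group, then DEFFUN f, against a fresh frame; returns 1 when
 * the name atom is recorded and the function atom is flagged OOB and skipped. */
int run_model(void) {
    Frame fp = { { 0 } };
    return record_fast_global(&kScript, &fp, 0, 5) == 1
        && JSVAL_TO_INT(fp.vars[0]) == 5
        && deffun_write_is_out_of_bounds(&kScript, 2) == 1
        && record_fast_global(&kScript, &fp, 2, 7) == 0
        && fp.vars[2] == 0;
}
```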
Attachment #168721 - Flags: review+
Erik: what charset should attachment 168505 [details] use?

The fix-patch is in on the trunk now.

/be
Priority: P1 → P3
Attachment #168505 - Attachment mime type: text/html → text/html; charset=iso-8859-1
*** Bug 274226 has been marked as a duplicate of this bug. ***
Bug 245426 is probably a dupe, too. The ABW mentioned there is in the code #if'd out by this patch.
*** Bug 245426 has been marked as a duplicate of this bug. ***
Duh, need a new bug for the further fast-global function bytecode optimizations,
because that bug's not a crash bug.  Filed bug 276249.  Closing this one, as
it's (still) fixed.

/be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED using build 2005-01-16-05 on Windows XP with Seamonkey trunk;
this used to crash 100% for me.
Status: RESOLVED → VERIFIED
*** Bug 256571 has been marked as a duplicate of this bug. ***
Erik, with your permission this will be included in the javascript test suite.
js1_5/Regress/regress-244470.js checked in.
Flags: testcase+
Crash Signature: [@ js_Interpret]