Closed Bug 246048 Opened 21 years ago Closed 21 years ago

Browser, mailnews & Thunderbird crash in [@ match_or_replace], on right-click, upon opening tabs or sidebar [f9]

Categories: Core :: JavaScript Engine, defect
Platform: x86, All
Severity: critical (priority not set)
Status: VERIFIED FIXED
People: Reporter: calum.mackay, Assigned: brendan
Keywords: crash, topcrash
Attachments: 1 file

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a2) Gecko/20040609 Firefox/0.8.0+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a2) Gecko/20040609

With builds from my CVS checkout last night, I can reliably crash mozilla mailnews and also Thunderbird. The last few stack frames are:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1084547936 (LWP 1033)]
0x10000100 in ?? ()
(gdb) bt
#0  0x10000100 in ?? ()
#1  0x4005b5f9 in js_GetSlotThreadSafe (cx=0x80cc1a0, obj=0x8633610, slot=2) at jslock.c:554
#2  0x4008199d in match_or_replace (cx=0x80cc1a0, obj=0x863417b, argc=140722555, argv=0x8ce5e68, glob=0x400825dd <replace_glob>, data=0xbfffc650, rval=0xbfffc750) at jsstr.c:1108
#3  0x4008294c in str_replace (cx=0x80cc1a0, obj=0x863417b, argc=140722555, argv=0x8ce5e68, rval=0xbfffc750) at jsstr.c:1600
#4  0x4004fe65 in js_Invoke (cx=0x80cc1a0, argc=2, flags=0) at jsinterp.c:1281

which looks like a problem with, or in, this code:

jslock.c:
553         if (!OBJ_IS_NATIVE(obj))
554             return OBJ_GET_REQUIRED_SLOT(cx, obj, slot);

jsobj.h:
 99 #define OBJ_GET_REQUIRED_SLOT(cx,obj,slot)                  \
100     ((obj)->map->ops->getRequiredSlot                       \
101      ? (obj)->map->ops->getRequiredSlot(cx, obj, slot)      \
102      : JSVAL_VOID)

I will attach the full stack trace. Please let me know if you need me to provide further details.

Reproducible: Always

Steps to Reproduce:
1. Right click in a mail message to bring up the context menu
2. From this menu, move the email to a folder (mine is over IMAP)
3. After the move is complete, continue right-clicking in the msg to bring up the context menu, repeatedly (without doing anything else).

It crashes fairly quickly, although not immediately.
I cannot reproduce this with a build of mine of 20040607. I did not build a 20040608, so that problem seems to have appeared sometime in the last day or two.
Another crash, slightly different:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1084547936 (LWP 7528)]
0x40081956 in match_or_replace (cx=0x80cc1a0, obj=0x4, argc=4, argv=0x8e432d8, glob=0x400825dd <replace_glob>, data=0xbfffc8b0, rval=0xbfffc9b0) at jsstr.c:1108
/usr/local/src/mozilla/cvs/mozilla/js/src/jsstr.c:1108:32246:beg:0x40081956
Current language: auto; currently c
(gdb) bt
#0  0x40081956 in match_or_replace (cx=0x80cc1a0, obj=0x4, argc=4, argv=0x8e432d8, glob=0x400825dd <replace_glob>, data=0xbfffc8b0, rval=0xbfffc9b0) at jsstr.c:1108
#1  0x4008294c in str_replace (cx=0x80cc1a0, obj=0x4, argc=4, argv=0x8e432d8, rval=0xbfffc9b0) at jsstr.c:1600
Summary: mailnews & Thunderbird crash in js_GetSlotThreadSafe OBJ_GET_REQUIRED_SLOT → mailnews & Thunderbird crash in match_or_replace
I can reproduce now just by repeatedly right clicking in the message text window. No need to move the mail to another folder.
The problem, in the js_GetSlotThreadSafe() case at least, is that the map structure looks to have bogus contents. When we try to run the (obj)->map->ops->getRequiredSlot function, via the OBJ_GET_REQUIRED_SLOT macro, the function pointer is bogus, as is the rest of the ops vector.

(gdb) up
#1  0x4005b5f9 in js_GetSlotThreadSafe (cx=0x80cc1a0, obj=0x85ef230, slot=2) at jslock.c:554
(gdb) print obj
$3 = (JSObject *) 0x85ef230
(gdb) print *obj
$4 = {map = 0x85ef238, slots = 0x85f00c6}
(gdb) print *obj->map
$7 = {nrefs = 140440136, ops = 0x85f00c7, nslots = 147856960, freeslot = 147856932}
(gdb) print obj->map->ops
$8 = (JSObjectOps *) 0x85f00c7
(gdb) print *obj->map->ops
$9 = {newObjectMap = 0x10100010, destroyObjectMap = 0x10101001, lookupProperty = 0x101010,
  defineProperty = 0x1001001, getProperty = 0x1010000, setProperty = 0x10000001,
  getAttributes = 0x101, setAttributes = 0x10100101, deleteProperty = 0x10000010,
  defaultValue = 0x1010000, enumerate = 0x1010101, checkAccess = 0x1010101,
  thisObject = 0x1010101, dropProperty = 0x1010101, call = 0x1010001, construct = 0x1010101,
  xdrObject = 0x1010101, hasInstance = 0x1010101, setProto = 0x1010101, setParent = 0x1010100,
  mark = 0x1010101, clear = 0x1010101, getRequiredSlot = 0x1010101, setRequiredSlot = 0x1010101}
Since it's the data that's bogus, it's likely that this is not a js engine bug, but more the caller's problem. But what do I know...?
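The gdb dump above shows why the crash lands in js_GetSlotThreadSafe: the OBJ_GET_REQUIRED_SLOT macro calls through whatever obj->map->ops->getRequiredSlot holds, and here the whole ops vector is filled with byte patterns like 0x1010101 rather than code addresses. The following is an added example, not SpiderMonkey's code and not the fix Brendan later checked in. It mirrors the JSObject / JSObjectMap / JSObjectOps field names from the trace with hypothetical, cut-down layouts, reproduces the page's macro, and then shows one defensive check an engine or embedder could apply: only call through an ops pointer that matches a registered ops table, and report corruption otherwise instead of jumping to garbage. The `known_ops` registry, `safe_get_required_slot`, the `JSVAL_VOID` tag value and the sample objects are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, cut-down mirrors of the structures named in the gdb dump.
 * Field names follow the page; the layouts and types do not match the engine. */
typedef uintptr_t jsval;
#define JSVAL_VOID ((jsval)0x2)   /* placeholder "void" tag, not the engine's value */

typedef struct JSContext JSContext;
typedef struct JSObject JSObject;

typedef struct JSObjectOps {
    jsval (*getRequiredSlot)(JSContext *cx, JSObject *obj, uint32_t slot);
} JSObjectOps;

typedef struct JSObjectMap {
    int nrefs;
    JSObjectOps *ops;
    uint32_t nslots;
    uint32_t freeslot;
} JSObjectMap;

struct JSObject {
    JSObjectMap *map;
    jsval *slots;
};

struct JSContext { int unused; };

/* The macro quoted in the bug report: it trusts ops unconditionally. */
#define OBJ_GET_REQUIRED_SLOT(cx,obj,slot) \
    ((obj)->map->ops->getRequiredSlot \
     ? (obj)->map->ops->getRequiredSlot(cx, obj, slot) \
     : JSVAL_VOID)

/* A known-good ops table, standing in for an ops vector the engine registered. */
static jsval good_get_required_slot(JSContext *cx, JSObject *obj, uint32_t slot) {
    (void)cx;
    return obj->slots[slot];
}
static JSObjectOps good_ops = { good_get_required_slot };

/* Registry of every ops table the engine knows about (assumption: just one here). */
static const JSObjectOps *known_ops[] = { &good_ops };

/* Defensive variant: refuse to call through an ops pointer that is not a
 * registered table. Returns 1 and stores the slot value on success, 0 when the
 * map/ops pointers look corrupt, which is the state shown in the gdb dump. */
int safe_get_required_slot(JSContext *cx, JSObject *obj, uint32_t slot, jsval *out) {
    if (!obj || !obj->map) return 0;
    const JSObjectOps *ops = obj->map->ops;
    size_t i;
    for (i = 0; i < sizeof known_ops / sizeof known_ops[0]; i++) {
        if (ops == known_ops[i]) {          /* compares addresses only, never dereferences */
            *out = OBJ_GET_REQUIRED_SLOT(cx, obj, slot);
            return 1;
        }
    }
    return 0;  /* the macro alone would have jumped to something like 0x1010101 */
}

/* Constructed sample: a healthy object whose map points at the registered table. */
int demo_healthy(void) {
    JSContext cx = {0};
    jsval slots[4] = { 10, 20, 30, 40 };
    JSObjectMap map = { 1, &good_ops, 4, 4 };
    JSObject obj = { &map, slots };
    jsval v = 0;
    return safe_get_required_slot(&cx, &obj, 2, &v) && v == 30;
}

/* Constructed sample: map contents mimicking the dump (ops = 0x85f00c7, nonsense counts). */
int demo_corrupt(void) {
    JSContext cx = {0};
    jsval slots[4] = { 10, 20, 30, 40 };
    JSObjectMap map = { 140440136, (JSObjectOps *)(uintptr_t)0x85f00c7, 147856960, 147856932 };
    JSObject obj = { &map, slots };
    jsval v = 0;
    return safe_get_required_slot(&cx, &obj, 2, &v) == 0;
}

int main(void) {
    printf("healthy object read slot 2 correctly: %d\n", demo_healthy());
    printf("corrupt ops vector refused: %d\n", demo_corrupt());
    return 0;
}
```

The check costs a pointer comparison per registered table and is the kind of sanity assertion that belongs behind a debug build flag; it turns a wild jump into a reportable failure, which is what you want while hunting the writer of the garbage rather than its first reader.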
This looks like a regression from the patch for bug 245890 -- Calum, can you try backing out that bug's patch and see whether that helps? Thanks, /be
Assignee: general → brendan
the **** look like what i had in bug 245846...
Yes, that was it. I backed out the patch for bug 245890 and I can no longer reproduce the problem. With the patch in I can reproduce it in seconds, by repeatedly right-clicking in the mail body window. With the patch reversed, I was unable to reproduce at all.
I backed out that patch. Still not sure what's wrong, I'll figure it out. Thanks for this report. Timeless, your bug was filed before I checked in yesterday, so it's something else. The skidmarks don't look the same to me. /be
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Ah, it looks like I got this bug, not 245846, sorry for the spam...
*** Bug 246111 has been marked as a duplicate of this bug. ***
*** Bug 246120 has been marked as a duplicate of this bug. ***
All fine with today's builds, thanks very much. Verified.
Status: RESOLVED → VERIFIED
*** Bug 246171 has been marked as a duplicate of this bug. ***
*** Bug 246259 has been marked as a duplicate of this bug. ***
*** Bug 246212 has been marked as a duplicate of this bug. ***
Tweaking summary to catch more dupes. Notice for instance that this is filed in BROWSER, but the summary talks about mailnews & Thunderbird. Old summary: "mailnews & Thunderbird crash in match_or_replace". Many of the dupes are on Windows -> OS=all
OS: Linux → All
Summary: mailnews & Thunderbird crash in match_or_replace → Browser, mailnews & Thunderbird crash in match_or_replace, on right-click, upon opening tabs or sidebar [f9]
*** Bug 246350 has been marked as a duplicate of this bug. ***
It was filed under Browser/JS engine, since that's where the crashing code is, and there's no JS category under mailnews. I hadn't actually reproduced the problem in the browser, only in the mailers, but others have, so I agree it's a good change.
*** Bug 246351 has been marked as a duplicate of this bug. ***
*** Bug 246374 has been marked as a duplicate of this bug. ***
*** Bug 246108 has been marked as a duplicate of this bug. ***
Just adding topcrash keyword for tracking...this has been the #1 crasher on the Trunk.
Keywords: crash, topcrash
Summary: Browser, mailnews & Thunderbird crash in match_or_replace, on right-click, upon opening tabs or sidebar [f9] → Browser, mailnews & Thunderbird crash in [@ match_or_replace], on right-click, upon opening tabs or sidebar [f9]
*** Bug 246211 has been marked as a duplicate of this bug. ***
Crash Signature: [@ match_or_replace]