Closed Bug 26241 Opened 25 years ago Closed 25 years ago

Crash in JS when running table regression tests

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Windows NT
defect

VERIFIED FIXED

People

(Reporter: karnaze, Assigned: buster)

Details

(Keywords: crash, Whiteboard: [pdt+])

The url and others in that directory result in the following stack. This is a recent regression. The easiest way to get the crash is using Viewer.

nsQueryInterface::operator()(const nsID & {...}, void * * 0x0012ce4c) line 31 + 23 bytes
nsCOMPtr<nsIScriptObjectOwner>::assign_from_helper(const nsCOMPtr_helper & {...}, const nsID & {...}) line 795 + 18 bytes
nsCOMPtr<nsIScriptObjectOwner>::nsCOMPtr<nsIScriptObjectOwner>(const nsQueryInterface & {...}) line 508
nsJSUtils::nsConvertObjectToJSVal(nsISupports * 0x00be2a70, JSContext * 0x01e388c0, JSObject * 0x00dbf340, long * 0x0012d6c4) line 259
GetHTMLCollectionProperty(JSContext * 0x01e388c0, JSObject * 0x00dbf340, long 13584820, long * 0x0012d6c4) line 128 + 24 bytes
js_GetProperty(JSContext * 0x01e388c0, JSObject * 0x00dbf340, long 36117072, long * 0x0012d6c4) line 1869 + 125 bytes
js_Interpret(JSContext * 0x01e388c0, long * 0x0012d854) line 2218 + 1057 bytes
js_Invoke(JSContext * 0x01e388c0, unsigned int 2, unsigned int 0) line 682 + 13 bytes
js_Interpret(JSContext * 0x01e388c0, long * 0x0012e08c) line 2262 + 15 bytes
js_Invoke(JSContext * 0x01e388c0, unsigned int 2, unsigned int 0) line 682 + 13 bytes
js_Interpret(JSContext * 0x01e388c0, long * 0x0012e8c4) line 2262 + 15 bytes
js_Invoke(JSContext * 0x01e388c0, unsigned int 0, unsigned int 0) line 682 + 13 bytes
js_Interpret(JSContext * 0x01e388c0, long * 0x0012f0fc) line 2262 + 15 bytes
js_Invoke(JSContext * 0x01e388c0, unsigned int 1, unsigned int 2) line 682 + 13 bytes
js_InternalInvoke(JSContext * 0x01e388c0, JSObject * 0x00cf3560, long 14412784, unsigned int 0, unsigned int 1, long * 0x0012f284, long * 0x0012f230) line 759 + 19 bytes
JS_CallFunctionValue(JSContext * 0x01e388c0, JSObject * 0x00cf3560, long 14412784, unsigned int 1, long * 0x0012f284, long * 0x0012f230) line 2772 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x01e38df0, void * 0x00cf3560, void * 0x00dbebf0, unsigned int 1, void * 0x0012f284, int * 0x0012f280) line 562 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x01e66154) line 128 + 57 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0229bcf0, nsIDOMEvent * 0x01e66154, unsigned int 1) line 677 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x0229dc30, nsEvent * 0x0012fd24, nsIDOMEvent * * 0x0012f680, unsigned int 7, nsEventStatus * 0x0012fd64) line 1228 + 31 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x01e35ea4, nsIPresContext * 0x0229dc30, nsEvent * 0x0012fd24, nsIDOMEvent * * 0x0012f680, unsigned int 1, nsEventStatus * 0x0012fd64) line 3331
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x014d3ed0, nsIDocumentLoader * 0x014d5680, nsIChannel * 0x0229a730, unsigned int 0) line 3156 + 34 bytes
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x014d5680, nsIChannel * 0x0229a730, unsigned int 0) line 603
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 494
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x014d5684, nsIChannel * 0x02287e60, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 438
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x014d5800, nsIChannel * 0x02287e60, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 535 + 42 bytes
nsFileChannel::OnStopRequest(nsFileChannel * const 0x02287e64, nsIChannel * 0x02282ae0, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 455
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x022849f0) line 279
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x022849a0) line 93 + 12 bytes
PL_HandleEvent(PLEvent * 0x022849a0) line 526 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00c8ec30) line 487 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0148061e, unsigned int 49301, unsigned int 0, long 13167664) line 975 + 9 bytes
USER32! DispatchMessageWorker@8 + 135 bytes
USER32! DispatchMessageA@4 + 11 bytes
nsNativeViewerApp::Run() line 84
main(int 1, char * * 0x00be1870) line 157 + 11 bytes
mainCRTStartup() line 338 + 17 bytes

The problem is that we end up in GenericElementCollection::NamedItem, which never assigns to its out parameter and then returns NS_OK. It looks like this method is not completely implemented. Reassigning to buster, who is cvs-blamed for it. Here's the stack trace with us in the method:

GenericElementCollection::NamedItem(GenericElementCollection * const 0x02a2a5c0, const nsString & {...}, nsIDOMNode * * 0x0012cdc0) line 116
GetHTMLCollectionProperty(JSContext * 0x02a0ed90, JSObject * 0x025d1750, long 18234772, long * 0x0012d5ac) line 124 + 26 bytes
js_GetProperty(JSContext * 0x02a0ed90, JSObject * 0x025d1750, long 35652720, long * 0x0012d5ac) line 1869 + 125 bytes
js_Interpret(JSContext * 0x02a0ed90, long * 0x0012d73c) line 2218 + 1057 bytes
js_Invoke(JSContext * 0x02a0ed90, unsigned int 2, unsigned int 0) line 682 + 13 bytes
js_Interpret(JSContext * 0x02a0ed90, long * 0x0012df74) line 2262 + 15 bytes
js_Invoke(JSContext * 0x02a0ed90, unsigned int 2, unsigned int 0) line 682 + 13 bytes
js_Interpret(JSContext * 0x02a0ed90, long * 0x0012e7ac) line 2262 + 15 bytes
js_Invoke(JSContext * 0x02a0ed90, unsigned int 0, unsigned int 0) line 682 + 13 bytes
js_Interpret(JSContext * 0x02a0ed90, long * 0x0012efe4) line 2262 + 15 bytes
js_Invoke(JSContext * 0x02a0ed90, unsigned int 1, unsigned int 2) line 682 + 13 bytes
js_InternalInvoke(JSContext * 0x02a0ed90, JSObject * 0x0118a158, long 39652992, unsigned int 0, unsigned int 1, long * 0x0012f16c, long * 0x0012f118) line 759 + 19 bytes
JS_CallFunctionValue(JSContext * 0x02a0ed90, JSObject * 0x0118a158, long 39652992, unsigned int 1, long * 0x0012f16c, long * 0x0012f118) line 2772 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x02a0afc0, void * 0x0118a158, void * 0x025d0e80, unsigned int 1, void * 0x0012f16c, int * 0x0012f168) line 562 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x02f1b6a4) line 128 + 57 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02ef0f60, nsIDOMEvent * 0x02f1b6a4, unsigned int 1) line 677 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x02f76510, nsEvent * 0x0012fc0c, nsIDOMEvent * * 0x0012f568, unsigned int 7, nsEventStatus * 0x0012fc4c) line 1228 + 31 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x02a0c0d4, nsIPresContext * 0x02f76510, nsEvent * 0x0012fc0c, nsIDOMEvent * * 0x0012f568, unsigned int 1, nsEventStatus * 0x0012fc4c) line 3345
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x02a223e0, nsIDocumentLoader * 0x02a23ec0, nsIChannel * 0x02f6f230, unsigned int 0) line 3170 + 34 bytes
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x02a23ec0, nsIChannel * 0x02f6f230, unsigned int 0) line 603
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 494
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x02a23ec4, nsIChannel * 0x02ed3480, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 438
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x02a23e60, nsIChannel * 0x02ed3480, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 535 + 42 bytes
nsFileChannel::OnStopRequest(nsFileChannel * const 0x02ed3484, nsIChannel * 0x02ed31a0, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 455
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x02edfd20) line 279
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x02edf730) line 93 + 12 bytes
PL_HandleEvent(PLEvent * 0x02edf730) line 526 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01096f50) line 487 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x045e0974, unsigned int 49351, unsigned int 0, long 17395536) line 975 + 9 bytes
USER32! 77e71820()
01096f50()

Assignee: norris → buster
crasher needs fixing before beta. trying for M14.
Status: NEW → ASSIGNED
Keywords: beta1
Priority: P3 → P1
Target Milestone: M14
Whiteboard: [pdt+]
Adding "crash" keyword.
Keywords: crash
fix just checked in, should make 2/7/00 daily build. all I did was initialize the out-param.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Marking Verified
Status: RESOLVED → VERIFIED
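
The failure mode described in the comments above (a method that returns NS_OK without assigning its out parameter, fixed by initializing that parameter), as an added C++ example that is not Mozilla's code. `DemoCollection`, `NamedItemBefore`, `NamedItemAfter`, `GetProperty` and the stale-pointer sentinel are hypothetical names, and the name lookup in the fixed version is an assumption that goes beyond the one-line fix reported.

```cpp
// Added illustration, not Mozilla source: every type and name here is hypothetical.
#include <cstdint>
#include <string>
#include <vector>

typedef uint32_t Result;              // stand-in for an nsresult-style status code
static const Result kOk = 0;          // plays the role of NS_OK
static const Result kNullPointer = 1;

struct Node { std::string name; };

// Constructed sentinel for the stale value an uninitialized local would hold.
// It is only ever compared against, never dereferenced.
static Node gStaleTarget;
static Node* const kStale = &gStaleTarget;

class DemoCollection {
public:
    explicit DemoCollection(const std::vector<Node>& nodes) : mNodes(nodes) {}

    // 'Before': reports success on a path that never writes *aReturn.
    Result NamedItemBefore(const std::string&, Node** /*aReturn*/) { return kOk; }

    // 'After': initialize the out-param first so every return path defines it.
    // The lookup loop is an assumption added to make the example complete.
    Result NamedItemAfter(const std::string& aName, Node** aReturn) {
        if (!aReturn) return kNullPointer;
        *aReturn = nullptr;
        for (Node& n : mNodes)
            if (n.name == aName) { *aReturn = &n; break; }
        return kOk;
    }
private:
    std::vector<Node> mNodes;
};

enum Outcome { FAILED, ABSENT, FOUND, GARBAGE_POINTER };
typedef Result (DemoCollection::*Lookup)(const std::string&, Node**);

// Caller that trusts the status code alone before using the returned pointer.
Outcome GetProperty(DemoCollection& c, Lookup fn, const std::string& name) {
    Node* item = kStale;                         // models "Node* item;" left uninitialized
    if ((c.*fn)(name, &item) != kOk) return FAILED;
    if (item == kStale) return GARBAGE_POINTER;  // real code would call through this pointer
    return item ? FOUND : ABSENT;
}

int main() {
    DemoCollection c(std::vector<Node>{ {"t1"} });
    return GetProperty(c, &DemoCollection::NamedItemAfter, "t1") == FOUND ? 0 : 1;
}
```

With the unfixed lookup the caller ends up holding whatever was in its local before the call, which is the state the first stack trace shows being passed on to QueryInterface.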