Closed Bug 263603 Opened 20 years ago Closed 20 years ago

Crash in 30 - 50% attempt look pages from this site

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

VERIFIED DUPLICATE of bug 244470
mozilla1.8alpha5

People

(Reporter: vfigurov, Assigned: brendan)

Details

(Keywords: crash, js1.5, regression, Whiteboard: TB1208597K TB1208693E)

Attachments

(1 file)

60.23 KB, application/x-javascript
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a) Gecko/20040515
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a) Gecko/2004051509

Froze, then showed a popup system window with a message about "Send error ...". After
clicking Send/Cancel, the Mozilla window closes automatically.

Reproducible: Sometimes
Steps to Reproduce:
1. Mozilla must TAB-SETS
1. go to http://www.kolesa.ru/
2. click on links in center page (News???)
3.
crash: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a1) Gecko/20040520
opened URL twice in new tabs, then reloaded twice, then crash on Shift-Reload.
TB1209126E for 1.8a1, TB1209126E for 1.8a5

no crash seen on 1.7.4 and 1.4.2
WFM Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Severity: normal → critical
Summary: crash in 30 - 50% attept look pages from this site → Crash in 30 - 50% attempt look pages from this site
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a) Gecko/20040417

regressed somewhere at the start of the 1.8 branch,
BuildID 2004041208 working, 2004041708 crashing, doesn't contain talkback.
I've got the impression, recent builds are crashing better ;-)

I didn't see flash on the websites, only animated gifs, and lots of Javascript.

The six talkbacks I submitted are all showing different stack signatures:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=url&match=contains&searchfor=http%3A%2F%2Fwww.kolesa.ru%2F%3Fnewsalias%3D15712&vendor=All&product=All&platform=All

Keywords: regression
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041009
Mozilla Windows Trunk Nightly Build ID: 2004100906
Crashes after clicking on URL above.
Talkback IDs: TB1217050H, TB1216988M

Please change the Status to NEW.
Confirming bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
valgrind says this loading www.kolesa.ru:

Invalid write of size 4
   at 0x1B94FFC1: js_Interpret (jsinterp.c:4299)
   by 0x1B942FFB: js_Execute (jsinterp.c:1562)
   by 0x1B91E2C3: JS_EvaluateUCScriptForPrincipals (jsapi.c:3698)
   by 0x1C963134: nsJSContext::EvaluateString(nsAString const&, void*, nsIPrincipal*, char const*, unsigned, char const*, nsAString*, int*) (nsJSEnvironment.cpp:988)
   by 0x1C7EB0AF: nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&) (nsScriptLoader.cpp:669)
   by 0x1C7EAD0A: nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) (nsScriptLoader.cpp:586)
   by 0x1C7EBD51: nsScriptLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, unsigned, unsigned, unsigned char const*) (nsScriptLoader.cpp:919)
   by 0x1CD486B0: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned) (nsStreamLoader.cpp:132)
 Address 0x1E8C54C0 is not stack'd, malloc'd or (recently) free'd

==> JS
Assignee: general → brendan
Component: Browser-General → JavaScript Engine
OS: Windows XP → All
QA Contact: general → pschwartau
Attached file test JS script
this script (when loaded from HTML enough times) triggers a crash.  If passed
to JS Shell running under valgrind, it generates the following:

Invalid write of size 4
 at 0x808FFA5: js_Interpret (jsinterp.c:4320)
 by 0x8080720: js_Execute (jsinterp.c:1562)
 by 0x8053BAD: JS_ExecuteScript (jsapi.c:3589)
 by 0x8049499: Process (js.c:351)
 by 0x8049BBD: ProcessArgs (js.c:568)
 by 0x804C5B9: main (js.c:2433)
Address 0x3422DFD8 is not stack'd, malloc'd or (recently) free'd
the crash loading the URL as well as the attached script regressed between linux
trunk builds 2004041207 and 2004041308, pointing at bug 169559, bug 165201 or
bug 206599
> at 0x808FFA5: js_Interpret (jsinterp.c:4320)

should be line 4299:
     fp->vars[atomIndex] = INT_TO_JSVAL(sprop->slot);
Regression from bug 169559 -- this kind of long feedback delay is a good
indicator of why the trunk should be, and is, still in alpha (bug 169559's patch
did not go into the aviary or 1.7 branches).  Thanks for the valgrind and
talkback analysis.

/be
Status: NEW → ASSIGNED
Keywords: js1.5
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8alpha5
*** Bug 251956 has been marked as a duplicate of this bug. ***
Dup of 244470, I'll take that bug and fix the underlying problem.

/be

*** This bug has been marked as a duplicate of 244470 ***
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Verified DUP
Status: RESOLVED → VERIFIED
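
Added example, not part of the original bug thread or of any Mozilla tooling: the two valgrind reports quoted in this bug are the same invalid write in js_Interpret, but their addresses and line numbers differ between builds (jsinterp.c:4299 vs. 4320). The Python below parses Memcheck "Invalid read/write" reports and buckets them by error kind and top (function, file) frames so such reports group together; the names parse_reports, signature and bucket and the default depth of 2 are assumptions of this example.

```python
import re
from collections import defaultdict

# The two Memcheck reports quoted in this bug, trimmed to their first three frames.
REPORTS = """\
Invalid write of size 4
   at 0x1B94FFC1: js_Interpret (jsinterp.c:4299)
   by 0x1B942FFB: js_Execute (jsinterp.c:1562)
   by 0x1B91E2C3: JS_EvaluateUCScriptForPrincipals (jsapi.c:3698)
 Address 0x1E8C54C0 is not stack'd, malloc'd or (recently) free'd

Invalid write of size 4
 at 0x808FFA5: js_Interpret (jsinterp.c:4320)
 by 0x8080720: js_Execute (jsinterp.c:1562)
 by 0x8053BAD: JS_ExecuteScript (jsapi.c:3589)
Address 0x3422DFD8 is not stack'd, malloc'd or (recently) free'd
"""

HEAD = re.compile(r"^\s*(Invalid (?:read|write) of size \d+)\s*$")
FRAME = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(([^():]+):(\d+)\)\s*$")

def parse_reports(text):
    """Return a list of {'kind': str, 'frames': [(function, file, line), ...]}."""
    reports = []
    for line in text.splitlines():
        head = HEAD.match(line)
        frame = FRAME.match(line)
        if head:
            reports.append({"kind": head.group(1), "frames": []})
        elif frame and reports:
            reports[-1]["frames"].append(
                (frame.group(1), frame.group(2), int(frame.group(3))))
    return reports

def signature(report, depth=2):
    # Addresses and line numbers are dropped: they change from build to build.
    return (report["kind"],
            tuple((fn, src) for fn, src, _ in report["frames"][:depth]))

def bucket(reports, depth=2):
    groups = defaultdict(list)
    for r in reports:
        groups[signature(r, depth)].append(r)
    return dict(groups)

if __name__ == "__main__":
    for sig, members in bucket(parse_reports(REPORTS)).items():
        lines = sorted({m["frames"][0][2] for m in members})
        print(sig[0], "in", sig[1][0][0], "reports:", len(members), "lines:", lines)
```

At depth 2 both reports fall into one bucket; at depth 3 they split, because the browser and the JS shell enter js_Execute through different API calls.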