Bug 267797 - FF10RC1 crash with gmail.com [@ js_Interpret c8839217]
Status: RESOLVED FIXED
Keywords: crash, fixed-aviary1.0, fixed1.7.5, js1.5, topcrash
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86 Windows XP
Importance: -- critical
Target Milestone: ---
Assigned To: Brendan Eich [:brendan]
QA Contact: Phil Schwartau
Reported: 2004-11-04 13:13 PST by Jay Patel [:jay]
Modified: 2011-08-05 21:33 PDT
brendan: blocking1.7.5+
brendan: blocking-aviary1.0+
bob: in-testsuite-


Attachments
Add more SAVE_SP(fp) calls before OBJ_* call-outs (8.42 KB, patch)
2004-11-05 14:20 PST, Brendan Eich [:brendan]
shaver: review+
asa: approval-aviary+
asa: approval1.7.5+

Description Jay Patel [:jay] 2004-11-04 13:13:54 PST
There are a good number of these crashes in Firefox 1.0 RC1 for gmail users. 
Here's the latest from Talkback:

     Count   Offset    Real Signature
[ 46   js_Interpret c8839217 - js_Interpret ]
 
     Crash date range: 01-NOV-04 to 31-OCT-04
     Min/Max Seconds since last crash: 10 - 360048
     Min/Max Runtime: 11 - 372710
 
     Count   Platform List 
     46   Windows XP [Windows NT 5.1 build 2600] 
 
     Count   Build Id List 
     46   2004102622
 
     No of Unique Users        22
 
 Stack trace(Frame) 

     js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2865]
     js_Execute [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1162]
     JS_EvaluateUCScriptForPrincipals [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c line 3649]
     nsJSContext::EvaluateString [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 946]
     nsScriptLoader::EvaluateScript [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 668]
     nsScriptLoader::ProcessRequest [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 581]
     nsScriptLoader::ProcessScriptElement [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 527]
     nsHTMLScriptElement::MaybeProcessScript [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp line 656]
     nsHTMLScriptElement::SetDocument [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp line 469]
     HTMLContentSink::ProcessSCRIPTTag [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 4341]
     HTMLContentSink::AddLeaf [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 3195]
     HTMLContentSink::AddHeadContent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 3146]
     CNavDTD::AddHeadLeaf [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 3839]
     CNavDTD::HandleStartToken [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 1832]
     CNavDTD::HandleToken [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 1019]
     CNavDTD::BuildModel [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 511]
     nsParser::BuildModel [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/nsParser.cpp line 2004]
 
     (1627002)	URL: www.gmail.com
     (1621500)	URL: www.gmail.com
     (1610025)	URL: http://www.gamearena.com.au/
     (1610025)	Comments: I had just opened firefox and opened my six favourite
webpages with the "Open in tabs" option  and it crashed to desktop when I
started looking at each webpage.
     (1608536)	URL: www.gmail.com
     (1608532)	URL: www.gmail.com
     (1608525)	URL: www.gmail.com
     (1608521)	URL: www.gmail.com
     (1607539)	URL: https://gmail.google.com.br/gmail
     (1605209)	URL: www.gmail.com
     (1602706)	URL: www.gmail.com
     (1602128)	URL: www.gmail.com
     (1598423)	URL: www.gmail.com
     (1596267)	URL: www.gmail.com
     (1594765)	URL: http://gmail.google.com/
     (1594716)	URL: http://gmail.google.com/
     (1593034)	URL: www.gmail.com
     (1588653)	URL: http://gmail.google.com/gmail
     (1588653)	Comments: opening a new tab.
     (1579506)	URL: www.gmail.com
     (1577615)	URL: www.gmail.com
     (1573714)	URL: www.gmail.com
     (1572604)	URL: http://gmail.google.com
     (1572604)	Comments: Logging in to Gmail.

Not sure if this is related, but bug 244178 might be worth a quick look.  I have
been using gmail with recent Aviary builds and have not been able to reproduce.
 Not much info in comments to work with, so maybe the stack can provide a clue?
Comment 1 Brendan Eich [:brendan] 2004-11-04 13:36:59 PST
Need to get some brains on this for 1.0.

/be
Comment 2 Brendan Eich [:brendan] 2004-11-05 14:20:48 PST
Created attachment 164790
Add more SAVE_SP(fp) calls before OBJ_* call-outs

This may help fix some top-crash bugs; it can't hurt (we could SAVE_SP(fp) at
the top of the interpreter loop body and protect all cases, but that would hurt
perf and waste all the effort to keep sp in a "register" [which is pretty much
wasted on x86 anyway]).

/be
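
An added illustration (not part of the bug thread and not Mozilla's code) of why an interpreter that keeps sp in a local must store it back with SAVE_SP before a call-out that can trigger garbage collection. This toy C model assumes the collector treats only the operand slots below the frame's saved sp as roots; every name except SAVE_SP is hypothetical, and SAVE_SP here takes the local sp as an explicit argument.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model (constructed): names other than SAVE_SP are hypothetical. */
enum { HEAP_SIZE = 4, STACK_DEPTH = 4 };

typedef struct { bool live, marked; } Obj;
typedef struct { Obj **spbase; Obj **sp; } Frame;  /* sp = last value the interpreter saved */

static Obj heap[HEAP_SIZE];

#define SAVE_SP(fp, sp) ((fp)->sp = (sp))

static Obj *alloc_obj(void) {
    for (size_t i = 0; i < HEAP_SIZE; i++)
        if (!heap[i].live) { heap[i].live = true; heap[i].marked = false; return &heap[i]; }
    return NULL;
}

/* Collector: the only roots are the operand slots in [spbase, fp->sp). */
static void gc(Frame *fp) {
    for (size_t i = 0; i < HEAP_SIZE; i++) heap[i].marked = false;
    for (Obj **p = fp->spbase; p < fp->sp; p++) if (*p) (*p)->marked = true;
    for (size_t i = 0; i < HEAP_SIZE; i++) if (!heap[i].marked) heap[i].live = false;
}

/* Stand-in for an OBJ_* call-out that can allocate and therefore collect. */
static void callout(Frame *fp) { gc(fp); }

/* Push two operands with sp cached in a local, then call out.
 * Returns how many of the pushed operands are still live afterwards. */
int run(bool save_sp_before_callout) {
    Obj *slots[STACK_DEPTH] = {0};
    Frame frame = { slots, slots };
    Obj **sp = frame.spbase;              /* the interpreter's "register" copy */
    for (size_t i = 0; i < HEAP_SIZE; i++) heap[i].live = false;
    *sp++ = alloc_obj();
    *sp++ = alloc_obj();
    if (save_sp_before_callout) SAVE_SP(&frame, sp);
    callout(&frame);
    int live = 0;
    for (Obj **p = frame.spbase; p < sp; p++) live += (*p)->live;
    return live;                          /* stale frame sp: operands were swept */
}

int main(void) { return (run(false) == 0 && run(true) == 2) ? 0 : 1; }
```

Without the store, the interpreter resumes holding pointers to swept objects, which is the dangling-reference condition a crash inside the interpreter loop would be consistent with.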
Comment 3 Mike Shaver (:shaver -- probably not reading bugmail closely) 2004-11-05 14:25:33 PST
Comment on attachment 164790
Add more SAVE_SP(fp) calls before OBJ_* call-outs

Looks good (and v. safe -- at worst, harmless) to me. r=shaver.
Comment 4 Brendan Eich [:brendan] 2004-11-05 14:27:59 PST
This is good for the branches.

/be
Comment 5 Brendan Eich [:brendan] 2004-11-05 14:35:29 PST
Comment on attachment 164790
Add more SAVE_SP(fp) calls before OBJ_* call-outs

I'll let someone else mark approvals.

/be
Comment 6 Asa Dotzler [:asa] 2004-11-05 14:49:52 PST
Comment on attachment 164790
Add more SAVE_SP(fp) calls before OBJ_* call-outs

a=asa for checkin to the branches.
Comment 7 Brendan Eich [:brendan] 2004-11-05 15:19:59 PST
Fixed everywhere.

/be
