Bug 276979
Unrooted JSObject in nsXPCWrappedJSClass::DelegatedQueryInterface crashes [@ js_LookupPropertyWithFlags ]
Status: RESOLVED FIXED (Closed)
Opened 20 years ago, closed 19 years ago
Categories: Core :: XPConnect, defect
People: Reporter: tvdijen, Assigned: timeless
Keywords: crash, fixed1.8
Attachments: 1 file, 1 obsolete file (patch, 1.28 KB; brendan: superreview+, asa: approval1.8rc2+)
Firefox just crashes when I visit http://www.hi.nl
I tried it on the Unix platform as well. It also crashes.
Not sure what goes wrong, but a browser should not crash on bad input, no matter
how nasty the website is coded!
My browser:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Comment 1•20 years ago
WFM, no crash in Firefox 20050103 and Mozilla 2005010206 trunk builds on Linux.
(Firefox 1.0 on Linux crashes though.)
Severity: normal → critical
Updated•20 years ago
Summary: Firefox crashe son www.hi.nl → Firefox crashes on www.hi.nl
Comment 2•20 years ago
I crashed using FF 1.0 on WinXP, full stack:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=tb2910858w
Summary: Firefox crashes on www.hi.nl → Firefox crashes on www.hi.nl [@ js_LookupPropertyWithFlags ]
Incident ID: 2910858
Stack Signature js_LookupPropertyWithFlags 855770ae
Product ID Firefox10
Build ID 2004110711
Trigger Time 2005-01-04 07:36:08.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (0002874a)
URL visited http://www.hi.nl/
User Comments loading page
Since Last Crash 1978872 sec
Total Uptime 4456331 sec
Trigger Reason Access violation
Source File, Line No.
d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2467
Stack Trace
js_LookupPropertyWithFlags
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line
2467]
js_LookupProperty
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line
2587]
js_GetProperty
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line
2693]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 589]
nsXPCWrappedJS::QueryInterface
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 97]
nsEventListenerManager::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1524]
GlobalWindowImpl::HandleDOMEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 927]
nsXULDocument::HandleDOMEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp,
line 1268]
nsXULElement::HandleDOMEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2864]
PresShell::HandleEventInternal
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6059]
PresShell::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2280]
nsViewManager::DispatchEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2066]
HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsWindow::DispatchKeyEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 2978]
nsWindow::OnKeyDown
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3017]
nsWindow::WindowProc
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1349]
USER32.dll + 0x3a50 (0x77d43a50)
USER32.dll + 0x3b1f (0x77d43b1f)
USER32.dll + 0x3d79 (0x77d43d79)
USER32.dll + 0x3ddf (0x77d43ddf)
nsAppShellService::Run
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 495]
main
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/browser/app/nsBrowserApp.cpp,
line 58]
kernel32.dll + 0x2141a (0x77e8141a)
Assignee: firefox → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: firefox.general → pschwartau
Version: 1.0 Branch → 1.7 Branch
Comment 4•20 years ago
If this isn't an issue on trunk, is there a reason not to resolve this worksforme?
Comment 5•20 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050406
Firefox/1.0+
I crashed with a trunk build on the following URL.
http://www.newscientist.com/article.ns?id=mg18624944.600
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB4910634X
Stack Signature js_LookupPropertyWithFlags b75fe574
Product ID FirefoxTrunk
Build ID 2005040506
Trigger Time 2005-04-07 06:47:27.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (0002bdeb)
URL visited
User Comments
Since Last Crash 96671 sec
Total Uptime 96671 sec
Trigger Reason Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2522
Stack Trace
js_LookupPropertyWithFlags
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2522]
js_LookupPropertyWithFlags
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2472]
js_GetProperty
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2742]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 255]
nsXPCWrappedJSClass::GetArraySizeFromParam
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 692]
nsXPCWrappedJS::Release
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 157]
nsEventListenerManager::FlipCaptureBit
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1772]
nsGlobalWindow::GetPrincipal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 1027]
nsXULDocument::DestroyForwardReferences
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp,
line 1571]
nsXULElement::SetInlineStyleRule
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2319]
nsXULElement::SetInlineStyleRule
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2311]
nsXULElement::SetInlineStyleRule
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2311]
nsXULElement::SetInlineStyleRule
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2311]
nsXULElement::SetInlineStyleRule
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2311]
nsXULElement::SetInlineStyleRule
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2311]
nsXULElement::SetInlineStyleRule
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2311]
nsXULElement::SetInlineStyleRule
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2311]
nsEventStateManager::DispatchMouseEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2514]
nsEventStateManager::NotifyMouseOver
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2625]
nsEventStateManager::NotifyMouseOver
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2610]
nsEventStateManager::GenerateMouseEnterExit
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2648]
nsEventStateManager::PreHandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 470]
ReflowEvent::HandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6486]
PresShell::HandleEventInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6287]
nsViewManager::ResizeView
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2830]
SortByZOrder
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 1144]
nsView::SetZIndex
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line
678]
nsWindow::DispatchAppCommandEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1207]
nsWindow::DispatchMouseEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5826]
nsWindow::SetIcon
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 6047]
nsWindow::StandardWindowCreate
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1508]
USER32.dll + 0x8709 (0x77cf8709)
USER32.dll + 0x87eb (0x77cf87eb)
USER32.dll + 0x89a5 (0x77cf89a5)
USER32.dll + 0x89e8 (0x77cf89e8)
nsAppShell::GetNativeEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsAppShell.cpp,
line 205]
nsAutoCompleteController::~nsAutoCompleteController
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp,
line 75]
main
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/browser/app/nsBrowserApp.cpp,
line 60]
kernel32.dll + 0x16d4f (0x7c816d4f)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 1.7 Branch → Trunk
Comment 6•20 years ago
Masayuki, your crash occurs at a different location and with a sufficiently
different stack that I doubt it is the same as the original bug. Do you have any
extensions installed or can you reproduce this same crash and give steps on how
to reproduce?
I tried with a firefox 1.0.x and trunk debug winxp build from yesterday on both
urls and can not reproduce either crash.
QA Contact: pschwartau → moz
Comment 7•20 years ago
err, make that ff 1.0 not 1.0.x
Comment 8•20 years ago
Oops... Sorry. You are right.
I cannot reproduce on safe mode.
Comment 9•20 years ago
Tim, can you reproduce your original bug either with Firefox 1.0.2 or a recent
Firefox trunk build?
Comment 10•19 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051009
Firefox/1.4.1 ID:2005100902
crash with latest branch
TB10464972Y
Incident ID: 10464972
Stack Signature js_LookupPropertyWithFlags e0c06551
Product ID Firefox15
Build ID 2005100805
Trigger Time 2005-10-10 04:42:13.0
Platform Win32
Operating System Windows NT 5.0 build 2195
Module js3250.dll + (0002d4be)
URL visited http://www.hansrossel.com/reisgids/turkijePR.html
User Comments crash while opening this page
Since Last Crash 4391 sec
Total Uptime 4391 sec
Trigger Reason Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2592
Stack Trace
js_LookupPropertyWithFlags
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line
2592]
js_LookupProperty
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line
2519]
js_GetProperty
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line
2804]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 589]
nsXPCWrappedJS::QueryInterface
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 97]
nsEventListenerManager::HandleEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1779]
nsXULDocument::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp,
line 1242]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2135]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2132]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2132]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2132]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2132]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2132]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2132]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2132]
nsEventStateManager::DispatchMouseEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2627]
nsEventStateManager::NotifyMouseOut
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2696]
nsEventStateManager::NotifyMouseOver
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2746]
nsEventStateManager::GenerateMouseEnterExit
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 2785]
nsEventStateManager::PreHandleEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 522]
PresShell::HandleEventInternal
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6361]
PresShell::HandleEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6203]
nsViewManager::HandleEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2559]
nsViewManager::DispatchEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2246]
HandleEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp,
line 174]
nsWindow::DispatchEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1252]
nsWindow::DispatchMouseEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5991]
ChildWindow::DispatchMouseEvent
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 6242]
nsWindow::WindowProc
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1434]
USER32.dll + 0x3158f (0x77e4158f)
USER32.dll + 0x31dc9 (0x77e41dc9)
USER32.dll + 0x31e7e (0x77e41e7e)
nsAppStartup::Run
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp,
line 151]
main
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp,
line 61]
KERNEL32.dll + 0x28989 (0x79628989)
Comment 11•19 years ago
forgot to add, yes this page crashes in -safe-mode too
Comment 12•19 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051008
Firefox/1.6a1 ID:2005100807
http://www.hansrossel.com/reisgids/turkijePR.html doesn't crash me on trunk,
but it does on branch:
- Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051010
Firefox/1.4.1 ID:2005101005
Comment 13•19 years ago
forget comment 10, 11 and 12, it's a recent regression
filed Bug 311950 for it
Comment 14•19 years ago
I don't crash with 1.5 or trunk from yesterday on winxp. Tim, if you can't reproduce this with recent builds would you mark it works for me? Thanks.
Flags: testcase-
Comment 15•19 years ago (Assignee)
this crash report is from 1.8 branch (sorry, our product uses the branch...)
things are /slightly/ different on trunk, but just as broken.
EXCEPTION_RECORD: 0012f208 -- (.exr 12f208)
ExceptionAddress: 00b4ceb3 (js3250!MarkGCThing+0x000000a5)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000000a
Attempt to read from address 0000000a
FAULTING_THREAD: 000015f8
BUGCHECK_STR: 80000003
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: HsEngine.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
CONTEXT: 0012f224 -- (.cxr 12f224)
eax=00000006 ebx=34f51850 ecx=0012f500 edx=34f5184c esi=360a0414 edi=360a03a0
eip=00b4ceb3 esp=0012f4f0 ebp=0012f508 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210286
js3250!MarkGCThing+0xa5:
00b4ceb3 8b4804 mov ecx,[eax+0x4] ds:0023:0000000a=????????
Resetting default scope
MANAGED_STACK: !dumpstack -EE
succeeded
Loaded Son of Strike data table version 5 from "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
Current frame:
ChildEBP RetAddr Caller,Callee
LAST_CONTROL_TRANSFER: from 00b4ceae to 00b4ceb3
STACK_TEXT:
0012f508 00b4ceae 35df1628 360a03a0 360a0414 js3250!MarkGCThing+0xa5 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1146]
0012f534 00b4cf98 35df1628 34f516c8 34f50261 js3250!MarkGCThing+0xa0 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1141]
0012f544 00b31b54 35df1628 35515a68 00000000 js3250!js_MarkGCThing+0x1c [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1446]
0012f554 010ea9ed 35df1628 35515a68 01182c1c js3250!JS_MarkGCThing+0xf [c:\build\chs3\build\mozilla\js\src\jsapi.c @ 1838]
0012f578 010eb1db 360fed08 35df1628 00000000 gklayout!nsDOMClassInfo::MarkReachablePreservedWrappers+0xac [c:\build\chs3\build\mozilla\dom\src\base\nsdomclassinfo.cpp @ 4898]
0012f58c 00b17ab7 0167c460 360fed08 35df1628 gklayout!nsNodeSH::Mark+0x1f [c:\build\chs3\build\mozilla\dom\src\base\nsdomclassinfo.cpp @ 6195]
0012f5b4 00b5c9ab 35df1628 34f50e68 00000000 xpc3250!XPC_WN_Helper_Mark+0x3e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 989]
0012f5d4 00b4cec5 35df1628 34f50e68 00000000 js3250!js_Mark+0xc3 [c:\build\chs3\build\mozilla\js\src\jsobj.c @ 4127]
0012f600 00b4cf98 35df1628 34f50e68 34f50155 js3250!MarkGCThing+0xb7 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1146]
0012f610 00b4cfc6 35df1628 34f50e68 00000000 js3250!js_MarkGCThing+0x1c [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1446]
0012f620 00b400be 00a0f14c 0d3c09c8 0000007f js3250!gc_root_marker+0x2a [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1485]
0012f654 00b4d200 0000007f 00b4cf9c 35df1628 js3250!JS_DHashTableEnumerate+0x4f [c:\build\chs3\build\mozilla\js\src\jsdhash.c @ 620]
0012f6a4 00b4d9d1 35df1628 00000005 00b90b60 js3250!js_GC+0x1ca [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1702]
0012f6d0 00b5e890 35df1628 00000000 00000008 js3250!js_NewGCThing+0xf0 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 636]
0012f6f8 00b133a0 35df1628 00b28a08 03ff8e88 js3250!js_NewObject+0x71 [c:\build\chs3\build\mozilla\js\src\jsobj.c @ 1905]
0012f71c 00b14fb3 0012f820 03ff8e50 00000000 xpc3250!XPCWrappedNative::Init+0xa5 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 764]
0012f7b4 00b08239 0012f820 03ff8e50 03f545c8 xpc3250!XPCWrappedNative::GetNewOrUsed+0x315 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 391]
0012f7f4 00b01834 0012f820 0012f8c8 1411a240 xpc3250!XPCConvert::NativeInterface2JSObject+0x79 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcconvert.cpp @ 1107]
0012f894 00b0c3bd 00a15100 35df1628 0403e6c8 xpc3250!nsXPConnect::WrapNative+0x47 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\nsxpconnect.cpp @ 588]
0012f8cc 00b11219 35df1628 0403e6c8 00408d58 xpc3250!xpc_NewIDObject+0x60 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcjsid.cpp @ 993]
0012f910 00b115ab 04414f70 0403e6c8 00408d58 xpc3250!nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject+0xc3 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 267]
0012f9a4 00b0f6b7 00a8fd68 0407cc88 00408d58 xpc3250!nsXPCWrappedJSClass::DelegatedQueryInterface+0x129 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 590]
0012f9c4 0085463d 0407cc88 00408d58 0012fa2c xpc3250!nsXPCWrappedJS::QueryInterface+0x62 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 97]
0012f9f4 00403fca 002ada4c 0407cc88 00408d58 xpcom_core!nsComponentManagerImpl::GetServiceByContractID+0x71 [c:\build\chs3\build\mozilla\xpcom\components\nscomponentmanager.cpp @ 2393]
0012fa48 004052f9 0012fcec 0012fab4 00000000 HsEngine!nsNativeAppSupportWin::GetCmdLineArgs+0x240 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsnativeappsupportwin.cpp @ 2099]
0012fabc 00405760 0012fcec 00000000 0012fb8c HsEngine!nsNativeAppSupportWin::HandleRequest+0x30 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsnativeappsupportwin.cpp @ 1810]
0012fb84 77d48734 00000000 0000004a 00000000 HsEngine!MessageWindow::WindowProc+0x2f [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsnativeappsupportwin.cpp @ 924]
0012fbb0 77d48816 00405731 00b3041c 0000004a USER32!InternalCallWinProc+0x28
0012fc18 77d4b4c0 00000000 00405731 00b3041c USER32!UserCallWinProcCheckWow+0x150
0012fc6c 77d5e7fe 005c7218 0000004a 00000000 USER32!DispatchClientMessage+0xa3
0012fc9c 7c90eae3 0012fcac 000000cc 000000cc USER32!__fnCOPYDATA+0x41
0012fcdc 00405730 77d4b473 00000030 5c3a4322 ntdll!KiUserCallbackDispatcher+0x13
0012fd74 77d493e9 77d493a8 0012fe08 00000000 HsEngine!nsSplashScreenWin::~nsSplashScreenWin+0x1b [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsnativeappsupportwin.cpp @ 450]
0012fda0 77d49402 0012fe08 00000000 00000100 USER32!NtUserPeekMessage+0xc
0012fdcc 012ad491 0012fe08 00000000 00000100 USER32!PeekMessageW+0xbc
0012fe24 012ad61a 0012fe40 00000000 00000000 gkwidget!PeekKeyAndIMEMessage+0x1f [c:\build\chs3\build\mozilla\widget\src\windows\nsappshell.cpp @ 91]
0012fe7c 01270e48 01595158 00402aa6 00abce28 gkwidget!nsAppShell::Run+0x65 [c:\build\chs3\build\mozilla\widget\src\windows\nsappshell.cpp @ 128]
0012fe84 00402aa6 00abce28 7c80b529 00000000 appcomps!nsAppStartup::Run+0xd [c:\build\chs3\build\mozilla\xpfe\components\startup\src\nsappstartup.cpp @ 208]
0012fee4 00402bae 00000003 002a45f0 00000000 HsEngine!main1+0x355 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1264]
0012ff08 00402be3 00000003 002a45f0 00152357 HsEngine!main+0xc5 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1765]
0012ff18 00407765 00400000 00000000 00152357 HsEngine!WinMain+0x18 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1789]
0012ffc0 7c816d4f 80000001 0875ee34 7ffdf000 HsEngine!WinMainCRTStartup+0x185 [f:\vs70builds\3077\vc\crtbld\crt\src\crtexe.c @ 390]
0012fff0 00000000 004075e0 00000000 78746341 kernel32!BaseProcessStart+0x23
FOLLOWUP_IP:
js3250!MarkGCThing+a5 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1146]
00b4ceb3 8b4804 mov ecx,[eax+0x4]
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: js3250!MarkGCThing+a5
MODULE_NAME: js3250
IMAGE_NAME: js3250.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 43676160
STACK_COMMAND: .cxr 12f224 ; kb
FAILURE_BUCKET_ID: 80000003_js3250!MarkGCThing+a5
BUCKET_ID: 80000003_js3250!MarkGCThing+a5
Followup: MachineOwner
---------
---
possibles:
311950 (probably poorly duped)
292210
278743
276979
---
0 e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 587] 0001 (0001) 0:**** xpc3250!nsXPCWrappedJSClass::DelegatedQueryInterface+0x116
1 e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 243] 0001 (0001) 0:**** xpc3250!nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject+0xc
2 e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 271] 0001 (0001) 0:**** xpc3250!nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject+0xcd
Assignee: general → timeless
Component: JavaScript Engine → XPConnect
QA Contact: bob → pschwartau
Summary: Firefox crashes on www.hi.nl [@ js_LookupPropertyWithFlags ] → Unrooted JSObject in nsXPCWrappedJSClass::DelegatedQueryInterface crashes [@ js_LookupPropertyWithFlags ]
Comment 16•19 years ago (Assignee)
Comment 17•19 years ago (Assignee)
Comment 18•19 years ago (Assignee)
*** Bug 278743 has been marked as a duplicate of this bug. ***
Attachment #201578 -
Flags: superreview?(bzbarsky)
Attachment #201578 -
Flags: review?(mrbkap)
Comment 19•19 years ago
Comment on attachment 201578 [details] [diff] [review]
protect the function and object
r=mrbkap
Attachment #201578 -
Flags: review?(mrbkap) → review+
Updated•19 years ago
Attachment #201578 -
Flags: superreview?(bzbarsky)
Attachment #201578 -
Flags: superreview+
Attachment #201578 -
Flags: review?(mrbkap)
Attachment #201578 -
Flags: review+
Updated•19 years ago
Attachment #201578 -
Flags: review?(mrbkap) → review+
Comment 20•19 years ago (Assignee)
Comment on attachment 201578 [details] [diff] [review]
protect the function and object
mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp 1.86
Attachment #201578 -
Attachment is obsolete: true
Comment 21•19 years ago (Assignee)
Comment on attachment 201579 [details] [diff] [review]
protect the function and object (1.8 branch, diff not made against cvs.mozilla.org versions, sorry)
this fixes a gc rooting hole that can happen randomly
Attachment #201579 -
Flags: approval1.8rc2?
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
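The class of bug named in the summary, a GC thing held only in a native local across an allocation that may run the collector, shown on a toy mark-and-sweep heap. This is an added example, not the patch attached to this bug and not SpiderMonkey or XPConnect code; every function and type name in it is hypothetical, and the "QueryInterface" and "iid" tags are labels only. Handles carry a generation counter so the stale reference is detected instead of being dereferenced.

```c
#include <stdio.h>
#include <string.h>

/* Toy mark-and-sweep heap. Every name here is hypothetical. */
#define HEAP_SLOTS 4
#define MAX_ROOTS  8

typedef struct { int live; int marked; unsigned gen; char tag[16]; } Obj;
typedef struct { int slot; unsigned gen; } Ref;  /* handle: slot + generation */

static Obj  heap[HEAP_SLOTS];
static Ref *roots[MAX_ROOTS];   /* explicit root set: addresses of native locals */
static int  nroots;
static int  gc_runs;
static char last_seen_tag[16];  /* what a raw pointer to the old slot would read */

static void root_push(Ref *r) { roots[nroots++] = r; }
static void root_pop(void)    { nroots--; }

/* A handle is valid only while its slot still holds the same generation. */
static int ref_valid(Ref r) {
    return r.slot >= 0 && heap[r.slot].live && heap[r.slot].gen == r.gen;
}

static void gc(void) {
    int i;
    gc_runs++;
    for (i = 0; i < HEAP_SLOTS; i++) heap[i].marked = 0;
    for (i = 0; i < nroots; i++)             /* mark: only what the root set names */
        if (ref_valid(*roots[i])) heap[roots[i]->slot].marked = 1;
    for (i = 0; i < HEAP_SLOTS; i++)         /* sweep: everything left unmarked */
        if (heap[i].live && !heap[i].marked) heap[i].live = 0;
}

/* Any allocation may collect first; collect_first models the runs where it does. */
static Ref new_obj(const char *tag, int collect_first) {
    Ref r = { -1, 0 };
    int i;
    if (collect_first) gc();
    for (i = 0; i < HEAP_SLOTS; i++) {
        if (!heap[i].live) {
            heap[i].live = 1;
            heap[i].gen++;                   /* slot reuse bumps the generation */
            snprintf(heap[i].tag, sizeof heap[i].tag, "%s", tag);
            r.slot = i;
            r.gen = heap[i].gen;
            return r;
        }
    }
    return r;
}

/* Shape of the hazard: obtain a callable, allocate an argument object, then
 * use the callable. Returns 1 if `fun` still names the object that was
 * obtained, 0 if the collector reclaimed it during the second allocation. */
static int delegated_call(int rooted, int gc_during_alloc) {
    Ref fun, id;
    int ok;
    memset(heap, 0, sizeof heap);
    nroots = 0;
    gc_runs = 0;
    fun = new_obj("QueryInterface", 0);      /* referenced only from this local */
    if (rooted) root_push(&fun);             /* the fix: make the local a GC root */
    id = new_obj("iid", gc_during_alloc);    /* allocation that may run gc() */
    ok = ref_valid(fun);
    memcpy(last_seen_tag, heap[fun.slot].tag, sizeof last_seen_tag);
    (void)id;
    if (rooted) root_pop();
    return ok;
}

int main(void) {
    printf("unrooted, no GC   -> valid=%d\n", delegated_call(0, 0));
    printf("unrooted, GC runs -> valid=%d, slot now holds \"%s\"\n",
           delegated_call(0, 1), last_seen_tag);
    printf("rooted,   GC runs -> valid=%d, slot still holds \"%s\"\n",
           delegated_call(1, 1), last_seen_tag);
    return 0;
}
```

The unrooted path fails only on the runs where the allocator decides to collect, which is why this class of crash is hard to reproduce on demand.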
Comment 22•19 years ago
Comment on attachment 201579 [details] [diff] [review]
protect the function and object (1.8 branch, diff not made against cvs.mozilla.org versions, sorry)
Brendan, can you give an extra sr here since you and blake have been fixing so many of these unrooted js object bugs lately? You guys have a good idea of what these fixes should look like. Thanks.
Attachment #201579 -
Flags: superreview?(brendan)
Comment 23•19 years ago
Comment on attachment 201579 [details] [diff] [review]
protect the function and object (1.8 branch, diff not made against cvs.mozilla.org versions, sorry)
mscott, this is a different module with its own rooting bugs and solutions. But I can certainly sr this stuff since it has also been around a long while and its local GC rooting solutions are known.
/be
Attachment #201579 -
Flags: superreview?(brendan) → superreview+
Comment 24•19 years ago
There are other bugs of this sort lurking. Taking this fix even late in the game adds negligible risk. The only tradeoff is that the gain may be small or tiny in talkback terms. IOW, this is not a topcrash. But the patch is a good fix.
/be
Flags: blocking1.8rc2?
Updated•19 years ago
Attachment #201579 -
Flags: approval1.8rc2? → approval1.8rc2+
Comment 25•19 years ago
It looks like this was checked into the branch by timeless.
As such, adding the fixed1.8 keyword to the bug.
Flags: blocking1.8rc2?
Keywords: fixed1.8
Updated•14 years ago
Crash Signature: [@ js_LookupPropertyWithFlags ]