Closed Bug 282360 Opened 20 years ago Closed 20 years ago

Startup crash [@ find_split]; TOO_MUCH_GC; no jsd

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: timeless, Assigned: mrbkap)

Details

(Keywords: crash)

Crash Data

Unhandled exception at 0x00b4db72 (js3250.dll) in mozilla.exe: 0xC0000005:
Access violation reading location 0x05439000.

EAX = 00261D82 EBX = 04F76088 ECX = 00000000 EDX = 00A54FC8 ESI = 00261D82 EDI =
04F754FC EIP = 00B4DB72 ESP = 0012EFB0 EBP = 0012EFC4 EFL = 00000297 

>	js3250.dll!find_split(JSContext * cx=0x04f37e70, JSString * str=0x04fa0bf8,
JSRegExp * re=0x00000000, long * ip=0x00000001, JSSubString * sep=0x0012eff4) 
Line 1810 + 0x3	C
 	js3250.dll!str_split(JSContext * cx=0x04f37e70, JSObject * obj=0x0510e0e0,
unsigned int argc=0x00000001, long * argv=0x0513a61c, long * rval=0x0012f068) 
Line 1888 + 0x14	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0012f068, unsigned int argc=0x04f37e70,
unsigned int flags=0x0513a620)  Line 1293 + 0x11	C
 	js3250.dll!js_Interpret(JSContext * cx=0x04f37e70, long * result=0x0513a620) 
Line 3627	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0012f068, unsigned int argc=0x04f37e70,
unsigned int flags=0x0513a620)  Line 1313 + 0xa	C
 	js3250.dll!js_Interpret(JSContext * cx=0x04f37e70, long * result=0x0513a620) 
Line 3627	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0012f068, unsigned int argc=0x04f37e70,
unsigned int flags=0x0513a620)  Line 1313 + 0xa	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x04f37e9c, JSObject *
obj=0x04fa0cc0, long fval=0x04f13fd0, unsigned int flags=0x00000000, unsigned
int argc=0x00000001, long * argv=0x0012f618, long * rval=0x0012f660)  Line
1390 + 0xe	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x04f37e70, JSObject *
obj=0x04fa0cc0, long fval=0x04f13fd0, unsigned int argc=0x00000001, long *
argv=0x0012f618, long * rval=0x0012f660)  Line 3767 + 0x1a	C
 	gklayout.dll!nsJSContext::CallEventHandler(JSObject * aTarget=0x04fa0cc0,
JSObject * aHandler=0x04f13fd0, unsigned int argc=0x00000001, long *
argv=0x0012f618, long * rval=0x0012f660)  Line 1344 + 0x18	C++
 	gklayout.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x0513a620) 
Line 246 + 0x3a	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct *
aListenerStruct=0x00000001, nsIDOMEvent * aDOMEvent=0x0513a61c,
nsIDOMEventTarget * aCurrentTarget=0x0012f068, unsigned int aSubType=0x04f37e70,
unsigned int aPhaseFlags=0x0513a620)  Line 1512 + 0xb	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext *
aPresContext=0x00000000, nsEvent * aEvent=0x0012f87c, nsIDOMEvent * *
aDOMEvent=0x0012f848, nsIDOMEventTarget * aCurrentTarget=0x04f6d44c, unsigned
int aFlags=0x00000007, nsEventStatus * aEventStatus=0x0012f90c)  Line 1589	C++
 	gklayout.dll!GlobalWindowImpl::HandleDOMEvent(nsPresContext *
aPresContext=0x021d2240, nsEvent * aEvent=0x0012f87c, nsIDOMEvent * *
aDOMEvent=0x0012f848, unsigned int aFlags=0x00000007, nsEventStatus *
aEventStatus=0x0012f90c)  Line 908	C++
 	gklayout.dll!DocumentViewerImpl::LoadComplete(unsigned int aStatus=0x00000000)
 Line 890 + 0x19	C++
 	docshell.dll!nsDocShell::EndPageLoad(nsIWebProgress * aProgress=0x04ef5584,
nsIChannel * aChannel=0x04fa5a78, unsigned int aStatus=0x00000000)  Line 4309	C++
 	docshell.dll!nsWebShell::EndPageLoad(nsIWebProgress * aProgress=0x0012f068,
nsIChannel * channel=0x04f37e70, unsigned int aStatus=0x0513a620)  Line 752	C++
 	docshell.dll!nsDocShell::OnStateChange(nsIWebProgress * aProgress=0x04ef5584,
nsIRequest * aRequest=0x04fa5a78, unsigned int aStateFlags=0x04ef5584, unsigned
int aStatus=0x00000000)  Line 4229	C++
 	docshell.dll!nsDocLoaderImpl::FireOnStateChange(nsIWebProgress *
aProgress=0x04ef5584, nsIRequest * aRequest=0x04fa5a78, int
aStateFlags=0x00020010, unsigned int aStatus=0x00000000)  Line 1234 + 0x12	C++
 	docshell.dll!nsDocLoaderImpl::doStopDocumentLoad(nsIRequest *
request=0x04fa5a78, unsigned int aStatus=0x00000000)  Line 839	C++
 	docshell.dll!nsDocLoaderImpl::DocLoaderIsEmpty()  Line 731	C++
 	docshell.dll!nsDocLoaderImpl::DocLoaderIsEmpty()  Line 734	C++
 	docshell.dll!nsDocLoaderImpl::OnStopRequest(nsIRequest * aRequest=0x0504ddc8,
nsISupports * aCtxt=0x00000000, unsigned int aStatus=0x00000000)  Line 663	C++
 	necko.dll!nsLoadGroup::RemoveRequest(nsIRequest * request=0x050588f4,
nsISupports * ctxt=0x00000000, unsigned int aStatus=0x00000000)  Line 701 + 0xd	C++
 	necko.dll!nsInputStreamChannel::OnStopRequest(nsIRequest * req=0x05040728,
nsISupports * ctx=0x00000000, unsigned int status=0x00000000)  Line 373	C++
 	necko.dll!nsInputStreamPump::OnStateStop()  Line 505	C++
 	necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *
stream=0x05017370)  Line 342	C++
 	xpcom_core.dll!nsOutputStreamReadyEvent::EventHandler(PLEvent *
plevent=0x05059044)  Line 119	C++
 	xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x05059044)  Line 693	C
 	xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x00a51910)  Line
627 + 0x6	C
 	xpcom_core.dll!_md_EventReceiverProc(HWND__ * hwnd=0x00660614, unsigned int
uMsg=0x0000c2a5, unsigned int wParam=0x00000000, long lParam=0x00a51910)  Line
1434	C
 	user32.dll!_InternalCallWinProc@20()  + 0x28	
 	user32.dll!_UserCallWinProcCheckWow@32()  + 0xb7	
 	user32.dll!_DispatchMessageWorker@8()  + 0xdc	
 	user32.dll!_DispatchMessageW@4()  + 0xf	
 	gkwidget.dll!nsAppShell::Run()  Line 159	C++
 	appcomps.dll!nsAppStartup::Run()  Line 216	C++
 	mozilla.exe!main1(int argc=0x00000002, char * * argv=0x002a4d18, nsISupports *
nativeApp=0x00000000)  Line 1321 + 0x9	C++
 	mozilla.exe!main(int argc=0x00000002, char * * argv=0x002a4d18)  Line 1813 +
0x13	C++
 	mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ *
__formal=0x00400000, char * args=0x00152356, HINSTANCE__ * __formal=0x00400000)
 Line 1841 + 0x17	C++
 	mozilla.exe!WinMainCRTStartup()  Line 390 + 0x1b	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23	

-	str	0x04fa0bf8 {length=0x04f76088 chars=0x04f754fc "..." }	JSString *
|	length	0x04f76088	unsigned int
\+	chars	0x04f754fc ""	unsigned short *
+	re	0x00000000 {nrefs=??? flags=??? cloneIndex=??? ...}	JSRegExp *
+	ip	0x00000001	long *
-	sep	0x0012eff4 {length=0x00000001 chars=0x00a54fc8 "
" }	JSSubString *
|	length	0x00000001	unsigned int
\+	chars	0x00a54fc8 "
"	const unsigned short *

one frame higher:
-	(JSObject*)(argv[-1] & ~7)	0x04fa0bf8 {map=0x04f76088 {nrefs=0x00000001
ops=0x00b609a0 _js_ObjectOps nslots=0x00000009 ...} slots=0x04f754fc }	JSObject *
|-	map	0x04f76088 {nrefs=0x00000001 ops=0x00b609a0 _js_ObjectOps
nslots=0x00000009 ...}	JSObjectMap *
||	nrefs	0x00000001	long
||+	ops	0x00b609a0 _js_ObjectOps	JSObjectOps *
||	nslots	0x00000009	unsigned long
|\	freeslot	0x00000007	unsigned long
\+	slots	0x04f754fc	long *

navigator.js line 430:
function Startup()
{

line 507:
      var arrayArgComponents = window.arguments[1].split("=");
line 560:
        uriArray = window.arguments[0].toString().split('\n'); // stringify and split
line 568:
              uriArray = handler.defaultArgs.split('\n');

The crash is clearly on one of 560 or 568, but I haven't done the math to figure
out which.

jsd3250.dll was *not* loaded because it wasn't found, so you cannot blame jsd
for causing this crash (you can blame me of course, but that's less fun).

Tree is essentially mozilla 18a5 with bug 277069's patch (attachment 170301 with
fuzzing for hunk 9 - js_FilterXMLList call changed between 18a5 and trunk).

jsconfig.h defines JS_GCMETER 1 and GC_MARK_DEBUG 1
jsgc.h defines TOO_MUCH_GC 1
jsgc.c has one extra abort() path to hunt:  (jsuword)rt->gcFreeList < 0x100), it
has not been hit.
-> timeless
Assignee: general → timeless
QA Contact: pschwartau → moz

bc: please don't bounce too_much_gc bugs to me. They're not my fault.
Assignee: timeless → brendan

timeless, I just don't want to get a bunch of unconfirmed crash bugs on locally
modified trees with no indication of how to reproduce. The rule I was following
was if you filed it, and if it was unconfirmed and did not have instructions on
how to reproduce, I gave it to you.

bc: the steps are simple: define TOO_MUCH_GC, build mozilla, run mozilla. It
will crash even if jsd isn't around. brendan told me which function/macro was
broken, but I can't remember.

No, I didn't diagnose this fully.  I said it seemed as though str_split's call
to js_ValueToString on OBJECT_TO_JSVAL(obj) was somehow not TOO_MUCH_GC-safe.

I don't care enough about this bug to own it, so timeless, it's up to you to
diagnose further.  Otherwise bounce it back to general@js.bugs and maybe mrbkap
will take it when he gets back from spring break.

/be
Assignee: brendan → timeless

I cannot reproduce this crash with TOO_MUCH_GC defined in jsobj.c and jsgc.c. I
do see some weird behavior on startup, however, and I do crash when I open a new
window (e.g., with ctrl+n).

Taking this bug so that I remember to poke around the spots pointed out in
comment 5 to see if I can find anything that jumps out as being a potential problem.
Assignee: timeless → mrbkap

I can no longer reproduce this. I think timeless mentioned it may have been
rooting properties a while ago. Marking WFM.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ find_split]
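
The hazard raised in the comments above (a value created inside a native such as str_split not being safe across a collection, and "rooting" as the suspected fix) can be reproduced in a small model. This is an added example, not SpiderMonkey code and not code from this bug: the toy heap, `split_like`, `add_root` and the `gc_every_alloc` switch are hypothetical, and it assumes TOO_MUCH_GC means a collection is forced on every allocation.

```c
/* Toy mark-and-sweep heap, constructed for illustration; not SpiderMonkey code. */
#include <stdio.h>
#include <string.h>

#define HEAP_CELLS 8
#define MAX_ROOTS  4

typedef struct { int in_use, marked; char chars[16]; } Cell;

static Cell   heap[HEAP_CELLS];
static Cell **roots[MAX_ROOTS];   /* addresses of C locals the GC must scan */
static int    nroots;
static int    gc_every_alloc;     /* assumed stand-in for TOO_MUCH_GC */

static void add_root(Cell **slot) { roots[nroots++] = slot; }
static void remove_root(void)     { nroots--; }

/* Mark cells referenced from registered roots, then sweep and poison the rest. */
static void gc(void) {
    int i;
    for (i = 0; i < HEAP_CELLS; i++) heap[i].marked = 0;
    for (i = 0; i < nroots; i++)
        if (*roots[i]) (*roots[i])->marked = 1;
    for (i = 0; i < HEAP_CELLS; i++)
        if (heap[i].in_use && !heap[i].marked) {
            memset(heap[i].chars, 0xDA, sizeof heap[i].chars);
            heap[i].in_use = 0;
        }
}

/* Allocate a string cell. Normally GC runs only when the heap is full;
 * in stress mode it runs before every allocation. */
static Cell *new_string(const char *s) {
    int attempt, i;
    for (attempt = 0; attempt < 2; attempt++) {
        if (gc_every_alloc || attempt == 1) gc();
        for (i = 0; i < HEAP_CELLS; i++)
            if (!heap[i].in_use) {
                heap[i].in_use = 1;
                strncpy(heap[i].chars, s, sizeof heap[i].chars - 1);
                heap[i].chars[sizeof heap[i].chars - 1] = '\0';
                return &heap[i];
            }
    }
    return NULL;
}

/* A native that creates a string, then allocates again while still using it.
 * Returns 1 if the first string is intact afterwards, 0 if it was swept. */
int split_like(int stress, int root_it) {
    Cell *str, *piece;
    int intact;
    memset(heap, 0, sizeof heap);
    nroots = 0;
    gc_every_alloc = stress;
    str = new_string("a\nb");
    if (root_it) add_root(&str);
    piece = new_string("a");          /* may run gc() under stress */
    intact = piece != str && strcmp(str->chars, "a\nb") == 0;
    if (root_it) remove_root();
    return intact;
}

int main(void) {
    printf("normal, unrooted: %d\n", split_like(0, 0));
    printf("stress, unrooted: %d\n", split_like(1, 0));
    printf("stress, rooted:   %d\n", split_like(1, 1));
    return 0;
}
```

In the unrooted stress run the swept cell is handed straight back to the second allocation, so the stale `str` pointer now aliases a different live value. The missing root stays hidden in the normal run because no collection happens between the two allocations.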