Closed Bug 284431 Opened 20 years ago Closed 19 years ago

Crash running online e4x test suite at js_LeaveLocalRootScope

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Reporter: bc
Assignee: Unassigned
Keywords: crash

Trunk Seamonkey build from 2005-03-01 on winxp.

The bug is hard to pin down as it is not reproducible with a single test case
nor via the remote online tests (at least with my high latency connection). To
reliably reproduce, download
<http://bclary-com.bclary.com/2004/10/03/js-tests.zip> and unzip somewhere in
your local web server. 

Start with the browser not running, then start the browser and open menu.html on
your local web server and visit the online test library in the URL. Select all
e4x tests, and click execute. You will need to allow popups on the site for the
tests to run. The crash occurs in e4x/TypeConversion/10.4.1.js. This is not
reproducible by running the test case individually. This crash does not occur
when running the tests in the jsshell. See
<http://bclary-com.bclary.com/2004/10/03/results/> for test results using the shell.

stack:

js_LeaveLocalRootScope(JSContext * 0x00011f21) line 507 + 2 bytes
ParseNodeToXML(JSContext * 0x01feec98, JSParseNode * 0x030c3f00, JSXMLArray *
0x0012f6fc, unsigned int 31) line 1779 + 8 bytes
ParseNodeToXML(JSContext * 0x01feec98, JSParseNode * 0x030c3e08, JSXMLArray *
0x0012f6fc, unsigned int 31) line 1468 + 24 bytes
ParseXMLSource(JSContext * 0x0226a230, JSString * 0x00000000) line 1924 + 14 bytes
ToXML(JSContext * 0x01feec98, long 36167708) line 2019 + 7 bytes
js_Interpret(JSContext * 0x01feec98, unsigned char * 0x00c442a0, long *
0x0012f8e0) line 5123
js_Execute(JSContext * 0x00a5fa10, JSObject * 0x02161db8, JSScript * 0x0276c3c8,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f998) line 1524
JS_EvaluateUCScriptForPrincipals(JSContext * 0x01feec98, JSObject * 0x02161db8,
JSPrincipals * 0x01623f54, const unsigned short * 0x0242a010, unsigned int 3139,
const char * 0x0273a3c0, unsigned int 1, long * 0x0012f998) line 3739 + 15 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x0253e19c, const nsAString &
{...}, void * 0x02161db8, nsIPrincipal * 0x00000000, const char * 0x0273a3c0,
unsigned int 1, const char * 0x00c43794, nsAString * 0x00000000, int *
0x0012fa38) line 1035 + 69 bytes
nsScriptLoader::EvaluateScript(nsScriptLoader * const 0x0253e19c,
nsScriptLoadRequest * 0x00000001, const nsString & {...}) line 723
nsScriptLoader::ProcessRequest(nsScriptLoader * const 0x0253e19c,
nsScriptLoadRequest * 0x023773c8) line 629 + 9 bytes
nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x00000000,
nsIStreamLoader * 0x00000000, nsISupports * 0x023773c8, unsigned int 23394000,
unsigned int 4294967295, const unsigned char * 0x00000000) line 973
nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x028b182c, nsIRequest *
0x023a0400, nsISupports * 0x023773c8, unsigned int 0) line 137
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x0253ee40,
nsIRequest * 0x023a0400, nsISupports * 0x023773c8, unsigned int 0) line 65 + 21
bytes
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x00000000, nsIRequest *
0x023d30e0, nsISupports * 0x00000000, unsigned int 0) line 3802
nsInputStreamPump::OnStateStop(nsInputStreamPump * const 0x0253e19c) line 507
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x023d30e4,
nsIAsyncInputStream * 0x0228c878) line 344
nsOutputStreamReadyEvent::EventHandler(PLEvent * 0x027567cc) line 119
PL_HandleEvent(PLEvent * 0x027567cc) line 699
PL_ProcessPendingEvents(PLEventQueue * 0x0084b690) line 633 + 6 bytes
_md_EventReceiverProc(HWND__ * 0x77d48808, unsigned int 0, unsigned int 1244720,
long 2010417573) line 1436
USER32! 77d70494()
USER32! 77d70494()
GKWIDGET! 01374d11()
MOZILLA! 004073b0()

    while (n > m) {
        lrc = lrs->topChunk;
        JS_ASSERT(lrc != &lrs->firstChunk);
        lrs->topChunk = lrc->down;
=>      JS_free(cx, lrc);
        --n;
    }

Severity: normal → critical

Didn't I fix this with this checkin:

revision 3.57
date: 2005/03/29 01:40:30;  author: brendan%mozilla.org;  state: Exp;  lines: +1 -1
- Fix longstanding goof in js_PushLocalRoot, where m (n % local-root-chunk)
  was returned rather than n (the index of lrs->scopeMark).  I'm mortified.

/be
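
The indexing mistake named in the checkin comment above, as an added example that is not part of the original bug report and is not Mozilla's source: a simplified model of a chunked local root stack in which `push_root` can return either `m` or `n`. Only `m`, `n`, `scopeMark` and the chunk-freeing loop come from the page; every other name, the chunk size of 4, the root values, the way the loop bounds are computed and the saving of the old mark as a root are assumptions of the model.

```c
#include <stdlib.h>
#define CHUNK 4   /* roots per chunk; constructed, small so the demo crosses a boundary */

typedef struct Chunk { int roots[CHUNK]; struct Chunk *down; } Chunk;
typedef struct { int scopeMark, rootCount; Chunk *top; Chunk first; } RootStack;

/* Push v and return the index a scope would use as its mark.
   buggy=1 returns m (offset inside the chunk) instead of n (stack index). */
static int push_root(RootStack *s, int v, int buggy) {
    int n = s->rootCount, m = n % CHUNK;
    if (n != 0 && m == 0) {                 /* top chunk is full: link a new one */
        Chunk *c = malloc(sizeof *c);
        if (!c) abort();
        c->down = s->top;
        s->top = c;
    }
    s->top->roots[m] = v;
    s->rootCount = n + 1;
    return buggy ? m : n;
}

/* Assumed model: the old mark is saved as a root and its index becomes the new mark. */
static void enter_scope(RootStack *s, int buggy) { s->scopeMark = push_root(s, s->scopeMark, buggy); }

static int leave_scope(RootStack *s) {
    int mark = s->scopeMark, m = mark / CHUNK, n = (s->rootCount - 1) / CHUNK;
    while (n > m) {                          /* free chunks above the mark */
        Chunk *c = s->top;
        if (c == &s->first) return -1;       /* condition the excerpt asserts against */
        s->top = c->down;
        free(c);
        --n;
    }
    s->scopeMark = s->top->roots[mark % CHUNK];   /* restore the saved mark */
    s->rootCount = mark;
    return 0;
}

/* Constructed scenario: outer scope, 5 roots, inner scope, 1 root, leave inner. */
static int roots_after_inner_leave(int buggy, int *restored_mark) {
    RootStack s = { .scopeMark = -1 };
    s.top = &s.first;
    enter_scope(&s, buggy);                       /* outer mark saved at index 0 */
    for (int i = 1; i <= 5; i++) push_root(&s, 100 + i, buggy);
    enter_scope(&s, buggy);                       /* inner mark saved at index 6 */
    push_root(&s, 107, buggy);
    leave_scope(&s);
    *restored_mark = s.scopeMark;
    while (s.top != &s.first) { Chunk *c = s.top; s.top = c->down; free(c); }
    return s.rootCount;                           /* entries still on the stack */
}
```

With `n` returned, the outer scope's six entries survive and its mark (0) is restored. With `m` returned, leaving the inner scope frees the second chunk, drops the root count to 2 and restores 102, which is a root value rather than a saved mark.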

I still crash but not with this stack. We can either morph this for the other
crashes or resolve it wfm?

New bug, please.  This bug was definitely fixed, you can prove it in the js shell.

Also, any hope of a reduced xpcshell or js shell test?

/be

Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

(In reply to comment #4)
> New bug, please.  This bug was definitely fixed, you can prove it in the js shell.

IIRC, the e4x suite passed without crashes when I found this one.

Filed bug 290020 on the other crasher.

> 
> Also, any hope of a reduced xpcshell or js shell test?

There is always hope, misguided, but hope nonetheless. :-) I'll try.

Status: RESOLVED → VERIFIED
Flags: testcase-