Bug 290020 (Closed): e4x - crash in online e4x/Regress/regress-280844-1.js
Opened 20 years ago, closed 19 years ago
Component: Core :: JavaScript Engine
Type: defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME

Reporter: bc; Assigned: mrbkap

Keywords: crash

Crash 1

Assertion failure: list->xml_class == JSXML_CLASS_LIST, at c:/work/mozilla/anonymous/firefox-trunk/mozilla/js/src/jsxml.c:3100

    NTDLL! 7c901230()
    PutProperty(JSContext * 0x0248bfe8, JSObject * 0x00000000, long 1, long * 0x027a7cfc) line 4203 + 12 bytes
    xml_appendChild(JSContext * 0x00000001, JSObject * 0x028f6d48, unsigned int 1, long * 0x027a7cfc, long * 0x0012f1fc) line 5396 + 18 bytes
    js_Invoke(JSContext * 0x00000001, unsigned int 1, unsigned int 0) line 1314 + 17 bytes
    js_Interpret(JSContext * 0x0248bfe8, unsigned char * 0x027a13cd, long * 0x0012f424) line 3589
    js_Execute(JSContext * 0x00000000, JSObject * 0x01c86688, JSScript * 0x027a1310, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f4d8) line 1545
    JS_EvaluateUCScriptForPrincipals(JSContext * 0x0248bfe8, JSObject * 0x01c86688, JSPrincipals * 0x0272dabc, const unsigned short * 0x0279fd28, unsigned int 2228, const char * 0x027a33b8, unsigned int 1, long * 0x0012f4d8) line 3739 + 15 bytes
    nsJSContext::EvaluateString(nsJSContext * const 0x01760fe0, const nsAString & {...}, void * 0x01c86688, nsIPrincipal * 0x00000000, const char * 0x027a33b8, unsigned int 1, const char * 0x1007d83c _js_default_str, nsAString * 0x00000000, int * 0x0012f578) line 1035 + 59 bytes
    nsScriptLoader::EvaluateScript(nsScriptLoader * const 0x01760fe0, nsScriptLoadRequest * 0x027a30a0, const nsString & {...}) line 723
    nsScriptLoader::ProcessRequest(nsScriptLoader * const 0x01760fe0, nsScriptLoadRequest * 0x027a30a0) line 629 + 9 bytes
    nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x02781b1c, nsIStreamLoader * 0x00000000, nsISupports * 0x027a30a0, unsigned int 36143712, unsigned int 4294967295, const unsigned char * 0x00000000) line 973
    nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x000008b4, nsIRequest * 0x0279f350, nsISupports * 0x027a30a0, unsigned int 0) line 137
    nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x004b06bb, nsIRequest * 0x0277c830, nsISupports * 0x027a3488, unsigned int 41562272) line 65 + 48 bytes
    nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x00ccfdcc const nsHttpChannel::`vftable'{for `nsIUploadChannel'}, nsIRequest * 0x00ccfdbc const nsHttpChannel::`vftable'{for `nsICacheListener'}, nsISupports * 0x00ccfda4 const nsHttpChannel::`vftable'{for `nsIEncodedChannel'}, unsigned int 13434260) line 3806
    FIREFOX! const nsHttpChannel::`vftable'{for `nsICachingChannel'} address 0x00ccfde0
    nsHttpChannel::AddRef() address 0x004b2368
    c71fe938()

Crash 2

    js_CompareStrings(JSString * 0x017d9a88, JSString * 0x027d8dd6) line 2760 + 72 bytes
    namespace_identity(const void * 0x028db3a0, const void * 0x027d83b0) line 962 + 7 bytes
    XMLArrayFindMember(const JSXMLArray * 0x028de434, void * 0x027d83b0, int (const void *, const void *)* 0x1006ebf8 namespace_identity(const void *, const void *)) line 1077 + 9 bytes
    SyncInScopeNamespaces(JSContext * 0x0247f558, JSXML * 0x00000000) line 3838 + 15 bytes
    GetProperty(JSContext * 0x0247f558, JSObject * 0x00000001, long 268893485, long * 0x0012f3e0) line 3983 + 9 bytes
    xml_getProperty(JSContext * 0x0247f558, JSObject * 0x028c4de0, long 29713616, long * 0x0012f3e0) line 4875 + 34 bytes
    js_Interpret(JSContext * 0x0247f558, unsigned char * 0x02758b5c, long * 0x0012f424) line 3414 + 740 bytes
    js_Execute(JSContext * 0x00000000, JSObject * 0x01c86688, JSScript * 0x02758a98, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f4d8) line 1545
    JS_EvaluateUCScriptForPrincipals(JSContext * 0x0247f558, JSObject * 0x01c86688, JSPrincipals * 0x02707ebc, const unsigned short * 0x027574b0, unsigned int 2228, const char * 0x026d3798, unsigned int 1, long * 0x0012f4d8) line 3739 + 15 bytes
    nsJSContext::EvaluateString(nsJSContext * const 0xcd20cd06, const nsAString & {...}, void * 0x01c86688, nsIPrincipal * 0x00000000, const char * 0x026d3798, unsigned int 1, const char * 0x1007d83c _js_default_str, nsAString * 0x00000000, int * 0x0012f578) line 1035 + 59 bytes
    nsScriptLoader::EvaluateScript(nsScriptLoader * const 0xcd20cd06, nsScriptLoadRequest * 0x02753de0, const nsString & {...}) line 723
    nsScriptLoader::ProcessRequest(nsScriptLoader * const 0xcd20cd06, nsScriptLoadRequest * 0x02753de0) line 629 + 9 bytes
    nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x02707e0c, nsIStreamLoader * 0x00000000, nsISupports * 0x02753de0, unsigned int 36137488, unsigned int 4294967295, const unsigned char * 0x00000000) line 973
    nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x000008b4, nsIRequest * 0x0275c508, nsISupports * 0x02753de0, unsigned int 0) line 137
    nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x004b06bb, nsIRequest * 0x0275c308, nsISupports * 0x026d3868, unsigned int 41237984) line 65 + 48 bytes
    nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x00ccfdcc const nsHttpChannel::`vftable'{for `nsIUploadChannel'}, nsIRequest * 0x00ccfdbc const nsHttpChannel::`vftable'{for `nsICacheListener'}, nsISupports * 0x00ccfda4 const nsHttpChannel::`vftable'{for `nsIEncodedChannel'}, unsigned int 13434260) line 3806
    FIREFOX! const nsHttpChannel::`vftable'{for `nsICachingChannel'} address 0x00ccfde0
    nsHttpChannel::AddRef() address 0x004b2368
    c71fe938()
I took a look at the second stack. The crash is trying to dereference a JSXMLNamespace prefix. When I looked at the various places that created namespaces and their prefixes, I wasn't able to figure out where the prefixes were rooted outside of a local root. I saw that the namespace itself is rooted in the vector of namespaces, however. Does that protect the prefix also? Am I missing anything?
Yes, namespaces own their prefixes, and other private strings -- see the mark hook for JSXMLNamespace. Maybe the prefix was GC'd before it got stored in the namespace, though? /be
Taking.
Assignee: general → mrbkap
I can no longer reproduce this. It was probably fixed by one of the local root stack fixes that went in. Since I'm not sure which one it was, marking WORKSFORME.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
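The rooting question raised in the comments above (can a namespace prefix be collected before it is stored in the namespace that owns it, given that owners mark what they own?) and the "local root stack fixes" credited with making the crash go away can be shown in miniature. The following is an added illustration, not SpiderMonkey code and not from this bug: a constructed toy mark-and-sweep heap with an explicit local root stack, a "string" cell and a "namespace" cell that marks its prefix. Cell layout, sizes, the 0xcd poison byte and the function names are all assumptions made for the demonstration.

```c
/* Added illustration (not SpiderMonkey code): a toy mark-and-sweep heap with
 * an explicit local root stack. A freshly allocated "prefix" string that is
 * held only in a C local while the allocation of its future owner triggers a
 * collection is swept; the owner's mark hook only helps once the pointer has
 * been stored. Names, sizes and the 0xcd poison byte are constructed. */
#include <stdio.h>
#include <string.h>

#define HEAP_CELLS 4   /* tiny heap; GC runs on every allocation (debug-style) */
#define ROOT_MAX   8

typedef struct Cell {
    int marked;
    int live;                 /* 0 once swept: simulates freed memory */
    int used;                 /* ever handed out; lets alloc prefer fresh cells */
    char text[16];            /* payload of a "string" cell */
    struct Cell *prefix;      /* owned pointer held by a "namespace" cell */
} Cell;

static Cell  heap[HEAP_CELLS];
static Cell *roots[ROOT_MAX]; /* the local root stack */
static int   nroots;
static Cell *global_ns;       /* a persistent root, like a vector of namespaces */

/* Mark hook: an owner marks itself and everything it owns. */
static void mark(Cell *c) {
    if (!c || c->marked) return;
    c->marked = 1;
    mark(c->prefix);
}

static void gc(void) {
    for (int i = 0; i < HEAP_CELLS; i++) heap[i].marked = 0;
    for (int i = 0; i < nroots; i++) mark(roots[i]);
    mark(global_ns);
    for (int i = 0; i < HEAP_CELLS; i++) {
        Cell *c = &heap[i];
        if (c->live && !c->marked) {          /* unreachable: sweep and poison */
            c->live = 0;
            memset(c->text, 0xcd, sizeof c->text);
            c->prefix = NULL;
        }
    }
}

/* Allocate a cell. Collecting first is what opens the hazard window;
 * preferring never-used cells keeps just-freed memory from being recycled
 * immediately, so a dangling pointer stays visibly dangling. */
static Cell *alloc(void) {
    gc();
    for (int pass = 0; pass < 2; pass++)
        for (int i = 0; i < HEAP_CELLS; i++) {
            Cell *c = &heap[i];
            if (c->live || (pass == 0 && c->used)) continue;
            c->live = c->used = 1;
            c->marked = 0;
            c->prefix = NULL;
            c->text[0] = '\0';
            return c;
        }
    return NULL;
}

static Cell *new_string(const char *s) {
    Cell *c = alloc();
    if (c) strncpy(c->text, s, sizeof c->text - 1);
    return c;
}

static void reset_heap(void) {
    memset(heap, 0, sizeof heap);
    nroots = 0;
    global_ns = NULL;
}

/* Build a namespace whose prefix is "xml". Returns 1 if the stored prefix is
 * still a live cell with the expected text after a later collection, 0 if it
 * was swept while it was held only in a local. */
int build_namespace(int root_prefix) {
    reset_heap();
    Cell *prefix = new_string("xml");
    if (root_prefix) roots[nroots++] = prefix;  /* fix: root across the next allocation */
    Cell *ns = alloc();                         /* may collect: prefix is unreachable if unrooted */
    ns->prefix = prefix;                        /* from here on the owner's mark hook protects it */
    global_ns = ns;
    if (root_prefix) nroots--;                  /* pop the local root; ownership now suffices */
    gc();                                       /* a later collection */
    return ns->prefix->live && strcmp(ns->prefix->text, "xml") == 0;
}

int main(void) {
    printf("unrooted prefix survives: %d\n", build_namespace(0));  /* 0: dangling */
    printf("rooted prefix survives:   %d\n", build_namespace(1));  /* 1 */
    return 0;
}
```

The unrooted path leaves `ns->prefix` pointing at a swept, poisoned cell, which is the shape of the later `js_EqualStrings` report in this bug (a `JSString` whose length and chars fields read as fill bytes). The rooted path differs only in pushing the string on the local root stack for the duration of the one allocation that can collect, which is the class of fix the assignee refers to.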
on a trunk cvs debug build from 11/09

Assertion failure: list->xml_class == JSXML_CLASS_LIST, at c:/work/mozilla/builds/ff/trunk/mozilla/js/src/jsxml.c:3131

    NTDLL! 7c901230()
    Append(JSContext * 0x04a3e700, JSXML * 0x04fb5fd0, JSXML * 0x00ad34d0) line 3131 + 35 bytes
    PutProperty(JSContext * 0x04a3e700, JSObject * 0x04fbb068, long 0x00000001, long * 0x04dfa008) line 4268 + 17 bytes
    xml_appendChild(JSContext * 0x04a3e700, JSObject * 0x04fbb028, unsigned int 0x00000001, long * 0x04dfa008, long * 0x0012ec7c) line 5469 + 24 bytes
    js_Invoke(JSContext * 0x04a3e700, unsigned int 0x00000001, unsigned int 0x00000000) line 1177 + 23 bytes
    js_Interpret(JSContext * 0x04a3e700, unsigned char * 0x04df9d68, long * 0x0012f6dc) line 3522 + 15 bytes
    js_Execute(JSContext * 0x04a3e700, JSObject * 0x04a7b8f8, JSScript * 0x04df9ca8, JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x0012f7e4) line 1423 + 19 bytes
    JS_EvaluateUCScriptForPrincipals(JSContext * 0x04a3e700, JSObject * 0x04a7b8f8, JSPrincipals * 0x02fe6f44, const unsigned short * 0x04df8b08, unsigned int 0x000008b5, const char * 0x04df0cb8, unsigned int 0x00000001, long * 0x0012f7e4) line 4102 + 25 bytes
    nsJSContext::EvaluateString(const nsAString_internal & {...}, void * 0x04a7b8f8, nsIPrincipal * 0x02fe6f40, const char * 0x04df0cb8, unsigned int 0x00000001, const char * 0x100de844 _js_default_str, nsAString_internal * 0x00000000, int * 0x0012f848) line 1072 + 67 bytes
    nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x04dee778, const nsString & {...}) line 741
    nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x04dee778) line 639 + 22 bytes
    nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x042de1f4, nsIStreamLoader * 0x04df14c0, nsISupports * 0x04dee778, unsigned int 0x00000000, unsigned int 0x000008b5, const unsigned char * 0x04d9e278) line 1004
    nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x04df14c4, nsIRequest * 0x04df0d88, nsISupports * 0x04dee778, unsigned int 0x00000000) line 120
    nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x04df1c08, nsIRequest * 0x04df0d88, nsISupports * 0x04dee778, unsigned int 0x00000000) line 66
    nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x04df0d90, nsIRequest * 0x04d9e118, nsISupports * 0x00000000, unsigned int 0x00000000) line 4094
    nsInputStreamPump::OnStateStop() line 507
    nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x04d9e11c, nsIAsyncInputStream * 0x04df1d60) line 343 + 11 bytes
    nsInputStreamReadyEvent::EventHandler(PLEvent * 0x04d9e20c) line 120
    PL_HandleEvent(PLEvent * 0x04d9e20c) line 688 + 10 bytes
    PL_ProcessPendingEvents(PLEventQueue * 0x00bc6320) line 623 + 9 bytes
    _md_EventReceiverProc(HWND__ * 0x00140028, unsigned int 0x0000c0f6, unsigned int 0x00000000, long 0x00bc6320) line 1408 + 9 bytes
    USER32! 77d48734()
    USER32! 77d48816()
    USER32! 77d489cd()
    USER32! 77d48a10()
    nsAppShell::Run(nsAppShell * const 0x02faf420) line 135
    nsAppStartup::Run(nsAppStartup * const 0x02faf380) line 161 + 26 bytes
    XRE_main(int 0x00000001, char * * 0x003f6f28, const nsXREAppData * 0x0042101c kAppData) line 2289 + 35 bytes
    main(int 0x00000001, char * * 0x003f6f28) line 61 + 18 bytes
    mainCRTStartup() line 338 + 17 bytes
    KERNEL32! 7c816d4f()
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Flags: testcase+
winxp trunk 20060306 debug crashes in js_EqualStrings (the `=>` marks the debugger's current line):

    js_EqualStrings(JSString *str1, JSString *str2)
    {
        size_t n;
        const jschar *s1, *s2;

        /* Fast case: pointer equality could be a quick win. */
        if (str1 == str2)
            return JS_TRUE;
        n = JSSTRING_LENGTH(str1);
        if (n != JSSTRING_LENGTH(str2))
            return JS_FALSE;
        if (n == 0)
            return JS_TRUE;
    =>  s1 = JSSTRING_CHARS(str1), s2 = JSSTRING_CHARS(str2);
        do {
            if (*s1 != *s2)
                return JS_FALSE;
            ++s1, ++s2;
        } while (--n != 0);
        return JS_TRUE;
    }

Locals at the crash:

    + str1  0x04351aa4 {length=3439709472 chars=0xcd05cd06 <Bad Ptr> }  JSString *
    + str2  0x04351a9a {length=3439709472 chars=0xcd20cd20 <Bad Ptr> }  JSString *
    + s1    0x043254f8 "&#52288;&#1109;&#65021;&#65021; 6&#285;&#1036;&#22472;&#1074;&#21976;&#1074;"  const unsigned short *
    + s2    0x00000008 <Bad Ptr>  const unsigned short *
      n     218484000  unsigned int

Stack:

    > js3250.dll!js_EqualStrings(JSString * str1=0x04351aa4, JSString * str2=0x04351a9a) Line 2860 + 0x12 bytes C
      js3250.dll!namespace_identity(const void * a=0x04352c80, const void * b=0x04352c30) Line 974 + 0x13 bytes C
      js3250.dll!XMLArrayFindMember(const JSXMLArray * array=0x043216bc, void * elt=0x04352c30, int (const void *, const void *)* identity=0x100c3340) Line 1090 + 0x11 bytes C
      js3250.dll!SyncInScopeNamespaces(JSContext * cx=0x03fae848, JSXML * xml=0x04360978) Line 3930 + 0x12 bytes C
      js3250.dll!GetProperty(JSContext * cx=0x03fae848, JSObject * obj=0x045491f8, long id=40666164, long * vp=0x0012f578) Line 4075 + 0xd bytes C
      js3250.dll!xml_getProperty(JSContext * cx=0x03fae848, JSObject * obj=0x045491f8, long id=48446128, long * vp=0x0012f578) Line 5010 + 0x4a bytes C
      js3250.dll!js_Interpret(JSContext * cx=0x03fae848, unsigned char * pc=0x042ad24f, long * result=0x0012f5f0) Line 3632 + 0x648 bytes C
      js3250.dll!js_Execute(JSContext * cx=0x03fae848, JSObject * chain=0x040efa90, JSScript * script=0x042ad188, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012f6f8) Line 1496 + 0x13 bytes C
      js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x03fae848, JSObject * obj=0x040efa90, JSPrincipals * principals=0x032a3b0c, const unsigned short * chars=0x042a5288, unsigned int length=2229, const char * filename=0x04296ab8, unsigned int lineno=1, long * rval=0x0012f6f8) Line 4134 + 0x19 bytes C
      firefox.exe!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x040efa90, nsIPrincipal * aPrincipal=0x032a3b08, const char * aURL=0x04296ab8, unsigned int aLineNo=1, const char * aVersion=0x100dbd9c, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x0012f7d4) Line 1075 + 0x43 bytes C++
      firefox.exe!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x041fb278, const nsString & aScript={...}) Line 761 C++
      firefox.exe!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest=0x041fb278) Line 659 + 0x13 bytes C++
      firefox.exe!nsScriptLoader::OnStreamComplete(nsIStreamLoader * aLoader=0x04296f08, nsISupports * aContext=0x041fb278, unsigned int aStatus=0, unsigned int stringLen=2229, const unsigned char * string=0x04298450) Line 1026 C++
      firefox.exe!nsStreamLoader::OnStopRequest(nsIRequest * request=0x04296b80, nsISupports * ctxt=0x041fb278, unsigned int aStatus=0) Line 120 C++
      firefox.exe!nsStreamListenerTee::OnStopRequest(nsIRequest * request=0x04296b80, nsISupports * context=0x041fb278, unsigned int status=0) Line 66 C++
      firefox.exe!nsHttpChannel::OnStopRequest(nsIRequest * request=0x042981c8, nsISupports * ctxt=0x00000000, unsigned int status=0) Line 4136 C++
      firefox.exe!nsInputStreamPump::OnStateStop() Line 567 C++
      firefox.exe!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x04297f70) Line 391 + 0xb bytes C++
      xpcom_core.dll!nsInputStreamReadyEvent::EventHandler(PLEvent * plevent=0x04298e4c) Line 121 C++
      xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x04298e4c) Line 688 + 0xc bytes C
      xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x027bc970) Line 623 + 0x9 bytes C
      xpcom_core.dll!_md_EventReceiverProc(HWND__ * hwnd=0x00360398, unsigned int uMsg=49498, unsigned int wParam=0, long lParam=41666928) Line 1408 + 0x9 bytes C
      user32.dll!77d48734()
      [Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
      user32.dll!77d48816()
      user32.dll!77d489cd()
      user32.dll!77d49402()
      user32.dll!77d48a10()
      firefox.exe!nsAppShell::Run() Line 135 C++
      firefox.exe!nsAppStartup::Run() Line 161 + 0x1c bytes C++
      firefox.exe!XRE_main(int argc=3, char * * argv=0x02147748, const nsXREAppData * aAppData=0x0139cf20) Line 2364 + 0x25 bytes C++
      firefox.exe!main(int argc=3, char * * argv=0x02147748) Line 61 + 0x13 bytes C++
      firefox.exe!__tmainCRTStartup() Line 586 + 0x19 bytes C
      firefox.exe!mainCRTStartup() Line 403 C
      kernel32.dll!_BaseProcessStart@4() + 0x23 bytes

See also tb16069588 (linux), tb16068064 (winxp), plus some possible others. This looks like a different crash. Do you need a new bug? Or should we lump this in with bug 280844?
no longer happening with 2006042911 trunk builds on win/linux/mac, but still happening on 1.8.x. Marking works for me. Any regressions will be filed as a new bug.
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
oops.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME