Closed Bug 292455 Opened 20 years ago Closed 19 years ago

crash with E4X script and alert [@ UnmarkedGCThingFlags]

Categories: Core :: JavaScript Engine, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED

People: Reporter martin.honnen; Assignee: Unassigned
Details: Keywords crash, testcase
Crash Data: [@ UnmarkedGCThingFlags]

The HTML document with E4X script at <http://home.arcor.de/martin.honnen/mozillaBugs/e4x/addChild1.html> crashes both the Mozilla suite and Firefox trunk builds.

Here is a talkback incident: <http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=5474986>

As that shows that the crash occurs in js3250.dll, I file the bug on the JavaScript engine for now, although I have tried the JavaScript file <http://home.arcor.de/martin.honnen/mozillaBugs/e4x/addChild2.js> in the SpiderMonkey shell and it does not crash the shell but runs fine. Anyone who knows better should change the component.
I changed the test case to use DOM scripting to output results to the document instead of using alert dialogs and then it works fine and does not crash. Here is the changed test case that causes no problems: <http://home.arcor.de/martin.honnen/mozillaBugs/e4x/addChild2.html> So the crash occurs with the alert which is not part of the JavaScript engine but of DOM Level 0. Boris, what do you think, is this DOM Level 0?
Severity: normal → critical
Summary: crash with E4X script and alert → crash with E4X script and alert [@ UnmarkedGCThingFlags]
The talkback incident seems to be mia. I don't have a build available at the moment but will post a stack asap. Stephen, the testcase flag is for tracking when a testcase has been checked into the test library. Use the testcase keyword for tracking if a testcase has been attached to the bug. Use the flag testcase+ if there is a test in mozilla/js/tests, use testcase- if it is not possible to write a test (e.g. compiler issues or something like that) and testcase? to request a testcase be written and checked into cvs. I'm not sure about a regular test in the library using an alert since that makes it impossible to run the full test suite automatically without user intervention. I'll see if we can reproduce this without the alert.
Flags: testcase+ → testcase?
Keywords: testcase
Bob, sorry. https://bugzilla.mozilla.org/flag-help.html offered no help at all on what the flag meant, so I guessed. Thanks for the heads-up.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050426 Firefox/1.0+ Got a popup mentioning kibology twice, but did not crash. CPU is also doing fine.
The talkback server is working again, here is another talkback incident: <http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=5476378>
Severity: critical → normal
winxpsp2, sm, addChild1:

No Crash 2005042606
Crash 2005042705

stack for 0430 cvs build from last night for addChild1:

NTDLL! 7c901230()
UnmarkedGCThingFlags(void * 0x00f1d550) line 1018 + 35 bytes
js_MarkGCThing(JSContext * 0x020b1bd8, void * 0x00f1d550, void * 0x00000000) line 1421 + 9 bytes
JS_MarkGCThing(JSContext * 0x020b1bd8, void * 0x00f1d550, const char * 0x011b803c _js_object_str, void * 0x00000000) line 1741 + 15 bytes
js_MarkXMLQName(JSContext * 0x020b1bd8, JSXMLQName * 0x00f1d510, void * 0x00000000) line 559 + 24 bytes
xml_mark_tail(JSContext * 0x020b1bd8, JSXML * 0x00f15720, void * 0x00000000) line 7100 + 20 bytes
js_MarkXML(JSContext * 0x020b1bd8, JSXML * 0x00f15720, void * 0x00000000) line 7223 + 17 bytes
MarkGCThing(JSContext * 0x020b1bd8, void * 0x00f15720, unsigned char * 0x00f14aa4) line 1251 + 15 bytes
js_MarkGCThing(JSContext * 0x020b1bd8, void * 0x00f15720, void * 0x00000000) line 1424 + 17 bytes
JS_MarkGCThing(JSContext * 0x020b1bd8, void * 0x00f15720, const char * 0x011b815c _js_private_str, void * 0x00000000) line 1741 + 15 bytes
xml_mark(JSContext * 0x020b1bd8, JSObject * 0x036a39f8, void * 0x00000000) line 5055 + 22 bytes
MarkGCThing(JSContext * 0x020b1bd8, void * 0x036a39f8, unsigned char * 0x036a41cf) line 1124 + 35 bytes
js_MarkGCThing(JSContext * 0x020b1bd8, void * 0x036a39f8, void * 0x00000000) line 1424 + 17 bytes
js_GC(JSContext * 0x020b1bd8, unsigned int 0) line 1730 + 21 bytes
js_ForceGC(JSContext * 0x020b1bd8, unsigned int 0) line 1488 + 13 bytes
JS_GC(JSContext * 0x020b1bd8) line 1752 + 11 bytes
nsJSContext::Notify(nsJSContext * const 0x020b1b68, nsITimer * 0x02ea7578) line 1981 + 13 bytes
nsTimerImpl::Fire() line 387
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x02109ca0) line 617
nsAppShell::GetNativeEvent(nsAppShell * const 0x0393dce0, int & 1, void * & 0x0259c394 msg) line 197
nsXULWindow::ShowModal(nsXULWindow * const 0x03111608) line 400 + 31 bytes
nsContentTreeOwner::ShowAsModal(nsContentTreeOwner * const 0x0391bee4) line 428
nsWindowWatcher::OpenWindowJS(nsWindowWatcher * const 0x020a31b4, nsIDOMWindow * 0x0365067c, const char * 0x013129a8 kPromptURL, const char * 0x01318e24, const char * 0x01318e00, int 1, unsigned int 1, long * 0x036d319c, nsIDOMWindow * * 0x0012e6b4) line 796
nsWindowWatcher::OpenWindow(nsWindowWatcher * const 0x020a31b0, nsIDOMWindow * 0x0365067c, const char * 0x013129a8 kPromptURL, const char * 0x01318e24, const char * 0x01318e00, nsISupports * 0x03110d00, nsIDOMWindow * * 0x0012e6b4) line 469 + 48 bytes
nsPromptService::DoDialog(nsPromptService * const 0x021fffe4, nsIDOMWindow * 0x0365067c, nsIDialogParamBlock * 0x03110d00, const char * 0x013129a8 kPromptURL) line 632 + 77 bytes
nsPromptService::Alert(nsPromptService * const 0x021fffe0, nsIDOMWindow * 0x0365067c, const unsigned short * 0x0012e850, const unsigned short * 0x039022a8) line 131 + 37 bytes
nsPrompt::Alert(nsPrompt * const 0x0358f610, const unsigned short * 0x0012e850, const unsigned short * 0x039022a8) line 209 + 46 bytes
nsGlobalWindow::Alert(nsGlobalWindow * const 0x0365067c, const nsAString & {...}) line 2421 + 69 bytes
XPTC_InvokeByIndex(nsISupports * 0x0365067c, unsigned int 64, unsigned int 1, nsXPTCVariant * 0x0012ea60) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2065 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x036508e0, JSObject * 0x03621158, unsigned int 1, long * 0x036d3190, long * 0x0012ed30) line 1287 + 14 bytes
js_Invoke(JSContext * 0x036508e0, unsigned int 1, unsigned int 0) line 1320 + 23 bytes
js_Interpret(JSContext * 0x036508e0, unsigned char * 0x0221855a, long * 0x0012f728) line 3610 + 15 bytes
js_Execute(JSContext * 0x036508e0, JSObject * 0x03621158, JSScript * 0x03560c60, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f828) line 1550 + 19 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x036508e0, JSObject * 0x03621158, JSPrincipals * 0x0375b5cc, const unsigned short * 0x038e5b18, unsigned int 467, const char * 0x03900750, unsigned int 1, long * 0x0012f828) line 3784 + 25 bytes
nsJSContext::EvaluateString(const nsAString & {...}, void * 0x03621158, nsIPrincipal * 0x0375b5c8, const char * 0x03900750, unsigned int 1, const char * 0x011b880c _js_default_str, nsAString * 0x00000000, int * 0x0012f88c) line 1035 + 67 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x03900378, const nsString & {...}) line 723
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x03900378) line 629 + 22 bytes
nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x0375b51c, nsIStreamLoader * 0x03901e00, nsISupports * 0x03900378, unsigned int 0, unsigned int 4294967295, const unsigned char * 0x0358fe14) line 973
nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x03901e04, nsIRequest * 0x03900468, nsISupports * 0x03900378, unsigned int 0) line 137
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03683b98, nsIRequest * 0x03900468, nsISupports * 0x03900378, unsigned int 0) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x03900470, nsIRequest * 0x039028b0, nsISupports * 0x00000000, unsigned int 0) line 3811
nsInputStreamPump::OnStateStop() line 507
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x039028b4, nsIAsyncInputStream * 0x03902640) line 343 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x022184b4) line 120
PL_HandleEvent(PLEvent * 0x022184b4) line 698 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ec0918) line 633 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000603a2, unsigned int 49515, unsigned int 0, long 15468824) line 1435 + 9 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x020a8518) line 135
nsAppStartup::Run(nsAppStartup * const 0x020a8278) line 208
main1(int 1, char * * 0x002a2638, nsISupports * 0x00ebc938) line 1272 + 32 bytes
main(int 1, char * * 0x002a2638) line 1763 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL
Martin: any reason for downgrading this crash from critical to normal?
IIRC someone was playing with GC and remarked that the promptservice stuff didn't properly root its params; this could be that.
Is the E4X stuff around the alert relevant? That is, could E4X be forgetting to root something that the alert then GCs?
(In reply to comment #7)
> Martin: any reason for downgrading this crash from critical to normal?

Sorry, I have done nothing intentionally to change the severity, must have happened by accident. Changing back now to critical.
Severity: normal → critical
(In reply to comment #9)
> Is the E4X stuff around the alert relevant? That is, could E4X be forgetting to
> root something that the alert then GCs?

I have tried a similar example not using E4X but concatenating some arrays and alerting them, but that works as normal and does not crash.
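The question raised in the two comments above is a general one for any native code that calls back into an engine with a garbage collector: a pointer to a GC thing that is held only in a C local is invisible to the marker, so if anything spins the event loop (here, the modal alert dialog, during which the idle timer runs a full GC) the thing can be swept underneath the caller, and the next use of it is a use-after-free. The following is an added illustration written for this page, not SpiderMonkey code and not the fix for this bug; the toy heap, its per-thing flag byte, the explicit root stack and the `show_modal_dialog()` stand-in that runs a collection are all hypothetical. It places the unrooted pattern beside the rooted one so the difference is observable.

```c
/*
 * Hypothetical toy mark-and-sweep heap (not SpiderMonkey code) showing why a
 * native caller must root a GC thing across any call that can run the GC.
 */
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define HEAP_THINGS 8
#define MAX_ROOTS   8

/* One flag byte per thing, a stand-in for a real GC's per-thing flags. */
enum { FLAG_FREE = 0, FLAG_ALLOCATED = 1, FLAG_MARKED = 2 };

static unsigned char flags[HEAP_THINGS];
static int           heap[HEAP_THINGS];   /* payload: one int per thing */
static int          *roots[MAX_ROOTS];    /* explicit root stack */
static int           nroots;
static int           gc_runs;             /* how many collections happened */

static void heap_reset(void) {
    memset(flags, 0, sizeof flags);
    nroots = 0;
    gc_runs = 0;
}

static int *gc_alloc(int value) {
    for (int i = 0; i < HEAP_THINGS; i++) {
        if (flags[i] == FLAG_FREE) {
            flags[i] = FLAG_ALLOCATED;
            heap[i] = value;
            return &heap[i];
        }
    }
    return NULL;  /* toy heap exhausted */
}

static int thing_index(const int *p) { return (int)(p - heap); }
static void push_root(int *p) { assert(nroots < MAX_ROOTS); roots[nroots++] = p; }
static void pop_root(void) { assert(nroots > 0); nroots--; }

/* Mark everything reachable from the root stack, then sweep the rest.
 * Swept slots are poisoned so a stale read is visibly wrong. */
static void gc(void) {
    gc_runs++;
    for (int r = 0; r < nroots; r++)
        flags[thing_index(roots[r])] |= FLAG_MARKED;
    for (int i = 0; i < HEAP_THINGS; i++) {
        if (flags[i] & FLAG_MARKED) {
            flags[i] = FLAG_ALLOCATED;        /* survivor: clear the mark */
        } else if (flags[i] == FLAG_ALLOCATED) {
            flags[i] = FLAG_FREE;             /* unreachable: sweep it */
            heap[i] = -1;
        }
    }
}

static int is_live(const int *p) { return flags[thing_index(p)] != FLAG_FREE; }

/* Stand-in for alert(): the caller blocks in a modal dialog while the
 * embedding keeps pumping events, and an idle timer runs a full GC. */
static void show_modal_dialog(void) { gc(); }

/* Buggy pattern: a bare pointer to a GC thing is held across a call that can
 * collect. Returns 1 if the thing survived, 0 if it was swept underneath us. */
static int alert_unrooted(int value) {
    heap_reset();                              /* fresh heap for this scenario */
    int *msg = gc_alloc(value);
    show_modal_dialog();
    return is_live(msg) && *msg == value;
}

/* Fixed pattern: root the pointer for exactly as long as native code holds it. */
static int alert_rooted(int value) {
    heap_reset();                              /* fresh heap for this scenario */
    int *msg = gc_alloc(value);
    push_root(msg);
    show_modal_dialog();
    int alive = is_live(msg) && *msg == value;
    pop_root();
    return alive;
}

int main(void) {
    printf("unrooted: thing %s the GC\n", alert_unrooted(42) ? "survived" : "was swept by");
    printf("rooted:   thing %s the GC\n", alert_rooted(42) ? "survived" : "was swept by");
    return 0;
}
```

The toy poisons swept slots so the failure shows up deterministically; a real engine reuses the memory, so an unrooted pointer may look fine until the slot is recycled and the marker follows a garbage flags pointer, which is the shape of the `UnmarkedGCThingFlags` crash in the traces above. Rooting for exactly the span during which native code holds the pointer, and popping the root on every exit path, is the discipline that prevents it.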
Checking in regress-292455.js; /cvsroot/mozilla/js/tests/e4x/Regress/regress-292455.js,v <-- regress-292455.js initial revision: 1.1
Flags: testcase? → testcase+
I am not sure if this is helpful, but I am able to reproduce this in spidermonkey. Here is my gdb backtrace:

#0  0x0000002a9628a140 in UnmarkedGCThingFlags (thing=0x322cf689b6) at jsgc.c:1015
        flags = 0 '\0'
        flagp = (uint8 *) 0xc9ff4806ebc18963 <Address 0xc9ff4806ebc18963 out of bounds>
#1  0x0000002a9628acab in js_MarkGCThing (cx=0xee0380, thing=0x322cf689b6, arg=0x0) at jsgc.c:1415
        flagp = (uint8 *) 0x4054d798 ""
#2  0x0000002a9628b53a in js_GC (cx=0xee0380, gcflags=0) at jsgc.c:1716
        rt = (JSRuntime *) 0x64c570
        iter = (JSContext *) 0x8325a0
        acx = (JSContext *) 0x8325a0
        fp = (JSStackFrame *) 0x4054c9d0
        chain = (JSStackFrame *) 0x4054c9d0
        i = 0
        depth = 0
        nslots = 42
        type = 2519809763
        sh = (JSStackHeader *) 0x0
        nbytes = 277397750416
        nflags = 0
        a = (JSArena *) 0x296314578
        ap = (JSArena **) 0x6a56d0
        flags = 0 '\0'
        flagp = (uint8 *) 0x40c28650 "��T@"
        split = (uint8 *) 0x64c7f8 "�5F\226*"
        thing = (JSGCThing *) 0xc75978
        limit = (JSGCThing *) 0x6ff1183e00000002
        flp = (JSGCThing **) 0x1b00652760
        oflp = (JSGCThing **) 0x2a9626b1c7
        finalizer = 0x40c28600
        bytesptr = (uint32 *) 0x64c7f8
        all_clear = 0
        currentThread = 15745472
        requestDebit = 0
#3  0x0000002a9628af01 in js_ForceGC (cx=0xee0380, gcflags=0) at jsgc.c:1482
        i = 16
#4  0x0000002a9625eb69 in js_DestroyContext (cx=0xee0380, gcmode=JS_FORCE_GC) at jscntxt.c:276
        rt = (JSRuntime *) 0x64c570
        last = 0
        map = (JSArgumentFormatMap *) 0xee0380
        lrs = (JSLocalRootStack *) 0xd86da0
        lrc = (JSLocalRootChunk *) 0x2a9633644a
#5  0x0000002a9624dc0a in JS_DestroyContext (cx=0xee0380) at jsapi.c:942
No locals.
#6  0x0000002a96248c16 in js_exec (chan=0xf03cb0, data=Variable "data" is not available.) at res_js.c:1437
        code = 0x40c28720 "TeleAuto.js"
        next = Variable "next" is not available.

(In reply to comment #6)
I no longer see this crash. Fixed by bug 322045?
-> fixed. Note automated browser tests will show timeouts until automatic alert dismissal is added.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
v 1.8.0.1, 1.8, 1.9a1 20060217 win/linux/mac
Status: RESOLVED → VERIFIED
Crash Signature: [@ UnmarkedGCThingFlags]