Closed Bug 300858 Opened 19 years ago Closed 19 years ago

crash on Windows 2000 product documentation page [@ js_CompareStrings]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.8beta4

People

(Reporter: mikel, Assigned: mrbkap)

References

()

Details

(Keywords: crash)

Crash Data

Attachments

(1 file, 1 obsolete file)

In Deer Park Alpha 2, viewing the Microsoft Windows 2000 Product Documentation page causes the browser to crash. I tried to report this via the crash tool, but it doesn't work properly behind proxies. :-(
WFM: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050714 Firefox/1.0+ on XP
Sorry, the link I previously supplied was my bookmark. It actually crashes when you go to the Server Help section. Updating URL accordingly.
There we go... thanks for updating the URL ;) Talkback ID: TB7493297G
Incident ID: 7493297 Stack Signature js_CompareStrings 935eb65c Product ID FirefoxTrunk Build ID 2005071406 Trigger Time 2005-07-14 18:25:53.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module js3250.dll + (00046ca6) URL visited User Comments Since Last Crash 131 sec Total Uptime 131 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 2785 Stack Trace js_CompareStrings [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 2785] sort_compare_strings [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 848] js_HeapSort [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 762] array_sort [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 936] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1173] js_Interpret [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3464] js_Execute [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1404] JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3855] nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1060] nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 757] nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 658] nsScriptLoader::ProcessScriptElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 593] nsHTMLScriptElement::MaybeProcessScript [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 662] nsHTMLScriptElement::BindToTree [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 455] nsGenericElement::AppendChildTo [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2728] HTMLContentSink::ProcessSCRIPTTag [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4121] HTMLContentSink::AddLeaf [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 2987] CNavDTD::AddLeaf [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3568] CNavDTD::HandleDefaultStartToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1283] CNavDTD::HandleStartToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1664] CNavDTD::HandleToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 955] CNavDTD::BuildModel [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 458] nsParser::BuildModel [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/nsParser.cpp, line 2116]
Keywords: crash
Summary: crash on Windows 2000 product documentation page → crash on Windows 2000 product documentation page [@ js_CompareStrings]
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Taking.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attached patch patch v1 (obsolete) — Splinter Review
We don't update all_strings in array_sort in the case of a hole, so we can end up in sort_compare_strings with a hole for one of the strings (which js_CompareStrings doesn't account for). I decided that the extra check in sort_compare_strings was better than penalizing the sort and sending it through sort_compare (and updating all_strings in the hole case).
Attachment #189831 - Flags: review?(brendan)
Brendan says to avoid the extra branches, and just penalize the cases with holes in them instead of all string comparisons.
Attachment #189831 - Attachment is obsolete: true
Attachment #189845 - Flags: review?(brendan)
Attachment #189831 - Flags: review?(brendan)
Comment on attachment 189845 [details] [diff] [review] penalize fewer cases Cool, r+a=me. /be
Attachment #189845 - Flags: review?(brendan)
Attachment #189845 - Flags: review+
Attachment #189845 - Flags: approval1.8b4+
This should get fixed for 1.8b4, no doubt about it! ;-) /be
Flags: blocking1.8b4+
I checked this in last night. Might be good to have a testcase for this.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: testcase?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8beta4
Checking in regress-300858.js; /cvsroot/mozilla/js/tests/js1_5/Array/regress-300858.js,v <-- regress-300858.js initial revision: 1.1
Flags: testcase? → testcase+
Flags: blocking1.8b5+ → blocking1.8b4+
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_CompareStrings]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: