Closed
Bug 300858
Opened 19 years ago
Closed 19 years ago
crash on Windows 2000 product documentation page [@ js_CompareStrings]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.8beta4
People
(Reporter: mikel, Assigned: mrbkap)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(1 file, 1 obsolete file)
964 bytes,
patch
|
brendan
:
review+
brendan
:
approval1.8b4+
|
Details | Diff | Splinter Review |
In Deer Park Alpha 2, viewing the Microsoft Windows 2000 Product Documentation page causes the browser to crash. I tried to report this via the crash tool, but it doesn't work properly behind proxies. :-(
Comment 1•19 years ago
|
||
WFM: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050714 Firefox/1.0+ on XP
Reporter | ||
Comment 2•19 years ago
|
||
Sorry, the link I previously supplied was my bookmark. It actually crashes when you go to the Server Help section. Updating URL accordingly.
Comment 3•19 years ago
|
||
There we go... thanks for updating the URL ;) Talkback ID: TB7493297G
Incident ID: 7493297 Stack Signature js_CompareStrings 935eb65c Product ID FirefoxTrunk Build ID 2005071406 Trigger Time 2005-07-14 18:25:53.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module js3250.dll + (00046ca6) URL visited User Comments Since Last Crash 131 sec Total Uptime 131 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 2785 Stack Trace js_CompareStrings [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 2785] sort_compare_strings [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 848] js_HeapSort [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 762] array_sort [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 936] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1173] js_Interpret [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3464] js_Execute [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1404] JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3855] nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1060] nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 757] nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 658] nsScriptLoader::ProcessScriptElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 593] nsHTMLScriptElement::MaybeProcessScript [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 662] nsHTMLScriptElement::BindToTree [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 455] nsGenericElement::AppendChildTo [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2728] HTMLContentSink::ProcessSCRIPTTag [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4121] HTMLContentSink::AddLeaf [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 2987] CNavDTD::AddLeaf [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3568] CNavDTD::HandleDefaultStartToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1283] CNavDTD::HandleStartToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1664] CNavDTD::HandleToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 955] CNavDTD::BuildModel [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 458] nsParser::BuildModel [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/nsParser.cpp, line 2116]
Keywords: crash
Summary: crash on Windows 2000 product documentation page → crash on Windows 2000 product documentation page [@ js_CompareStrings]
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Assignee | ||
Updated•19 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 6•19 years ago
|
||
We don't update all_strings in array_sort in the case of a hole, so we can end up in sort_compare_strings with a hole for one of the strings (which js_CompareStrings doesn't account for). I decided that the extra check in sort_compare_strings was better than penalizing the sort and sending it through sort_compare (and updating all_strings in the hole case).
Attachment #189831 -
Flags: review?(brendan)
Assignee | ||
Comment 7•19 years ago
|
||
Brendan says to avoid the extra branches, and just penalize the cases with holes in them instead of all string comparisons.
Attachment #189831 -
Attachment is obsolete: true
Attachment #189845 -
Flags: review?(brendan)
Assignee | ||
Updated•19 years ago
|
Attachment #189831 -
Flags: review?(brendan)
Comment 8•19 years ago
|
||
Comment on attachment 189845 [details] [diff] [review] penalize fewer cases Cool, r+a=me. /be
Attachment #189845 -
Flags: review?(brendan)
Attachment #189845 -
Flags: review+
Attachment #189845 -
Flags: approval1.8b4+
Comment 9•19 years ago
|
||
This should get fixed for 1.8b4, no doubt about it! ;-) /be
Flags: blocking1.8b4+
Assignee | ||
Comment 10•19 years ago
|
||
I checked this in last night. Might be good to have a testcase for this.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: testcase?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8beta4
Comment 11•19 years ago
|
||
Checking in regress-300858.js; /cvsroot/mozilla/js/tests/js1_5/Array/regress-300858.js,v <-- regress-300858.js initial revision: 1.1
Flags: testcase? → testcase+
Updated•19 years ago
|
Flags: blocking1.8b5+ → blocking1.8b4+
Updated•13 years ago
|
Crash Signature: [@ js_CompareStrings]
You need to log in
before you can comment on or make changes to this bug.
Description
•