Closed
Bug 300858
Opened 19 years ago
Closed 19 years ago
crash on Windows 2000 product documentation page [@ js_CompareStrings]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.8beta4
People
(Reporter: mikel, Assigned: mrbkap)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(1 file, 1 obsolete file)
964 bytes,
patch
|
brendan
:
review+
brendan
:
approval1.8b4+
|
Details | Diff | Splinter Review |
In Deer Park Alpha 2, viewing the Microsoft Windows 2000 Product Documentation
page causes the browser to crash.
I tried to report this via the crash tool, but it doesn't work properly behind
proxies. :-(
Comment 1•19 years ago
|
||
WFM: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050714
Firefox/1.0+ on XP
Reporter | ||
Comment 2•19 years ago
|
||
Sorry, the link I previously supplied was my bookmark. It actually crashes when
you go to the Server Help section.
Updating URL accordingly.
Comment 3•19 years ago
|
||
There we go... thanks for updating the URL ;)
Talkback ID: TB7493297G
Incident ID: 7493297
Stack Signature js_CompareStrings 935eb65c
Product ID FirefoxTrunk
Build ID 2005071406
Trigger Time 2005-07-14 18:25:53.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (00046ca6)
URL visited
User Comments
Since Last Crash 131 sec
Total Uptime 131 sec
Trigger Reason Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 2785
Stack Trace
js_CompareStrings
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 2785]
sort_compare_strings
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 848]
js_HeapSort
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 762]
array_sort
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsarray.c, line 936]
js_Invoke
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1173]
js_Interpret
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3464]
js_Execute
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1404]
JS_EvaluateUCScriptForPrincipals
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3855]
nsJSContext::EvaluateString
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1060]
nsScriptLoader::EvaluateScript
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 757]
nsScriptLoader::ProcessRequest
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 658]
nsScriptLoader::ProcessScriptElement
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 593]
nsHTMLScriptElement::MaybeProcessScript
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp,
line 662]
nsHTMLScriptElement::BindToTree
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp,
line 455]
nsGenericElement::AppendChildTo
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 2728]
HTMLContentSink::ProcessSCRIPTTag
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 4121]
HTMLContentSink::AddLeaf
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 2987]
CNavDTD::AddLeaf
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 3568]
CNavDTD::HandleDefaultStartToken
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 1283]
CNavDTD::HandleStartToken
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 1664]
CNavDTD::HandleToken
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 955]
CNavDTD::BuildModel
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 458]
nsParser::BuildModel
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/nsParser.cpp,
line 2116]
Keywords: crash
Summary: crash on Windows 2000 product documentation page → crash on Windows 2000 product documentation page [@ js_CompareStrings]
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Assignee | ||
Updated•19 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 6•19 years ago
|
||
We don't update all_strings in array_sort in the case of a hole, so we can end
up in sort_compare_strings with a hole for one of the strings (which
js_CompareStrings doesn't account for). I decided that the extra check in
sort_compare_strings was better than penalizing the sort and sending it through
sort_compare (and updating all_strings in the hole case).
Attachment #189831 -
Flags: review?(brendan)
Assignee | ||
Comment 7•19 years ago
|
||
Brendan says to avoid the extra branches, and just penalize the cases with
holes in them instead of all string comparisons.
Attachment #189831 -
Attachment is obsolete: true
Attachment #189845 -
Flags: review?(brendan)
Assignee | ||
Updated•19 years ago
|
Attachment #189831 -
Flags: review?(brendan)
Comment 8•19 years ago
|
||
Comment on attachment 189845 [details] [diff] [review]
penalize fewer cases
Cool, r+a=me.
/be
Attachment #189845 -
Flags: review?(brendan)
Attachment #189845 -
Flags: review+
Attachment #189845 -
Flags: approval1.8b4+
Comment 9•19 years ago
|
||
This should get fixed for 1.8b4, no doubt about it! ;-)
/be
Flags: blocking1.8b4+
Assignee | ||
Comment 10•19 years ago
|
||
I checked this in last night.
Might be good to have a testcase for this.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: testcase?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8beta4
Comment 11•19 years ago
|
||
Checking in regress-300858.js;
/cvsroot/mozilla/js/tests/js1_5/Array/regress-300858.js,v <-- regress-300858.js
initial revision: 1.1
Flags: testcase? → testcase+
Updated•19 years ago
|
Flags: blocking1.8b5+ → blocking1.8b4+
Updated•14 years ago
|
Crash Signature: [@ js_CompareStrings]
You need to log in
before you can comment on or make changes to this bug.
Description
•