Closed Bug 301097 Opened 19 years ago Closed 15 years ago

Crash [@ JS_GetPrivate] line 1813

Categories

(Core :: JavaScript Engine, defect)

1.7 Branch
x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED WORKSFORME

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash, top100)

Found while testing a debug Firefox 1.0.6 using Spider. Not a new bug, though;
however, it looks fairly common in Talkback. Could not reproduce on the trunk.

Very similar stack to bug 269568, bug 269472

JS_GetPrivate(JSContext * 0x02c9d9d8, JSObject * 0xc04d8b00) line 1998 + 3 bytes
nsScriptSecurityManager::GetFunctionObjectPrincipal(JSContext * 0x02c9d9d8,
JSObject * 0xc04d8b00, JSStackFrame * 0x0012f02c, nsIPrincipal * * 0x0012ed6c)
line 1813 + 14 bytes
nsScriptSecurityManager::GetFramePrincipal(JSContext * 0x02c9d9d8, JSStackFrame
* 0x0012f02c, nsIPrincipal * * 0x0012ed6c) line 1874 + 24 bytes
nsScriptSecurityManager::GetPrincipalAndFrame(JSContext * 0x02c9d9d8,
nsIPrincipal * * 0x0012ed6c, JSStackFrame * * 0x0012ed2c) line 1898 + 20 bytes
nsScriptSecurityManager::GetSubjectPrincipal(JSContext * 0x02c9d9d8,
nsIPrincipal * * 0x0012ed6c) line 1938
nsScriptSecurityManager::GetSubjectPrincipal(nsScriptSecurityManager * const
0x00f2a9d0, nsIPrincipal * * 0x0012ed6c) line 1601
nsScriptSecurityManager::SubjectPrincipalIsSystem(nsScriptSecurityManager *
const 0x00f2a9d0, int * 0x0012ed80) line 1634 + 36 bytes
nsContentUtils::IsCallerChrome() line 920 + 21 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f07c, nsIView * 0x024ec760,
unsigned int 1, nsEventStatus * 0x0012ef28) line 6027 + 5 bytes
PresShell::HandleEvent(PresShell * const 0x024ece4c, nsIView * 0x024ec760,
nsGUIEvent * 0x0012f07c, nsEventStatus * 0x0012ef28, int 1, int & 1) line 5921 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x024ec760, nsGUIEvent * 0x0012f07c, int 0)
line 2275
nsViewManager::DispatchEvent(nsViewManager * const 0x024ec590, nsGUIEvent *
0x0012f07c, nsEventStatus * 0x0012f078) line 2061 + 20 bytes
GlobalWindowImpl::Deactivate(GlobalWindowImpl * const 0x024190c4) line 4678
nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012f234) line 567
nsWindow::DispatchEvent(nsWindow * const 0x0239604c, nsGUIEvent * 0x0012f234,
nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f234) line 1088
nsWindow::DispatchFocus(unsigned int 108, int 0) line 5451 + 15 bytes
nsWindow::ProcessMessage(unsigned int 8, unsigned int 0, long 0, long *
0x0012f698) line 4214 + 23 bytes
nsWindow::WindowProc(HWND__ * 0x0165023a, unsigned int 8, unsigned int 0, long
0) line 1349 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
USER32! 77d49402()
PeekKeyAndIMEMessage(tagMSG * 0x0012f8d4 {msg=0x00000113 wp=0x000073d9
lp=0x60d46a20}, HWND__ * 0x00000000) line 90 + 24 bytes
nsAppShell::Run(nsAppShell * const 0x00eb1b30) line 128 + 11 bytes
nsAppShellService::Run(nsAppShellService * const 0x00eb1880) line 495
xre_main(int 5, char * * 0x003e7708, const nsXREAppData * 0x0041e01c kAppData)
line 1907 + 35 bytes
main(int 5, char * * 0x003e7708) line 58 + 18 bytes
mainCRTStartup() line 338 + 17 bytes

-	cx	0x02c9d9d8
+	links	{...}
	interpLevel	0
	stackLimit	718584
	version	0
	jsop_eq	18 ''
	jsop_ne	19 ''
+	runtime	0x00eb4d98
+	stackPool	{...}
+	fp	0x0012f02c
+	tempPool	{...}
+	globalObject	0x02ca1570
+	newborn	0x02c9da34
+	lastAtom	0x02d8e930
+	regExpStatics	{...}
+	sharpObjectMap	{...}
+	argumentFormatMap	0x02c9dc48
+	lastMessage	0x084b0cc0 "assignment to undeclared variable output"
	tracefp	0x00000000
	branchCallback	0x01b04fa0 nsJSContext::DOMBranchCallback(JSContext *, JSScript *)
	errorReporter	0x01b04490 NS_ScriptErrorReporter(JSContext *, const char *,
JSErrorReport *)
	data	0x02c9d830
+	dormantFrameChain	0x00000000
	thread	4085080
	requestDepth	0
+	scopeToShare	0x00000000
+	lockedSealedScope	0x00000000
	rval2	0
	rval2set	0 ''
	creatingException	0 ''
	throwing	0 ''
	exception	-2147483647
	options	25
+	localeCallbacks	0x01e59260
+	resolvingTable	0x02c9e3d0
+	stackHeaders	0x00000000
	findObjectPrincipals	0x01b076f0 ObjectPrincipalFinder(JSContext *, JSObject *)
-	obj	0xc04d8b00
	map	CXX0017: Error: symbol "" not found
	slots	CXX0030: Error: expression cannot be evaluated
	v	0

Loading the page by itself, however, gives a completely different stack with an
uninitialized atom.

js_Interpret(JSContext * 0x02e2b5f8, long * 0x0012f18c) line 3114 + 26 bytes
js_Execute(JSContext * 0x02e2b5f8, JSObject * 0x02df6908, JSScript * 0x03ead818,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f2a4) line 1173 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x02e2b5f8, JSObject * 0x02df6908,
JSPrincipals * 0x0336f398, const unsigned short * 0x03ea4068, unsigned int 8635,
const char * 0x03e973a8, unsigned int 1, long * 0x0012f2a4) line 3649 + 25 bytes
nsJSContext::EvaluateString(const nsAString & {...}, void * 0x02df6908,
nsIPrincipal * 0x0336f390, const char * 0x03e973a8, unsigned int 1, const char *
0x100ba430, nsAString & {...}, int * 0x0012f2f0) line 946 + 67 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x03e97188, const nsString
& {...}) line 668
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x03e97188) line 581 + 22 bytes
nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x033d9394,
nsIStreamLoader * 0x03e9ae10, nsISupports * 0x03e97188, unsigned int 0, unsigned
int 4294967295, const char * 0x03e9e1bc) line 905
nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x03e9ae14, nsIRequest *
0x03e97648, nsISupports * 0x03e97188, unsigned int 0) line 144
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03814590,
nsIRequest * 0x03e97648, nsISupports * 0x03e97188, unsigned int 0) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x03e97650, nsIRequest *
0x03e9b9f0, nsISupports * 0x00000000, unsigned int 0) line 3670
nsInputStreamPump::OnStateStop() line 499
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03e9b9f4,
nsIAsyncInputStream * 0x03e9b7d4) line 339 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x039e10cc) line 119
PL_HandleEvent(PLEvent * 0x039e10cc) line 673 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00eee8a0) line 608 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x01610206, unsigned int 49517, unsigned int 0,
long 15657120) line 1414 + 9 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x00ec0080) line 135
nsAppShellService::Run(nsAppShellService * const 0x00f2adb0) line 495
xre_main(int 4, char * * 0x003e7708, const nsXREAppData * 0x0041e01c kAppData)
line 1907 + 35 bytes
main(int 4, char * * 0x003e7708) line 58 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

+	atom	0xcdcdcdcd
-	cx	0x02e2b5f8
+	links	{...}
	interpLevel	1
	stackLimit	718584
	version	0
	jsop_eq	18 ''
	jsop_ne	19 ''
+	runtime	0x00f012e0
+	stackPool	{...}
+	fp	0x0012f16c
+	tempPool	{...}
+	globalObject	0x02df6908
+	newborn	0x02e2b654
+	lastAtom	0x00f098a8
+	regExpStatics	{...}
+	sharpObjectMap	{...}
+	argumentFormatMap	0x02e2b868
+	lastMessage	0x039e33d8 "assignment to undeclared variable output"
	tracefp	0x00000000
	branchCallback	0x01b14fa0 nsJSContext::DOMBranchCallback(JSContext *, JSScript *)
	errorReporter	0x01b14490 NS_ScriptErrorReporter(JSContext *, const char *,
JSErrorReport *)
	data	0x02e2b450
+	dormantFrameChain	0x00000000
	thread	4085080
	requestDepth	0
+	scopeToShare	0x00000000
+	lockedSealedScope	0x00000000
	rval2	0
	rval2set	0 ''
	creatingException	0 ''
	throwing	0 ''
	exception	-2147483647
	options	9
+	localeCallbacks	0x01e69260
+	resolvingTable	0x02e2bff0
+	stackHeaders	0x00000000
	findObjectPrincipals	0x01b176f0 ObjectPrincipalFinder(JSContext *, JSObject *)
+	pc	0x03ead871 "="
-	script	0x03ead818
+	code	0x03ead848 ""
	length	628
+	main	0x03ead863 "l"
	version	0
+	atomMap	{...}
+	filename	0x03eac43d
"http://adopt.specificclick.net/adopt.sm?l=1801392231&sz=pop&r=j&pfc=1&v=1&rnd=25699942205226456"
	lineno	1
	depth	7
+	trynotes	0x00000000
+	principals	0x0336f398
+	object	0x00000000
Severity: normal → critical
Keywords: crash
This has the earmarks of dead JS objects....
Assignee: dveditz → general
Component: Security: CAPS → JavaScript Engine
QA Contact: general
Lots of rooting fixes, in JS, XBL, and DOM, since 1.0.x.  Anyone want to guess which one might help here?

/be
this is a very very very common crash of mine. i'd love to see it killed :)
Summary: Crash @ JS_GetPrivate line 1813 → Crash [@ JS_GetPrivate] line 1813
which is to say, i don't believe it's fixed. although i haven't seen it in the past 10 days.
timeless: what do you mean by "this"?  The JS_GetPrivate line number means nothing.  You have to include much of the stack in the signature.  Are you?

/be
i recognize this crash as:

no js on stack
PresShell::HandleEventInternal

nsContentUtils::IsCallerChrome

nsScriptSecurityManager::GetFunctionObjectPrincipal

http://viper.haque.net/~timeless/jsgffo.ssm.icc.crash
http://viper.haque.net/~timeless/jsgp.ssm.icc.crash
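
The comments above say that JS_GetPrivate alone does not identify this crash and that the signature has to include more of the stack. As an added example (not part of the bug report or of Mozilla's Talkback tooling), the following extracts frame names from debugger output wrapped as in this report and checks for the frame sequence listed in the comment above. The sample stacks are shortened from the two in this report, and `JS_FRAMES` is an assumption about what counts as JS on the stack.

```python
import re

# Constructed sample input: frames are copied from the two stacks in this
# report, with most frames left out. Long frames wrap across several lines.
EVENT_STACK = """\
JS_GetPrivate(JSContext * 0x02c9d9d8, JSObject * 0xc04d8b00) line 1998 + 3 bytes
nsScriptSecurityManager::GetFunctionObjectPrincipal(JSContext * 0x02c9d9d8,
JSObject * 0xc04d8b00, JSStackFrame * 0x0012f02c, nsIPrincipal * * 0x0012ed6c)
line 1813 + 14 bytes
nsContentUtils::IsCallerChrome() line 920 + 21 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f07c, nsIView * 0x024ec760,
unsigned int 1, nsEventStatus * 0x0012ef28) line 6027 + 5 bytes
USER32! 77d48734()
"""
SCRIPT_STACK = """\
js_Interpret(JSContext * 0x02e2b5f8, long * 0x0012f18c) line 3114 + 26 bytes
js_Execute(JSContext * 0x02e2b5f8, JSObject * 0x02df6908, JSScript * 0x03ead818,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f2a4) line 1173 + 13 bytes
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x03e97188) line 581 + 22 bytes
"""

# A frame starts at a line of the form "Name(" or "MODULE! address()";
# anything else is the wrapped remainder of the previous frame.
FRAME_START = re.compile(r"^(?:([A-Za-z_][\w:]*)\(|(\w+)! [0-9a-f]+\(\))", re.M)

# Frame sequence from the comment above, innermost first.
PATTERN = [
    "nsScriptSecurityManager::GetFunctionObjectPrincipal",
    "nsContentUtils::IsCallerChrome",
    "PresShell::HandleEventInternal",
]
# Assumption: interpreter entry points are what "JS on stack" means.
JS_FRAMES = {"js_Interpret", "js_Execute"}

def frame_names(stack_text):
    """Return frame names, innermost first; symbol-less frames keep the module."""
    return [m.group(1) or m.group(2) + "!<no symbol>"
            for m in FRAME_START.finditer(stack_text)]

def signature(names, depth=4):
    """Join the top frames instead of using the top frame alone."""
    return " | ".join(names[:depth])

def matches_event_crash(names):
    """True if PATTERN occurs in order and no interpreter frame is present."""
    if JS_FRAMES.intersection(names):
        return False
    remaining = iter(names)
    return all(frame in remaining for frame in PATTERN)
```
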
*** Bug 319015 has been marked as a duplicate of this bug. ***
(In reply to comment #7)
> *** Bug 319015 has been marked as a duplicate of this bug. ***
> 

...and just FYI, bug 319015 was Fx 1.5, not 1.0.x
*** Bug 319121 has been marked as a duplicate of this bug. ***
Why is this not listed on the talkback server as an open bug for JS_GetPrivate crashes?
The cbs URL worksforme on trunk, and the stack trace was never enough to implicate a specific rooting bug, so marking as WFM.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ JS_GetPrivate]