Bug 309695 - Crash visiting msdn.microsoft.com [@ js_FreeAtomMap]
Status: VERIFIED FIXED
Keywords: fixed1.8, js1.6
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: P1 normal
Target Milestone: mozilla1.8beta5
Assigned To: Brendan Eich [:brendan]
URL: http://msdn.microsoft.com/workshop/br...
Duplicates: 309792 310161
Depends on:
Blocks: 308085
Reported: 2005-09-22 18:14 PDT by Christian :Biesinger (don't email me, ping me on IRC)
Modified: 2006-05-10 12:46 PDT
brendan: blocking1.8b5+
bob: in‑testsuite-

Attachments
full stack trace (11.55 KB, text/plain)
2005-09-22 18:16 PDT, Christian :Biesinger (don't email me, ping me on IRC)
no flags
stack trace with local variables (42.36 KB, text/plain)
2005-09-22 18:20 PDT, Christian :Biesinger (don't email me, ping me on IRC)
no flags
the obvious fix (801 bytes, patch)
2005-09-22 23:26 PDT, Brendan Eich [:brendan]
brendan: review+
mrbkap: review+
brendan: approval1.8b5+

Description Christian :Biesinger (don't email me, ping me on IRC) 2005-09-22 18:14:51 PDT
I crash visiting the above url, top stack frames:
#0  0x006c170d in js_FreeAtomMap (cx=0x94ff0d8, map=0x10) at ../../../../mozilla/js/src/jsatom.c:972
#1  0x007485c6 in js_DestroyScript (cx=0x94ff0d8, script=0x0) at ../../../../mozilla/js/src/jsscript.c:1328
#2  0x006e6739 in fun_finalize (cx=0x94ff0d8, obj=0x93dfe80) at ../../../../mozilla/js/src/jsfun.c:1108
#3  0x00718393 in js_FinalizeObject (cx=0x94ff0d8, obj=0x93dfe80) at ../../../../mozilla/js/src/jsobj.c:2086
#4  0x006ec7c0 in js_GC (cx=0x94ff0d8, gcflags=0) at ../../../../mozilla/js/src/jsgc.c:1839

Line:
0x006c170d in js_FreeAtomMap (cx=0x94ff0d8, map=0x10) at ../../../../mozilla/js/src/jsatom.c:972
972         if (map->vector) {
Comment 1 Christian :Biesinger (don't email me, ping me on IRC) 2005-09-22 18:16:16 PDT
Created attachment 197122
full stack trace
Comment 2 Christian :Biesinger (don't email me, ping me on IRC) 2005-09-22 18:20:09 PDT
Created attachment 197123
stack trace with local variables
Comment 3 Christian :Biesinger (don't email me, ping me on IRC) 2005-09-22 18:33:21 PDT
oh, I should mention... linux, trunk, seamonkey, gtk2, checkout finish: Do Sep
22 14:18:32 CEST 2005
Comment 4 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-09-22 18:35:45 PDT
fun has ->interpreted as true, u.script as NULL, and the atom is for
"BrowserData".  Just to record that (the interpreted && !script combination is
especially interesting to me).
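
Why frame #0 shows map=0x10 while frame #1 shows script=0x0, and a finalizer check that covers the interpreted && !script state recorded in comment 4. This is an added example, not part of the bug report and not the attached patch (which this page does not reproduce); the struct layouts and all function names are constructed stand-ins, not SpiderMonkey's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for illustration; NOT SpiderMonkey's real layouts. */
typedef struct { void **vector; unsigned length; } AtomMap;
typedef struct { void *code; void *notes; AtomMap atomMap; } Script;
typedef struct { int interpreted; Script *script; } Function;

/* Address the callee receives for &script->atomMap: base + field offset.
 * With a NULL base this is a small non-zero value, like map=0x10 in frame #0. */
uintptr_t atom_map_address(const Script *script) {
    return (uintptr_t)script + offsetof(Script, atomMap);
}

static void free_atom_map(AtomMap *map) {
    if (map->vector) {            /* the dereference that faulted in the trace */
        free(map->vector);
        map->vector = NULL;
    }
}

/* Like the callee in frame #1, this assumes script is non-NULL. */
static void destroy_script(Script *script) {
    free_atom_map(&script->atomMap);
    free(script);
}

/* Finalizer that trusts the flag alone: faults when interpreted && !script. */
void finalize_unguarded(Function *fun) {
    if (fun->interpreted) destroy_script(fun->script);
}

/* Finalizer that checks the pointer it is about to hand off.
 * Returns 1 if a script was destroyed, 0 if there was nothing to free. */
int finalize_guarded(Function *fun) {
    if (!fun->interpreted || !fun->script) return 0;
    destroy_script(fun->script);
    fun->script = NULL;
    return 1;
}

/* Constructed cases: the state recorded in comment 4, and a normal function. */
int demo_half_initialized(void) { Function f = {1, NULL}; return finalize_guarded(&f); }
int demo_complete(void) {
    Function f = {1, calloc(1, sizeof(Script))};
    return f.script ? finalize_guarded(&f) : -1;
}
```

When triaging a crash, a faulting pointer that is small but non-zero usually means a field address computed from a NULL struct pointer, so the real defect is one frame up from where the fault is reported.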
Comment 5 Blake Kaplan (:mrbkap) 2005-09-22 18:57:27 PDT
Note that the patch for bug 308085 can cause us to set fun->interpreted earlier
(I'm not sure if that's a problem, though).
Comment 6 Brendan Eich [:brendan] 2005-09-22 23:23:52 PDT
Fix coming right away, sorry for this regression from 308085.

Looks like BrowserData is a function somewhere on MSDN with invalid syntax.  Can
someone find and post it?

/be
Comment 7 Brendan Eich [:brendan] 2005-09-22 23:26:27 PDT
Created attachment 197149
the obvious fix

The fix for bug 308085 got approval earlier today (baking results in this bug
were racing that approval) and it is about to land, with this fix included, on
the 1.8 branch.

/be
Comment 8 Brendan Eich [:brendan] 2005-09-22 23:28:21 PDT
Fixed on trunk and branch.

/be
Comment 9 Bob Clary [:bc:] 2005-09-22 23:40:49 PDT
(In reply to comment #6)

http://msdn.microsoft.com/workshop/code/browdata.js
Comment 10 Blake Kaplan (:mrbkap) 2005-09-22 23:43:53 PDT
Comment on attachment 197149
the obvious fix

r=mrbkap
Comment 11 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-09-23 06:38:07 PDT
Ah, that's why I couldn't find the interpreted-set that was causing this; the
tree I was looking at didn't have 308085 in it.  Thanks!
Comment 12 R.K.Aa. 2005-09-23 13:45:34 PDT
*** Bug 309792 has been marked as a duplicate of this bug. ***
Comment 13 Jesse Ruderman 2005-09-23 19:34:40 PDT
Filed bug 309840 on the fact that our js engine thinks the BrowserData function
is invalid.
Comment 14 Brendan Eich [:brendan] 2005-09-23 20:28:27 PDT
(In reply to comment #13)
> Filed bug 309840 on the fact that our js engine thinks the BrowserData function
> is invalid.

Which fact is due to our js engine following ECMA-262 Edition 3.  Yeah, yeah --
"real world web standards" (of which I am a proponent) may trump that paper
spec. Bob's spidering will help tell what trumps what.

/be

Comment 15 Stephen Donner [:stephend] 2005-09-24 22:13:21 PDT
Verified FIXED using build 2005-09-24-05 SeaMonkey on Windows XP.
Comment 16 Bertram Franz 2005-09-28 06:38:35 PDT
*** Bug 310161 has been marked as a duplicate of this bug. ***
Comment 17 cosmicbrat 2006-02-24 13:05:31 PST
When keying in Microsoft's Feedback page,  <http://feedback.msn.com/eform.aspx?productkey=hotmail&locale=en-us>
Seamonkey becomes less and less responsive.. like there's a serious conflict there...  and it seems that Seamonkey must be uninstalled and re-installed to eliminate what that page messed up in SeaMonkey...
