Closed Bug 309695 Opened 15 years ago Closed 15 years ago

Crash visiting msdn.microsoft.com [@ js_FreeAtomMap]

Categories: Core :: JavaScript Engine, defect, P1

Tracking: VERIFIED FIXED, mozilla1.8beta5

People: Reporter: Biesinger, Assigned: brendan

Details: Keywords: fixed1.8, js1.6

Attachments: 3 files

I crash visiting the above url, top stack frames:
#0  0x006c170d in js_FreeAtomMap (cx=0x94ff0d8, map=0x10) at
../../../../mozilla/js/src/jsatom.c:972
#1  0x007485c6 in js_DestroyScript (cx=0x94ff0d8, script=0x0) at
../../../../mozilla/js/src/jsscript.c:1328
#2  0x006e6739 in fun_finalize (cx=0x94ff0d8, obj=0x93dfe80) at
../../../../mozilla/js/src/jsfun.c:1108
#3  0x00718393 in js_FinalizeObject (cx=0x94ff0d8, obj=0x93dfe80) at
../../../../mozilla/js/src/jsobj.c:2086
#4  0x006ec7c0 in js_GC (cx=0x94ff0d8, gcflags=0) at
../../../../mozilla/js/src/jsgc.c:1839

Line:
0x006c170d in js_FreeAtomMap (cx=0x94ff0d8, map=0x10) at
../../../../mozilla/js/src/jsatom.c:972
972         if (map->vector) {

oh, I should mention... linux, trunk, seamonkey, gtk2, checkout finish: Do Sep
22 14:18:32 CEST 2005

fun has ->interpreted as true, u.script as NULL, and the atom is for
"BrowserData".  Just to record that (the interpreted && !script combination is
especially interesting to me).

Note that the patch for bug 308085 can cause us to set fun->interpreted earlier
(I'm not sure if that's a problem, though).
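
The state recorded in the comments above (interpreted set, u.script NULL, and js_FreeAtomMap receiving map=0x10 from script=0x0), as an added C sketch that is not the attached patch or SpiderMonkey code. The struct layouts, the function names and the NULL guard in finalize_function are simplified assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins; NOT the real SpiderMonkey struct layouts. */
typedef struct { void **vector; size_t length; } AtomMap;
typedef struct { void *code; void *main; AtomMap atomMap; } Script;
typedef struct {
    int interpreted;                 /* may be set before a script exists */
    union { Script *script; void *native; } u;
} Function;

/* Address a destroy routine would hand to the atom-map free routine.
 * For script == NULL this is offsetof(Script, atomMap): small but non-zero,
 * so a "map != NULL" test in the callee would not catch it. */
static uintptr_t atom_map_addr(const Script *script)
{
    return (uintptr_t)script + offsetof(Script, atomMap);
}

static void free_atom_map(AtomMap *map)
{
    if (map->vector) {               /* the read that faults in the report */
        free(map->vector);
        map->vector = NULL;
        map->length = 0;
    }
}

static void destroy_script(Script *script)
{
    free_atom_map(&script->atomMap);
    free(script);
}

/* Finalizer that tolerates the interpreted && !script combination.
 * Returns 1 if a script was destroyed, 0 if there was nothing to free. */
static int finalize_function(Function *fun)
{
    if (!fun->interpreted || fun->u.script == NULL)
        return 0;
    destroy_script(fun->u.script);
    fun->u.script = NULL;
    return 1;
}
```

The guard sits in the caller because the callee only ever sees the offset address, never a NULL it could test for.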
Status: UNCONFIRMED → NEW
Ever confirmed: true
Fix coming right away, sorry for this regression from 308085.

Looks like BrowserData is a function somewhere on MSDN with invalid syntax.  Can
someone find and post it?

/be
Assignee: general → brendan
Depends on: 308085
Flags: blocking1.8b5+
Keywords: js1.6
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta5
Attached patch the obvious fix
The fix for bug 308085 got approval earlier today (baking results in this bug
were racing that approval) and it is about to land, with this fix included, on
the 1.8 branch.

/be
Attachment #197149 - Flags: review+
Attachment #197149 - Flags: approval1.8b5+
Fixed on trunk and branch.

/be
Status: NEW → RESOLVED
Closed: 15 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Blocks: 308085
No longer depends on: 308085
Comment on attachment 197149
the obvious fix

r=mrbkap
Attachment #197149 - Flags: review+
Ah, that's why I couldn't find the interpreted-set that was causing this; the
tree I was looking at didn't have 308085 in it.  Thanks!
*** Bug 309792 has been marked as a duplicate of this bug. ***
Filed bug 309840 on the fact that our js engine thinks the BrowserData function
is invalid.
(In reply to comment #13)
> Filed bug 309840 on the fact that our js engine thinks the BrowserData function
> is invalid.

Which fact is due to our js engine following ECMA-262 Edition 3.  Yeah, yeah --
"real world web standards" (of which I am a proponent) may trump that paper
spec. Bob's spidering will help tell what trumps what.

/be

Verified FIXED using build 2005-09-24-05 SeaMonkey on Windows XP.
Status: RESOLVED → VERIFIED
*** Bug 310161 has been marked as a duplicate of this bug. ***
Flags: testcase-
Flags: testcase- → testcase?
When keying in Microsoft's Feedback page, <http://feedback.msn.com/eform.aspx?productkey=hotmail&locale=en-us>
Seamonkey becomes less and less responsive... like there's a serious conflict there... and it seems that Seamonkey must be uninstalled and re-installed to eliminate what that page messed up in SeaMonkey...
Flags: in-testsuite? → in-testsuite-