Bug 310161: Browser crash after running javascript [@ js_FreeAtomMap]
Opened 19 years ago, closed 19 years ago
Status: VERIFIED DUPLICATE of bug 309695
Categories: Core :: JavaScript Engine, defect
People: Reporter: bertramf, Unassigned
Keywords: crash
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050715 Firefox/1.0.6 SUSE/1.0.6-4.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20050927 SeaMonkey/1.1a
This is a browser or JavaScript problem, but I did not find that in the
components list, therefore "General".
Using self-compiled seamonkey (code of 9-23):
/home/bertram/mozilla/objects/dist/bin/run-mozilla.sh: line 131: 1699
Segmentation fault "$prog" ${1+"$@"}
Reproducible (on a private web page) also with a debug version - I'll attach
stack and debugger output.
Looks like there was some problem parsing the js, and for freeing we try to go
through a null pointer w/o checking.
Reproducible: Always
Steps to Reproduce:
Unfortunately an internal page. If really needed I can try and provide the js.
Actual Results:
SIGSEGV
Expected Results:
show the page
Output from the debugger window (last few lines, let me know if more is needed):
CSS Error (<URL deleted>): Error in parsing value for property 'cursor'.
Declaration dropped.
CSS Error (<URL deleted>): Expected color but found 'px'. Expected color but
found 'px'. Expected end of value for property but found 'px'. Error in
parsing value for property 'border-left'. Declaration dropped.
CSS Error (<URL deleted>): Expected color but found 'px'. Expected color but
found 'px'. Expected end of value for property but found 'px'. Error in
parsing value for property 'border-bottom'. Declaration dropped.
CSS Error (<URL deleted>): Error in parsing value for property 'cursor'.
Declaration dropped.
JavaScript error: <URL>.asp, line 76: document.forms is not a function
JavaScript error: <URL>.js line 728: missing name after . operator
Document <URL.asp> loaded successfully
WARNING: GetCharCode used for wrong key event; should use onkeypress., file
nsDOMKeyboardEvent.cpp, line 108
++DOMWINDOW == 28
CSS Error (<URL deleted>): Error in parsing value for property 'cursor'.
Declaration dropped.
CSS Error (<URL deleted>): Expected color but found 'px'. Expected color but
found 'px'. Expected end of value for property but found 'px'. Error in
parsing value for property 'border-left'. Declaration dropped.
CSS Error (<URL deleted>): Expected color but found 'px'. Expected color but
found 'px'. Expected end of value for property but found 'px'. Error in
parsing value for property 'border-bottom'. Declaration dropped.
CSS Error (<URL deleted>): Error in parsing value for property 'cursor'.
Declaration dropped.
JavaScript error: <URL>.asp, line 76: document.forms is not a function
JavaScript error: <URL>.js line 728: missing name after . operator
Document <URL>.asp loaded successfully
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085309024 (LWP 30177)]
0x4019e940 in js_FreeAtomMap (cx=0x45665368, map=0x10) at jsatom.c:972
/home/bertram/mozilla-debug/js/src/jsatom.c:972:28754:beg:0x4019e940
Current language: auto; currently c
(gdb) bt
#0 0x4019e940 in js_FreeAtomMap (cx=0x45665368, map=0x10) at jsatom.c:972
#1 0x4021f0a7 in js_DestroyScript (cx=0x45665368, script=0x0) at jsscript.c:1328
#2 0x401c2b4f in fun_finalize (cx=0x45665368, obj=0x45835f68) at jsfun.c:1108
#3 0x401f0662 in js_FinalizeObject (cx=0x45665368, obj=0x45835f68) at jsobj.c:2086
#4 0x401c8848 in js_GC (cx=0x45665368, gcflags=0) at jsgc.c:1839
#5 0x401c7d0e in js_ForceGC (cx=0x45665368, gcflags=0) at jsgc.c:1510
#6 0x40190dab in JS_GC (cx=0x45665368) at jsapi.c:1849
#7 0x41930e4e in nsJSContext::Notify (this=0x456652b8, timer=0x8f864e8) at
nsJSEnvironment.cpp:2156
#8 0x4011d02f in nsTimerImpl::Fire (this=0x8f864e8) at nsTimerImpl.cpp:397
#9 0x4011d202 in handleTimerEvent (event=0x4581e058) at nsTimerImpl.cpp:459
#10 0x40114850 in PL_HandleEvent (self=0x4581e058) at plevent.c:688
#11 0x401146f1 in PL_ProcessPendingEvents (self=0x80b9958) at plevent.c:623
#12 0x40117c12 in nsEventQueueImpl::ProcessPendingEvents (this=0x81c8df8) at
nsEventQueue.cpp:419
#13 0x4242109c in event_processor_callback (source=0x44802318,
condition=G_IO_IN, data=0x81c8df8) at nsAppShell.cpp:67
#14 0x406c0cb9 in g_io_unix_dispatch (source=0x44802370, callback=0x42421078
<event_processor_callback>, user_data=0x81c8df8) at giounix.c:162
#15 0x4069bfee in IA__g_main_context_dispatch (context=0x809ca98) at gmain.c:1947
#16 0x4069e30b in g_main_context_iterate (context=0x809ca98, block=1,
dispatch=1, self=0x82148b8) at gmain.c:2578
#17 0x4069f1c8 in IA__g_main_loop_run (loop=0x448023e8) at gmain.c:2782
#18 0x403db6eb in IA__gtk_main () at gtkmain.c:963
#19 0x4242179a in nsAppShell::Run (this=0x8299280) at nsAppShell.cpp:139
#20 0x40d4f459 in nsAppStartup::Run (this=0x8299230) at nsAppStartup.cpp:207
#21 0x080521cb in main1 (argc=1, argv=0xbfffdb14, nativeApp=0x8211b48) at
nsAppRunner.cpp:1249
#22 0x08052eda in main (argc=1, argv=0xbfffdb14) at nsAppRunner.cpp:1738
(gdb) graph display map
(gdb) up
#1 0x4021f0a7 in js_DestroyScript (cx=0x45665368, script=0x0) at jsscript.c:1328
/home/bertram/mozilla-debug/js/src/jsscript.c:1328:40233:beg:0x4021f0a7
(gdb) p *script
Cannot access memory at address 0x0
(gdb) p script
$1 = (JSScript *) 0x0
(gdb) up
#2 0x401c2b4f in fun_finalize (cx=0x45665368, obj=0x45835f68) at jsfun.c:1108
/home/bertram/mozilla-debug/js/src/jsfun.c:1108:33688:beg:0x401c2b4f
(gdb) p fun
$2 = (JSFunction *) 0x458573e0
(gdb) p *fun
$3 = {nrefs = 0, object = 0x0, u = {native = 0, script = 0x0}, nargs = 1, extra
= 0, nvars = 11, flags = 0 '\0', interpreted = 1 '\001', nregexps = 0, spare =
0, atom = 0x8ea4240, clasp = 0x0}
fun_finalize() seems to expect that, if interpreted=1, u.script is a valid
pointer, which is not the case here. Not sure if it would just be sufficient to
catch this case, or if something went wrong earlier ...
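An added illustration of the analysis in the description above (not code from the report or from the Mozilla tree): it shows how a null `script` pointer becomes a small non-null argument such as `map=0x10` when a member address is taken from it, and what a finalizer looks like when it checks the pointer as well as the `interpreted` flag. The `Model*` types, their layout and the function names are assumptions made for the example; only the offset 0x10 and the field values are taken from the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for illustration; NOT the real SpiderMonkey layouts. */
typedef struct { void **vector; uint32_t length; } ModelAtomMap;

typedef struct {
    uint8_t header[0x10];   /* sized so atomMap sits at 0x10, matching map=0x10 */
    ModelAtomMap atomMap;
} ModelScript;

typedef struct {
    ModelScript *script;    /* models fun->u.script */
    int interpreted;        /* models fun->interpreted */
} ModelFunction;

/* Value a callee receives for &script->atomMap; pure arithmetic, no dereference. */
uintptr_t atom_map_arg(const ModelScript *script) {
    return (uintptr_t)script + offsetof(ModelScript, atomMap);
}

/* Finalizer that checks the pointer as well as the flag.
 * Returns 1 if a script was torn down, 0 if there was nothing to free. */
int model_finalize(ModelFunction *fun, int *maps_freed) {
    if (!fun->interpreted || fun->script == NULL)
        return 0;           /* the state printed by "p *fun" ends up here */
    fun->script->atomMap.vector = NULL;   /* stands in for freeing the atom map */
    fun->script->atomMap.length = 0;
    (*maps_freed)++;
    fun->script = NULL;
    return 1;
}

int main(void) {
    ModelFunction fun = { NULL, 1 };      /* interpreted = 1, script = 0x0 */
    int maps_freed = 0;
    int rc = model_finalize(&fun, &maps_freed);
    printf("map argument for NULL script: %#lx\n",
           (unsigned long)atom_map_arg(NULL));
    printf("finalize returned %d, maps freed %d\n", rc, maps_freed);
    return 0;
}
```

When triaging a crash like this, a faulting address that is a small constant usually means a field access through a null base pointer, so the frame to inspect is the caller that produced the base pointer rather than the function that faulted.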
Comment 1 • 19 years ago
A minimal testcase or something like that would be really good (we just need a testcase, not the whole page)...
Assignee: general → general
Component: General → JavaScript Engine
Product: Mozilla Application Suite → Core
QA Contact: general → general
Summary: Browser crash after running java script → Browser crash after running javascript [@ js_FreeAtomMap]
Comment 2 (Reporter) • 19 years ago
(In reply to comment #1) I tried to wget the js, asp etc. files, but when I modify them to use local copies of the URLs, the abort does not happen anymore. Probably because they can't get the results as if they were on the real server. Sorry, no testcase. I can just offer to test or debug more, if you can direct me a little where to go.
Comment 3 (Reporter) • 19 years ago
This is a dup of 309695. Sorry for not finding that earlier. I've tried out the 20050928 code and there is no abort anymore.
Comment 4 (Reporter) • 19 years ago
*** This bug has been marked as a duplicate of 309695 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated • 13 years ago
Crash Signature: [@ js_FreeAtomMap]