Crash [@ js_MarkScript] when visiting Gmail, visiting another site and then going back

VERIFIED FIXED

Status


--
critical
VERIFIED FIXED
13 years ago
7 years ago

People

(Reporter: martijn.martijn, Assigned: mrbkap)

Tracking

({crash, regression, verified1.8})

Trunk
x86
Windows XP
crash, regression, verified1.8
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
This regressed between 2005-09-21 and 2005-09-22 and it is only a trunk crash:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-21+06%3A00%3A00&maxdate=2005-09-22+09%3A00%3A00&cvsroot=%2Fcvsroot

To reproduce:
- Visit Gmail (you have to have an account)
- Visit another site
- Go back

From talkback ID TB9817090Q:
js_MarkScript [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscript.c, line 1344]
fun_mark [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 1357]
js_Mark [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 4119]
MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1146]
js_MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1446]
js_MarkAtomState [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsatom.c, line 467]
js_GC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1705]
js_NewGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 636]
AllocSlots [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 1811]
js_NewObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 1929]
js_NewFunction [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 1964]
FunctionDef [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 858]
FunctionStmt [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 1021]
Statements [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 1053]
Statement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 1704]
Statements [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 1053]
js_CompileTokenStream [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 468]
CompileTokenStream [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3432]
JS_CompileUCScriptForPrincipals [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3513]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3948]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1067]
nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 748]
nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 642]
nsScriptLoader::ProcessScriptElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 583]
nsHTMLScriptElement::MaybeProcessScript [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 673]
nsHTMLScriptElement::SetHtmlFor [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 537]
SinkContext::CloseContainer [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 1403]
HTMLContentSink::CloseContainer [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 2985]
CNavDTD::HandleToken [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 838]
CNavDTD::BuildModel [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 459]
nsParser::BuildModel [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/nsParser.cpp, line 2010]

I have bfcache enabled (haven't checked yet without bfcache).
(Reporter)

Updated

13 years ago
Severity: normal → critical
(Reporter)

Updated

13 years ago
Depends on: 310399

Comment 1

13 years ago
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050927 SeaMonkey/1.1a
TB9874524K

Comment 2

13 years ago
*** Bug 310493 has been marked as a duplicate of this bug. ***

Comment 3

13 years ago
There is still a 'nice to have' patch waiting according to Bug 305181 comment 25.
Bug 305181 [FIX]Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]
(Reporter)

Updated

13 years ago
Depends on: 305181
The remaining patch in bug 305181 isn't really a crash fix of any sort...

Given the regression range, this looks to be a regression from bug 308085...
Blocks: 308085
Then again, bug 308085 landed on branch too.  But it's the only JS engine change on trunk in that range...
Flags: blocking1.9a1?
Weird, I can reproduce the crash in this build: 1.9a1_2005092912, but not in
this build: 1.9a1_2005092922.
Something cured it?
That's the range in which mrbkap backed out one of the patches for bug 307317...
Blocks: 307317
(Reporter)

Comment 8

13 years ago
Works for me too now, on current trunk. Marking WFM then?
I'd wait and see what happens in bug 307317
This is a regression from bug 308085. Fix in a jiffy.
Assignee: nobody → general
Component: History: Session → JavaScript Engine
QA Contact: history.session → general
Created attachment 198033 [details] [diff] [review]
Null-check the script

This is very similar to bug 309695... The fix in bug 307317 must be causing us
to mark the function, even after we've refused to create the script (or before
the script is created, I'm not sure).
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #198033 - Flags: review?(brendan)
Actually, the stack says: "Before the script is created", no invalid javascript
needed here.
Flags: blocking1.9a1? → blocking1.8b5?
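The comments above describe the hazard behind this crash: js_NewFunction has created the function object, a later allocation in the same compile (AllocSlots -> js_NewGCThing) triggers a GC, and the marker reaches the function before any script has been attached to it, so the script pointer it follows is NULL. The following is an added illustration, not SpiderMonkey code or the attached patch; the types and functions (Function, Script, mark_script_unchecked, mark_script_checked, compile_function_with_gc) are hypothetical stand-ins for JSFunction, JSScript, fun_mark and js_MarkScript, and the "crash" is simulated by a return value rather than a real NULL dereference.

```c
/* Added illustration (not SpiderMonkey code): a miniature model of a GC
 * marker meeting a partially initialised function object. The function
 * is reachable from the roots before compilation has attached its script,
 * so a marker that dereferences the script unconditionally faults. The
 * fix modelled here is the same shape as "Null-check the script": skip
 * scripts that do not exist yet. All names are hypothetical. */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct Script { bool marked; } Script;

typedef struct Function {
    bool    marked;
    Script *script;   /* NULL from allocation until compilation finishes */
} Function;

/* Buggy marker: assumes every function already has a script.
 * Returns false where the real code would dereference NULL and crash. */
static bool mark_script_unchecked(Function *fun) {
    fun->marked = true;
    if (fun->script == NULL)
        return false;             /* simulated NULL dereference */
    fun->script->marked = true;
    return true;
}

/* Fixed marker: a function with no script yet simply has nothing more
 * to mark; marking resumes normally once the script is attached. */
static bool mark_script_checked(Function *fun) {
    fun->marked = true;
    if (fun->script != NULL)
        fun->script->marked = true;
    return true;
}

/* Model of the allocation path in the stack trace: js_NewFunction makes
 * the object, a later allocation (AllocSlots -> js_NewGCThing) decides to
 * collect, and the marker visits the half-built function. Only afterwards
 * does compilation attach the script. Returns false if the GC "crashed". */
static bool compile_function_with_gc(bool (*marker)(Function *)) {
    Function fun = { false, NULL };   /* js_NewFunction: no script yet */
    Script script = { false };

    if (!marker(&fun))                /* GC runs in the window */
        return false;

    fun.script = &script;             /* compilation completes */
    return marker(&fun) && script.marked;
}

int main(void) {
    printf("unchecked marker: %s\n",
           compile_function_with_gc(mark_script_unchecked) ? "ok" : "crash");
    printf("checked marker:   %s\n",
           compile_function_with_gc(mark_script_checked) ? "ok" : "crash");
    return 0;
}
```

The general lesson for any tracing collector is that every object type must be markable in every state it can be in when the collector runs, including the window between allocation and full initialisation; a NULL check in the mark routine is the cheapest defence, and an allocation that cannot trigger GC until the object is complete is the stronger one.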
(Reporter)

Comment 14

13 years ago
Does the "Null-check the script" patch also take care of bug 310399?
That stack is pretty weird (looks like an optimizer got to it :-(), so once I
check this fix in, people should test to see if it fixes the problem, but it
certainly is possible (since we are marking in that stack).
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Comment on attachment 198033 [details] [diff] [review]
Null-check the script

This is a very safe null-defense patch that fixes a regression from bug 308085
which was also checked in on the branch.
Attachment #198033 - Flags: review?(brendan) → approval1.8b5?
(Reporter)

Comment 18

13 years ago
(In reply to comment #15)
> That stack is pretty weird (looks like an optimizer got to it :-(), so once I
> check this fix in, people should test to see if fixes the problem, but it
> certainly is possible (since we are marking in that stack).
The problem is that it already doesn't crash anymore (just like this bug), so no
idea if the patch would fix that bug.

Updated

13 years ago
Attachment #198033 - Flags: approval1.8b5? → approval1.8b5+
Fix checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
(In reply to comment #18)
> The problem is that it already doesn't crash anymore (just like this bug), so no
> idea if the patch would fix that bug.

Upon further reflection, it looks like this patch should fix that bug as well.

Updated

13 years ago
Flags: blocking1.8b5?

Comment 21

13 years ago
*** Bug 310399 has been marked as a duplicate of this bug. ***

Updated

13 years ago
Flags: testcase-

Updated

13 years ago
Status: RESOLVED → VERIFIED
Keywords: fixed1.8 → verified1.8
Crash Signature: [@ js_MarkScript]