Closed
Bug 310456
Opened 19 years ago
Closed 19 years ago
Crash [@ js_MarkScript] when visiting Gmail, visiting another site and then going back
Categories
(Core :: JavaScript Engine, defect)
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: mrbkap)
Details
(Keywords: crash, regression, verified1.8)
Attachments
(1 file)
864 bytes, patch | shaver: review+ | asa: approval1.8b5+
This regressed between 2005-09-21 and 2005-09-22 and it is only a trunk crash:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-21+06%3A00%3A00&maxdate=2005-09-22+09%3A00%3A00&cvsroot=%2Fcvsroot
To reproduce:
- visit Gmail (you have to have an account)
- Visit another site
- Go back
From talkback ID TB9817090Q:
js_MarkScript
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsscript.c, line 1344]
fun_mark [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsfun.c,
line 1357]
js_Mark [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c,
line 4119]
MarkGCThing
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1146]
js_MarkGCThing
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1446]
js_MarkAtomState
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsatom.c, line 467]
js_GC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c,
line 1705]
js_NewGCThing
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 636]
AllocSlots
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 1811]
js_NewObject
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 1929]
js_NewFunction
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 1964]
FunctionDef
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 858]
FunctionStmt
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 1021]
Statements
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 1053]
Statement
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 1704]
Statements
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 1053]
js_CompileTokenStream
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsparse.c, line 468]
CompileTokenStream
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3432]
JS_CompileUCScriptForPrincipals
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3513]
JS_EvaluateUCScriptForPrincipals
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3948]
nsJSContext::EvaluateString
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1067]
nsScriptLoader::EvaluateScript
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 748]
nsScriptLoader::ProcessRequest
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 642]
nsScriptLoader::ProcessScriptElement
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 583]
nsHTMLScriptElement::MaybeProcessScript
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp,
line 673]
nsHTMLScriptElement::SetHtmlFor
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLScriptElement.cpp,
line 537]
SinkContext::CloseContainer
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 1403]
HTMLContentSink::CloseContainer
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 2985]
CNavDTD::HandleToken
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 838]
CNavDTD::BuildModel
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 459]
nsParser::BuildModel
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/nsParser.cpp,
line 2010]
I have bfcache enabled (haven't checked yet without bfcache).
Reporter | ||
Updated•19 years ago
|
Severity: normal → critical
Comment 1•19 years ago
|
||
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050927 SeaMonkey/1.1a
TB9874524K
Comment 2•19 years ago
|
||
*** Bug 310493 has been marked as a duplicate of this bug. ***
Comment 3•19 years ago
|
||
There is still a 'nice to have' patch waiting according to Bug 305181 comment 25.
Bug 305181 [FIX]Crash when navigating between Gmail and another URL [@
nsXPConnect::ReleaseJSContext]
Comment 4•19 years ago
|
||
The remaining patch in bug 305181 isn't really a crash fix of any sort...
Given the regression range, this looks to be a regression from bug 308085...
Blocks: 308085
Comment 5•19 years ago
|
||
Then again, bug 308085 landed on branch too. But it's the only JS engine change
on trunk in that range...
Flags: blocking1.9a1?
Comment 6•19 years ago
|
||
Weird, I can reproduce the crash in this build: 1.9a1_2005092912, but not in
this build: 1.9a1_2005092922.
Something cured it?
Comment 7•19 years ago
|
||
That's the range in which mrbkap backed out one of the patches for bug 307317...
Blocks: 307317
Reporter | ||
Comment 8•19 years ago
|
||
Works for me too now, on current trunk. Marking WFM then?
Comment 9•19 years ago
|
||
I'd wait and see what happens in bug 307317
Assignee | ||
Comment 10•19 years ago
|
||
This is a regression from bug 308085. Fix in a jiffy.
Assignee: nobody → general
Component: History: Session → JavaScript Engine
QA Contact: history.session → general
Assignee | ||
Comment 11•19 years ago
|
||
This is very similar to bug 309695... The fix in bug 307317 must be causing us
to mark the function, even after we've refused to create the script (or before
the script is created, I'm not sure).
Assignee | ||
Comment 12•19 years ago
|
||
Actually, the stack says: "Before the script is created", no invalid javascript
needed here.
Comment 13•19 years ago
|
||
Comment on attachment 198033 [details] [diff] [review]
Null-check the script
r=shaver
Attachment #198033 -
Flags: review+
Updated•19 years ago
|
Flags: blocking1.9a1? → blocking1.8b5?
Reporter | ||
Comment 14•19 years ago
|
||
Does the "Null-check the script" patch also take care of bug 310399?
Assignee | ||
Comment 15•19 years ago
|
||
That stack is pretty weird (looks like an optimizer got to it :-(), so once I
check this fix in, people should test to see if it fixes the problem, but it
certainly is possible (since we are marking in that stack).
Assignee | ||
Comment 16•19 years ago
|
||
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 17•19 years ago
|
||
Comment on attachment 198033 [details] [diff] [review]
Null-check the script
This is a very safe null-defense patch that fixes a regression from bug 308085
which was also checked in on the branch.
Attachment #198033 -
Flags: review?(brendan) → approval1.8b5?
Reporter | ||
Comment 18•19 years ago
|
||
(In reply to comment #15)
> That stack is pretty weird (looks like an optimizer got to it :-(), so once I
> check this fix in, people should test to see if it fixes the problem, but it
> certainly is possible (since we are marking in that stack).
The problem is that it already doesn't crash anymore (just like this bug), so no
idea if the patch would fix that bug.
Updated•19 years ago
|
Attachment #198033 -
Flags: approval1.8b5? → approval1.8b5+
Assignee | ||
Comment 20•19 years ago
|
||
(In reply to comment #18)
> The problem is that it already doesn't crash anymore (just like this bug), so no
> idea if the patch would fix that bug.
Upon further reflection, it looks like this patch should fix that bug as well.
Updated•19 years ago
|
Flags: blocking1.8b5?
Comment 21•19 years ago
|
||
*** Bug 310399 has been marked as a duplicate of this bug. ***
Updated•19 years ago
|
Flags: testcase-
Updated•19 years ago
|
Status: RESOLVED → VERIFIED
Keywords: fixed1.8 → verified1.8
Updated•13 years ago
|
Crash Signature: [@ js_MarkScript]