310493 - firefox was crashed when e-mail link inside gmail was clicked

Status: RESOLVED DUPLICATE of bug 310456

(Core :: JavaScript Engine, defect)

Description

[Jeongkyu Kim]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050927 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050927 Firefox/1.6a1

When I clicked e-mail link while browsing gmail, firefox crashed sometimes after
displaying new mail window. 

Incident ID: TB9801542K

Reproducible: Sometimes

Steps to Reproduce:
1. open gmail.com and log in
2. open a mail of which content has e-mail link
3. click the link

Actual Results:  
Firefox crashed after diaplying new mail window


I had a chance to break at the point where the crash happend with my 
debug build.

In js/src/jsscript.c,

void
js_MarkScript(JSContext *cx, JSScript *script, void *arg)
{
    JSAtomMap *map;
    uintN i, length;
    JSAtom **vector;

    map = &script->atomMap;
>> The parameter 'script' was passed as null and crash happened here....

Here are several lines from call stack. And please let me know if someone 
wants to have more information from debugging session. I'll try reproduce it.

js3250.dll!js_MarkScript(JSContext * cx=0x04765ad0, JSScript * 
script=0x00000000, void * arg=0x00000000)  Line 1342 + 0x3
js3250.dll!fun_mark(JSContext * cx=0x04765ad0, JSObject * obj=0x04b20168, void 
* arg=0x00000000)  Line 1357 + 0x14
js3250.dll!js_Mark(JSContext * cx=0x04765ad0, JSObject * obj=0x04b20168, void 
* arg=0x00000000)  Line 4119 + 0x12
js3250.dll!MarkGCThing(JSContext * cx=0x04765ad0, void * thing=0x04b20168, 
unsigned char * flagp=0x04b1e795)  Line 1146 + 0x23
js3250.dll!js_MarkGCThing(JSContext * cx=0x04765ad0, void * thing=0x04b20168, 
void * arg=0x00000000)  Line 1446 + 0x11

Comment 1

[Hermann Schwab]

Bug 310456 	Crash [@ js_MarkScript] when visiting Gmail, visiting another site
and then going back

*** This bug has been marked as a duplicate of 310456 ***