Bug 311950 - crash at http://www.hansrossel.com/reisgids/turkijePR.html [@ js_LookupPropertyWithFlags ]
Status: RESOLVED FIXED
Keywords: fixed1.8
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 1.8 Branch
Platform: All All
Importance: -- critical
Assigned To: Brendan Eich [:brendan]
Depends on: 311157
Blocks: 311071

Reported: 2005-10-10 12:20 PDT by Peter van der Woude [:Peter6]
Modified: 2005-10-22 23:59 PDT
bob: in‑testsuite-

Description Peter van der Woude [:Peter6] 2005-10-10 12:20:51 PDT
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051008
Firefox/1.4.1 ID:2005100805 / vanilla profile

Open url and crash

this is NO dupe of Bug 276979

works in 20051004 1222pdt build
fails in 20051004 1350pdt build

regressionwindow : (bonsai down, will try later)

TB10464972Y

Incident ID: 10464972
Stack Signature	js_LookupPropertyWithFlags e0c06551
Product ID	Firefox15
Build ID	2005100805
Trigger Time	2005-10-10 04:42:13.0
Platform	Win32
Operating System	Windows NT 5.0 build 2195
Module	js3250.dll + (0002d4be)
URL visited	http://www.hansrossel.com/reisgids/turkijePR.html
User Comments	crash while opening this page
Since Last Crash	4391 sec
Total Uptime	4391 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2592
Stack Trace
js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2592]
js_LookupProperty [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2519]
js_GetProperty [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2804]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 589]
nsXPCWrappedJS::QueryInterface [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 97]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1779]
nsXULDocument::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 1242]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2135]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsEventStateManager::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2627]
nsEventStateManager::NotifyMouseOut [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2696]
nsEventStateManager::NotifyMouseOver [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2746]
nsEventStateManager::GenerateMouseEnterExit [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2785]
nsEventStateManager::PreHandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 522]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6361]
PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6203]
nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5991]
ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6242]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x3158f (0x77e4158f)
USER32.dll + 0x31dc9 (0x77e41dc9)
USER32.dll + 0x31e7e (0x77e41e7e)
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
KERNEL32.dll + 0x28989 (0x79628989)

Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2005-10-10 13:46:31 PDT
That seems very unlikely, whereas the fix for bug 311071 (just 6 mins outside
your regression window) or bug 311090 seems much more probable.  Note that 6
mins is well within the range of cvs-mirror lag or machine clock skew...

Comment 3 Peter van der Woude [:Peter6] 2005-10-10 14:11:50 PDT
Correct regression window:
http://tinderbox.mozilla.org/bonsai/cvsquery.cgi?treeid=default&module=AviarySuiteBranchTinderbox&branch=MOZILLA_1_8_BRANCH&branchtype=match&filetype=match&whotype=match&sortby=Date&hours=2&date=explicit&mindate=20051004+1147&maxdate=20051004+1354&cvsroot=%2Fcvsroot

It built from 1315-1354, so I assumed the last 2 wouldn't be in.
(I'll keep this in mind next time.)
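
The regression-window reasoning from comments 2 and 3, as an added example that is not part of the original bug thread: check-ins that land while the first bad build is running, or within a small allowance for mirror lag and clock skew at either edge, stay on the suspect list instead of being dropped. The build times come from the comments; the check-in names and times are constructed, and the 10-minute slack is an assumed value.

```python
from datetime import datetime, timedelta

def classify_checkins(good_pull, bad_start, bad_end, checkins,
                      slack=timedelta(minutes=10)):
    """Sort check-ins into 'likely', 'uncertain' and 'excluded' suspects.

    good_pull: source pull time of the last good build
    bad_start, bad_end: when the first bad build started and finished;
        its source pull happened somewhere in between
    slack: allowance for mirror lag and clock skew on either edge
    """
    result = {"likely": [], "uncertain": [], "excluded": []}
    for name, when in checkins:
        if good_pull < when <= bad_start:
            bucket = "likely"       # strictly between the two pulls
        elif good_pull - slack < when <= bad_end + slack:
            bucket = "uncertain"    # landed mid-build or within the slack
        else:
            bucket = "excluded"
        result[bucket].append(name)
    return result

def at(hhmm):
    """Helper for the sample data: a time of day on 2005-10-04."""
    return datetime(2005, 10, 4, int(hhmm[:2]), int(hhmm[2:]))

# Build times as quoted in the thread.
GOOD_PULL = at("1222")
BAD_START, BAD_END = at("1315"), at("1354")

# Constructed check-ins, not taken from the real CVS history.
SAMPLE_CHECKINS = [
    ("change-A", at("1130")),  # long before the good build
    ("change-B", at("1218")),  # 4 min before the good pull
    ("change-C", at("1240")),  # between the two builds
    ("change-D", at("1330")),  # landed while the bad build was running
    ("change-E", at("1400")),  # 6 min after the bad build finished
    ("change-F", at("1510")),  # long after the bad build
]

if __name__ == "__main__":
    suspects = classify_checkins(GOOD_PULL, BAD_START, BAD_END, SAMPLE_CHECKINS)
    for bucket, names in suspects.items():
        print(f"{bucket:10s} {', '.join(names)}")
```

With `slack` set to zero, `change-B` and `change-E` fall off the list entirely, which is the situation comment 2 warns about.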

Comment 4 Brendan Eich [:brendan] 2005-10-10 21:59:45 PDT
I don't think E4X changes could cause this.  How about the nsDOMClassInfo.cpp
changes?  We should get this bug well-assigned (not that mrbkap needs any more
criticals just now -- but this bug is not critical ;-).

Could cx be bad?  What line is implicated in js_LookupPropertyWithFlags, can
someone show the source from the right cvs pull date?

/be

Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2005-10-11 07:36:22 PDT
This is still critical severity.

> I don't think E4X changes could cause this.

Think again.  ;)  In a debug branch build:

Assertion failure: tt == TOK_XMLCDATA || tt == TOK_XMLCOMMENT || tt == TOK_XMLPI, at ../../../mozilla/js/src/jsparse.c:3499

Program received signal SIGABRT, Aborted.

#3  0xb7fd0adf in JS_Assert (
    s=0xb7ff47a4 "tt == TOK_XMLCDATA || tt == TOK_XMLCOMMENT || tt == TOK_XMLPI", 
    file=0xb7ff4108 "../../../mozilla/js/src/jsparse.c", ln=3499)
    at ../../../mozilla/js/src/jsutil.c:63
#4  0xb7faf762 in XMLElementContent (cx=0x87c3d68, ts=0x89401b0, pn=0x89404b0, 
    tc=0xbfffe560) at ../../../mozilla/js/src/jsparse.c:3498
#5  0xb7fafb90 in XMLElementOrList (cx=0x87c3d68, ts=0x89401b0, tc=0xbfffe560, 
    allowList=1) at ../../../mozilla/js/src/jsparse.c:3590
#6  0xb7fb0b1b in PrimaryExpr (cx=0x87c3d68, ts=0x89401b0, tc=0xbfffe560)
    at ../../../mozilla/js/src/jsparse.c:3993
#7  0xb7fae4ab in MemberExpr (cx=0x87c3d68, ts=0x89401b0, tc=0xbfffe560, 
    allowCallSyntax=1) at ../../../mozilla/js/src/jsparse.c:2891
...
#26 0xb7f3e525 in JS_CompileUCScriptForPrincipals (cx=0x87c3d68, obj=0x8b316d8, 
    principals=0x8a38b94, chars=0x899f0c8, length=270, 
    filename=0x87ec958 "http://www.hansrossel.com/javascript/dontgetframed.js", lineno=1)
    at ../../../mozilla/js/src/jsapi.c:3681

That script looks like this:

<script language="javascript">
<!-- kleef in head om niet geframed te worden -->
<!--
if (self.location.href != top.window.location.href)
{ top.window.location.href = self.location.href };

if (top.frames.length!=0)
top.location=self.document.location;
//-->
</script>

(yes, in an external script file; gotta love these folks).

For what it's worth, in frame 4 when we assert we have:

(gdb) p tt
$3 = TOK_IF
(gdb) p ts->lineno
$9 = 4

Oh, and backing out the patch for bug 311071 fixes this crash.

Comment 6 Blake Kaplan (:mrbkap) 2005-10-11 09:41:44 PDT
Boris, this is with the fix for bug 311157 in your tree, right?

Comment 7 Boris Zbarsky [:bz] (still a bit busy) 2005-10-11 09:57:00 PDT
No, that was without that patch -- I pulled my 1.8 tree last night.

With that patch, I don't see a crash on the site in this bug.  So sounds like
this was fixed by that patch...  If that's a likely possibility, please resolve
accordingly.

Comment 8 Peter van der Woude [:Peter6] 2005-10-11 09:59:55 PDT
Yes, fixed indeed, resolving