Closed Bug 312588 Opened 19 years ago Closed 19 years ago

Firefox crash accessing the page http://www.puppozungo.com/testbrowser.html [@ UnmarkedGCThingFlags] [@ js_MarkGCThing]

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: andrew, Unassigned)

References

()

Details

(Keywords: crash, testcase)

Crash Data

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc3 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc3 Firefox/1.0.7

Opening the page http://www.puppozungo.com/testbrowser.html, the Firefox browser closes with no messages. The page contains a double JavaScript infinite loop.

Reproducible: Always

Steps to Reproduce:
1. Try to load this page: http://www.puppozungo.com/testbrowser.html

Actual Results:
Firefox closes all windows.

Expected Results:
Firefox signals that the script is resource hungry.
Launching Firefox from the command line, when Firefox exits the return code is 139.
Konqueror (on the same Linux platform) detects the resource leakage and warns the user with a message box that gives you a chance to terminate the ill-behaved script.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051015 Firefox/1.4.1 ID:2005101504 WFM; after stopping the 2 warnings, the page opens fine.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051015 Firefox/1.6a1 ID:2005101508 Crashes for me but talkback doesn't come up.
Severity: normal → critical
Keywords: crash
Version: unspecified → 1.0 Branch
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051015 Firefox/1.4.1 ID:2005101523 It crashes in branch and trunk but I get only a talkback in 1.0.7: TB10717153E
Keywords: talkbackid
Status: UNCONFIRMED → NEW
Ever confirmed: true
Yes, this crashes my 2005-10-16 trunk winxp build, after pressing the "Continue" button a few times when I get the slow script warning. The page has this code:

<SCRIPT>
a = new Array();
while (1) {
    (a = new Array(a)).sort();
}
</SCRIPT>
<SCRIPT>
a = new Array();
while (1) {
    (a = new Array(a)).sort();
}
</SCRIPT>

Talkback ID: TB10742329Q
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: testcase
OS: Linux → All
Product: Firefox → Core
QA Contact: general → general
Version: 1.0 Branch → Trunk
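The testcase quoted in the comment above is an unbounded loop: each pass wraps the previous array in a new one-element array, so every earlier array stays reachable through the chain and memory grows until allocation fails. The following is an added example, not code from the bug or from Mozilla, that runs the same loop body for a fixed number of passes, measures the nesting depth it produces, and wraps it in an iteration/wall-clock budget that plays the role of the "slow script" watchdog the reporter expected. The names buildNestedChain, nestingDepth, runWithBudget and nestStep are this example's own.

```javascript
"use strict";

// Added example (not from the bug): the page's loop body, run for exactly `n`
// passes instead of forever. new Array(x) with a non-numeric x yields [x], so
// each pass adds one level of nesting and keeps the whole chain alive.
function buildNestedChain(n) {
  let a = [];
  for (let i = 0; i < n; i++) {
    a = new Array(a); // [previous chain]
    a.sort();         // one element: nothing to compare, as on the page
  }
  return a;
}

// Count how many arrays are nested along the [0] path of the chain.
// For buildNestedChain(n) this is n + 1 (n wrappers plus the inner empty array).
function nestingDepth(a) {
  let depth = 0;
  let x = a;
  while (Array.isArray(x)) {
    depth++;
    x = x[0];
  }
  return depth;
}

// The page's loop body expressed as a single step over its state.
function nestStep(a) {
  a = new Array(a);
  a.sort();
  return a;
}

// Budgeted runner: the mitigation side. Call `step` repeatedly until either the
// iteration budget or the wall-clock budget is exhausted, and report which one
// stopped it. A browser's unresponsive-script dialog is this check with a
// "Stop"/"Continue" prompt instead of a hard limit.
function runWithBudget(step, maxIterations, maxMillis) {
  const deadline = Date.now() + maxMillis;
  let iterations = 0;
  let state = [];
  while (iterations < maxIterations) {
    if (Date.now() >= deadline) {
      return { iterations, stoppedBy: "time", state };
    }
    state = step(state);
    iterations++;
  }
  return { iterations, stoppedBy: "iterations", state };
}

// Stand-alone demo: a bounded run that never approaches the allocator's limits.
const demo = runWithBudget(nestStep, 10000, 2000);
console.log(
  `stopped by ${demo.stoppedBy} after ${demo.iterations} passes, ` +
  `nesting depth ${nestingDepth(demo.state)}`
);
```

Raising maxIterations without a time budget reproduces the growth the bug describes, which is exactly why the runner refuses to loop without one; the budget, not the loop body, is the part worth copying.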
Checking in regress-312588.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-312588.js,v  <--  regress-312588.js
initial revision: 1.1
done

In a trunk build from yesterday: get several out of memory errors followed by

Assertion failure: flags != GCF_FINAL, at c:/work/mozilla/builds/ff/trunk/mozilla/js/src/jsgc.c:1040

NTDLL! 7c901230()
UnmarkedGCThingFlags(void * 0x030526a0) line 1040 + 35 bytes
js_MarkGCThing(JSContext * 0x02aeaf08, void * 0x030526a0, void * 0x00000000) line 1443 + 9 bytes
JS_MarkGCThing(JSContext * 0x02aeaf08, void * 0x030526a0, const char * 0x100dd16c _js_private_str, void * 0x00000000) line 1838 + 15 bytes
fun_mark(JSContext * 0x02aeaf08, JSObject * 0x04276768, void * 0x00000000) line 1353 + 22 bytes
js_Mark(JSContext * 0x02aeaf08, JSObject * 0x04276768, void * 0x00000000) line 4174 + 18 bytes
MarkGCThing(JSContext * 0x02aeaf08, void * 0x04276768, unsigned char * 0x04277c05) line 1146 + 35 bytes
js_MarkGCThing(JSContext * 0x02aeaf08, void * 0x04276768, void * 0x00000000) line 1446 + 17 bytes
js_GC(JSContext * 0x02aeaf08, unsigned int 0x00000005) line 1777 + 22 bytes
js_NewGCThing(JSContext * 0x02aeaf08, unsigned int 0x00000000, unsigned int 0x00000008) line 633 + 11 bytes
js_NewObject(JSContext * 0x02aeaf08, JSClass * 0x100fbf10 _js_FunctionClass, JSObject * 0x04276768, JSObject * 0x041ef620) line 1952 + 13 bytes
js_CloneFunctionObject(JSContext * 0x02aeaf08, JSObject * 0x04276768, JSObject * 0x041ef620) line 1998 + 22 bytes
JS_CloneFunctionObject(JSContext * 0x02aeaf08, JSObject * 0x04276768, JSObject * 0x041ef620) line 3420 + 17 bytes
xpc_CloneJSFunction(XPCCallContext & {...}, JSObject * 0x04276768, JSObject * 0x041ef620) line 55 + 23 bytes
DefinePropertyIfFound(XPCCallContext & {...}, JSObject * 0x041ef620, long 0x01a8f50c, XPCNativeSet * 0x031632e8, XPCNativeInterface * 0x0318ba88, XPCNativeMember * 0x0318baa0, XPCWrappedNativeScope * 0x0414ee98, int 0x00000001, XPCWrappedNative * 0x00000000, XPCWrappedNative * 0x00000000, XPCNativeScriptableInfo * 0x03e71a20, unsigned int 0x00000001, int * 0x00000000) line 453 + 23
XPC_WN_ModsAllowed_Proto_Resolve(JSContext * 0x02aeaf08, JSObject * 0x041ef620, long 0x01a8f50c) line 1574 + 61 bytes
js_LookupPropertyWithFlags(JSContext * 0x02aeaf08, JSObject * 0x041ef620, long 0x0299b310, unsigned int 0x00000001, JSObject * * 0x0012ef58, JSProperty * * 0x0012ef48) line 2708 + 70 bytes
js_LookupProperty(JSContext * 0x02aeaf08, JSObject * 0x042766a8, long 0x0299b310, JSObject * * 0x0012ef58, JSProperty * * 0x0012ef48) line 2566 + 27 bytes
js_GetProperty(JSContext * 0x02aeaf08, JSObject * 0x042766a8, long 0x0299b310, long * 0x0012f864) line 2851 + 25 bytes
js_Interpret(JSContext * 0x02aeaf08, unsigned char * 0x02a4ee1b, long * 0x0012fa18) line 3327 + 1641 bytes
js_Invoke(JSContext * 0x02aeaf08, unsigned int 0x00000002, unsigned int 0x00000002) line 1197 + 19 bytes
js_InternalInvoke(JSContext * 0x02aeaf08, JSObject * 0x032771f8, long 0x0328aa08, unsigned int 0x00000000, unsigned int 0x00000002, long * 0x0420e9a8, long * 0x0012fb94) line 1274 + 20 bytes
JS_CallFunctionValue(JSContext * 0x02aeaf08, JSObject * 0x032771f8, long 0x0328aa08, unsigned int 0x00000002, long * 0x0420e9a8, long * 0x0012fb94) line 4183 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x032771f8, JSObject * 0x0328aa08, unsigned int 0x00000002, long * 0x0420e9a8, long * 0x0012fb94) line 1422 + 33 bytes
nsGlobalWindow::RunTimeout(nsTimeout * 0x0422eaa8) line 6235
nsGlobalWindow::TimerCallback(nsITimer * 0x0420b750, void * 0x0422eaa8) line 6593
nsTimerImpl::Fire() line 394 + 17 bytes
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x019b3f48) line 628
nsAppShell::Run(nsAppShell * const 0x00f3c5c0) line 142
nsAppStartup::Run(nsAppStartup * const 0x00f3c520) line 161 + 26 bytes
XRE_main(int 0x00000004, char * * 0x003f6d28, const nsXREAppData * 0x0042101c kAppData) line 2289 + 35 bytes
main(int 0x00000004, char * * 0x003f6d28) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
Flags: testcase+
Keywords: talkbackid
Summary: Firefox crash accessing the page http://www.puppozungo.com/testbrowser.html → Firefox crash accessing the page http://www.puppozungo.com/testbrowser.html [@ UnmarkedGCThingFlags] [@ js_MarkGCThing]
Martijn's stack is the same as bug 308678's; Bob's is the same as bug 292455's.
I no longer see a crash in windows/linux on the trunk using the puppozungo url. In the js test cases, I no longer see the crash in 1.8, 1.8.0.1, or trunk builds on windows/linux/mac. I'm not sure what fixed this so marking it works for me. Please reopen if you can reproduce it in a trunk build.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Fixed by bug 322045 patch? Any way to confirm based on when that patch went in? /be
re: comment #10 I picked up just the fix for bug 322045 and this prevented the crash.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Fixed by bug 322045. Thanks Colin.
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Depends on: 322045
Even with this patch, this site is crashing our product again. Different place though....

00 ntdll!KiFastSystemCallRet
01 ntdll!ZwWaitForMultipleObjects+0xc
02 kernel32!UnhandledExceptionFilter+0x82d
03 MSVCR71!_XcptFilter+0x15f
04 seamonkey!WinMainCRTStartup(void)+0x1d7
05 MSVCR71!_except_handler3+0x61
06 ntdll!ExecuteHandler2+0x26
07 ntdll!ExecuteHandler+0x24
08 ntdll!KiUserExceptionDispatcher+0xe
09 xpc3250!XPCNativeSet::Mark(void)+0x17
0a xpc3250!XPCJSRuntime::GCCallback(struct JSContext * cx = 0x04072630, JSGCStatus status = JSGC_FINALIZE_END (3))+0x133
0b gklayout!DOMGCCallback(struct JSContext * cx = 0x00addb83, JSGCStatus status = 67577392 (No matching enumerant))+0x14
0c js3250!js_GC(struct JSContext * cx = 0x04072630, unsigned int gcflags = 5)+0x7fb
0d js3250!js_NewGCThing(struct JSContext * cx = 0x04072630, unsigned int flags = 1, unsigned int nbytes = 8)+0xf0
0e js3250!js_NewString(struct JSContext * cx = 0x04072630, unsigned short * chars = 0x04692f40 "[object XULDocument @ 0x411a7d0 (native @ 0x41a21f0)]", unsigned int length = 0x35, unsigned int gcflag = 0)+0x2b
0f js3250!JS_NewString(struct JSContext * cx = 0x04072630, char * bytes = 0x04685108 "[object XULDocument @ 0x411a7d0 (native @ 0x41a21f0)]", unsigned int length = 0x35)+0x2a
10 xpc3250!ToStringGuts(class XPCCallContext * ccx = 0x04072630)+0x4c
11 xpc3250!XPC_WN_Shared_ToString(struct JSContext * cx = 0x04072630, struct JSObject * obj = 0x040dfd88, unsigned int argc = 0, long * argv = 0x04690064, long * vp = 0x0012e6e0)+0x38
12 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 0, unsigned int flags = 0)+0x556
13 js3250!js_Interpret(struct JSContext * cx = 0x04072630, unsigned char * pc = 0x0471e49e ":", long * result = 0x0012e968)+0x4fb5
14 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 1, unsigned int flags = 2)+0x597
15 xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x0176cc38, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 0x019070f0, struct nsXPTCMiniVariant * nativeParams = 0x0012eb10)+0x6b1
16 xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0xcc38, class nsXPTMethodInfo * info = 0x00000003, struct nsXPTCMiniVariant * params = 0x0012ebcc)+0x27
17 xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x0476cc38, unsigned int methodIndex = 3, unsigned int * args = 0x0012ebcc, unsigned int * stackBytesToPop = 0x0012ebbc)+0xee
18 xpcom_core!SharedStub(void)+0x16
19 gklayout!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct * aListenerStruct = 0x0451bfe0, class nsIDOMEvent * aDOMEvent = 0x0467d008, class nsIDOMEventTarget * aCurrentTarget = 0x03eb008c, unsigned int aSubType = 0x467d010, unsigned int aPhaseFlags = 7)+0x14e
1a gklayout!nsEventListenerManager::HandleEvent(class nsPresContext * aPresContext = 0x00000000, class nsEvent * aEvent = 0x0012ee20, class nsIDOMEvent ** aDOMEvent = 0x0012ed70, class nsIDOMEventTarget * aCurrentTarget = 0x03eb008c, unsigned int aFlags = 7, nsEventStatus * aEventStatus = 0x0012ee9c)+0x241
1b gklayout!nsGlobalWindow::HandleDOMEvent(class nsPresContext * aPresContext = 0x041a8028, class nsEvent * aEvent = 0x0012ee20, class nsIDOMEvent ** aDOMEvent = 0x0012ed70, unsigned int aFlags = 7, nsEventStatus * aEventStatus = 0x0012ee9c)+0x24a
1c gklayout!nsGlobalWindow::HandleDOMEvent(class nsPresContext * aPresContext = 0x041a8028, class nsEvent * aEvent = 0x0012ee20, class nsIDOMEvent ** aDOMEvent = 0x00000000, unsigned int aFlags = 1, nsEventStatus * aEventStatus = 0x0012ee9c)+0x34
1d gklayout!nsEventStateManager::PreHandleEvent(class nsPresContext * aPresContext = 0x041a8028, class nsEvent * aEvent = 0x00000000, class nsIFrame * aTargetFrame = 0x042ab318, nsEventStatus * aStatus = 0x00000000, class nsIView * aView = 0x041a8a60)+0x892
1e gklayout!PresShell::HandleEventInternal(class nsEvent * aEvent = 0x00000000, class nsIView * aView = 0x041a8a60, unsigned int aFlags = 1, nsEventStatus * aStatus = 0x0012efe8)+0x197
1f gklayout!PresShell::HandleEvent(class nsIView * aView = 0x041a8a60, class nsGUIEvent * aEvent = 0x0012f098, nsEventStatus * aEventStatus = 0x0012efe8, int aForceHandle = 69907224, int * aHandled = 0x0413efe8)+0x210
20 gklayout!nsViewManager::HandleEvent(class nsView * aView = 0x00000001, class nsGUIEvent * aEvent = 0x00000000, int aCaptured = 0)+0x2bc
21 gklayout!nsViewManager::DispatchEvent(class nsGUIEvent * aEvent = 0x3d888889, nsEventStatus * aStatus = 0x0012f05c)+0x63a
22 gklayout!HandleEvent(class nsGUIEvent * aEvent = 0x0012f098)+0x27
23 gkwidget!nsWindow::DispatchEvent(class nsGUIEvent * event = 0x00000000, nsEventStatus * aStatus = 0x041a8ad8)+0x35
24 gkwidget!nsWindow::DispatchWindowEvent(class nsGUIEvent * event = 0x00000000)+0x16
25 gkwidget!nsWindow::DispatchFocus(unsigned int aEventType = 0x69, int isMozWindowTakingFocus = 1)+0x6a
26 gkwidget!nsWindow::ProcessMessage(unsigned int msg = 7, unsigned int wParam = 0x220cbe, long lParam = 0, long * aRetValue = 0x0012f378)+0x10e
27 gkwidget!nsWindow::WindowProc(struct HWND__ * hWnd = 0x02530e9a, unsigned int msg = 7, unsigned int wParam = 0x220cbe, long lParam = 68848348)+0x9c
28 USER32!InternalCallWinProc+0x28
29 USER32!UserCallWinProcCheckWow+0x150
2a USER32!DispatchClientMessage+0xa3
2b USER32!__fnDWORD+0x24
2c ntdll!KiUserCallbackDispatcher+0x13
2d USER32!NtUserSetFocus+0xc
2e gklayout!nsGlobalWindow::Focus(void)+0x234
2f appshell!nsWebShellWindow::HandleEvent(class nsGUIEvent * aEvent = 0x03eb0058)+0x10a
30 gkwidget!nsWindow::DispatchEvent(class nsGUIEvent * event = 0x00000000, nsEventStatus * aStatus = 0x0407c3a0)+0x35
31 gkwidget!nsWindow::DispatchWindowEvent(class nsGUIEvent * event = 0x00000000)+0x16
32 gkwidget!nsWindow::DispatchFocus(unsigned int aEventType = 0x69, int isMozWindowTakingFocus = 1)+0x6a
33 gkwidget!nsWindow::ProcessMessage(unsigned int msg = 7, unsigned int wParam = 0, long lParam = 0, long * aRetValue = 0x0012f90c)+0x10e
34 gkwidget!nsWindow::WindowProc(struct HWND__ * hWnd = 0x00220cbe, unsigned int msg = 7, unsigned int wParam = 0, long lParam = 67617700)+0x9c
35 USER32!InternalCallWinProc+0x28
36 USER32!UserCallWinProcCheckWow+0x150
37 USER32!DispatchClientMessage+0xa3
38 USER32!__fnDWORD+0x24
39 ntdll!KiUserCallbackDispatcher+0x13
3a USER32!NtUserMessageCall+0xc
3b USER32!RealDefWindowProcW+0x47

Failing on the Mark call:

inline void XPCNativeSet::Mark()
{
    if(IsMarked())
        return;
    XPCNativeInterface* const * pp = mInterfaces;
    for(int i = (int) mInterfaceCount; i > 0; i--, pp++)
        (*pp)->Mark();
    MarkSelfOnly();
}

this            0x0407a590  class XPCNativeSet *
  mMemberCount     1
  mInterfaceCount  0
  mInterfaces      class XPCNativeInterface *[1]
    [0]            0x000afd10  class XPCNativeInterface *

Looks like bug 288500 and bug 255498.
I can't reproduce a crash in trunk 20060328 builds on win/mac/linux. Marking verified fixed.
Status: RESOLVED → VERIFIED
Blocks: 335429
With enough ram installed, you will get a crash in windows trunk builds due to the operator new throwing the nomem exception. I am also seeing trunk crashes on linux and macppc on the qa farm although I haven't (yet) been able to reproduce the crashes on macppc or linux.
Just downloaded Fedora/1.0.8-1.1.fc3.1.legacy Firefox/1.0.8, and the URL http://www.puppozungo.com/testbrowser.html crashes the browser. *am*
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
andrew@montefusco.com: we fix bugs on trunk, which is Minefield; you're testing Firefox 1.0, which is over two years old. That's not a valid reason for reopening a bug.
(In reply to comment #17)
> andrew@montefusco.com: we fix bugs on trunk, which is minefield, you're testing
> firefox1.0 which is over two years old. that's not a valid reason for reopening
> a bug.

I repeated the test on 1.5.0.1 and got an "Out of memory" message on the JavaScript console. The browser doesn't crash anymore but is unusable. Finally, I upgraded to 1.5.0.3 and got fair behaviour: after some time I got a popup with the "Unresponsive script" title; clicking on the "Stop" button I have control again. Thanks for the fix. *am*
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified fixed; remaining issues are in bug 335429.
Status: RESOLVED → VERIFIED
Crash Signature: [@ UnmarkedGCThingFlags] [@ js_MarkGCThing]