Closed Bug 314887 Opened 19 years ago Closed 19 years ago

crash if I open this site [@ js_GetGCThingFlags]

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Windows 2000
defect

Tracking

VERIFIED FIXED
mozilla1.8rc1

People

(Reporter: nemu.asakura, Assigned: brendan)

Details

(Keywords: crash, js1.6, verified1.8)

Crash Data

Attachments

(3 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051102 Firefox/1.5 (tete009)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051102 Firefox/1.5 (tete009)

same as summary.

Reproducible: Always

Happens for me with trunk nightly.
TB11394596Y
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1

Stack:
js_GetGCThingFlags [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 231]
js_GC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1801]
js_ForceGC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1510]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Assignee: nobody → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: crash if I open this site. → crash if I open this site [@ js_GetGCThingFlags]
Version: unspecified → Trunk
Assertion failure: JSVAL_IS_GCTHING(lrc->roots[m]), at c:/work/mozilla/builds/ff/trunk/mozilla/js/src/jscntxt.c:660

Stack to assert:
js_MarkLocalRoots(JSContext * 0x0411aee8, JSLocalRootStack * 0x040a86b0) line 660 + 55 bytes
js_GC(JSContext * 0x0411aee8, unsigned int 0x00000000) line 1801 + 19 bytes
js_ForceGC(JSContext * 0x0411aee8, unsigned int 0x00000000) line 1510 + 13 bytes
JS_GC(JSContext * 0x0411aee8) line 1830 + 11 bytes
nsJSContext::Notify(nsJSContext * const 0x0411ae78, nsITimer * 0x0416da88) line 2161 + 13 bytes
nsTimerImpl::Fire() line 398
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x012c54c0) line 628
nsAppShell::Run(nsAppShell * const 0x032e6a20) line 142
nsAppStartup::Run(nsAppStartup * const 0x032e6980) line 161 + 26 bytes
XRE_main(int 0x00000003, char * * 0x003f6f48, const nsXREAppData * 0x0042101c kAppData) line 2289 + 35 bytes
main(int 0x00000003, char * * 0x003f6f48) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

+ name 0x00000000 ""
+ cx 0x0411aee8
- lrs 0x040a86b0
    scopeMark 0x00000000
    rootCount 0x0000009f
  + topChunk 0x040a86bc
  + firstChunk {...}
n 0x0000009e
m 0x0000009e
mark 0x00000000
+ lrc 0x040a86bc
lrc->roots[m] 0x80000001
Attached file base.js
Attached file top.htm
top.htm crashed as soon as it loaded when it referenced base.js from the local file system, but when loaded from bugzilla, you need to view source after it loads.
No crash in: 1.9a1_2005102721 Crash in: 1.9a1_2005102813
Attached patch obvious fix
Big dumb inconsistency, obvious fix, safe for 1.8 and must fix -- this will be a topcrash. /be
Attachment #201768 - Flags: review?(mrbkap)
Attachment #201768 - Flags: approval1.8rc2?
Assignee: general → brendan
Flags: blocking1.8rc2+
Keywords: js1.6
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1
Attachment #201768 - Flags: review?(mrbkap) → review+
Fixed on trunk. /be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
This probably already is a topcrash over in bug 314484. I should have caught this when I did the original review :-/
(In reply to comment #9)
> This probably already is a topcrash over in bug 314484.

Don't think so -- bug 314484 happens only on branch, and started spiking talkback on 11-oct, IIRC. The checkin that caused this bug hit the trunk on 28-oct.

/be
Attachment #201768 - Flags: approval1.8rc2? → approval1.8rc2+
Fixed on 1.8 branch. /be
Keywords: fixed1.8
Checking in regress-314887.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-314887.js,v <-- regress-314887.js
initial revision: 1.1
done
Flags: testcase+
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8
verified fixed 1.8.x and trunk.
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_GetGCThingFlags]