Closed Bug 320846 Opened 19 years ago Closed 19 years ago

Crash [@ Variables() line 2164 ] in jsparse.c

Categories

(Core :: JavaScript Engine, defect)

1.8 Branch
x86
Windows XP
defect
Not set
major

VERIFIED DUPLICATE of bug 320172

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

Crashes Firefox 1.0.7/1.5 winxp but not Firefox trunk. testcase to be attached:

Firefox 1.5/winxp crashes with

+	clasp	0x00000030
+	cx	0x03e06180
+	fp->fun	0x040389a0
+	fun	0x040389a0
+	obj	0x00000000

Variables(JSContext * 0x03e06180, JSTokenStream * 0x04091b30, JSTreeContext * 0x0012d6b4) line 2164 + 3 bytes
Statement(JSContext * 0x03e06180, JSTokenStream * 0x04091b30, JSTreeContext * 0x0012d6b4) line 1945 + 17 bytes
Statements(JSContext * 0x03e06180, JSTokenStream * 0x04091b30, JSTreeContext * 0x0012d6b4) line 1053 + 17 bytes
js_CompileTokenStream(JSContext * 0x03e06180, JSObject * 0x03d3b9e8, JSTokenStream * 0x04091b30, JSCodeGenerator * 0x0012d6b4) line 468 + 17 bytes
CompileTokenStream(JSContext * 0x03e06180, JSObject * 0x03d3b9e8, JSTokenStream * 0x04091b30, void * 0x03e061c8, int * 0x00000000) line 3581 + 26 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x03e06180, JSObject * 0x03d3b9e8, JSPrincipals * 0x0403177c, const unsigned short * 0x04036868, unsigned int 0x0000000f, const char * 0x04058859, unsigned int 0x000000fc) line 3680 + 23 bytes
obj_eval(JSContext * 0x03e06180, JSObject * 0x03feded0, unsigned int 0x00000002, long * 0x0405cb10, long * 0x0012d924) line 1235 + 220 bytes
js_Invoke(JSContext * 0x03e06180, unsigned int 0x00000002, unsigned int 0x00000000) line 1177 + 23 bytes
js_Interpret(JSContext * 0x03e06180, unsigned char * 0x0409c6f1, long * 0x0012e444) line 3522 + 15 bytes
js_Invoke(JSContext * 0x03e06180, unsigned int 0x00000001, unsigned int 0x00000000) line 1197 + 19 bytes
js_Interpret(JSContext * 0x03e06180, unsigned char * 0x0409c8ea, long * 0x0012ef14) line 3522 + 15 bytes
js_Invoke(JSContext * 0x03e06180, unsigned int 0x00000001, unsigned int 0x00000000) line 1197 + 19 bytes
js_Interpret(JSContext * 0x03e06180, unsigned char * 0x0408e8ff, long * 0x0012f9e4) line 3522 + 15 bytes
js_Invoke(JSContext * 0x03e06180, unsigned int 0x00000001, unsigned int 0x00000002) line 1197 + 19 bytes
js_InternalInvoke(JSContext * 0x03e06180, JSObject * 0x03feded0, long 0x03d3b7b8, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x04097360, long * 0x0012fb64) line 1274 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03e06180, JSObject * 0x03feded0, long 0x03d3b7b8, unsigned int 0x00000001, long * 0x04097360, long * 0x0012fb64) line 4158 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x03feded0, JSObject * 0x03d3b7b8, unsigned int 0x00000001, long * 0x04097360, long * 0x0012fb64) line 1411 + 33 bytes
nsGlobalWindow::RunTimeout(nsTimeout * 0x03f52978) line 6298
nsGlobalWindow::TimerCallback(nsITimer * 0x03d779a0, void * 0x03f52978) line 6656
nsTimerImpl::Fire() line 394 + 17 bytes
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x01270980) line 628
nsAppShell::Run(nsAppShell * const 0x01375e68) line 142
nsAppStartup::Run(nsAppStartup * const 0x01375dc8) line 150 + 26 bytes
XRE_main(int 0x00000003, char * * 0x003f7bc0, const nsXREAppData * 0x0042201c kAppData) line 2313 + 35 bytes
main(int 0x00000003, char * * 0x003f7bc0) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

Firefox 1.0.7/winxp crashes with

	attrs	0x00000001
+	cx	0x03aee0e8
+	foundp	0x0012d54c
	id	0x03d1dc30
	isFunction	0x03d333b0
+	name	0x00000000 ""
+	obj	0x00000000
+	obj2	0x03bb3e48
	ok	0x00000000
	oldAttrs	0x00000089
+	prop	0x02dfa718
	report	0x00000010
+	type	0x003e0000 "È"
	value	0x03d33118


js_CheckRedeclaration(JSContext * 0x03aee0e8, JSObject * 0x00000000, long 0x03d1dc30, unsigned int 0x00000001, int * 0x0012d54c) line 1314 + 33 bytes
js_Interpret(JSContext * 0x03aee0e8, long * 0x0012d8a0) line 3617 + 37 bytes
js_Execute(JSContext * 0x03aee0e8, JSObject * 0x03935190, JSScript * 0x03cfec88, JSStackFrame * 0x03d3330c, unsigned int 0x00000020, long * 0x0012da1c) line 1173 + 13 bytes
obj_eval(JSContext * 0x03aee0e8, JSObject * 0x03ac7e90, unsigned int 0x00000002, long * 0x03d33398, long * 0x0012da1c) line 1098 + 27 bytes
js_Invoke(JSContext * 0x03aee0e8, unsigned int 0x00000002, unsigned int 0x00000000) line 955 + 23 bytes
js_Interpret(JSContext * 0x03aee0e8, long * 0x0012e360) line 2998 + 15 bytes
js_Invoke(JSContext * 0x03aee0e8, unsigned int 0x00000001, unsigned int 0x00000000) line 972 + 13 bytes
js_Interpret(JSContext * 0x03aee0e8, long * 0x0012ec54) line 2998 + 15 bytes
js_Invoke(JSContext * 0x03aee0e8, unsigned int 0x00000001, unsigned int 0x00000000) line 972 + 13 bytes
js_Interpret(JSContext * 0x03aee0e8, long * 0x0012f548) line 2998 + 15 bytes
js_Invoke(JSContext * 0x03aee0e8, unsigned int 0x00000001, unsigned int 0x00000002) line 972 + 13 bytes
js_InternalInvoke(JSContext * 0x03aee0e8, JSObject * 0x03ac7e90, long 0x032cff48, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x03b892a0, long * 0x0012f6e0) line 1049 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03aee0e8, JSObject * 0x03ac7e90, long 0x032cff48, unsigned int 0x00000001, long * 0x03b892a0, long * 0x0012f6e0) line 3698 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x03ac7e90, JSObject * 0x032cff48, unsigned int 0x00000001, long * 0x03b892a0, long * 0x0012f6e0) line 1297 + 33 bytes
GlobalWindowImpl::RunTimeout(nsTimeoutImpl * 0x03dd98f8) line 5491
GlobalWindowImpl::TimerCallback(nsITimer * 0x03b89110, void * 0x03dd98f8) line 5853
nsTimerImpl::Fire() line 382 + 17 bytes
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x032b1aa0) line 616
nsAppShell::Run(nsAppShell * const 0x02e4c188) line 142
nsAppShellService::Run(nsAppShellService * const 0x02e4c0c8) line 495
xre_main(int 0x00000003, char * * 0x003e79d0, const nsXREAppData * 0x0041e01c kAppData) line 1907 + 35 bytes
main(int 0x00000003, char * * 0x003e79d0) line 58 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

*** This bug has been marked as a duplicate of 320172 ***

Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE

Attached file fftest.zip
testcase. I'll see about reducing it.

damn, beat me to it. Don't know why my query didn't find the stack.

Status: RESOLVED → VERIFIED

Crash Signature: [@ Variables() line 2164 ]