When E4X code is run twice (or more), the SpiderMonkey engine crashes [@ js_AllocStack 0deb057d]

VERIFIED FIXED in mozilla1.9alpha1

Status

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: P2
Severity: critical
Reported: 12 years ago
Modified: 6 years ago

People

(Reporter: Franky Braem, Assigned: brendan)

Tracking

Version: Trunk
Target Milestone: mozilla1.9alpha1
Keywords: crash, verified1.8.0.2, verified1.8.1
Bug Flags: blocking1.8.1+, blocking1.8.0.2+, in-testsuite+

Details

Whiteboard: [rft-dl]
Crash Signature: [@ js_AllocStack 0deb057d]

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

The following code crashes on the line containing 'var childs = htmlXML.children();'

It doesn't crash when test isn't called twice, or when the line containing children() is removed.

The script:

test();
test();

function test()
{
  var htmlXML = 
   <html>
    <body>
     <div>
      <div id="summary" />
      <div id="desc" />
     </div> 
    </body>
   </html>;
  var childs = htmlXML.children();

  var el = htmlXML.body.div..div.(function::attribute('id') == 'summary');
  el.div += <div>
              <strong>Prototype:</strong>
              Test
              <br />
             </div>;
}

The crash happens also with jsshell.

Reproducible: Always

>	js32.dll!js_CompareStrings(JSString * str1=0x00000000, JSString * str2=0x00583488)  Line 2828 + 0x3 bytes	C
 	js32.dll!ToXMLName(JSContext * cx=0x003a9ba0, long v=3850716, long * funidp=0x0012e704)  Line 3061 + 0x2d bytes	C
 	js32.dll!GetProperty(JSContext * cx=0x003a9ba0, JSObject * obj=0x005836a8, long id=3850716, long * vp=0x0012e898)  Line 4016 + 0x11 bytes	C
 	js32.dll!xml_children(JSContext * cx=0x003a9ba0, JSObject * obj=0x005836a8, unsigned int argc=0, long * argv=0x00581098, long * rval=0x0012e898)  Line 5645 + 0x15 bytes	C
 	js32.dll!js_Invoke(JSContext * cx=0x003a9ba0, unsigned int argc=0, unsigned int flags=0)  Line 1230 + 0x1a bytes	C
 	js32.dll!js_Interpret(JSContext * cx=0x003a9ba0, unsigned char * pc=0x0051b647, long * result=0x0012ed88)  Line 3779 + 0xf bytes	C
 	js32.dll!js_Execute(JSContext * cx=0x003a9ba0, JSObject * chain=0x003ac3c8, JSScript * script=0x0051b848, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012f1b0)  Line 1480 + 0x13 bytes	C
 	js32.dll!JS_ExecuteScript(JSContext * cx=0x003a9ba0, JSObject * obj=0x003ac3c8, JSScript * script=0x0051b848, long * rval=0x0012f1b0)  Line 3998 + 0x19 bytes	C
 	wxjs.exe!EngineStartState::Execute(const Script & script={...})  Line 107 + 0x18 bytes	C++
 	wxjs.exe!Engine::Execute(const Script & script={...})  Line 109 + 0x19 bytes	C++
 	wxjs.exe!main(int argc=4, char * * argv=0x003a5e98)  Line 228	C++
 	wxjs.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	wxjs.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!RegisterWaitForInputIdle()  + 0x49 bytes	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
Comment 1

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060113 Firefox/1.6a1 ID:2006011305

It crashes when I move my mouse.
In branch it crashed only once: TB13921568Q
In trunk very easy: TB13921611K TB13921771Q TB13921852K

Comment 2

12 years ago
The reduced testcase (or maybe just a very similar one) is:
  <x/>.(function::children());
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows XP → All
Hardware: PC → All

Updated

12 years ago
Summary: When E4X code is run twice (or more), the SpiderMonkey engine crashes → When E4X code is run twice (or more), the SpiderMonkey engine crashes [@ js_AllocStack 0deb057d]
(Assignee)

Updated

12 years ago
Assignee: general → brendan
Flags: blocking1.8.1+
Flags: blocking1.8.0.2+
Priority: -- → P2
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Comment 3

12 years ago
Created attachment 208428: fix

Obvious null defense.  In general qn->uri may be null.  But note that for an attribute, attrqn->uri will never be null.

/be
Attachment #208428 - Flags: review?(mrbkap)
(Assignee)

Updated

12 years ago
Status: NEW → ASSIGNED
Comment 4

Comment on attachment 208428 (fix)

I had exactly this ready for review (though I reversed the two null checks).
Attachment #208428 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 5

12 years ago
Fixed.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Updated

12 years ago
Attachment #208428 - Flags: approval1.8.1?
Attachment #208428 - Flags: approval1.8.0.2?
Attachment #208428 - Flags: approval1.8.1? → branch-1.8.1?(brendan)
(Assignee)

Comment 6

12 years ago
Comment on attachment 208428 (fix)

Null defense, mmm.

/be
Attachment #208428 - Flags: branch-1.8.1?(brendan)
Attachment #208428 - Flags: branch-1.8.1+
Attachment #208428 - Flags: approval1.8.0.2?
Attachment #208428 - Flags: approval1.8.0.2+

Comment 7

12 years ago
verified with 2006-02-11 winxp trunk.

Checking in regress-323338-1.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-1.js,v  <--  regress-323338-1.js
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-2.js,v
done
Checking in regress-323338-2.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-2.js,v  <--  regress-323338-2.js
initial revision: 1.1
done
Status: RESOLVED → VERIFIED
Flags: testcase+

Comment 8

12 years ago
note to self: saw crashes in opt/dbg builds across branches on qa farm with builds around 2006021400 but not in my local opt/dbg builds 2006021408. Need to retest.
(Assignee)

Comment 9

12 years ago
Fixed on branches.

/be
Keywords: fixed1.8.0.2, fixed1.8.1

Updated

12 years ago
Whiteboard: [rft-dl]

Comment 10

12 years ago
v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac

Comment 11

12 years ago
v ff 1.8.0.1/1.8/1.9 win/linux/mac 2006030[12]
Keywords: fixed1.8.0.2, fixed1.8.1 → verified1.8.0.2, verified1.8.1
(Assignee)

Updated

11 years ago
Keywords: fixed1.8.1

Updated

11 years ago
Keywords: fixed1.8.1
Crash Signature: [@ js_AllocStack 0deb057d]