Bug 323338 - When E4X code is run twice (or more), the SpiderMonkey engine crashes [@ js_AllocStack 0deb057d]
Status: VERIFIED FIXED
Whiteboard: [rft-dl]
Keywords: crash, verified1.8.0.2, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: P2 critical
Target Milestone: mozilla1.9alpha1
Assigned To: Brendan Eich [:brendan]
Reported: 2006-01-13 12:41 PST by Franky Braem
Modified: 2011-06-13 10:01 PDT
CC: 5 users
brendan: blocking1.8.1+
brendan: blocking1.8.0.2+
bob: in‑testsuite+

Attachments
fix (876 bytes, patch)
2006-01-13 16:10 PST, Brendan Eich [:brendan]
mrbkap: review+
brendan: approval‑branch‑1.8.1+
brendan: approval1.8.0.2+

Description Franky Braem 2006-01-13 12:41:07 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

The following code crashes on the line containing 'var childs = htmlXML.children();'

It doesn't crash when test isn't called twice, or when the line containing children() is removed.

The script:

test();
test();   // the second call is the one that crashes

function test()
{
  var htmlXML =
   <html>
    <body>
     <div>
      <div id="summary" />
      <div id="desc" />
     </div>
    </body>
   </html>;
  var childs = htmlXML.children();   // crashes here on the second call

  // E4X filtering predicate: select the descendant div whose id attribute is 'summary'
  var el = htmlXML.body.div..div.(function::attribute('id') == 'summary');
  el.div += <div>
              <strong>Prototype:</strong>
              Test
              <br />
             </div>;
}

The crash also happens with jsshell.

Reproducible: Always

>	js32.dll!js_CompareStrings(JSString * str1=0x00000000, JSString * str2=0x00583488)  Line 2828 + 0x3 bytes	C
 	js32.dll!ToXMLName(JSContext * cx=0x003a9ba0, long v=3850716, long * funidp=0x0012e704)  Line 3061 + 0x2d bytes	C
 	js32.dll!GetProperty(JSContext * cx=0x003a9ba0, JSObject * obj=0x005836a8, long id=3850716, long * vp=0x0012e898)  Line 4016 + 0x11 bytes	C
 	js32.dll!xml_children(JSContext * cx=0x003a9ba0, JSObject * obj=0x005836a8, unsigned int argc=0, long * argv=0x00581098, long * rval=0x0012e898)  Line 5645 + 0x15 bytes	C
 	js32.dll!js_Invoke(JSContext * cx=0x003a9ba0, unsigned int argc=0, unsigned int flags=0)  Line 1230 + 0x1a bytes	C
 	js32.dll!js_Interpret(JSContext * cx=0x003a9ba0, unsigned char * pc=0x0051b647, long * result=0x0012ed88)  Line 3779 + 0xf bytes	C
 	js32.dll!js_Execute(JSContext * cx=0x003a9ba0, JSObject * chain=0x003ac3c8, JSScript * script=0x0051b848, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012f1b0)  Line 1480 + 0x13 bytes	C
 	js32.dll!JS_ExecuteScript(JSContext * cx=0x003a9ba0, JSObject * obj=0x003ac3c8, JSScript * script=0x0051b848, long * rval=0x0012f1b0)  Line 3998 + 0x19 bytes	C
 	wxjs.exe!EngineStartState::Execute(const Script & script={...})  Line 107 + 0x18 bytes	C++
 	wxjs.exe!Engine::Execute(const Script & script={...})  Line 109 + 0x19 bytes	C++
 	wxjs.exe!main(int argc=4, char * * argv=0x003a5e98)  Line 228	C++
 	wxjs.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	wxjs.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!RegisterWaitForInputIdle()  + 0x49 bytes	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
Comment 1 Ria Klaassen (not reading all bugmail) 2006-01-13 13:11:57 PST
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060113 Firefox/1.6a1 ID:2006011305

It crashes when I move my mouse. 
In branch it crashed only once: TB13921568Q
In trunk very easy: TB13921611K TB13921771Q TB13921852K
Comment 2 Aiko 2006-01-13 13:16:16 PST
The reduced testcase (or maybe just a very similar one) is
  <x/>.(function::children());
Comment 3 Brendan Eich [:brendan] 2006-01-13 16:10:33 PST
Created attachment 208428
fix

Obvious null defense.  In general qn->uri may be null.  But note that for an attribute, attrqn->uri will never be null.

/be
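The "null defense" Brendan describes above, as an added C illustration. This is not attachment 208428 (the patch itself is not shown on this page) and not SpiderMonkey code: qname_t, qname_matches and the sample child list are hypothetical stand-ins. The unsafe matcher hands a possibly-NULL namespace URI straight to strcmp, the same shape as the js_CompareStrings(str1=0x00000000, ...) frame in the report; the defended matcher decides what a NULL uri means before it compares anything. Treating a NULL pattern uri as "any namespace" (the E4X *::name wildcard) is an assumption of this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for an E4X qualified name. As the comment above
 * notes for qn->uri, uri may be NULL; the local name is always set.
 * Not SpiderMonkey's JSXMLQName. */
typedef struct {
    const char *uri;    /* NULL = no namespace / wildcard */
    const char *local;
} qname_t;

/* Naive matcher: with pat->uri == NULL (or cand->uri == NULL) strcmp
 * dereferences a null pointer and the process crashes. Kept only for
 * contrast; never call it with a NULL uri. */
int qname_matches_unsafe(const qname_t *pat, const qname_t *cand)
{
    return strcmp(pat->uri, cand->uri) == 0 &&
           strcmp(pat->local, cand->local) == 0;
}

/* Null-defended matcher. Assumption: a NULL pattern uri matches any
 * namespace; a qualified pattern does not match an unqualified name. */
int qname_matches(const qname_t *pat, const qname_t *cand)
{
    if (pat == NULL || cand == NULL || pat->local == NULL || cand->local == NULL)
        return 0;
    if (strcmp(pat->local, cand->local) != 0)
        return 0;
    if (pat->uri == NULL)          /* wildcard namespace: *::local */
        return 1;
    if (cand->uri == NULL)         /* qualified pattern vs. unqualified name */
        return 0;
    return strcmp(pat->uri, cand->uri) == 0;
}

/* Count the children a pattern selects, the kind of walk children() and
 * the ..div descendant lookup in the testcase perform over a child list. */
size_t count_matching(const qname_t *pat, const qname_t *kids, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (qname_matches(pat, &kids[i]))
            hits++;
    return hits;
}

/* Constructed child list (not from the bug): two unqualified <div>s, one
 * XHTML-namespaced <div>, one <strong>. */
static const qname_t sample_children[] = {
    { NULL,                           "div"    },
    { NULL,                           "div"    },
    { "http://www.w3.org/1999/xhtml", "div"    },
    { NULL,                           "strong" },
};

/* Run the defended matcher over the constructed children for one pattern;
 * a NULL pat_uri is exactly the input that crashes qname_matches_unsafe. */
size_t demo_count(const char *pat_uri, const char *pat_local)
{
    qname_t pat = { pat_uri, pat_local };
    return count_matching(&pat, sample_children,
                          sizeof sample_children / sizeof sample_children[0]);
}

int main(void)
{
    printf("*::div     -> %zu\n", demo_count(NULL, "div"));
    printf("xhtml::div -> %zu\n", demo_count("http://www.w3.org/1999/xhtml", "div"));
    printf("other::div -> %zu\n", demo_count("urn:other", "div"));
    printf("*::p       -> %zu\n", demo_count(NULL, "p"));
    return 0;
}
```

The point of the defended version is that every NULL case has a defined answer (match-any or no-match) chosen before any string routine runs, so a wildcard pattern on the second invocation of a script is a normal lookup rather than a null dereference. Brendan's remark that attrqn->uri is never NULL for attributes is the kind of invariant worth asserting at the call site rather than relying on silently.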
Comment 4 Blake Kaplan (:mrbkap) (please use needinfo!) 2006-01-13 16:35:00 PST
Comment on attachment 208428
fix

I had exactly this ready for review (though I reversed the two null checks).
Comment 5 Brendan Eich [:brendan] 2006-01-13 17:09:53 PST
Fixed.

/be
Comment 6 Brendan Eich [:brendan] 2006-01-31 12:46:05 PST
Comment on attachment 208428
fix

Null defense, mmm.

/be
Comment 7 Bob Clary [:bc:] 2006-02-13 12:35:09 PST
verified with 2006-02-11 winxp trunk.

Checking in regress-323338-1.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-1.js,v  <--  regress-323338-1.js
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-2.js,v
done
Checking in regress-323338-2.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-2.js,v  <--  regress-323338-2.js
initial revision: 1.1
done
Comment 8 Bob Clary [:bc:] 2006-02-15 09:35:59 PST
note to self: saw crashes in opt/dbg builds across branches on qa farm with builds around 2006021400 but not in my local opt/dbg builds 2006021408. Need to retest.
Comment 9 Brendan Eich [:brendan] 2006-02-22 12:44:41 PST
Fixed on branches.

/be
Comment 10 Bob Clary [:bc:] 2006-03-02 11:41:29 PST
v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac
Comment 11 Bob Clary [:bc:] 2006-03-03 12:36:54 PST
v ff 1.8.0.1/1.8/1.9 win/linux/mac 2006030[12]
