Closed Bug 323338 Opened 20 years ago Closed 20 years ago

When E4X code is run twice (or more), the SpiderMonkey engine crashes [@ js_AllocStack 0deb057d]

Categories

(Core :: JavaScript Engine, defect, P2)

defect

Tracking

()

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: f.braem, Assigned: brendan)

Details

(Keywords: crash, verified1.8.0.2, verified1.8.1, Whiteboard: [rft-dl])

Crash Data

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

The following code crashes on the line containing 'var childs = htmlXML.children();'. It doesn't crash when test isn't called twice, or when the line containing children() is removed.

The script:

    test();
    test();

    function test()
    {
      var htmlXML = <html>
        <body>
          <div>
            <div id="summary" />
            <div id="desc" />
          </div>
        </body>
      </html>;

      var childs = htmlXML.children();
      var el = htmlXML.body.div..div.(function::attribute('id') == 'summary');
      el.div += <div>
        <strong>Prototype:</strong> Test <br />
      </div>;
    }

The crash happens also with jsshell.

Reproducible: Always

> js32.dll!js_CompareStrings(JSString * str1=0x00000000, JSString * str2=0x00583488) Line 2828 + 0x3 bytes C
  js32.dll!ToXMLName(JSContext * cx=0x003a9ba0, long v=3850716, long * funidp=0x0012e704) Line 3061 + 0x2d bytes C
  js32.dll!GetProperty(JSContext * cx=0x003a9ba0, JSObject * obj=0x005836a8, long id=3850716, long * vp=0x0012e898) Line 4016 + 0x11 bytes C
  js32.dll!xml_children(JSContext * cx=0x003a9ba0, JSObject * obj=0x005836a8, unsigned int argc=0, long * argv=0x00581098, long * rval=0x0012e898) Line 5645 + 0x15 bytes C
  js32.dll!js_Invoke(JSContext * cx=0x003a9ba0, unsigned int argc=0, unsigned int flags=0) Line 1230 + 0x1a bytes C
  js32.dll!js_Interpret(JSContext * cx=0x003a9ba0, unsigned char * pc=0x0051b647, long * result=0x0012ed88) Line 3779 + 0xf bytes C
  js32.dll!js_Execute(JSContext * cx=0x003a9ba0, JSObject * chain=0x003ac3c8, JSScript * script=0x0051b848, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012f1b0) Line 1480 + 0x13 bytes C
  js32.dll!JS_ExecuteScript(JSContext * cx=0x003a9ba0, JSObject * obj=0x003ac3c8, JSScript * script=0x0051b848, long * rval=0x0012f1b0) Line 3998 + 0x19 bytes C
  wxjs.exe!EngineStartState::Execute(const Script & script={...}) Line 107 + 0x18 bytes C++
  wxjs.exe!Engine::Execute(const Script & script={...}) Line 109 + 0x19 bytes C++
  wxjs.exe!main(int argc=4, char * * argv=0x003a5e98) Line 228 C++
  wxjs.exe!__tmainCRTStartup() Line 586 + 0x19 bytes C
  wxjs.exe!mainCRTStartup() Line 403 C
  kernel32.dll!RegisterWaitForInputIdle() + 0x49 bytes
  [Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060113 Firefox/1.6a1 ID:2006011305

It crashes when I move my mouse. In branch it crashed only once: TB13921568Q

In trunk very easy: TB13921611K TB13921771Q TB13921852K
The reduced testcase (or maybe just something very similar) is:

    <x/>.(function::children());
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows XP → All
Hardware: PC → All
Summary: When E4X code is run twice (or more), the SpiderMonkey engine crashes → When E4X code is run twice (or more), the SpiderMonkey engine crashes [@ js_AllocStack 0deb057d]
Assignee: general → brendan
Flags: blocking1.8.1+
Flags: blocking1.8.0.2+
Priority: -- → P2
Target Milestone: --- → mozilla1.9alpha
Attached patch fixSplinter Review
Obvious null defense. In general qn->uri may be null. But note that for an attribute, attrqn->uri will never be null. /be
Attachment #208428 - Flags: review?(mrbkap)
Status: NEW → ASSIGNED
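To illustrate the null defense described above, here is an added example that is not SpiderMonkey's code or the attached patch: a small hypothetical C model of an E4X QName lookup in which qn->uri may be NULL (as a function:: name such as function::children() yields), showing the guarded comparison that avoids the NULL dereference seen in js_CompareStrings. The QName struct, the wildcard semantics for a NULL uri, and the sample children are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of an E4X QName. Per the bug: a query name's uri may be
 * NULL (function::name), while element names in this model always carry a
 * non-NULL uri ("" meaning no namespace). */
typedef struct {
    const char *uri;        /* may be NULL on the query side */
    const char *localName;  /* never NULL in this model */
} QName;

/* Dereferences both operands: calling this with a NULL uri is the crash
 * pattern from the report (js_CompareStrings with str1=0x00000000). */
static int compare_strings(const char *a, const char *b) {
    return strcmp(a, b);
}

/* Null-defended match: a NULL query uri is treated as "any namespace" and
 * is never handed to compare_strings(). */
bool qname_matches(const QName *qn, const QName *elem) {
    if (compare_strings(qn->localName, elem->localName) != 0)
        return false;
    if (qn->uri == NULL)
        return true;  /* wildcard namespace: skip the uri comparison */
    return compare_strings(qn->uri, elem->uri) == 0;
}

/* Count the children whose name matches qn. */
size_t count_matching(const QName *qn, const QName *children, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (qname_matches(qn, &children[i]))
            hits++;
    return hits;
}

/* Constructed sample: two un-namespaced <div> children like those in the
 * report plus one namespaced <div>, queried first with a NULL-uri name
 * (matches all 3) and then with an explicit namespace (matches 1). */
int demo(void) {
    QName children[] = { { "", "div" }, { "", "div" }, { "urn:x", "div" } };
    QName anyDiv = { NULL, "div" };
    QName nsDiv  = { "urn:x", "div" };
    return (int)(count_matching(&anyDiv, children, 3) * 10
               + count_matching(&nsDiv, children, 3));
}
```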
Comment on attachment 208428 [details] [diff] [review] fix I had exactly this ready for review (though I reversed the two null checks).
Attachment #208428 - Flags: review?(mrbkap) → review+
Fixed. /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Attachment #208428 - Flags: approval1.8.1?
Attachment #208428 - Flags: approval1.8.0.2?
Attachment #208428 - Flags: approval1.8.1? → branch-1.8.1?(brendan)
Comment on attachment 208428 [details] [diff] [review] fix Null defense, mmm. /be
Attachment #208428 - Flags: branch-1.8.1?(brendan)
Attachment #208428 - Flags: branch-1.8.1+
Attachment #208428 - Flags: approval1.8.0.2?
Attachment #208428 - Flags: approval1.8.0.2+
verified with 2006-02-11 winxp trunk.

    Checking in regress-323338-1.js;
    /cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-1.js,v <-- regress-323338-1.js
    initial revision: 1.1
    done
    RCS file: /cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-2.js,v
    done
    Checking in regress-323338-2.js;
    /cvsroot/mozilla/js/tests/e4x/Regress/regress-323338-2.js,v <-- regress-323338-2.js
    initial revision: 1.1
    done
Status: RESOLVED → VERIFIED
Flags: testcase+
note to self: saw crashes in opt/dbg builds across branches on qa farm with builds around 2006021400 but not in my local opt/dbg builds 2006021408. Need to retest.
Fixed on branches. /be
Whiteboard: [rft-dl]
v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac
v ff 1.8.0.1/1.8/1.9 win/linux/mac 2006030[12]
Keywords: fixed1.8.1
Crash Signature: [@ js_AllocStack 0deb057d]