Bug 325721: assigning to a global variable in javascript crashes browser
Status: Closed, VERIFIED DUPLICATE of bug 325540
Opened 19 years ago, closed 19 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: paul, Unassigned
Details: Keywords: crash, regression
Attachments: 1 file (5.93 KB, text/plain)

Description
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060202 Fedora/1.5.0.1-2 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060202 Fedora/1.5.0.1-2 Firefox/1.5.0.1

It appears that assigning to global variables in javascript that are not preceded with "var" causes the browser to crash in 1.5.0.1. This does not occur in 1.5. The problem occurs on Linux and Windows machines.

Reproducible: Always

Steps to Reproduce:
1. (On Linux)
2. ulimit -c unlimited
3. DEBUG_CORE_FILES=1 firefox -safe-mode
4. Go to: http://simonbaird.com/mptw1/
5. Click on Minesweep

Actual Results:
Browser core dumps.

Expected Results:
A little game of minesweep should run.

This is being discussed at http://groups.google.com/group/TiddlyWiki, in the thread "FireFox 1.5.0.1 Dumps with Tiddlywiki 1.2.x". If this is really a change in how Javascript handles global variables, then it should not be crashing the browser.

Comment 1 • 19 years ago (Reporter)
Here is a dump of the stack from the core file that was created
Updated • 19 years ago
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → 1.8 Branch

Comment 2 • 19 years ago
For some reason, simonbaird.com doesn't resolve for me. Can you post a reduced test case and attach it to the bug?

Comment 3 • 19 years ago
confirmed with trunk and 1.8 on winxp

JS_PUBLIC_API(void *)
JS_GetPrivate(JSContext *cx, JSObject *obj)
{
    jsval v;

=>  JS_ASSERT(OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE);
    v = GC_AWARE_GET_SLOT(cx, obj, JSSLOT_PRIVATE);
    if (!JSVAL_IS_INT(v))
        return NULL;
    return JSVAL_TO_PRIVATE(v);
}

- cx 0x03f972f0
  + links {...}
    interpLevel 0x00000002
    stackLimit 0x000af9d4
    version 0x0000
    jsop_eq 0x12 ''
    jsop_ne 0x13 ''
  + runtime 0x00fb2340
  + stackPool {...}
  + fp 0x04c0c6ec
  + tempPool {...}
  + globalObject 0x0336f198
  + newborn 0x03f97348
  + lastAtom 0x04b38fd0
    lastInternalResult 0x04523dfc
  + regExpStatics {...}
  + sharpObjectMap {...}
  + argumentFormatMap 0x03f97580
  + lastMessage 0x00000000 ""
    tracefp 0x00000000
    branchCallback 0x01c2efd0 nsJSContext::DOMBranchCallback(JSContext *, JSScript *)
    errorReporter 0x01c2e170 NS_ScriptErrorReporter(JSContext *, const char *, JSErrorReport *)
    data 0x03f971a0
  + dormantFrameChain 0x00000000
    thread 0x003f4c98
    requestDepth 0x00000000
  + scopeToShare 0x00000000
  + lockedSealedScope 0x00000000
    rval2 0x00000000
    rval2set 0x00 ''
    xmlSettingFlags 0x00 ''
    creatingException 0x00 ''
    throwing 0x00 ''
    exception 0x80000001
    options 0x00000088
  + localeCallbacks 0x0210e7b0 localeCallbacks
  + resolvingTable 0x03f97e00
  + stackHeaders 0x04c0bff0
  + localRootStack 0x00000000
- obj 0x00000920
    map CXX0017: Error: symbol "" not found
    slots CXX0030: Error: expression cannot be evaluated
  v 0x04b06f85

JS_GetPrivate(JSContext * 0x03f972f0, JSObject * 0x00000920) line 2147 + 3 bytes
call_resolve(JSContext * 0x03f972f0, JSObject * 0x04e085a8, long 0x04e0849c, unsigned int 0x00000002, JSObject * * 0x0012d0ec) line 812 + 13 bytes
js_LookupPropertyWithFlags(JSContext * 0x03f972f0, JSObject * 0x04e085a8, long 0x04b38fd0, unsigned int 0x00000002, JSObject * * 0x0012d18c, JSProperty * * 0x0012d178) line 2714 + 78 bytes
js_LookupProperty(JSContext * 0x03f972f0, JSObject * 0x04e085a8, long 0x04b38fd0, JSObject * * 0x0012d18c, JSProperty * * 0x0012d178) line 2619 + 27 bytes
js_FindProperty(JSContext * 0x03f972f0, long 0x04b38fd0, JSObject * * 0x0012d1bc, JSObject * * 0x0012d1c0, JSProperty * * 0x0012d1b8) line 2828 + 31 bytes
js_FindIdentifierBase(JSContext * 0x03f972f0, long 0x04b38fd0) line 2859 + 25 bytes
js_Interpret(JSContext * 0x03f972f0, unsigned char * 0x04e0c4ed, long * 0x0012dc1c) line 2788 + 16 bytes
js_Invoke(JSContext * 0x03f972f0, unsigned int 0x00000005, unsigned int 0x00000001) line 1254 + 19 bytes
js_Interpret(JSContext * 0x03f972f0, unsigned char * 0x04516766, long * 0x0012e690) line 3292 + 15 bytes
js_Invoke(JSContext * 0x03f972f0, unsigned int 0x00000001, unsigned int 0x00000002) line 1254 + 19 bytes
js_InternalInvoke(JSContext * 0x03f972f0, JSObject * 0x04f92140, long 0x042c8238, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012e88c, long * 0x0012e888) line 1331 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03f972f0, JSObject * 0x04f92140, long 0x042c8238, unsigned int 0x00000001, long * 0x0012e88c, long * 0x0012e888) line 4169 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x04f92140, JSObject * 0x042c8238, unsigned int 0x00000001, long * 0x0012e88c, long * 0x0012e888) line 1424 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04cd1188, nsIDOMEvent * 0x04d706b8) line 186 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04ccc820, nsIDOMEventListener * 0x04cd1188, nsIDOMEvent * 0x04d706b8, nsIDOMEventTarget * 0x04ccc4c0, unsigned int 0x00000004, unsigned int 0x00000007) line 1653 + 16 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x04ccc7c8, nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, nsIDOMEvent * * 0x0012eba4, nsIDOMEventTarget * 0x04ccc4c0, unsigned int 0x00000007, nsEventStatus * 0x0012f3b4) line 1760
nsGenericElement::HandleDOMEvent(nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, nsIDOMEvent * * 0x0012eba4, unsigned int 0x00000007, nsEventStatus * 0x0012f3b4) line 2199
nsGenericHTMLElement::HandleDOMEventForAnchors(nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 1459 + 31 bytes
nsHTMLAnchorElement::HandleDOMEvent(nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 296
PresShell::HandleEventInternal(nsEvent * 0x0012ef28, nsIView * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 6056 + 52 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x044db120, nsEvent * 0x0012ef28, nsIFrame * 0x04c52418, nsIContent * 0x04ccc5e0, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 5953 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsPresContext * 0x042f9468, nsMouseEvent * 0x0012f5d0, nsEventStatus * 0x0012f3b4) line 3019 + 66 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x042fa2f8, nsPresContext * 0x042f9468, nsEvent * 0x0012f5d0, nsIFrame * 0x04c52418, nsEventStatus * 0x0012f3b4, nsIView * 0x042ad020) line 2008 + 23 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f5d0, nsIView * 0x042ad020, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 6110 + 61 bytes
PresShell::HandlePositionedEvent(nsIView * 0x042ad020, nsIFrame * 0x04c52418, nsGUIEvent * 0x0012f5d0, nsEventStatus * 0x0012f3b4) line 5937 + 22 bytes
PresShell::HandleEvent(PresShell * const 0x044db198, nsIView * 0x042ad020, nsGUIEvent * 0x0012f5d0, nsEventStatus * 0x0012f3b4) line 5748 + 27 bytes
nsViewManager::HandleEvent(nsView * 0x042ad020, nsPoint {...}, nsGUIEvent * 0x0012f5d0, int 0x00000000) line 1675
nsViewManager::DispatchEvent(nsViewManager * const 0x042acf78, nsGUIEvent * 0x0012f5d0, nsEventStatus * 0x0012f4d8) line 1628 + 37 bytes
HandleEvent(nsGUIEvent * 0x0012f5d0) line 176
nsWindow::DispatchEvent(nsWindow * const 0x04aa69bc, nsGUIEvent * 0x0012f5d0, nsEventStatus & nsEventStatus_eIgnore) line 1168 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f5d0) line 1189
nsWindow::DispatchMouseEvent(unsigned int 0x0000012d, unsigned int 0x00000000, long 0x01760063) line 6077 + 24 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012d, unsigned int 0x00000000, long 0x01760063) line 6259
nsWindow::ProcessMessage(unsigned int 0x00000202, unsigned int 0x00000000, long 0x01760063, long * 0x0012fad4) line 4554 + 30 bytes
nsWindow::WindowProc(HWND__ * 0x002601e8, unsigned int 0x00000202, unsigned int 0x00000000, long 0x01760063) line 1357 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x0341c268) line 135
nsAppStartup::Run(nsAppStartup * const 0x0341c1c8) line 161 + 26 bytes
XRE_main(int 0x00000003, char * * 0x003f7228, const nsXREAppData * 0x0040301c kAppData) line 2321 + 35 bytes
main(int 0x00000003, char * * 0x003f7228) line 61 + 19 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()

Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, regression
Version: 1.8 Branch → Trunk
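
A triage aid for traces in the format posted in comment 3, added here as an example and not part of the bug report or of Mozilla's code: it parses each frame and flags pointer arguments that are non-NULL yet too low to be a mapped address, which in this trace singles out the JSObject * 0x00000920 handed to JS_GetPrivate. The 64 KiB cutoff and the names parse_frame and suspicious_pointers are assumptions of the example.

```python
import re

# Frames copied verbatim from the trace in comment 3 (debugger call-stack format).
SAMPLE_FRAMES = [
    "JS_GetPrivate(JSContext * 0x03f972f0, JSObject * 0x00000920) line 2147 + 3 bytes",
    "call_resolve(JSContext * 0x03f972f0, JSObject * 0x04e085a8, long 0x04e0849c, "
    "unsigned int 0x00000002, JSObject * * 0x0012d0ec) line 812 + 13 bytes",
    "nsHTMLAnchorElement::HandleDOMEvent(nsPresContext * 0x042f9468, nsEvent * 0x0012ef28, "
    "nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f3b4) line 296",
    "USER32! 77d48734()",
]

# Assumption of this example: a non-NULL pointer below 64 KiB cannot be a mapped object.
LOW_ADDR_LIMIT = 0x10000

FRAME_RE = re.compile(r"^(?P<func>[\w:~]+)\((?P<args>.*)\) line (?P<line>\d+)(?: \+ \d+ bytes)?$")
ARG_RE = re.compile(r"^(?P<type>.+?)\s+(?P<value>0x[0-9a-fA-F]+)(?:\s+\w+)?$")

def parse_frame(text):
    """Return {'func', 'line', 'args': [(c_type, value), ...]} or None for symbol-less frames."""
    m = FRAME_RE.match(text.strip())
    if m is None:
        return None
    args = []
    for raw in m.group("args").split(","):
        am = ARG_RE.match(raw.strip())
        if am:  # skips arguments shown without a hex value, e.g. "nsPoint {...}"
            args.append((am.group("type"), int(am.group("value"), 16)))
    return {"func": m.group("func"), "line": int(m.group("line")), "args": args}

def suspicious_pointers(frames, limit=LOW_ADDR_LIMIT):
    """List (depth, function, c_type, value) for pointer args that are non-NULL but below limit."""
    findings = []
    for depth, text in enumerate(frames):
        frame = parse_frame(text)
        if frame is None:
            continue
        for c_type, value in frame["args"]:
            # NULL is a legitimate argument; a small non-zero "pointer" is not.
            if "*" in c_type and 0 < value < limit:
                findings.append((depth, frame["func"], c_type, value))
    return findings

if __name__ == "__main__":
    for depth, func, c_type, value in suspicious_pointers(SAMPLE_FRAMES):
        print(f"frame {depth}: {func} received {c_type} {value:#010x}")
```
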

Comment 4 • 19 years ago
1. load the http://simonbaird.com/mptw1/ page
2. open venkman
3. load the source for http://simonbaird.com/mptw1/ in venkman's source view
4. search for createTiddlerViewer
5. set break point at line 1905 at the call to createTiddlerViewer
6. click Minesweeper on http://simonbaird.com/mptw1/
7. you end up in an anonymous function handler. Attempting to access the w argument or lookaheadRegExp will assert

JS_ASSERT(fp->fun);

call_resolve(JSContext * 0x033bcfb8, JSObject * 0x039c3ef0, long 0x02d8769c, unsigned int 0x00000000, JSObject * * 0x001281e4) line 804 + 31 bytes
js_LookupPropertyWithFlags(JSContext * 0x033bcfb8, JSObject * 0x039c3ef0, long 0x03641e98, unsigned int 0x00000000, JSObject * * 0x00128284, JSProperty * * 0x00128270) line 2714 + 78 bytes
js_LookupProperty(JSContext * 0x033bcfb8, JSObject * 0x039c3ef0, long 0x03641e98, JSObject * * 0x00128284, JSProperty * * 0x00128270) line 2619 + 27 bytes
js_FindProperty(JSContext * 0x033bcfb8, long 0x03641e98, JSObject * * 0x00128b14, JSObject * * 0x00128ba4, JSProperty * * 0x00128ae8) line 2828 + 31 bytes
js_Interpret(JSContext * 0x033bcfb8, unsigned char * 0x05d00a88, long * 0x00128c28) line 3839 + 34 bytes
js_Execute(JSContext * 0x033bcfb8, JSObject * 0x05f43690, JSScript * 0x05d00a58, JSStackFrame * 0x05e78fa4, unsigned int 0x00000030, long * 0x00128d40) line 1480 + 19 bytes
JS_EvaluateUCInStackFrame(JSContext * 0x033bcfb8, JSStackFrame * 0x05e78fa4, const unsigned short * 0x0603fa20, unsigned int 0x0000000f, const char * 0x05ede988, unsigned int 0x00000001, long * 0x00128d40) line 929 + 30 bytes
jsd_EvaluateUCScriptInStackFrame(JSDContext * 0x0100eec0, JSDThreadState * 0x05f3a1b8, JSDStackFrameInfo * 0x05db3ee8, const unsigned short * 0x0603fa20, unsigned int 0x0000000f, const char * 0x05ede988, unsigned int 0x00000001, int 0x00000000, long * 0x00128d40) line 456 + 37 bytes
JSD_AttemptUCScriptInStackFrame(JSDContext * 0x0100eec0, JSDThreadState * 0x05f3a1b8, JSDStackFrameInfo * 0x05db3ee8, const unsigned short * 0x0603fa20, unsigned int 0x0000000f, const char * 0x05ede988, unsigned int 0x00000001, long * 0x00128d40) line 795 + 39 bytes
jsdStackFrame::Eval(jsdStackFrame * const 0x05f7ca78, const nsAString_internal & {...}, const char * 0x05ede988, unsigned int 0x00000001, jsdIValue * * 0x00128f0c, int * 0x00128f1c) line 1920 + 52 bytes
XPTC_InvokeByIndex(nsISupports * 0x05f7ca78, unsigned int 0x00000014, unsigned int 0x00000005, nsXPTCVariant * 0x00128edc) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2152 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x03815fd0, JSObject * 0x05f43640, unsigned int 0x00000004, long * 0x063e8b58, long * 0x001291b4) line 1444 + 14 bytes
js_Invoke(JSContext * 0x03815fd0, unsigned int 0x00000004, unsigned int 0x00000000) line 1230 + 23 bytes
js_Interpret(JSContext * 0x03815fd0, unsigned char * 0x0425a412, long * 0x00129c78) line 3779 + 15 bytes
js_Invoke(JSContext * 0x03815fd0, unsigned int 0x00000001, unsigned int 0x00000000) line 1254 + 19 bytes
js_Interpret(JSContext * 0x03815fd0, unsigned char * 0x0430b317, long * 0x0012a6ec) line 3779 + 15 bytes
js_Invoke(JSContext * 0x03815fd0, unsigned int 0x00000003, unsigned int 0x00000000) line 1254 + 19 bytes
js_Interpret(JSContext * 0x03815fd0, unsigned char * 0x04255a40, long * 0x0012b160) line 3779 + 15 bytes
js_Invoke(JSContext * 0x03815fd0, unsigned int 0x00000001, unsigned int 0x00000002) line 1254 + 19 bytes
js_InternalInvoke(JSContext * 0x03815fd0, JSObject * 0x050c5878, long 0x05fbc828, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012b35c, long * 0x0012b358) line 1331 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03815fd0, JSObject * 0x050c5878, long 0x05fbc828, unsigned int 0x00000001, long * 0x0012b35c, long * 0x0012b358) line 4169 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x050c5878, JSObject * 0x05fbc828, unsigned int 0x00000001, long * 0x0012b35c, long * 0x0012b358) line 1424 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x043ceb68, nsIDOMEvent * 0x05fa89d8) line 186 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03837ae8, nsIDOMEventListener * 0x043ceb68, nsIDOMEvent * 0x05fa89d8, nsIDOMEventTarget * 0x05fa8da8, unsigned int 0x00000004, unsigned int 0x00000002) line 1653 + 16 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x043bc218, nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x0012ba54, nsIDOMEventTarget * 0x05fa8da8, unsigned int 0x00000002, nsEventStatus * 0x0012bf78) line 1760
nsXULElement::HandleDOMEvent(nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x0012ba54, unsigned int 0x00000002, nsEventStatus * 0x0012bf78) line 1885
nsXULElement::HandleDOMEvent(nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x0012ba54, unsigned int 0x00000002, nsEventStatus * 0x0012bf78) line 1904 + 60 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x0012ba54, unsigned int 0x00000007, nsEventStatus * 0x0012bf78) line 2224 + 60 bytes
nsHTMLInputElement::HandleDOMEvent(nsPresContext * 0x0385fe18, nsEvent * 0x0012c14c, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012bf78) line 1359 + 31 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012c14c, nsIView * 0x04175860, unsigned int 0x00000001, nsEventStatus * 0x0012bf78) line 6056 + 52 bytes
PresShell::HandleEvent(PresShell * const 0x04175100, nsIView * 0x04175860, nsGUIEvent * 0x0012c14c, nsEventStatus * 0x0012bf78) line 5831 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x04175860, nsPoint {...}, nsGUIEvent * 0x0012c14c, int 0x00000000) line 1675
nsViewManager::DispatchEvent(nsViewManager * const 0x03809418, nsGUIEvent * 0x0012c14c, nsEventStatus * 0x0012c09c) line 1628 + 37 bytes
HandleEvent(nsGUIEvent * 0x0012c14c) line 176
nsWindow::DispatchEvent(nsWindow * const 0x037d62d4, nsGUIEvent * 0x0012c14c, nsEventStatus & nsEventStatus_eIgnore) line 1168 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012c14c) line 1189
nsWindow::DispatchKeyEvent(unsigned int 0x00000083, unsigned short 0x0000, unsigned int 0x0000000d, long 0x001c0001, unsigned int 0x00000000) line 3381 + 15 bytes
nsWindow::OnKeyDown(unsigned int 0x0000000d, unsigned int 0x0000001c, long 0x001c0001) line 3519
nsWindow::ProcessMessage(unsigned int 0x00000100, unsigned int 0x0000000d, long 0x001c0001, long * 0x0012c69c) line 4462 + 32 bytes
nsWindow::WindowProc(HWND__ * 0x000b01b4, unsigned int 0x00000100, unsigned int 0x0000000d, long 0x001c0001) line 1357 + 27 bytes

Comment 5 • 19 years ago (Reporter)
Although it's already been confirmed, I created a reduced version of the URL: http://members.cox.net/paul.dickson/TiddlyWiki-1.2.39.empty.html

TiddlyWiki itself doesn't seem to have this problem, only the plugins like Minesweeper. The above web page includes only TiddlyWiki and Minesweeper for 140K (the original page was 500+K).
Updated • 19 years ago
Severity: major → critical
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?

Comment 6 • 19 years ago
Is it actually an assertion or are we just crashing on that line? Tentatively marking as a dupe of bug 325540, but please reopen if this isn't the case.

*** This bug has been marked as a duplicate of 325540 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated • 19 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.1-
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2-

Comment 8 • 18 years ago
*** Bug 331253 has been marked as a duplicate of this bug. ***