Closed Bug 327199 Opened 20 years ago Closed 16 years ago

crash on infinite loop creating new arrays Part deux

Categories

(Core :: JavaScript Engine, defect)

1.7 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash, testcase)

Forked from Bug 271716. 1.7 branch only.

Marsha found a crash with talkback id 15139705 and stack

js_Mark [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3978]
js_MarkGCThing [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 865]
js_MarkGCThing [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 919]
ditto.

Running 1.0.8/winxp/debug from this morning on the attached testcase I hit an assert

    JS_PUBLIC_API(void *)
    JS_GetPrivate(JSContext *cx, JSObject *obj)
    {
        jsval v;

    =>  JS_ASSERT(OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE);
        v = GC_AWARE_GET_SLOT(cx, obj, JSSLOT_PRIVATE);
        if (!JSVAL_IS_INT(v))
            return NULL;
        return JSVAL_TO_PRIVATE(v);
    }

JS_GetPrivate(JSContext * 0x03bafcf0, JSObject * 0x03bbb700) line 2003 + 231 bytes
nsScriptSecurityManager::GetFunctionObjectPrincipal(JSContext * 0x03bafcf0, JSObject * 0x03bbb700, JSStackFrame * 0x0012e85c, nsIPrincipal * * 0x0012e3b8) line 1842 + 14 bytes
nsScriptSecurityManager::GetFramePrincipal(JSContext * 0x03bafcf0, JSStackFrame * 0x0012e85c, nsIPrincipal * * 0x0012e3b8) line 1916 + 24 bytes
nsScriptSecurityManager::GetPrincipalAndFrame(JSContext * 0x03bafcf0, nsIPrincipal * * 0x0012e3b8, JSStackFrame * * 0x0012e378) line 1940 + 20 bytes
nsScriptSecurityManager::GetSubjectPrincipal(JSContext * 0x03bafcf0, nsIPrincipal * * 0x0012e3b8) line 1980
nsScriptSecurityManager::GetSubjectPrincipal(nsScriptSecurityManager * const 0x00ee6340, nsIPrincipal * * 0x0012e3b8) line 1630
nsScriptSecurityManager::SubjectPrincipalIsSystem(nsScriptSecurityManager * const 0x00ee6340, int * 0x0012e3cc) line 1663 + 36 bytes
nsContentUtils::IsCallerChrome() line 920 + 21 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012e748, nsIView * 0x03180070, unsigned int 0x00000001, nsEventStatus * 0x0012e574) line 6027 + 5 bytes
PresShell::HandleEvent(PresShell * const 0x032353d4, nsIView * 0x03180070, nsGUIEvent * 0x0012e748, nsEventStatus * 0x0012e574, int 0x00000001, int & 0x00000001) line 5921 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x03180070, nsGUIEvent * 0x0012e748, int 0x00000000) line 2275
nsViewManager::DispatchEvent(nsViewManager * const 0x030fb540, nsGUIEvent * 0x0012e748, nsEventStatus * 0x0012e6ac) line 2061 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012e748) line 77
nsWindow::DispatchEvent(nsWindow * const 0x031800fc, nsGUIEvent * 0x0012e748, nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012e748) line 1088
nsWindow::DispatchFocus(unsigned int 0x00000069, int 0x00000001) line 5451 + 15 bytes
nsWindow::ProcessMessage(unsigned int 0x00000007, unsigned int 0x003002da, long 0x00000000, long * 0x0012ebac) line 4194 + 23 bytes
nsWindow::WindowProc(HWND__ * 0x005a0388, unsigned int 0x00000007, unsigned int 0x003002da, long 0x00000000) line 1349 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
GlobalWindowImpl::Focus(GlobalWindowImpl * const 0x02e9dc8c) line 2779 + 25 bytes
nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012ef08) line 610
nsWindow::DispatchEvent(nsWindow * const 0x031bad6c, nsGUIEvent * 0x0012ef08, nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012ef08) line 1088
nsWindow::DispatchFocus(unsigned int 0x00000069, int 0x00000001) line 5451 + 15 bytes
nsWindow::ProcessMessage(unsigned int 0x00000007, unsigned int 0x00000000, long 0x00000000, long * 0x0012f36c) line 4194 + 23 bytes
nsWindow::WindowProc(HWND__ * 0x003002da, unsigned int 0x00000007, unsigned int 0x00000000, long 0x00000000) line 1349 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
USER32! 77d4b3f9()
USER32! 77d4b393()
nsWindow::DefaultWindowProc(HWND__ * 0x003002da, unsigned int 0x00000006, unsigned int 0x00000001, long 0x00000000) line 1375
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4c63f()
USER32! 77d4c665()
nsWindow::WindowProc(HWND__ * 0x003002da, unsigned int 0x00000006, unsigned int 0x00000001, long 0x00000000) line 1356 + 31 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
USER32! 77d49402()
PeekKeyAndIMEMessage(tagMSG * 0x0012f8d4 {msg=0x00000113 wp=0x00003f9b lp=0x01dc6f70}, HWND__ * 0x00000000) line 90 + 24 bytes
nsAppShell::Run(nsAppShell * const 0x02dcd788) line 128 + 11 bytes
nsAppShellService::Run(nsAppShellService * const 0x02dcd6c8) line 495
xre_main(int 0x00000003, char * * 0x003e6db8, const nsXREAppData * 0x0041e01c kAppData) line 1907 + 35 bytes
main(int 0x00000003, char * * 0x003e6db8) line 58 + 18 bytes
mainCRTStartup() line 338 + 17 bytes

I don't crash in 1.5.0, 1.5, trunk/winxp/debug builds from this morning.

Brendan asked: what is the class of that object, which lacks JSCLASS_HAS_PRIVATE?

I haven't been able to reproduce the exact assert/stack. If you load the URL, you get different stacks depending on mouse move, focus, ...

I have the following in the debugger now:

        rt = cx->runtime;
        JS_LOCK_GC(rt);
    =>  JS_ASSERT(!rt->gcRunning);
        if (rt->gcRunning) {
            METER(rt->gcStats.finalfail++);
            JS_UNLOCK_GC(rt);
            return NULL;
        }

js_AllocGCThing(JSContext * 0x025558b8, unsigned int 0x00000000) line 471 + 34 bytes
js_NewObject(JSContext * 0x025558b8, JSClass * 0x100cd7b0 _js_FunctionClass, JSObject * 0x025f7f08, JSObject * 0x02a5cbd0) line 1899 + 11 bytes
js_NewFunction(JSContext * 0x025558b8, JSObject * 0x00000000, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00000000, unsigned int 0x00000001, unsigned int 0x00000000, JSObject * 0x02a5cbd0, JSAtom * 0x0304e8c0) line 1950 + 20 bytes
JS_CompileUCFunctionForPrincipals(JSContext * 0x025558b8, JSObject * 0x02a5cbd0, JSPrincipals * 0x00f64388, const char * 0x04228f94, unsigned int 0x00000001, const char * * 0x0203a46c char const * * gEventArgv, const unsigned short * 0x02b13560, unsigned int 0x0000002f, const char * 0x02afadb8, unsigned int 0x00000141) line 3436 + 27 bytes
nsJSContext::CompileEventHandler(void * 0x02a5cbd0, nsIAtom * 0x04228f88, const nsAString & {...}, const char * 0x02afadb8, unsigned int 0x00000141, int 0x00000001, void * * 0x0012e1b8) line 1192 + 74 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * 0x03199690, nsIDOMEvent * 0x020aef18) line 443
nsXBLEventHandler::HandleEvent(nsXBLEventHandler * const 0x02b012f8, nsIDOMEvent * 0x020aef18) line 88
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02b0bc00, nsIDOMEvent * 0x020aef18, nsIDOMEventTarget * 0x03199690, unsigned int 0x00000000, unsigned int 0x00000002) line 1453 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x02b0f330, nsIPresContext * 0x02998d58, nsEvent * 0x04228ed8, nsIDOMEvent * * 0x0012ed24, nsIDOMEventTarget * 0x03199690, unsigned int 0x00000002, nsEventStatus * 0x0012ed04) line 1554
nsXULElement::HandleDOMEvent(nsIPresContext * 0x02998d58, nsEvent * 0x04228ed8, nsIDOMEvent * * 0x0012ed24, unsigned int 0x00000002, nsEventStatus * 0x0012ed04) line 2853
nsXULElement::HandleDOMEvent(nsIPresContext * 0x02998d58, nsEvent * 0x04228ed8, nsIDOMEvent * * 0x0012ed24, unsigned int 0x00000007, nsEventStatus * 0x0012ed04) line 2870 + 57 bytes
nsEventStateManager::DispatchNewEvent(nsEventStateManager * const 0x02952fd0, nsISupports * 0x029f5750, nsIDOMEvent * 0x020aef18, int * 0x0012ed60) line 4607 + 46 bytes
nsBoxFrame::FireDOMEvent(nsIPresContext * 0x02998d58, const nsAString & {...}) line 2644
nsMenuFrame::SelectMenu(nsMenuFrame * const 0x02b2e750, int 0x00000001) line 596
nsMenuBarFrame::SetCurrentMenuItem(nsMenuBarFrame * const 0x02af8c40, nsIMenuFrame * 0x02b2e750) line 569
nsMenuFrame::HandleEvent(nsMenuFrame * const 0x02b2e6c8, nsIPresContext * 0x02998d58, nsGUIEvent * 0x0012f2e0, nsEventStatus * 0x0012f0c8) line 502
PresShell::HandleEventInternal(nsEvent * 0x0012f2e0, nsIView * 0x02953580, unsigned int 0x00000001, nsEventStatus * 0x0012f0c8) line 6103 + 39 bytes
PresShell::HandleEvent(PresShell * const 0x029594cc, nsIView * 0x02953580, nsGUIEvent * 0x0012f2e0, nsEventStatus * 0x0012f0c8, int 0x00000001, int & 0x00000001) line 5921 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x02953580, nsGUIEvent * 0x0012f2e0, int 0x00000000) line 2321
nsViewManager::DispatchEvent(nsViewManager * const 0x029533b0, nsGUIEvent * 0x0012f2e0, nsEventStatus * 0x0012f1cc) line 2061 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f2e0) line 77
nsWindow::DispatchEvent(nsWindow * const 0x0295360c, nsGUIEvent * 0x0012f2e0, nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f2e0) line 1088
nsWindow::DispatchMouseEvent(unsigned int 0x0000012c, unsigned int 0x00000000, nsPoint * 0x00000000) line 5259 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012c, unsigned int 0x00000000, nsPoint * 0x00000000) line 5512
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x00010102, long * 0x0012f784) line 4025 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x0047031a, unsigned int 0x00000200, unsigned int 0x00000000, long 0x00010102) line 1349 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x00f04888) line 135
nsAppShellService::Run(nsAppShellService * const 0x00f241a8) line 495
xre_main(int 0x00000003, char * * 0x003e6d50, const nsXREAppData * 0x0041e01c kAppData) line 1907 + 35 bytes
main(int 0x00000003, char * * 0x003e6d50) line 58 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()
This also crashes in 1.0.4 and 1.0.7 and possibly earlier.
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
... And 1.0.2. dveditz tested these.
Crashes on all three platforms, Firefox 1.0-1.0.8.
URL no longer crashes, but gives two messages of ...

Error: too much recursion
Source File: https://bugzilla.mozilla.org/attachment.cgi?id=167017
Line: 3

UI is not frozen. On shutdown, Firefox goes into high CPU and the task does not terminate.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008020104 Minefield/3.0b3pre
Works fine for me. I get the too-much-recursion messages like wsmwk, but unlike for wsmwk, Firefox has no trouble shutting down.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME