Closed Bug 342793 Opened 18 years ago Closed 18 years ago

crash in trunk browser js1_7/geniter/326466-01.js

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
major

Tracking

VERIFIED DUPLICATE of bug 343455

People

(Reporter: bc, Unassigned)

References

Details

(Keywords: crash, fixed1.8.1, Whiteboard: [sg:dupe 343455])

Load the URL in a trunk build on winxp. You may need to click in the url bar or reload to see the crash.

		JSTRAP_CONTINUE	0x00000001	int
+		pc	0x04b20f6b "нннннннннннннннннннннннннннннннннннннннннннннннннннн"	unsigned char *
+		rt	0x00fa90e0 {state=JSRTS_UP gcArenaList=0x00fa90e4 gcRootsHash={...} ...}	JSRuntime *
+		script	0x04b20f28 {code=0xdddddddd <Bad Ptr> length=0xdddddddd main=0xdddddddd <Bad Ptr> ...}	JSScript *


>	js3250.dll!js_Interpret(JSContext * cx=0x03c54230, unsigned char * pc=0x04b20f6b, long * result=0x0012f808)  Line 6140 + 0x42 bytes	C
 	js3250.dll!generator_send(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, unsigned int argc=0x00000000, long * argv=0x010434a8, long * rval=0x0012f8ec)  Line 778 + 0x14 bytes	C
 	js3250.dll!generator_close(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, unsigned int argc=0x00000000, long * argv=0x010434a8, long * rval=0x0012f8ec)  Line 828 + 0x17 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x03c54230, unsigned int argc=0x00000000, unsigned int flags=0x00000002)  Line 1328 + 0x20 bytes	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, long fval=0x04affa00, unsigned int flags=0x00000000, unsigned int argc=0x00000000, long * argv=0x00000000, long * rval=0x0012fa40)  Line 1422 + 0x14 bytes	C
 	js3250.dll!generator_closehook(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18)  Line 632 + 0x1b bytes	C
 	js3250.dll!ExecuteCloseHooks(JSContext * cx=0x03c54230, const JSObjectsToClose * toClose=0x0012fb04)  Line 859 + 0x10 bytes	C
 	js3250.dll!js_GC(JSContext * cx=0x03c54230, unsigned int gcflags=0x00000000)  Line 2633 + 0xd bytes	C
 	js3250.dll!js_ForceGC(JSContext * cx=0x03c54230, unsigned int gcflags=0x00000000)  Line 2098 + 0xd bytes	C
 	js3250.dll!JS_GC(JSContext * cx=0x03c54230)  Line 1907 + 0xb bytes	C
 	gklayout.dll!nsJSContext::Notify(nsITimer * timer=0x03e8b670)  Line 2996 + 0xd bytes	C++
 	xpcom_core.dll!nsTimerImpl::Fire()  Line 404	C++
 	xpcom_core.dll!nsTimerEvent::Run()  Line 486	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=0x00000001, int * result=0x0012fc34)  Line 483	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b083b8, int mayWait=0x00000001)  Line 225 + 0x16 bytes	C++
 	gkwidget.dll!nsBaseAppShell::Run()  Line 153 + 0xc bytes	C++
 	tkitcmps.dll!nsAppStartup::Run()  Line 171 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc=0x00000004, char * * argv=0x00b07fe0, const nsXREAppData * aAppData=0x004036b0)  Line 2349 + 0x25 bytes	C++
 	firefox.exe!main(int argc=0x00000004, char * * argv=0x00b07fe0)  Line 61 + 0x13 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	firefox.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes
I still get this nasty crash with deleted memory on the trunk during shutdown in the browser test using the v3 js17 rollup patch.
Flags: blocking1.9a1?
Group: security
This occurs on 1.8.1a3/winxp as well now that js17 has landed. Note that deleted memory use is exploitable.
Flags: blocking1.8.1?
Flags: blocking1.8.1? → blocking1.8.1+
Blocks: 344320
If this is fixed now that the fixes for bug 343455 have landed, please mark dup.

/be
Pulled cvs and built trunk debug depends and still crash after clicking url bar and reload with same stack as in bug 343295 comment 2.
crashes for me on linux trunk with clearing hooks.

same stack as in the description.

*** This bug has been marked as a duplicate of 343455 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Note test: js1_7/geniter/326466-01.js: result: CRASHED   type: browser description: none : results/2006-07-24-05-43-40-firefox-2.0-dbg-1.8.1b1_2006072312-prune.log CRASHED  5 (2.468000 seconds)
test: js1_7/geniter/326466-01.js: result: CRASHED   type: browser description: none : results/2006-07-24-08-35-59-firefox-2.0-dbg-mac-1.8.1b1_2006072312-pineapple.mozilla.org.log CRASHED signal  6 (4.244419 seconds)
Status: RESOLVED → VERIFIED
Flags: blocking1.9a1?
Keywords: fixed1.8.1
Whiteboard: [sg:dupe 343455]
Group: security