Bug 343295: Crash [@ js_NewGCThing() Line 1159 ] js1_7/GC/regress-341675.js
Status: VERIFIED DUPLICATE of bug 343455
Opened 18 years ago, closed 18 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: bc, Unassigned
Details: Keywords: crash, regression; Whiteboard: [sg:critical] js1.7 landing
forked from bug 341675. I think this is a regression but don't have a good range.

1. Start from command line without venkman installed or with venkman disabled.
./firefox <"http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_7/GC/regress-341675.js;language=language;javascript">
2. Crash

+ cx 0x03794018 {links={...} interpLevel=1 stackLimit=719224 ...} JSContext *
flags 2 unsigned int
nbytes 8 unsigned int
+ flagp 0x00c0d76b " " unsigned char *
+ lastptr 0x03c664d0 JSGCThing * *
maxFreeThings 6 unsigned int
+ rt 0x00bdb7c8 {state=JSRTS_UP cxCallback=0x00000000 gcArenaList=0x00bdb7d0 ...} JSRuntime *
doGC 0 int
+ flbase 0x00b3f8f4 JSGCThing * *
+ tmpflagp 0xad05f611 <Bad Ptr> unsigned char *
offset 268154 unsigned long
+ lrs 0x00000000 {scopeMark=??? rootCount=??? topChunk=??? ...} JSLocalRootStack *
flindex 0 unsigned int
+ thing 0x00c0d098 {next=0x03874df8 flagp=0x00c0d76b " " } JSGCThing *
+ firstPage 0x03c66000 "°" unsigned char *
localMallocBytes 384 unsigned int
+ tmpthing 0x000000aa {next=??? flagp=??? } JSGCThing *
+ arenaList 0x00bdb7d0 {last=0x03c65f40 lastLimit=1240 thingSize=8 ...} JSGCArenaList *
+ a 0x03c65f40 {list=0x00bdb7d0 prev=0x03c50400 prevUnscanned=0x00000000 ...} JSGCArena *
gcLocked 1 int

> js3250.dll!js_NewGCThing(JSContext * cx=0x03794018, unsigned int flags=2, unsigned int nbytes=8) Line 1159 + 0x3 bytes C
js3250.dll!js_NewDouble(JSContext * cx=0x03794018, double d=1.#INF000000000000, unsigned int gcflag=0) Line 644 + 0x12 bytes C
js3250.dll!js_NewDoubleValue(JSContext * cx=0x03794018, double d=1.#INF000000000000, long * rval=0x0012f514) Line 662 + 0x14 bytes C
js3250.dll!js_Interpret(JSContext * cx=0x03794018, unsigned char * pc=0x03c12f3b, long * result=0x0012f730) Line 3350 + 0x261 bytes C
js3250.dll!js_Execute(JSContext * cx=0x03794018, JSObject * chain=0x03bf74a0, JSScript * script=0x03c37940, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012f85c) Line 1573 + 0x13 bytes C
js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x03794018, JSObject * obj=0x03bf74a0, JSPrincipals * principals=0x01dad05c, const unsigned short * chars=0x03c27030, unsigned int length=2262, const char * filename=0x03c34bd8, unsigned int lineno=1, long * rval=0x0012f85c) Line 4303 + 0x19 bytes C
gklayout.dll!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x03bf74a0, nsIPrincipal * aPrincipal=0x01dad058, const char * aURL=0x03c34bd8, unsigned int aLineNo=1, unsigned int aVersion=0, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x0012f950) Line 1247 + 0x43 bytes C++
gklayout.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x03c2b950, const nsString & aScript={...}) Line 800 + 0x63 bytes C++
gklayout.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest=0x03c2b950) Line 704 + 0x13 bytes C++
gklayout.dll!nsScriptLoader::OnStreamComplete(nsIStreamLoader * aLoader=0x03c349d8, nsISupports * aContext=0x03c2b950, unsigned int aStatus=0, unsigned int stringLen=2262, const unsigned char * string=0x03c380a0) Line 1065 C++
necko.dll!nsStreamLoader::OnStopRequest(nsIRequest * request=0x03c3a8f8, nsISupports * ctxt=0x03c2b950, unsigned int aStatus=0) Line 117 C++
necko.dll!nsHttpChannel::OnStopRequest(nsIRequest * request=0x03c3d998, nsISupports * ctxt=0x03c2b950, unsigned int status=0) Line 4054 C++
necko.dll!nsInputStreamPump::OnStateStop() Line 567 C++
necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x03c3e108) Line 391 + 0xb bytes C++
xpcom_core.dll!nsInputStreamReadyEvent::Run() Line 112 C++
xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 483 C++
xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b382a0, int mayWait=1) Line 225 + 0x16 bytes C++
gkwidget.dll!nsBaseAppShell::Run() Line 153 + 0xc bytes C++
tkitcmps.dll!nsAppStartup::Run() Line 171 + 0x1c bytes C++
xul.dll!XRE_main(int argc=4, char * * argv=0x00b37ed8, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++
firefox.exe!main(int argc=4, char * * argv=0x00b37ed8) Line 61 + 0x13 bytes C++
firefox.exe!__tmainCRTStartup() Line 586 + 0x19 bytes C
firefox.exe!mainCRTStartup() Line 403 C
kernel32.dll!_BaseProcessStart@4() + 0x23 bytes

If you start the browser, then paste the url into the url bar instead of starting from the command line with the url, you may not crash immediately but may JS_Assert with a different stack if you refresh:

+ s 0x0053205c "script->length != 0" const char *
+ file 0x00532020 "c:/work/mozilla/builds/ff/trunk/mozilla/js/src/jsinterp.c" const char *
ln 2048 int

ntdll.dll!_DbgBreakPoint@0()
> js3250.dll!JS_Assert(const char * s=0x0053205c, const char * file=0x00532020, int ln=2048) Line 62 C
js3250.dll!js_Interpret(JSContext * cx=0x03d4fd98, unsigned char * pc=0x03b75f81, long * result=0x0012dc38) Line 2048 + 0x22 bytes C
js3250.dll!generator_send(JSContext * cx=0x03d4fd98, JSObject * obj=0x02ff2638, unsigned int argc=0, long * argv=0x03dd3968, long * rval=0x0012dd1c) Line 784 + 0x14 bytes C
js3250.dll!generator_close(JSContext * cx=0x03d4fd98, JSObject * obj=0x02ff2638, unsigned int argc=0, long * argv=0x03dd3968, long * rval=0x0012dd1c) Line 834 + 0x17 bytes C
js3250.dll!js_Invoke(JSContext * cx=0x03d4fd98, unsigned int argc=0, unsigned int flags=2) Line 1328 + 0x20 bytes C
js3250.dll!js_InternalInvoke(JSContext * cx=0x03d4fd98, JSObject * obj=0x02ff2638, long fval=63811776, unsigned int flags=0, unsigned int argc=0, long * argv=0x00000000, long * rval=0x0012de70) Line 1422 + 0x14 bytes C
js3250.dll!generator_closehook(JSContext * cx=0x03d4fd98, JSObject * obj=0x02ff2638) Line 638 + 0x1b bytes C
js3250.dll!ExecuteCloseHooks(JSContext * cx=0x03d4fd98, const JSObjectsToClose * toClose=0x0012df1c) Line 1017 + 0x10 bytes C
js3250.dll!js_GC(JSContext * cx=0x03d4fd98, unsigned int gcflags=0) Line 2770 + 0xd bytes C
js3250.dll!js_ForceGC(JSContext * cx=0x03d4fd98, unsigned int gcflags=0) Line 2230 + 0xd bytes C
js3250.dll!JS_GC(JSContext * cx=0x03d4fd98) Line 1917 + 0xb bytes C
gklayout.dll!nsJSContext::Notify(nsITimer * timer=0x03a643b0) Line 2996 + 0xd bytes C++
xpcom_core.dll!nsTimerImpl::Fire() Line 387 C++
xpcom_core.dll!nsTimerEvent::Run() Line 458 C++
xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012e040) Line 483 C++
xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b38218, int mayWait=1) Line 225 + 0x16 bytes C++
appshell.dll!nsXULWindow::ShowModal() Line 402 + 0xc bytes C++
appshell.dll!nsContentTreeOwner::ShowAsModal() Line 503 C++
embedcomponents.dll!nsWindowWatcher::OpenWindowJSInternal(nsIDOMWindow * aParent=0x039428a8, const char * aUrl=0x01bcc6c0, const char * aName=0x01bcd14c, const char * aFeatures=0x01bcd128, int aDialog=1, nsIArray * argv=0x03e2b640, int aCalledFromJS=0, nsIDOMWindow * * _retval=0x0012e568) Line 859 C++
embedcomponents.dll!nsWindowWatcher::OpenWindow(nsIDOMWindow * aParent=0x039428a8, const char * aUrl=0x01bcc6c0, const char * aName=0x01bcd14c, const char * aFeatures=0x01bcd128, nsISupports * aArguments=0x03d969f8, nsIDOMWindow * * _retval=0x0012e568) Line 413 + 0x2b bytes C++
embedcomponents.dll!nsPromptService::DoDialog(nsIDOMWindow * aParent=0x039428a8, nsIDialogParamBlock * aParamBlock=0x03d969f8, const char * aChromeURL=0x01bcc6c0) Line 657 + 0x4f bytes C++
embedcomponents.dll!nsPromptService::ConfirmEx(nsIDOMWindow * parent=0x039428a8, const unsigned short * dialogTitle=0x03e127d8, const unsigned short * text=0x03d96bd0, unsigned int buttonFlags=5, const unsigned short * button0Title=0x03dd8cc8, const unsigned short * button1Title=0x03e12828, const unsigned short * button2Title=0x00000000, const unsigned short * checkMsg=0x03e12778, int * checkValue=0x0012e9f8, int * buttonPressed=0x0012e838) Line 345 + 0x24 bytes C++
embedcomponents.dll!nsPrompt::ConfirmEx(const unsigned short * dialogTitle=0x03e127d8, const unsigned short * text=0x03d96bd0, unsigned int buttonFlags=83918719, const unsigned short * button0Title=0x03dd8cc8, const unsigned short * button1Title=0x03e12828, const unsigned short * button2Title=0x00000000, const unsigned short * checkMsg=0x03e12778, int * checkValue=0x0012e9f8, int * buttonPressed=0x0012e838) Line 286 + 0x4c bytes C++
caps.dll!nsScriptSecurityManager::CheckConfirmDialog(JSContext * cx=0x03087c98, nsIPrincipal * aPrincipal=0x03a55650, const char * aCapability=0x03dd8c00, int * checkValue=0x0012e9f8) Line 2451 + 0x6a bytes C++
caps.dll!nsScriptSecurityManager::RequestCapability(nsIPrincipal * aPrincipal=0x03a55650, const char * capability=0x03dd8c00, short * canEnable=0x0012ebc0) Line 2469 + 0x15 bytes C++
caps.dll!nsScriptSecurityManager::EnableCapability(const char * capability=0x03dd8c00) Line 2537 + 0x1a bytes C++
caps.dll!netscape_security_enablePrivilege(JSContext * cx=0x03087c98, JSObject * obj=0x03d37550, unsigned int argc=1, long * argv=0x03b8ff9c, long * rval=0x0012ec94) Line 172 + 0x1d bytes C++
js3250.dll!js_Invoke(JSContext * cx=0x03087c98, unsigned int argc=1, unsigned int flags=0) Line 1328 + 0x20 bytes C
js3250.dll!js_Interpret(JSContext * cx=0x03087c98, unsigned char * pc=0x03e12ae9, long * result=0x0012f730) Line 4021 + 0xf bytes C
js3250.dll!js_Execute(JSContext * cx=0x03087c98, JSObject * chain=0x03d37c28, JSScript * script=0x03e15138, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0012f85c) Line 1573 + 0x13 bytes C
js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x03087c98, JSObject * obj=0x03d37c28, JSPrincipals * principals=0x03a55654, const unsigned short * chars=0x03a5fe38, unsigned int length=2262, const char * filename=0x03db8e50, unsigned int lineno=1, long * rval=0x0012f85c) Line 4303 + 0x19 bytes C
gklayout.dll!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x03d37c28, nsIPrincipal * aPrincipal=0x03a55650, const char * aURL=0x03db8e50, unsigned int aLineNo=1, unsigned int aVersion=0, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x0012f950) Line 1247 + 0x43 bytes C++
gklayout.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x03cf8450, const nsString & aScript={...}) Line 800 + 0x63 bytes C++
gklayout.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest=0x03cf8450) Line 704 + 0x13 bytes C++
gklayout.dll!nsScriptLoader::OnStreamComplete(nsIStreamLoader * aLoader=0x03d24948, nsISupports * aContext=0x03cf8450, unsigned int aStatus=0, unsigned int stringLen=2262, const unsigned char * string=0x03e03ab0) Line 1065 C++
necko.dll!nsStreamLoader::OnStopRequest(nsIRequest * request=0x03e19ac8, nsISupports * ctxt=0x03cf8450, unsigned int aStatus=0) Line 117 C++
necko.dll!nsHttpChannel::OnStopRequest(nsIRequest * request=0x03cbef58, nsISupports * ctxt=0x03cf8450, unsigned int status=0) Line 4054 C++
necko.dll!nsInputStreamPump::OnStateStop() Line 567 C++
necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x03cbf058) Line 391 + 0xb bytes C++
xpcom_core.dll!nsInputStreamReadyEvent::Run() Line 112 C++
xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34) Line 483 C++
xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b38218, int mayWait=1) Line 225 + 0x16 bytes C++
gkwidget.dll!nsBaseAppShell::Run() Line 153 + 0xc bytes C++
tkitcmps.dll!nsAppStartup::Run() Line 171 + 0x1c bytes C++
xul.dll!XRE_main(int argc=3, char * * argv=0x00b37ed8, const nsXREAppData * aAppData=0x004036b0) Line 2349 + 0x25 bytes C++
firefox.exe!main(int argc=3, char * * argv=0x00b37ed8) Line 61 + 0x13 bytes C++
firefox.exe!__tmainCRTStartup() Line 586 + 0x19 bytes C
firefox.exe!mainCRTStartup() Line 403 C
kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
Comment 1 (Reporter) • 18 years ago
Now happens on 1.8.1 as well due to bug 336373.
Summary: Crash [@ > js3250.dll!js_NewGCThing() Line 1159 ] js1_7/GC/regress-341675.js → Crash [@ js_NewGCThing() Line 1159 ] js1_7/GC/regress-341675.js
Comment 2 (Reporter) • 18 years ago
pulled cvs and built trunk debug depends and still crash after shutting down but with
/*
* Look for a try block in script that can catch this exception.
*/
=> SCRIPT_FIND_CATCH_START(script, pc, pc);
+ tn_ 0xdddddddd {start=??? length=??? catchStart=??? } JSTryNote *
+ script 0x03952a98 {code=0xdddddddd <Bad Ptr> length=3722304989 main=0xdddddddd <Bad Ptr> ...} JSScript *
> js3250.dll!js_Interpret(JSContext * cx=0x01d40128, unsigned char * pc=0x03952ac9, long * result=0x0012f7f0) Line 6269 + 0x42 bytes C
js3250.dll!generator_send(JSContext * cx=0x01d40128, JSObject * obj=0x01f48310, unsigned int argc=0, long * argv=0x036eccd0, long * rval=0x0012f8d8) Line 790 + 0x14 bytes C
js3250.dll!generator_close(JSContext * cx=0x01d40128, JSObject * obj=0x01f48310, unsigned int argc=0, long * argv=0x036eccd0, long * rval=0x0012f8d8) Line 840 + 0x17 bytes C
js3250.dll!js_Invoke(JSContext * cx=0x01d40128, unsigned int argc=0, unsigned int flags=2) Line 1349 + 0x20 bytes C
js3250.dll!js_InternalInvoke(JSContext * cx=0x01d40128, JSObject * obj=0x01f48310, long fval=32803096, unsigned int flags=0, unsigned int argc=0, long * argv=0x00000000, long * rval=0x0012fa2c) Line 1447 + 0x14 bytes C
js3250.dll!generator_closehook(JSContext * cx=0x01d40128, JSObject * obj=0x01f48310) Line 642 + 0x1b bytes C
js3250.dll!ExecuteCloseHooks(JSContext * cx=0x01d40128, const JSObjectsToClose * toClose=0x0012fad8) Line 1017 + 0x10 bytes C
js3250.dll!js_GC(JSContext * cx=0x01d40128, unsigned int gcflags=0) Line 2788 + 0xd bytes C
js3250.dll!js_ForceGC(JSContext * cx=0x01d40128, unsigned int gcflags=0) Line 2251 + 0xd bytes C
js3250.dll!JS_GC(JSContext * cx=0x01d40128) Line 1917 + 0xb bytes C
gklayout.dll!nsDOMScriptObjectFactory::Observe(nsISupports * aSubject=0x00b3fc2c, const char * aTopic=0x003523f4, const unsigned short * someData=0x00000000) Line 284 + 0xa bytes C++
xpcom_core.dll!nsObserverList::NotifyObservers(nsISupports * aSubject=0x00b3fc2c, const char * aTopic=0x003523f4, const unsigned short * someData=0x00000000) Line 129 C++
xpcom_core.dll!nsObserverService::NotifyObservers(nsISupports * aSubject=0x00b3fc2c, const char * aTopic=0x003523f4, const unsigned short * someData=0x00000000) Line 177 C++
xpcom_core.dll!NS_ShutdownXPCOM_P(nsIServiceManager * servMgr=0x00b3fc2c) Line 720 C++
Updated (Reporter) • 18 years ago
Group: security
Comment 3 (Reporter) • 18 years ago
comment 2 is same stack as in bug 343455
Updated • 18 years ago
Flags: blocking1.9a1+
Flags: blocking1.8.1?
Whiteboard: [sg:critical] js1.7 landing
Comment 4 • 18 years ago
*** This bug has been marked as a duplicate of 343455 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Updated • 18 years ago
Flags: blocking1.9a1+
Flags: blocking1.8.1?
Comment 5
Is it worth checking that this was indeed fixed by the patch for the duplicate?
Comment 6 (Reporter) • 18 years ago
(In reply to comment #5)
> Is it worth checking that this was indeed fixed by the patch for the duplicate?
>
I will check that the testcase no longer crashes. I don't care if that particular patch fixed it though unless someone does.
Comment 7 (Reporter) • 18 years ago
test: js1_7/GC/regress-341675.js: result: CRASHED type: browser description: none : results/2006-07-24-05-18-34-firefox-2.0-opt-mac-1.8.1b1_2006072312-papaya.mozilla.org.log CRASHED signal 10 (8.875075 seconds)
test: js1_7/GC/regress-341675.js: result: CRASHED type: browser description: none : results/2006-07-24-05-43-40-firefox-2.0-dbg-1.8.1b1_2006072312-prune.log CRASHED 5 (2.625000 seconds)
Updated (Reporter) • 18 years ago
Status: RESOLVED → VERIFIED
Updated • 18 years ago
Group: security
Updated • 13 years ago
Crash Signature: [@ js_NewGCThing() Line 1159 ]