Closed Bug 351122 Opened 14 years ago Closed 14 years ago

Repeated crashes [@ block_getProperty]

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla1.8.1

People

(Reporter: sciguyryan, Assigned: brendan)

References

Details

(Keywords: crash, fixed1.8.1)

Crash Data

Attachments

(2 files)

This has been happening a lot in recent builds - normally something associated with Gmail but I can't work out exactly what.

TB22779112W, TB22778371Z,TB22783972X are all examples of this.

If I find out exactly how to reproduce I'll post a reply.
This crash occurs on 1.8, too, according to Talkback.

Incident ID: 22783972
Stack Signature	block_getProperty 1aedeef9
Product ID	FirefoxTrunk
Build ID	2006090104
Trigger Time	2006-09-01 13:29:09.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	js3250.dll + (0002f4d4)
URL visited	
User Comments	
Since Last Crash	7087 sec
Total Uptime	23674 sec
Trigger Reason	Access violation
Source File, Line No.	c:\builds\tinderbox\fx-trunk-cairo\winnt_5.2_depend\mozilla\js\src\jsobj.c, line 1960
Stack Trace 	
block_getProperty  [mozilla\js\src\jsobj.c, line 1960]
js_PutBlockObject  [mozilla\js\src\jsobj.c, line 1935]
PutBlockObjects  [mozilla\js\src\jsinterp.c, line 522]
js_Invoke  [mozilla\js\src\jsinterp.c, line 1385]
Severity: major → critical
Keywords: crash
Summary: Repeated crashes [@js3250.dll + (0002f4d4)] → Repeated crashes [@ block_getProperty]
Attached patch fixSplinter Review
Same drill as for JSOP_SETSP.  The scope chain, unlike the block chain, can link to an outer function's block clone.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #236510 - Flags: review?(mrbkap)
Attachment #236510 - Flags: approval1.8.1?
Flags: blocking1.8.1?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8.1
What's the threshold for topcrash?  Anyone who knows, please this if it is one.

/be
Flags: blocking1.8.1? → blocking1.8.1+
Attachment #236510 - Flags: review?(mrbkap) → review+
Fixed on trunk.

/be
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
jay, comment 3?

someone found this with Jesse's fuzzer but didn't file it.
Flags: in-testsuite-
Depends on: 351204
Attachment #236510 - Flags: review+
Attachment #236510 - Flags: approval1.8.1?
This is the combination of the incorrect "fix" patch from this bug, and the followup patch in bug 351204.

/be
Attachment #236591 - Flags: review+
Attachment #236591 - Flags: approval1.8.1?
Blocks: js1.7let
Comment on attachment 236591 [details] [diff] [review]
1.8 branch roll-up patch

a=dbaron.  Please land on the MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #236591 - Flags: approval1.8.1? → approval1.8.1+
Roll-up patch landed on the 1.8 branch.

/be
Keywords: fixed1.8.1
I know this has been marked as fixed but even on todays builds I'm still getting this crash when opening a link from G-Mail and then closing the G-Mail tab:

TB22848559Q, TB22849793Z are both from todays builds.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060903 Minefield/3.0a1 - Build ID: 2006090304
(In reply to comment #9)
> I know this has been marked as fixed but even on todays builds I'm still
> getting this crash when opening a link from G-Mail and then closing the G-Mail
> tab:
> 
> TB22848559Q, TB22849793Z are both from todays builds.

The followup patch (bug 351204) went in after midnight Pacific -- was it in this build, for sure?

/be
(In reply to comment #10)
> The followup patch (bug 351204) went in after midnight Pacific -- was it in
> this build, for sure?
> 
> /be
> 

Just download the latest hourly build:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060904 Minefield/3.0a1 - Build ID: 2006090401

And I can still reproduce the crash. On investigation though its in the same cases but now its crashing @AllocSlots.

TB22871716G, TB22871792H

This is normally reproduced by middle clicking a Bugzilla link in G-Mail, closing the G-mail tab before the Bugzilla page has finished loading. Not even shure if this is the same bug.
Ryan, please file a new bug.  Those stacks look very bogus.  Maybe dbaron or jay can comment here, or in the new bug if you file it before they read this.

/be
(In reply to comment #12)
> Ryan, please file a new bug.  Those stacks look very bogus.  Maybe dbaron or
> jay can comment here, or in the new bug if you file it before they read this.
> 
> /be
> 

Done, reported as bug 351329.
Crash Signature: [@ block_getProperty]
You need to log in before you can comment on or make changes to this bug.