This has been happening a lot in recent builds - normally something associated with Gmail but I can't work out exactly what. TB22779112W, TB22778371Z,TB22783972X are all examples of this. If I find out exactly how to reproduce I'll post a reply.
This crash occurs on 1.8, too, according to Talkback. Incident ID: 22783972 Stack Signature block_getProperty 1aedeef9 Product ID FirefoxTrunk Build ID 2006090104 Trigger Time 2006-09-01 13:29:09.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module js3250.dll + (0002f4d4) URL visited User Comments Since Last Crash 7087 sec Total Uptime 23674 sec Trigger Reason Access violation Source File, Line No. c:\builds\tinderbox\fx-trunk-cairo\winnt_5.2_depend\mozilla\js\src\jsobj.c, line 1960 Stack Trace block_getProperty [mozilla\js\src\jsobj.c, line 1960] js_PutBlockObject [mozilla\js\src\jsobj.c, line 1935] PutBlockObjects [mozilla\js\src\jsinterp.c, line 522] js_Invoke [mozilla\js\src\jsinterp.c, line 1385]
Severity: major → critical
Summary: Repeated crashes [@js3250.dll + (0002f4d4)] → Repeated crashes [@ block_getProperty]
Created attachment 236510 [details] [diff] [review] fix Same drill as for JSOP_SETSP. The scope chain, unlike the block chain, can link to an outer function's block clone. /be
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8.1
What's the threshold for topcrash? Anyone who knows, please this if it is one. /be
Fixed on trunk. /be
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
jay, comment 3? someone found this with Jesse's fuzzer but didn't file it.
Created attachment 236591 [details] [diff] [review] 1.8 branch roll-up patch This is the combination of the incorrect "fix" patch from this bug, and the followup patch in bug 351204. /be
Comment on attachment 236591 [details] [diff] [review] 1.8 branch roll-up patch a=dbaron. Please land on the MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #236591 - Flags: approval1.8.1? → approval1.8.1+
Roll-up patch landed on the 1.8 branch. /be
I know this has been marked as fixed but even on todays builds I'm still getting this crash when opening a link from G-Mail and then closing the G-Mail tab: TB22848559Q, TB22849793Z are both from todays builds. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060903 Minefield/3.0a1 - Build ID: 2006090304
(In reply to comment #9) > I know this has been marked as fixed but even on todays builds I'm still > getting this crash when opening a link from G-Mail and then closing the G-Mail > tab: > > TB22848559Q, TB22849793Z are both from todays builds. The followup patch (bug 351204) went in after midnight Pacific -- was it in this build, for sure? /be
(In reply to comment #10) > The followup patch (bug 351204) went in after midnight Pacific -- was it in > this build, for sure? > > /be > Just download the latest hourly build: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060904 Minefield/3.0a1 - Build ID: 2006090401 And I can still reproduce the crash. On investigation though its in the same cases but now its crashing @AllocSlots. TB22871716G, TB22871792H This is normally reproduced by middle clicking a Bugzilla link in G-Mail, closing the G-mail tab before the Bugzilla page has finished loading. Not even shure if this is the same bug.
Ryan, please file a new bug. Those stacks look very bogus. Maybe dbaron or jay can comment here, or in the new bug if you file it before they read this. /be
(In reply to comment #12) > Ryan, please file a new bug. Those stacks look very bogus. Maybe dbaron or > jay can comment here, or in the new bug if you file it before they read this. > > /be > Done, reported as bug 351329.
You need to log in before you can comment on or make changes to this bug.