Repeated crashes [@ block_getProperty]

RESOLVED FIXED in mozilla1.8.1

Status

()

Core
JavaScript Engine
P1
critical
RESOLVED FIXED
12 years ago
7 years ago

People

(Reporter: sciguyryan, Assigned: brendan)

Tracking

({crash, fixed1.8.1})

Trunk
mozilla1.8.1
crash, fixed1.8.1
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.8.1 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
This has been happening a lot in recent builds - normally something associated with Gmail but I can't work out exactly what.

TB22779112W, TB22778371Z,TB22783972X are all examples of this.

If I find out exactly how to reproduce I'll post a reply.

Comment 1

12 years ago
This crash occurs on 1.8, too, according to Talkback.

Incident ID: 22783972
Stack Signature	block_getProperty 1aedeef9
Product ID	FirefoxTrunk
Build ID	2006090104
Trigger Time	2006-09-01 13:29:09.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	js3250.dll + (0002f4d4)
URL visited	
User Comments	
Since Last Crash	7087 sec
Total Uptime	23674 sec
Trigger Reason	Access violation
Source File, Line No.	c:\builds\tinderbox\fx-trunk-cairo\winnt_5.2_depend\mozilla\js\src\jsobj.c, line 1960
Stack Trace 	
block_getProperty  [mozilla\js\src\jsobj.c, line 1960]
js_PutBlockObject  [mozilla\js\src\jsobj.c, line 1935]
PutBlockObjects  [mozilla\js\src\jsinterp.c, line 522]
js_Invoke  [mozilla\js\src\jsinterp.c, line 1385]
Severity: major → critical
Keywords: crash
Summary: Repeated crashes [@js3250.dll + (0002f4d4)] → Repeated crashes [@ block_getProperty]
(Assignee)

Comment 2

12 years ago
Created attachment 236510 [details] [diff] [review]
fix

Same drill as for JSOP_SETSP.  The scope chain, unlike the block chain, can link to an outer function's block clone.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #236510 - Flags: review?(mrbkap)
Attachment #236510 - Flags: approval1.8.1?
(Assignee)

Updated

12 years ago
Flags: blocking1.8.1?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8.1
(Assignee)

Comment 3

12 years ago
What's the threshold for topcrash?  Anyone who knows, please this if it is one.

/be

Updated

12 years ago
Flags: blocking1.8.1? → blocking1.8.1+

Updated

12 years ago
Attachment #236510 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 4

12 years ago
Fixed on trunk.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Comment 5

12 years ago
jay, comment 3?

someone found this with Jesse's fuzzer but didn't file it.
Flags: in-testsuite-
(Assignee)

Updated

12 years ago
Depends on: 351204
(Assignee)

Updated

12 years ago
Attachment #236510 - Flags: review+
Attachment #236510 - Flags: approval1.8.1?
(Assignee)

Comment 6

12 years ago
Created attachment 236591 [details] [diff] [review]
1.8 branch roll-up patch

This is the combination of the incorrect "fix" patch from this bug, and the followup patch in bug 351204.

/be
Attachment #236591 - Flags: review+
Attachment #236591 - Flags: approval1.8.1?
(Assignee)

Updated

12 years ago
Blocks: 336378
Comment on attachment 236591 [details] [diff] [review]
1.8 branch roll-up patch

a=dbaron.  Please land on the MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #236591 - Flags: approval1.8.1? → approval1.8.1+
(Assignee)

Comment 8

12 years ago
Roll-up patch landed on the 1.8 branch.

/be
Keywords: fixed1.8.1
(Reporter)

Comment 9

12 years ago
I know this has been marked as fixed but even on todays builds I'm still getting this crash when opening a link from G-Mail and then closing the G-Mail tab:

TB22848559Q, TB22849793Z are both from todays builds.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060903 Minefield/3.0a1 - Build ID: 2006090304
(Assignee)

Comment 10

12 years ago
(In reply to comment #9)
> I know this has been marked as fixed but even on todays builds I'm still
> getting this crash when opening a link from G-Mail and then closing the G-Mail
> tab:
> 
> TB22848559Q, TB22849793Z are both from todays builds.

The followup patch (bug 351204) went in after midnight Pacific -- was it in this build, for sure?

/be
(Reporter)

Comment 11

12 years ago
(In reply to comment #10)
> The followup patch (bug 351204) went in after midnight Pacific -- was it in
> this build, for sure?
> 
> /be
> 

Just download the latest hourly build:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060904 Minefield/3.0a1 - Build ID: 2006090401

And I can still reproduce the crash. On investigation though its in the same cases but now its crashing @AllocSlots.

TB22871716G, TB22871792H

This is normally reproduced by middle clicking a Bugzilla link in G-Mail, closing the G-mail tab before the Bugzilla page has finished loading. Not even shure if this is the same bug.
(Assignee)

Comment 12

12 years ago
Ryan, please file a new bug.  Those stacks look very bogus.  Maybe dbaron or jay can comment here, or in the new bug if you file it before they read this.

/be
(Reporter)

Comment 13

12 years ago
(In reply to comment #12)
> Ryan, please file a new bug.  Those stacks look very bogus.  Maybe dbaron or
> jay can comment here, or in the new bug if you file it before they read this.
> 
> /be
> 

Done, reported as bug 351329.
Crash Signature: [@ block_getProperty]
You need to log in before you can comment on or make changes to this bug.