Closed Bug 367285 Opened 18 years ago Closed 15 years ago

startup Crash in [@ nsJSContext::ClearScope(void*, int)]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: bugzilla-graveyard, Unassigned)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Visiting the above link will kill Camino trunk a high percentage of the time. It may not happen every single time -- I think a rotating ad is doing it, and I can't determine which one -- but if you keep launching Camino and loading that page, you'll hit it eventually.
Talkback ID TB28454869E contains the following, which I got the first time I accessed the URL with a clean profile on the 2007011622 trunk build:


Date/Time:      2007-01-17 17:09:54.000 -0500
OS Version:     10.4.8 (Build 8L127)
Report Version: 4

Command: Camino
Path:    /Applications/Internet/Camino Official Nightlies/Camino.app/Contents/MacOS/Camino
Parent:  WindowServer [61]

Version: 1.2+ (1.2+)

PID:    23337
Thread: Unknown

Link (dyld) error:

no suitable image found.  Did find:
	/Library/Internet Plug-Ins/NP-PPC-Dir-Shockwave: unknown file type, first eight bytes: 0x4A 0x6F 0x79 0x21 0x70 0x65 0x66 0x66

Talkback TB28453077G contains the following, which is the same crash I initially saw before I started trying to narrow down the crash. I have seen this stack with my regular profile and with a clean profile. The only difference was in the Exception and Codes lines; the stack was the same.


Date/Time:      2007-01-17 16:09:05.711 -0500
OS Version:     10.4.8 (Build 8L127)
Report Version: 4

Command: Camino
Path:    /Applications/Internet/Camino Official Nightlies/Camino.app/Contents/MacOS/Camino
Parent:  WindowServer [61]

Version: 1.2+ (1.2+)

PID:    23282
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x20740060

Thread 0 Crashed:
0   <<00000000>> 	0x20740060 0 + 544473184
1   org.mozilla.camino             	0x0046f298 nsJSContext::ClearScope(void*, int) + 68
2   org.mozilla.camino             	0x003d38ec nsGlobalWindow::ClearWindowScope(nsISupports*) + 136
3   org.mozilla.camino             	0x0046f388 nsJSContext::ScriptEvaluated(int) + 76
4   org.mozilla.camino             	0x0046d554 nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 1136
5   org.mozilla.camino             	0x004b09d0 nsJSEventListener::HandleEvent(nsIDOMEvent*) + 1492
6   org.mozilla.camino             	0x0035f418 nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned) + 404
7   org.mozilla.camino             	0x0035f7b8 nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsISupports*, unsigned, nsEventStatus*) + 892
8   org.mozilla.camino             	0x003ee7ac nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned) + 132
9   org.mozilla.camino             	0x003ee9fc nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned, nsDispatchingCallback*) + 352
10  org.mozilla.camino             	0x003eef2c nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, int) + 964
11  org.mozilla.camino             	0x0032349c DocumentViewerImpl::LoadComplete(unsigned) + 356
12  org.mozilla.camino             	0x0021d1dc nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) + 112
13  org.mozilla.camino             	0x001fafac nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) + 208
14  org.mozilla.camino             	0x0021d008 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned, unsigned) + 744
15  org.mozilla.camino             	0x001fdf2c nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, unsigned) + 332
16  org.mozilla.camino             	0x001fd37c nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned) + 56
17  org.mozilla.camino             	0x001fd298 nsDocLoader::DocLoaderIsEmpty() + 292
18  org.mozilla.camino             	0x001fd014 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned) + 576
19  org.mozilla.camino             	0x000b81e4 nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned) + 320
20  org.mozilla.camino             	0x001017d8 nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned) + 748
21  org.mozilla.camino             	0x000df1fc nsInputStreamPump::OnStateStop() + 160
22  org.mozilla.camino             	0x000deda0 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 128
23  libxpcom_core.dylib            	0x2c0825f4 nsInputStreamReadyEvent::OnInputStreamReady(nsIAsyncInputStream*) + 168
24  libxpcom_core.dylib            	0x2c044260 nsThread::ProcessNextEvent(int, int*) + 280
25  libxpcom_core.dylib            	0x2c00a0d8 NS_ProcessPendingEvents_P(nsIThread*, unsigned) + 84
26  org.mozilla.camino             	0x006e8bc4 nsBaseAppShell::NativeEventCallback() + 80
27  org.mozilla.camino             	0x006c9f58 nsAppShell::ProcessGeckoEvents() + 172
28  org.mozilla.camino             	0x006ca4cc non-virtual thunk [nv:-4] to nsAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned) + 336
29  com.apple.Foundation           	0x92959918 __NSFireMachPort + 276
30  com.apple.CoreFoundation       	0x907ea820 __CFMachPortPerform + 176
31  com.apple.CoreFoundation       	0x907ea734 __CFRunLoopDoSource1 + 152
32  com.apple.CoreFoundation       	0x907dce4c __CFRunLoopRun + 1556
33  com.apple.CoreFoundation       	0x907dc47c CFRunLoopRunSpecific + 268
34  com.apple.HIToolbox            	0x93208740 RunCurrentEventLoopInMode + 264
35  com.apple.HIToolbox            	0x93207dd4 ReceiveNextEventCommon + 380
36  com.apple.HIToolbox            	0x93207c40 BlockUntilNextEventMatchingListInMode + 96
37  com.apple.AppKit               	0x9370bae4 _DPSNextEvent + 384
38  com.apple.AppKit               	0x9370b7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
39  com.apple.AppKit               	0x93707cec -[NSApplication run] + 472
40  com.apple.AppKit               	0x937f887c NSApplicationMain + 452
41  org.mozilla.camino             	0x00008fb8 start + 456
42  dyld                           	0x8fe01048 _dyld_start + 60


(In reply to comment #1)
> Link (dyld) error:
> 
> no suitable image found.  Did find:
>         /Library/Internet Plug-Ins/NP-PPC-Dir-Shockwave: unknown file type,
> first eight bytes: 0x4A 0x6F 0x79 0x21 0x70 0x65 0x66 0x66

What does:
file /Library/Internet\ Plug-Ins/NP-PPC-Dir-Shockwave
give you when run from Terminal?

(In reply to comment #3)
> What does:

> file /Library/Internet\ Plug-Ins/NP-PPC-Dir-Shockwave

> give you when run from Terminal?

/Library/Internet Plug-Ins/NP-PPC-Dir-Shockwave: header for PowerPC PEF executable

So, uh, yeah...

> Link (dyld) error:
> 
> no suitable image found.  Did find:
>         /Library/Internet Plug-Ins/NP-PPC-Dir-Shockwave: unknown file type,
> first eight bytes: 0x4A 0x6F 0x79 0x21 0x70 0x65 0x66 0x66

That can be a spurious error sometimes (often related to wacky Apple plugins, like the iPhoto Podcast plugin and whatnot), pointing at the wrong plugin(!) and totally obscuring the actual crash. 


(In reply to comment #6)
> *** Bug 367346 has been marked as a duplicate of this bug. ***
> 

Bug 367346 was on SeaMonkey/PC/Linux; if it _is_ a duplicate, this one should be labeled Core/All/All rather than Camino/Macintosh/MacOsX.
sure, but you're fully capable of moving it.
Assignee: nobody → general
Component: General → DOM
OS: Mac OS X → All
Product: Camino → Core
QA Contact: general → ian
Hardware: Macintosh → All
(In reply to comment #8)
> sure, but you're fully capable of moving it.
> 

no, I don't have ChangeBug privileges on bugs reported by other people.
(In reply to comment #1)
> Talkback ID TB28454869E contains the following, which I got the first time I
> accessed the URL with a clean profile on the 2007011622 trunk build: [...]

Incident ID: 28454869
Stack Signature	_mh_dylib_header() a308fe19
Product ID	MozillaTrunk
Build ID	2007011701
Trigger Time	2007-01-17 14:09:59.0
Platform	MacOSX
Operating System	Darwin 8.8.0
Module	libnspr4.dylib.1.0.0 + (00000000)
URL visited	
User Comments	
Since Last Crash	913 sec
Total Uptime	14724 sec
Trigger Reason	SIGILL: Illegal Instruction: (signal 4)
Source File, Line No.	N/A
Stack Trace 	
_mh_dylib_header()
JS_ClearScope()
nsGlobalWindow::ClearWindowScope()  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 6378]
nsJSContext::ScriptEvaluated()  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 3040]
nsJSContext::CallEventHandler()  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 453]
nsJSEventListener::HandleEvent()
nsEventListenerManager::HandleEventSubType()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1280]
nsEventListenerManager::HandleEvent()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1364]
nsEventTargetChainItem::HandleEvent()
nsEventTargetChainItem::HandleEventTargetChain()
nsEventDispatcher::Dispatch()
DocumentViewerImpl::LoadComplete()  [mozilla/layout/base/nsDocumentViewer.cpp, line 1650]
nsDocShell::EndPageLoad()  [mozilla/docshell/base/nsDocShell.cpp, line 4748]
nsWebShell::EndPageLoad()  [mozilla/docshell/base/nsWebShell.cpp, line 496]
nsDocShell::OnStateChange()  [mozilla/docshell/base/nsDocShell.cpp, line 205]
nsDocLoader::FireOnStateChange()  [mozilla/uriloader/base/nsDocLoader.cpp, line 846]
nsDocLoader::doStopDocumentLoad()  [mozilla/uriloader/base/nsDocLoader.cpp, line 864]
nsDocLoader::DocLoaderIsEmpty()  [mozilla/uriloader/base/nsDocLoader.cpp, line 1119]
nsDocLoader::OnStopRequest()  [mozilla/uriloader/base/nsDocLoader.cpp, line 679]
nsLoadGroup::RemoveRequest()  [mozilla/netwerk/base/src/nsLoadGroup.cpp, line 846]
nsDocument::DoUnblockOnload()  [mozilla/content/base/src/nsDocument.cpp, line 439]
nsUnblockOnloadEvent::Run()
nsThread::ProcessNextEvent()
NS_ProcessPendingEvents_P()
nsBaseAppShell::NativeEventCallback()  [mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp, line 115]
nsAppShell::ProcessGeckoEvents()
-   __NSFireMachPort()
__CFMachPortPerform()
__CFRunLoopDoSource1()
__CFRunLoopRun()
CFRunLoopRunSpecific()
RunCurrentEventLoopInMode()
ReceiveNextEventCommon()
BlockUntilNextEventMatchingListInMode()
_DPSNextEvent()
-   -   NSApplicationMain()
_start()   0x8fe01048
Keywords: crash
Summary: Crash in nsJSContext::ClearScope → Crash in [@ nsJSContext::ClearScope]
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0x20
01 js3250!JS_ClearScope(struct JSContext * cx = 0x241d4fd0, struct JSObject * obj = 0x44633120)+0x27
02 gklayout!nsJSContext::ClearScope(void * aGlobalObj = 0x44633120, int aClearFromProtoChain = 1)+0x39
03 gklayout!nsGlobalWindow::FreeInnerObjects(int aClearScope = 1)+0x10a
04 gklayout!nsGlobalWindow::SetDocShell(class nsIDocShell * aDocShell = 0x00000000)+0x8b
05 docshell!nsDocShell::Destroy(void)+0x34f
06 gklayout!nsFrameLoader::Destroy(void)+0x1f6
07 gklayout!nsGenericHTMLFrameElement::UnbindFromTree(int aDeep = 1, int aNullParent = 0)+0x34
08 gklayout!nsGenericElement::UnbindFromTree(int aDeep = 1, int aNullParent = 0)+0x115
09 gklayout!nsGenericElement::UnbindFromTree(int aDeep = 1, int aNullParent = 0)+0x115
0a gklayout!nsGenericElement::UnbindFromTree(int aDeep = 1, int aNullParent = 1)+0x115
0b gklayout!nsDocument::Destroy(void)+0x8f
0c gklayout!DocumentViewerImpl::Destroy(void)+0x381
0d docshell!nsSHEntry::~nsSHEntry(void)+0x7f
0e docshell!nsSHEntry::`scalar deleting destructor'(void)+0xf
0f docshell!nsSHEntry::Release(void)+0x4d
10 xpc3250!XPCJSRuntime::GCCallback(struct JSContext * cx = 0x026db350, JSGCStatus status = JSGC_END (1))+0x5f9
11 jsd3250!jsds_GCCallbackProc(struct JSContext * cx = 0x026db350, JSGCStatus status = JSGC_END (1))+0x3d
12 gklayout!DOMGCCallback(struct JSContext * cx = 0x026db350, JSGCStatus status = JSGC_END (1))+0x1d
13 js3250!js_GC(struct JSContext * cx = 0x026db350, JSGCInvocationKind gckind = GC_NORMAL (0))+0xcea
14 js3250!JS_GC(struct JSContext * cx = 0x026db350)+0x54
15 xpc3250!nsXPConnect::BeginCycleCollection(void)+0xb9
16 xpcom_core!nsCycleCollector::Collect(void)+0x48
17 xpcom_core!nsCycleCollector_collect(void)+0x18
18 gklayout!nsJSContext::Notify(class nsITimer * timer = 0x23da6458)+0x54
19 xpcom_core!nsTimerImpl::Fire(void)+0xc4
1a xpcom_core!nsTimerEvent::Run(void)+0x57
1b xpcom_core!nsThread::ProcessNextEvent(int mayWait = 1, int * result = 0x0012f6c4)+0x12a
1c xpcom_core!NS_ProcessNextEvent_P(class nsIThread * thread = 0x003f9f18, int mayWait = 1)+0x3f
1d gkwidget!nsBaseAppShell::Run(void)+0x45
1e tkitcmps!nsAppStartup::Run(void)+0x41
1f xul!XRE_main(int argc = 1, char ** argv = 0x003f8388, struct nsXREAppData * aAppData = 0x00402164)+0x2259
20 firefox!main(int argc = 1, char ** argv = 0x003f8388)+0x16
21 firefox!WinMain(struct HINSTANCE__ * __formal = 0x00400000, struct HINSTANCE__ * __formal = 0x00000000, char * args = 0x00152306 "", int __formal = 10)+0x19
22 firefox!__tmainCRTStartup(void)+0x140
23 kernel32!BaseProcessStart+0x23
0:000> .frame 1
01 0012f070 01547139 js3250!JS_ClearScope+0x27 [mozilla\js\src\jsapi.c @ 3222]
0:000> ?? obj->map->ops->clear
<function> * 0x00000020
0:000> .frame 3
03 0012f0b8 0152ee7b gklayout!nsGlobalWindow::FreeInnerObjects+0x10a [mozilla\dom\src\base\nsglobalwindow.cpp @ 637]
0:000> dt this mScriptGlobals[0]
Local var @ 0x12f0ac Type nsGlobalWindow*
0x24d3c308 
   +0x0f0 mScriptGlobals    : [0] 0x44633120 
0:000> .frame 4
04 0012f124 00f54d3f gklayout!nsGlobalWindow::SetDocShell+0x8b [mozilla\dom\src\base\nsglobalwindow.cpp @ 1694]
0:000> dv
          inner = 0x24d3c308
   currentInner = 0x0012f124
         st_ndx = 0x12f17c
           this = 0x3f2397c0
      aDocShell = 0x00000000
        langCtx = 0x0012f128
        lang_id = 0xf764c3
0:000> ?? this->next
struct PRCListStr * 0x24eeab30
   +0x000 next             : 0x24d3c360 PRCListStr
   +0x004 prev             : 0x3f239818 PRCListStr
0:000> ?? this->next->next
struct PRCListStr * 0x24d3c360
   +0x000 next             : 0x239dd5a8 PRCListStr
   +0x004 prev             : 0x24eeab30 PRCListStr

this->next->next is the thing that's basically inner. are we properly walking through these inner references?

0:000> ?? this->next->next->next
struct PRCListStr * 0x239dd5a8
   +0x000 next             : 0x3f239818 PRCListStr
   +0x004 prev             : 0x24d3c360 PRCListStr
0:000> ?? this->next->next->next->next
struct PRCListStr * 0x3f239818
   +0x000 next             : 0x24eeab30 PRCListStr
   +0x004 prev             : 0x239dd5a8 PRCListStr
0:000> .frame 11
0b 0012f2cc 0127ae61 gklayout!nsDocument::Destroy+0x8f [mozilla\content\base\src\nsdocument.cpp @ 5382]
0:000> dt mDocumentTitle mData
Symbol mDocumentTitle not found.
0:000> dt this mDocumentTitle.mData
Local var @ 0x12f2b4 Type nsDocument*
0x249be008 
   +0x010 mDocumentTitle       : 
      +0x004 mData                : 0x23de84e0  "Freeware for Solaris"
0:000> dt this mDocumentURI.mRawPtr
Local var @ 0x12f2b4 Type nsDocument*
0x249be008 
   +0x020 mDocumentURI         : 
      +0x000 mRawPtr              : 0x24c98090 nsISupports
0:000> dt necko!nsStandardURL 0x24c98090 mSpec.mData
   +0x014 mSpec       : 
      +0x004 mData       : 0x24c17210  "http://sunfreeware.mirrors.tds.net/indexintel10.html"

fwiw, I've been using undo close tab more often than i used to, but i don't know if that's relevant.

In this session, I loaded sunfreeware (which has frames), clicked on a mirror link, went back, and clicked on a new link. The page listed here would be the mirror.

my build should be from a pull from 02/08/07  03:53 PM finnish local time (EEST?).
Assignee: general → nobody
QA Contact: ian → general
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6pre) Gecko/20091114 SeaMonkey/2.0.1pre - Build ID: 20091114000507

I reported a dupe of this bug while on Sm 1.5a; it's been a long time since I last saw it. I see no significant activity since 2007. Anyone been bugged by this recently?
Whiteboard: CLOSEME 2009-12-15 WFM
still a rare crash, about 7 per month ... nsJSContext::ClearScope(void*, int).
mostly, but not all, are startup
Summary: Crash in [@ nsJSContext::ClearScope] → startup Crash in [@ nsJSContext::ClearScope(void*, int)]
extension related?

bp-0259fa29-70ae-4652-aeed-65eb62091124
0	xul.dll	nsJSContext::ClearScope	 dom/src/base/nsJSEnvironment.cpp:3321
1	xul.dll	nsGlobalWindow::SetNewDocument	dom/src/base/nsGlobalWindow.cpp:1717
2	xul.dll	nsGlobalWindow::SetNewDocument	dom/src/base/nsGlobalWindow.cpp:1535
3	xul.dll	DocumentViewerImpl::InitInternal	layout/base/nsDocumentViewer.cpp:930
4	xul.dll	DocumentViewerImpl::Init	layout/base/nsDocumentViewer.cpp:684
5	xul.dll	nsDocShell::SetupNewViewer	docshell/base/nsDocShell.cpp:6707
6	xul.dll	nsDocShell::Embed	docshell/base/nsDocShell.cpp:5139 

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=nsJSContext%3A%3AClearScope%28void*%2C%20int%29&date=11%2F10%2F2009&range_value=4&range_unit=weeks&do_query=1&signature=nsJSContext%3A%3AClearScope%28void*%2C%20int%29&page=1

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=nsJSContext%3A%3AClearScope%28void*%2C%20int%29&date=11%2F10%2F2009&range_value=4&range_unit=weeks&do_query=1&signature=nsJSContext%3A%3AClearScope%28void*%2C%20int%29&page=1
Whiteboard: CLOSEME 2009-12-15 WFM
The URL is gone.  I don't think it's worth it to chase such a rare crash signature based on crash-stats info alone.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Crash Signature: [@ nsJSContext::ClearScope(void*, int)]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.