Closed
Bug 433289
Opened 16 years ago
Closed 16 years ago
Repeated crashes when interacting with Digg [@ JS_GetReservedSlot - xpc_CloneJSFunction]
Categories
(Core :: XPConnect, defect)
RESOLVED
DUPLICATE
of bug 434673
People
(Reporter: david_dillard, Unassigned)
Details
(Keywords: crash)
Attachments
(4 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008051006 Minefield/3.0pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008051006 Minefield/3.0pre

After either posting a comment to Digg or digg'ing something up or down I will get a crash. It appears to be JavaScript related as when a crash occurs it will happen several seconds after I've performed the action.

Reproducible: Sometimes

Steps to Reproduce:
1. Go to Digg
2. Post a comment or digg someone else's comment up or down
3. Repeat step #2 a few times

Actual Results:
Crash

Expected Results:
No crash

I've got a bunch of crash reports for this. Here are a few of the latest:

http://crash-stats.mozilla.com/report/index/8b9dbc38-1fac-11dd-a598-001321b13766
http://crash-stats.mozilla.com/report/index/e5140bd4-1f53-11dd-9e96-001cc4e2bf68
http://crash-stats.mozilla.com/report/index/5f0c2919-1ea1-11dd-9467-001cc45a2c28
http://crash-stats.mozilla.com/report/index/3d089feb-1ded-11dd-abbd-001cc4e2bf68
http://crash-stats.mozilla.com/report/index/3c8be5fa-1dec-11dd-92d3-001321b13766
http://crash-stats.mozilla.com/report/index/11f97445-1dca-11dd-a676-001cc45a2c28
http://crash-stats.mozilla.com/report/index/9cf600d9-1d51-11dd-a2b7-001cc45a2ce4
http://crash-stats.mozilla.com/report/index/b1b06800-1d50-11dd-830a-001a4bd46e84
http://crash-stats.mozilla.com/report/index/e9288edc-1d4f-11dd-9aba-001cc45a2ce4

Here's the earliest crash I found:

http://crash-stats.mozilla.com/report/index/75f90c6e-0cc1-11dd-91c3-001321b13766

I'm usually given the opportunity to create a crash dump file. If it's useful if someone will tell me where to find this file I'll create one (or several) and attach it to this incident.
I can't repro this bug using Vista and Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008051206 Firefox/3.0. I even installed Google Desktop so that I had GoogleDesktopResources_*.dll loaded into the firefox.exe process but no problems digging stuff. I did not see the GoogleDesktopNetwork3.dll module loaded into my process though, any ideas on what that is?

Regarding your question about crash dumps. It's possible to save such a dump from WinDbg and they are usually quite useful. There are different types of crash dumps though, and note that some of these dump files can contain significant amounts of private data such as what websites you're visiting, your IP and even passwords.

To save a crash dump, follow along the steps for getting a stacktrace and then after you've entered the "kp" command to print the stack you also type _ONE_ of these commands:

.dump /mrR c:\minimal_crash_dump_without_variables.dmp
.dump /m c:\regular_crash_minidump.dmp
.dump /ma c:\huge_crash_dump_includes_everything.dmp

The first one saves a tiny minimal crash dump where all variables have been removed (this dump is mostly useful for recreating the stacktrace of all threads). The second command saves a regular minidump, from which you can extract variable values, parameters etc. The third and last command will save a HUGE dump with all the information about the crash including a copy of all the heap memory firefox had allocated and copies of all EXE and DLL files (this last option typically generates a dump which is tens of megabytes in size and can't be attached to a bug report at all).
Reporter
Comment 3•16 years ago

Here's the result:

0:000> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\bmnet.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\bmnet.dll -
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP:
+1000000
01000000 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 01000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 01000000
Attempt to read from address 01000000

FAULTING_THREAD: 000010fc
DEFAULT_BUCKET_ID: NULL_INSTRUCTION_PTR
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 01000000
FAILED_INSTRUCTION_ADDRESS:
+1000000
01000000 ?? ???
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
IP_ON_HEAP: 01000000
IP_IN_RESERVED_BLOCK: 1000000
PRIMARY_PROBLEM_CLASS: NULL_INSTRUCTION_PTR
BUGCHECK_STR: APPLICATION_FAULT_NULL_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER: from 6014d754 to 01000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f670 6014d754 0131f690 085fa658 00000004 0x1000000
0012f694 6056ea14 0131f690 085fa658 00000000 js3250!JS_GetReservedSlot+0x34164
0012f6e8 605568c7 085fa658 06d8c260 0131f690 xul!xpc_CloneJSFunction+0x6c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativeinfo.cpp @ 77]
0012f728 605986f6 0131f690 0012f74c 0131f690 xul!XPCWrapper::GetOrSetNativeProperty+0x147 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrapper.cpp @ 686]
0012f7dc 605987f8 cca3f85b 0aa63040 0012f818 xul!EnsureLegalActivity+0x56 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 216]
0012f7ec 6059868f 0aa63040 093dbf40 00000000 xul!ShouldBypassNativeWrapper+0x14 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 142]
0012f818 60598844 0131f690 0aa63040 015f4194 xul!XPC_NW_GetOrSetProperty+0xa1 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 499]
0012f830 6010dc5b 0131f690 0aa63040 015f4194 xul!XPC_NW_GetProperty+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 534]
0012f86c 6011c135 0aa63040 0aa63040 0012f8b8 js3250!js_NativeGet+0x13b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 3561]
0012f9e4 6010ed5e 0131f690 0131f690 02f21020 js3250!js_Interpret+0x1565 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4160]
0012faa4 60109129 0131f690 00000001 02f21020 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012fae0 60552e92 0131f690 0183a2a0 021b4b80 js3250!JS_CallFunctionValue+0xb9 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 5054]
0012fb4c 604b472e 01391340 0183a2a0 021b4b80 xul!nsJSContext::CallEventHandler+0x192 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsjsenvironment.cpp @ 1962]
0012fc28 605b7af2 01391340 02fb1640 02fb9280 xul!nsGlobalWindow::RunTimeout+0x2ae [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 7896]
0012fc40 60562c3e 02fb9280 02fb1640 003193b0 xul!nsGlobalWindow::TimerCallback+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 8228]
0012fc58 60562bb5 00000000 00000001 604d3dc8 xul!nsTimerImpl::Fire+0x7c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 400]
0012fc64 604d3dc8 06eef240 013169c0 0031f2e0 xul!nsTimerEvent::Run+0x1f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 492]
0012fc88 604bc53a 00000001 00000001 0012fca8 xul!nsThread::ProcessNextEvent+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0012fca0 6064134f 00000001 80000000 60581572 xul!nsBaseAppShell::Run+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0012fcac 60581572 01313d60 0031c0b0 00000000 xul!nsAppStartup::Run+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0012fcb4 0031c0b0 00000000 0031c0a8 003004a0 xul!XRE_main+0xdba [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]
0012fcb8 00000000 0031c0a8 003004a0 0032e260 0x31c0b0

FOLLOWUP_IP:
js3250!JS_GetReservedSlot+34164
6014d754 83c40c add esp,0Ch

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: js3250!JS_GetReservedSlot+34164
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: js3250
IMAGE_NAME: js3250.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 48270def
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: NULL_INSTRUCTION_PTR_c0000005_js3250.dll!JS_GetReservedSlot
BUCKET_ID: APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_js3250!JS_GetReservedSlot+34164
Followup: MachineOwner
---------

Not sure why I'm getting the messages about bad symbol files. Here's the symbol search path:

SRV*c:\oss\Firefox3\Symbols\*http://msdl.microsoft.com/download/symbols;SRV*c:\oss\Firefox3\Symbols\*http://symbols.mozilla.org/firefox
Reporter
Comment 4•16 years ago

(In reply to comment #2)

Okay, I'll try to get a crash dump.

Regarding the Google Desktop, I have no idea what the files are. I inherited this laptop and the previous owner had installed it. I never used it and never had enough of a reason to get rid of it until now.

I should say I also have Visual Studio 2005 on this system, so if there's anything in particular you'd like to see that can't be done with WinDbg that's an option.
Reporter
Comment 5•16 years ago

(In reply to comment #3)
> SYMBOL_NAME: js3250!JS_GetReservedSlot+34164
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: js3250
>
> IMAGE_NAME: js3250.dll
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 48270def
>
> STACK_COMMAND: ~0s ; kb
>
> FAILURE_BUCKET_ID: NULL_INSTRUCTION_PTR_c0000005_js3250.dll!JS_GetReservedSlot
>
> BUCKET_ID:
> APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_js3250!JS_GetReservedSlot+34164
>
> Followup: MachineOwner

That JS_GetReservedSlot looked familiar so I went back through the crashes I've had and found one where it was mentioned:

http://crash-stats.mozilla.com/report/index/bd8983a3-13a3-11dd-822b-001321b13766

Perhaps this will be useful.
Reporter
Comment 6•16 years ago

0:000> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\xpsp2res.dll
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\bmnet.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\bmnet.dll -
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP:
js3250!JS_GetReservedSlot+30 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 4174]
60119620 8b4058 mov eax,dword ptr [eax+58h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 60119620 (js3250!JS_GetReservedSlot+0x00000030)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 07fa000e
Attempt to read from address 07fa000e

FAULTING_THREAD: 000016e4
DEFAULT_BUCKET_ID: STATUS_ACCESS_VIOLATION
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 07fa000e
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRIMARY_PROBLEM_CLASS: STATUS_ACCESS_VIOLATION
BUGCHECK_STR: APPLICATION_FAULT_STATUS_ACCESS_VIOLATION
LAST_CONTROL_TRANSFER: from 6056ea14 to 60119620

STACK_TEXT:
0012f414 6056ea14 0131f690 07f9fc40 00000000 js3250!JS_GetReservedSlot+0x30 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 4174]
0012f468 605568c7 07f9fc40 02fa0920 0131f690 xul!xpc_CloneJSFunction+0x6c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativeinfo.cpp @ 77]
0012f56c 6059868f 066062c0 025122b0 00000000 xul!XPCWrapper::GetOrSetNativeProperty+0x147 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrapper.cpp @ 686]
0012f598 60598844 0131f690 066062c0 015f4194 xul!XPC_NW_GetOrSetProperty+0xa1 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 499]
0012f5b0 6010dc5b 0131f690 066062c0 015f4194 xul!XPC_NW_GetProperty+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 534]
0012f5ec 6011c135 066062c0 066062c0 0012f638 js3250!js_NativeGet+0x13b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 3561]
0012f74c 6010ed5e 0131f690 021de4f4 021de4f8 js3250!js_Interpret+0x1565 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4160]
0012f808 6010715e 0131f690 00000003 021de4f8 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012f858 60140c56 00000000 00000003 021de4c8 js3250!array_extra+0x1be [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2736]
0012f86c 6011c565 0131f690 00000001 021de4c8 js3250!array_forEach+0x16 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2792]
0012f9e4 6010ed5e 0131f690 0131f690 021dd020 js3250!js_Interpret+0x1995 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4834]
0012faa4 60109129 0131f690 00000001 021dd020 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012fae0 60552e92 0131f690 01826ba0 02436de0 js3250!JS_CallFunctionValue+0xb9 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 5054]
0012fb4c 604b472e 01391340 01826ba0 02436de0 xul!nsJSContext::CallEventHandler+0x192 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsjsenvironment.cpp @ 1962]
0012fc28 605b7af2 01391340 0a028a00 0a02d610 xul!nsGlobalWindow::RunTimeout+0x2ae [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 7896]
0012fc40 60562c3e 0a02d610 0a028a00 003193b0 xul!nsGlobalWindow::TimerCallback+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 8228]
0012fc58 60562bb5 00000000 00000001 604d3dc8 xul!nsTimerImpl::Fire+0x7c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 400]
0012fc64 604d3dc8 04fb48d0 013169c0 0031f2e0 xul!nsTimerEvent::Run+0x1f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 492]
0012fc88 604bc53a 00000001 00000001 0012fca8 xul!nsThread::ProcessNextEvent+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0012fca0 6064134f 00000001 80000000 60581572 xul!nsBaseAppShell::Run+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0012fcac 60581572 01313d60 0031c0b0 00000000 xul!nsAppStartup::Run+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0012fcb4 0031c0b0 00000000 0031c0a8 003004a0 xul!XRE_main+0xdba [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fcb8 00000000 0031c0a8 003004a0 0032e260 0x31c0b0
Reporter
Comment 7•16 years ago
I've attached the crash file for the analysis in comment #6.
Reporter
Comment 8•16 years ago
I've attached the crash file for the analysis in comment #6.
Reporter
Comment 9•16 years ago
Sorry about double posting the dump, the first time it didn't appear to work so I did it again. The dumps in #7 and #8 are the same file.
Component: General → XPConnect
Keywords: crash
Product: Firefox → Core
QA Contact: general → xpconnect
Summary: Repeated crashes when interacting with Digg → Repeated crashes when interacting with Digg [@ JS_GetReservedSlot - xpc_CloneJSFunction]
Whiteboard: DUPEME
Version: unspecified → Trunk
Reporter
Comment 10•16 years ago

Here's another crash. It's similar in that it appears to happen in JS_GetReservedSlot(), but it's different in that it has a bad instruction pointer suggesting stack corruption.

(1144.8c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a48e10a ebx=00000000 ecx=0131eae0 edx=00000006 esi=00000004 edi=601a48e0
eip=1a48e10a esp=0012f3f4 ebp=0a629ce8 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283
1a48e10a ?? ???

0:000> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\bmnet.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\bmnet.dll -
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP:
+1a48e10a
1a48e10a ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 1a48e10a
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 1a48e10a
Attempt to read from address 1a48e10a

FAULTING_THREAD: 000008c4
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 1a48e10a
FAILED_INSTRUCTION_ADDRESS:
+1a48e10a
1a48e10a ?? ???
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
IP_ON_HEAP: 1a48e10a
IP_IN_FREE_BLOCK: 1a48e10a
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER: from 6014d689 to 1a48e10a

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f3f0 6014d689 0131eae0 0a629ce8 00000004 0x1a48e10a
0012f414 6059394b 0131eae0 0a629ce8 00000000 js3250!JS_GetReservedSlot+0x34039
0012f468 6057cb67 0a629ce8 0aad4380 0131eae0 xul!xpc_CloneJSFunction+0x6c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativeinfo.cpp @ 77]
0012f4a8 605bcdc6 0131eae0 0012f4cc 0131eae0 xul!XPCWrapper::GetOrSetNativeProperty+0x147 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrapper.cpp @ 686]
0012f55c 605bcec8 3b579ff4 0aad43a0 0012f598 xul!EnsureLegalActivity+0x56 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 216]
0012f56c 605bcd59 0aad43a0 083acf10 00000000 xul!ShouldBypassNativeWrapper+0x14 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 142]
0012f598 605bcf14 0131eae0 0aad43a0 015f3194 xul!XPC_NW_GetOrSetProperty+0xa1 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 499]
0012f5b0 6010e0db 0131eae0 0aad43a0 015f3194 xul!XPC_NW_GetProperty+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 534]
0012f5ec 6011c1aa 0aad43a0 0aad43a0 0012f638 js3250!js_NativeGet+0x13b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 3561]
0012f74c 6010ef2e 0131eae0 0222802c 02228030 js3250!js_Interpret+0x156a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4160]
0012f808 601073fe 0131eae0 00000003 02228030 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012f858 60140b16 00000000 00000003 02228000 js3250!array_extra+0x1be [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2736]
0012f86c 6011c57a 0131eae0 00000001 02228000 js3250!array_forEach+0x16 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2792]
0012f9e4 6010ef2e 0131eae0 0131eae0 02227020 js3250!js_Interpret+0x193a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4834]
0012faa4 601092c9 0131eae0 00000001 02227020 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012fae0 605792c2 0131eae0 01aad4c0 02410a40 js3250!JS_CallFunctionValue+0xb9 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 5054]
0012fb4c 604da654 0154fd60 01aad4c0 02410a40 xul!nsJSContext::CallEventHandler+0x192 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsjsenvironment.cpp @ 1962]
0012fc28 604affec 0154fd60 05599180 05593a00 xul!nsGlobalWindow::RunTimeout+0x2a4 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 7896]
0012fc40 605893da 05593a00 05599180 003193b0 xul!nsGlobalWindow::TimerCallback+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 8228]
0012fc58 60589351 00000000 00000001 60502418 xul!nsTimerImpl::Fire+0x7c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 400]
0012fc64 60502418 0506ce70 01316940 0031f2e0 xul!nsTimerEvent::Run+0x1f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 492]
0012fc88 604eb48a 00000001 00000001 0012fca8 xul!nsThread::ProcessNextEvent+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0012fca0 60642983 00000001 80000000 605a730c xul!nsBaseAppShell::Run+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0012fcac 605a730c 01313cd0 0031c0b0 00000000 xul!nsAppStartup::Run+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0012fcb4 0031c0b0 00000000 0031c0a8 003004a0 xul!XRE_main+0xdba [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]
0012fcb8 00000000 0031c0a8 003004a0 0032e260 0x31c0b0

FOLLOWUP_IP:
js3250!JS_GetReservedSlot+34039
6014d689 83c40c add esp,0Ch

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: js3250!JS_GetReservedSlot+34039
FOLLOWUP_NAME: MachineOwner
Reporter
Comment 11•16 years ago
Reporter
Comment 12•16 years ago

Just got another of these crashes, the exact address is a little different than the others recorded here, but it's the same basic crash.

I was poking around in the disassembly in the debugger and it appears that the first call to JS_GetReservedSlot() below is the direct cause of the crash.

JSObject *
xpc_CloneJSFunction(XPCCallContext &ccx, JSObject *funobj, JSObject *parent)
{
    JSObject *clone = JS_CloneFunctionObject(ccx, funobj, parent);
    if(!clone)
        return nsnull;

    AUTO_MARK_JSVAL(ccx, OBJECT_TO_JSVAL(clone));

    XPCWrappedNativeScope *scope =
        XPCWrappedNativeScope::FindInJSObjectScope(ccx, parent);
    if (!scope) {
        return nsnull;
    }

    // Make sure to break the prototype chain to the function object
    // we cloned to prevent its scope from leaking into the clones
    // scope.
    JS_SetPrototype(ccx, clone, scope->GetPrototypeJSFunction());

    // Copy the reserved slots to the clone.
    jsval ifaceVal, memberVal;
    if(!JS_GetReservedSlot(ccx, funobj, 0, &ifaceVal) ||
       !JS_GetReservedSlot(ccx, funobj, 1, &memberVal))
        return nsnull;

The value of ccx is 0x200. Kind of odd for a reference to an object that was allocated on the stack by the caller of this function. Thus, it would appear that the call to JS_SetPrototype() (or something it calls) is corrupting the stack. The other possibility being that EDI is corrupted coming back from the call to JS_SetPrototype().

0:000> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\bmnet.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\bmnet.dll -
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP:
+200
00000200 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000200
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000200
Attempt to read from address 00000200

FAULTING_THREAD: 00000b74
DEFAULT_BUCKET_ID: NULL_INSTRUCTION_PTR
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 00000200
FAILED_INSTRUCTION_ADDRESS:
+200
00000200 ?? ???
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRIMARY_PROBLEM_CLASS: NULL_INSTRUCTION_PTR
BUGCHECK_STR: APPLICATION_FAULT_NULL_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER: from 6014d6f9 to 00000200

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f3f0 6014d6f9 0131d690 029e1b28 00000004 0x200
0012f414 605b865a 0131d690 029e1b28 00000000 js3250!JS_GetReservedSlot+0x34109
0012f468 605a2fe7 029e1b28 03808760 0131d690 xul!xpc_CloneJSFunction+0x6c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativeinfo.cpp @ 77]
0012f4a8 604d1126 0131d690 0012f4cc 0131d690 xul!XPCWrapper::GetOrSetNativeProperty+0x147 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrapper.cpp @ 686]
0012f55c 604d0fd3 83da7ee9 03808780 0012f598 xul!EnsureLegalActivity+0x56 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 216]
0012f56c 604d11f5 03808780 025a4ca0 00000000 xul!ShouldBypassNativeWrapper+0x14 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 142]
0012f598 604d0fbb 0131d690 03808780 015f3194 xul!XPC_NW_GetOrSetProperty+0xa1 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 499]
0012f5b0 6010e09b 0131d690 03808780 015f3194 xul!XPC_NW_GetProperty+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 534]
0012f5ec 6011c135 03808780 03808780 0012f638 js3250!js_NativeGet+0x13b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 3561]
0012f74c 6010eeee 0131d690 03555900 03555904 js3250!js_Interpret+0x1565 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4160]
0012f808 601073be 0131d690 00000003 03555904 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012f858 60140b66 00000000 00000003 035558d4 js3250!array_extra+0x1be [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2736]
0012f86c 6011c563 0131d690 00000001 035558d4 js3250!array_forEach+0x16 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2792]
0012f9e4 6010eeee 0131d690 0131d690 03555020 js3250!js_Interpret+0x1993 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4834]
0012faa4 60109289 0131d690 00000001 03555020 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012fae0 6059f982 0131d690 0183b2a0 0219c460 js3250!JS_CallFunctionValue+0xb9 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 5054]
0012fb4c 6058a8de 0154f340 0183b2a0 0219c460 xul!nsJSContext::CallEventHandler+0x192 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsjsenvironment.cpp @ 1962]
0012fc28 604b1472 0154f340 082f09c0 082ef610 xul!nsGlobalWindow::RunTimeout+0x2ae [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 7896]
0012fc40 605ad664 082ef610 082f09c0 003193b0 xul!nsGlobalWindow::TimerCallback+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 8228]
0012fc58 605ad5cf 00000000 00000001 60552408 xul!nsTimerImpl::Fire+0x88 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 400]
0012fc64 60552408 06bd1490 01316940 0031f2e0 xul!nsTimerEvent::Run+0x1f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 492]
0012fc88 60566b2a 00000001 00000001 0012fca8 xul!nsThread::ProcessNextEvent+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0012fca0 60642175 00000001 80000000 605cd10e xul!nsBaseAppShell::Run+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0012fcac 605cd10e 01313cd0 0031c0b0 00000000 xul!nsAppStartup::Run+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0012fcb4 0031c0b0 00000000 0031c0a8 003004a0 xul!XRE_main+0xdba [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]
0012fcb8 00000000 0031c0a8 003004a0 0032e260 0x31c0b0

FOLLOWUP_IP:
js3250!JS_GetReservedSlot+34109
6014d6f9 83c40c add esp,0Ch

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: js3250!JS_GetReservedSlot+34109
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: js3250
IMAGE_NAME: js3250.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 482af3e9
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: NULL_INSTRUCTION_PTR_c0000005_js3250.dll!JS_GetReservedSlot
BUCKET_ID: APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_js3250!JS_GetReservedSlot+34109
Followup: MachineOwner
---------
Comment 13 • 16 years ago
Sorry. Please be careful: we use optimizing compilers, and the debuggers don't try to handle all those optimizations; understanding them is left as an exercise for the engineer. In many cases you'll need to look at a calling frame to find the correct variable. I'm 75% certain that the general cause for crashes in xpc_CloneJSFunction is that an object was garbage collected. This typically means that someone failed to root an object during construction and it died.
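The rooting failure that comment 13 describes, as an added illustration that is not from this bug or from Mozilla's code: a toy mark-and-sweep heap that collects on every allocation, with the unrooted construction pattern beside the rooted one. Every name in it (`gc_alloc`, `push_root`, `POISON`, and so on) is hypothetical and does not correspond to SpiderMonkey's API.

```c
#include <stdio.h>
#include <string.h>

/* Toy mark-and-sweep heap. Every name here is hypothetical; none is SpiderMonkey's. */
#define HEAP_CELLS 8
#define MAX_ROOTS  4
#define POISON     0xDEADBEEFu   /* written into cells the sweep frees */

typedef struct Obj {
    int in_use, marked;
    unsigned reserved_slot;      /* stands in for a reserved-slot value */
    struct Obj *child;           /* the only kind of edge the GC traces */
} Obj;

static Obj heap[HEAP_CELLS];
static Obj **roots[MAX_ROOTS];   /* addresses of C locals the GC must treat as live */
static int nroots, cursor;

static void gc_reset(void) { memset(heap, 0, sizeof heap); nroots = 0; cursor = 0; }
static void push_root(Obj **p) { if (nroots < MAX_ROOTS) roots[nroots++] = p; }
static void pop_root(void) { if (nroots > 0) nroots--; }

/* Mark everything reachable from the roots, then poison and free the rest. */
static void gc_collect(void) {
    for (int i = 0; i < nroots; i++)
        for (Obj *o = *roots[i]; o && !o->marked; o = o->child) o->marked = 1;
    for (int i = 0; i < HEAP_CELLS; i++) {
        if (heap[i].in_use && !heap[i].marked) {
            heap[i].in_use = 0; heap[i].reserved_slot = POISON;
        }
        heap[i].marked = 0;
    }
}

/* Stress mode: collect on every allocation so a missing root fails at once. */
static Obj *gc_alloc(unsigned slot_value) {
    gc_collect();
    for (int n = 0; n < HEAP_CELLS; n++) {
        Obj *o = &heap[(cursor + n) % HEAP_CELLS];
        if (o->in_use) continue;
        cursor = (cursor + n + 1) % HEAP_CELLS;   /* next-fit: avoid instant reuse */
        o->in_use = 1; o->reserved_slot = slot_value; o->child = NULL;
        return o;
    }
    return NULL;
}

/* Bug pattern: 'fun' lives only in a C local while the next allocation runs the GC. */
static unsigned clone_unrooted(void) {
    gc_reset();
    Obj *fun = gc_alloc(42);
    Obj *parent = gc_alloc(7);   /* collects: nothing references 'fun', so it is swept */
    parent->child = fun;         /* too late, the cell was already freed */
    return fun->reserved_slot;   /* stale read from a dead cell */
}

/* Fix pattern: keep the local registered as a root across the construction window. */
static unsigned clone_rooted(void) {
    gc_reset();
    Obj *fun = gc_alloc(42);
    push_root(&fun);
    Obj *parent = gc_alloc(7);   /* collects, but 'fun' is marked through the root */
    parent->child = fun;
    pop_root();
    return fun->reserved_slot;
}

int main(void) {
    printf("unrooted: %#x\nrooted: %u\n", clone_unrooted(), clone_rooted());
    return 0;
}
```

In a real engine the dead cell is reused or unmapped rather than poisoned, so the same stale pointer surfaces as an unpredictable read address or jump target instead of a recognisable marker.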
Comment 14 (Reporter) • 16 years ago
I was worried that Digg's revamping of its comment system would make it harder or impossible to reproduce this problem. Silly me.
It's a little different this time - and a lot cleaner on the crash.
(1cf4.1ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04e90fd9 ebx=00000000 ecx=04e904d0 edx=00000006 esi=00000004 edi=601a48e0
eip=60119620 esp=0012f404 ebp=04e90460 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
js3250!JS_GetReservedSlot+0x30:
60119620 8b4058 mov eax,dword ptr [eax+58h] ds:0023:04e91031=????????
0:000> !analyze -v -f
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\bmnet.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\bmnet.dll -
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
FAULTING_IP:
js3250!JS_GetReservedSlot+30 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 4174]
60119620 8b4058 mov eax,dword ptr [eax+58h]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 60119620 (js3250!JS_GetReservedSlot+0x00000030)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 04e91031
Attempt to read from address 04e91031
FAULTING_THREAD: 00001ff4
DEFAULT_BUCKET_ID: STATUS_ACCESS_VIOLATION
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 04e91031
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRIMARY_PROBLEM_CLASS: STATUS_ACCESS_VIOLATION
BUGCHECK_STR: APPLICATION_FAULT_STATUS_ACCESS_VIOLATION
LAST_CONTROL_TRANSFER: from 605b865a to 60119620
STACK_TEXT:
0012f414 605b865a 0131eae0 04e90460 00000000 js3250!JS_GetReservedSlot+0x30 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 4174]
0012f468 605a2fe7 04e90460 0802da40 0131eae0 xul!xpc_CloneJSFunction+0x6c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativeinfo.cpp @ 77]
0012f56c 604d11f5 081eebc0 06899340 00000000 xul!XPCWrapper::GetOrSetNativeProperty+0x147 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrapper.cpp @ 686]
0012f598 604d0fbb 0131eae0 081eebc0 015f3194 xul!XPC_NW_GetOrSetProperty+0xa1 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 499]
0012f5b0 6010e09b 0131eae0 081eebc0 015f3194 xul!XPC_NW_GetProperty+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 534]
0012f5ec 6011c135 081eebc0 081eebc0 0012f638 js3250!js_NativeGet+0x13b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 3561]
0012f74c 6010eeee 0131eae0 01ba9c30 01ba9c34 js3250!js_Interpret+0x1565 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4160]
0012f808 601073be 0131eae0 00000003 01ba9c34 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012f858 60140b66 00000000 00000003 01ba9c04 js3250!array_extra+0x1be [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2736]
0012f86c 6011c563 0131eae0 00000001 01ba9c04 js3250!array_forEach+0x16 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2792]
0012f9e4 6010eeee 0131eae0 0131eae0 01ba9020 js3250!js_Interpret+0x1993 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4834]
0012faa4 60109289 0131eae0 00000001 01ba9020 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012fae0 6059f982 0131eae0 01a98d60 02425760 js3250!JS_CallFunctionValue+0xb9 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 5054]
0012fb4c 6058a8de 0154fd60 01a98d60 02425760 xul!nsJSContext::CallEventHandler+0x192 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsjsenvironment.cpp @ 1962]
0012fc28 604b1472 0154fd60 05d03c80 05d08430 xul!nsGlobalWindow::RunTimeout+0x2ae [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 7896]
0012fc40 605ad664 05d08430 05d03c80 003193b0 xul!nsGlobalWindow::TimerCallback+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 8228]
0012fc58 605ad5cf 00000000 00000001 60552408 xul!nsTimerImpl::Fire+0x88 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 400]
0012fc64 60552408 0967b050 01316940 0031f2e0 xul!nsTimerEvent::Run+0x1f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 492]
0012fc88 60566b2a 00000001 00000001 0012fca8 xul!nsThread::ProcessNextEvent+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0012fca0 60642175 00000001 80000000 605cd10e xul!nsBaseAppShell::Run+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0012fcac 605cd10e 01313cd0 0031c0b0 00000000 xul!nsAppStartup::Run+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0012fcb4 0031c0b0 00000000 0031c0a8 003004a0 xul!XRE_main+0xdba [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fcb8 00000000 0031c0a8 003004a0 0032e260 0x31c0b0
FOLLOWUP_IP:
js3250!JS_GetReservedSlot+30 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 4174]
60119620 8b4058 mov eax,dword ptr [eax+58h]
FAULTING_SOURCE_CODE:
4170: limit = JSCLASS_RESERVED_SLOTS(clasp);
4171: if (index >= limit && !ReservedSlotIndexOK(cx, obj, clasp, index, limit))
4172: return JS_FALSE;
4173: slot = JSSLOT_START(clasp) + index;
> 4174: *vp = OBJ_GET_REQUIRED_SLOT(cx, obj, slot);
4175: return JS_TRUE;
4176: }
4177:
4178: JS_PUBLIC_API(JSBool)
4179: JS_SetReservedSlot(JSContext *cx, JSObject *obj, uint32 index, jsval v)
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: js3250!JS_GetReservedSlot+30
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: js3250
IMAGE_NAME: js3250.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 482af3e9
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: STATUS_ACCESS_VIOLATION_c0000005_js3250.dll!JS_GetReservedSlot
BUCKET_ID: APPLICATION_FAULT_STATUS_ACCESS_VIOLATION_js3250!JS_GetReservedSlot+30
Followup: MachineOwner
---------
Here's the assembly:
js3250!JS_GetReservedSlot:
601195f0 51 push ecx
601195f1 53 push ebx
601195f2 8b5c2414 mov ebx,dword ptr [esp+14h]
601195f6 55 push ebp
601195f7 8b6c2414 mov ebp,dword ptr [esp+14h]
601195fb 56 push esi
601195fc 57 push edi
601195fd 8b7d0c mov edi,dword ptr [ebp+0Ch]
60119600 83e7fc and edi,0FFFFFFFCh
60119603 0fb64705 movzx eax,byte ptr [edi+5]
60119607 3bd8 cmp ebx,eax
60119609 0f8330010000 jae js3250!JS_GetReservedSlot+0x14f (6011973f)
6011960f f6470401 test byte ptr [edi+4],1
60119613 7476 je js3250!JS_GetReservedSlot+0x9b (6011968b)
60119615 be04000000 mov esi,4
6011961a 8b4d00 mov ecx,dword ptr [ebp]
6011961d 8b4104 mov eax,dword ptr [ecx+4]
60119620 8b4058 mov eax,dword ptr [eax+58h] ds:0023:04e91031=????????
Comment 15 (Reporter) • 16 years ago
Comment 16 • 16 years ago
Hi, this is Ian Eure from Digg.

We've noticed a few things:

- Crashes are reproducible - just post a comment to any story on Digg.
- Disabling Firebug (I'm using 1.1.0b12) seems to stop the crashes.
Comment 17 (Reporter) • 16 years ago
(In reply to comment #16)
> Hi, this is Ian Eure from Digg.
>
> We've noticed a few things:
>
> - Crashes are reproducible - just post a comment to any story on Digg.
> - Disabling Firebug (I'm using 1.1.0b12) seems to stop the crashes.
>
I don't have Firebug installed for FF3. However, I do have AdBlockPlus and I suspect that it may be helping to expose the problem.
Comment 18 (Reporter) • 16 years ago
A suggestion on trying to recreate this:
1. Install AdBlockPlus
2. Bring up 10 different stories from Digg.
3. Kill the FF3 process using task manager
4. Start FF3 again and do a restore session
Comment 19 (Reporter) • 16 years ago
Another crash, that's a little bit different (bad ip). To me, this just reinforces the idea that this problem is caused by stack corruption:
(4754.3204): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00044040 ebx=00000000 ecx=0131ec70 edx=00000006 esi=00000004 edi=601a48e0
eip=00044040 esp=0012f3f4 ebp=043e2d58 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210287
00044040 ?? ???
0:000> analyze
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\bmnet.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\bmnet.dll -
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
FAULTING_IP:
+44040
00044040 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00044040
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00044040
Attempt to read from address 00044040
FAULTING_THREAD: 00003204
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 00044040
FAILED_INSTRUCTION_ADDRESS:
+44040
00044040 ?? ???
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
IP_ON_HEAP: 00044040
IP_IN_RESERVED_BLOCK: 44040
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER: from 6014d3f6 to 00044040
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f3f0 6014d3f6 0131ec70 043e2d58 00000004 0x44040
0012f414 604d5248 0131ec70 043e2d58 00000000 js3250!JS_GetReservedSlot+0x27666
0012f468 604eb817 043e2d58 07553480 0131ec70 xul!xpc_CloneJSFunction+0x6c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativeinfo.cpp @ 77]
0012f4a8 604a9eb6 0131ec70 0012f4cc 0131ec70 xul!XPCWrapper::GetOrSetNativeProperty+0x147 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrapper.cpp @ 686]
0012f55c 604a9d68 c67b59dc 075534c0 0012f598 xul!EnsureLegalActivity+0x56 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 216]
0012f56c 604a9f85 075534c0 044059d0 00000000 xul!ShouldBypassNativeWrapper+0x14 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 142]
0012f598 604a9d50 0131ec70 075534c0 015f3194 xul!XPC_NW_GetOrSetProperty+0xa1 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 499]
0012f5b0 601317bb 0131ec70 075534c0 015f3194 xul!XPC_NW_GetProperty+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcnativewrapper.cpp @ 534]
0012f5ec 60120525 075534c0 075534c0 0012f638 js3250!js_NativeGet+0x13b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 3561]
0012f74c 6013068e 0131ec70 03815900 03815904 js3250!js_Interpret+0x1565 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4160]
0012f808 6013889e 0131ec70 00000003 03815904 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012f858 601407c6 00000000 00000003 038158d4 js3250!array_extra+0x1be [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2736]
0012f86c 60120955 0131ec70 00000001 038158d4 js3250!array_forEach+0x16 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsarray.c @ 2792]
0012f9e4 6013068e 0131ec70 0131ec70 03815020 js3250!js_Interpret+0x1995 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 4834]
0012faa4 601361b9 0131ec70 00000001 03815020 js3250!js_Invoke+0x37e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1313]
0012fae0 605a3512 0131ec70 01822420 024b26a0 js3250!JS_CallFunctionValue+0xb9 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 5054]
0012fb4c 6058e6de 0154fa00 01822420 024b26a0 xul!nsJSContext::CallEventHandler+0x192 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsjsenvironment.cpp @ 1962]
0012fc28 605b6ead 0154fa00 0e84cf40 0cfaf700 xul!nsGlobalWindow::RunTimeout+0x2ae [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 7896]
0012fc40 604df4f3 0cfaf700 0e84cf40 003193b0 xul!nsGlobalWindow::TimerCallback+0x17 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsglobalwindow.cpp @ 8228]
0012fc58 604df5c0 00000000 00000001 60517e48 xul!nsTimerImpl::Fire+0x7c [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 400]
0012fc64 60517e48 1240d790 01316940 0031f2e0 xul!nsTimerEvent::Run+0x1f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nstimerimpl.cpp @ 492]
0012fc88 6050086a 00000001 00000001 0012fca8 xul!nsThread::ProcessNextEvent+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0012fca0 60644f5f 00000001 80000000 604c1d83 xul!nsBaseAppShell::Run+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0012fcac 604c1d83 01313cd0 0031c0b0 00000000 xul!nsAppStartup::Run+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0012fcb4 0031c0b0 00000000 0031c0a8 003004a0 xul!XRE_main+0xdba [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]
0012fcb8 00000000 0031c0a8 003004a0 0032e260 0x31c0b0
FOLLOWUP_IP:
js3250!JS_GetReservedSlot+27666
6014d3f6 83c40c add esp,0Ch
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: js3250!JS_GetReservedSlot+27666
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: js3250
IMAGE_NAME: js3250.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 48303e82
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_js3250.dll!JS_GetReservedSlot
BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_BAD_IP_js3250!JS_GetReservedSlot+27666
Followup: MachineOwner
---------
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated (Assignee) • 13 years ago
Crash Signature: [@ JS_GetReservedSlot - xpc_CloneJSFunction]