Closed Bug 451884 Opened 16 years ago Closed 16 years ago

Crash [@ QuoteString] on the nytimes.com site

Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, mozilla1.9.1
People: Reporter: martijn.martijn, Assigned: brendan
Details: 4 keywords
Attachments: 2 files

Attached file testcase
When I have the jit prefs enabled in the latest trunk build of Firefox (javascript.options.jit.chrome and javascript.options.jit.content), then I crash on the site I pasted in the url.

http://crash-stats.mozilla.com/report/index/7c9f8e1c-7157-11dd-9678-001a4bd43ed6
0 	js3250.dll 	QuoteString 	js/src/jsopcode.cpp:587
1 	js3250.dll 	Decompile 	js/src/jsopcode.cpp:3796
2 	js3250.dll 	DecompileCode 	js/src/jsopcode.cpp:4698
3 	js3250.dll 	DecompileExpression 	js/src/jsopcode.cpp:5090
4 	js3250.dll 	js_DecompileValueGenerator 	js/src/jsopcode.cpp:4967
5 	js3250.dll 	js_ReportValueErrorFlags 	js/src/jscntxt.cpp:1329
6 	js3250.dll 	js3250.dll@0x58732 	
7 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:4253
8 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1549
9 	js3250.dll 	js_obj_eval 	js/src/jsobj.cpp:1341
10 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1308
11 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:4963
12 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1549
13 	js3250.dll 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:5054
14 	xul.dll 	nsJSContext::EvaluateString 	dom/src/base/nsJSEnvironment.cpp:1540
15 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:594
16 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:504
17 	xul.dll 	nsScriptLoader::ProcessScriptElement 	content/base/src/nsScriptLoader.cpp:458
18 	xul.dll 	nsContentUtils::HasNonEmptyTextContent 	content/base/src/nsContentUtils.cpp:3641
19 	xul.dll 	nsScriptElement::MaybeProcessScript 	content/base/src/nsScriptElement.cpp:188
I'm seeing this crash with one of my sessions with both JIT prefs at their default value (false). I can't tell which page in the session triggers the crash, though.
I crash with this stack every time I load Zimbra. :(
Flags: blocking1.9.1?
OS: Windows XP → All
Brendan's offered to take this. Here's a reduced testcase:

(function(k){eval("k.y")})({})
Assignee: general → brendan
Blocks: 452298
Failing reduced testcase:

(function(k){eval("k.y")})()

/be
Status: NEW → ASSIGNED
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1
Attached patch fix
Attachment #335680 - Flags: review?(mrbkap)
Attachment #335680 - Flags: review?(mrbkap) → review+
Fixed on mozilla-central:

http://hg.mozilla.org/mozilla-central/index.cgi/rev/61ee5bbbe005

/be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Blocks: upvar1
No longer blocks: 452298
Keywords: regression
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-451884.js,v  <--  regress-451884.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/3ae03411eae7
Flags: in-testsuite+
Flags: in-litmus-
Flags: blocking1.9.1? → blocking1.9.1+
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090122 Shiretoko/3.1b3pre
and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090122 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ QuoteString]