Closed Bug 466659 Opened 16 years ago Closed 16 years ago

Crash on conquerorgame.com, possibly related to Bug 449118 , exception_access_violation [@ dtoa ]

Categories

(Core :: JavaScript Engine, defect, P2)

x86
Windows Vista
defect

Tracking

VERIFIED WORKSFORME

People

(Reporter: tdowner, Assigned: Waldo)

Details

(Keywords: crash, topcrash)

When going to above site, about 2/3 of the time get crash. Have yet to do more triage, but here are crash ids.
bp-c2e69b82-226b-4654-bf0a-ceb320081118
bp-7fa9687a-e123-42d9-b36e-d8cf02081125
In Bug 449118, there is more detail on the crash, along with another confirming crash id.
This is using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081125 Minefield/3.1b2pre.
Keywords: crash
0 js3250.dll dtoa js/src/dtoa.c:3014
1 js3250.dll JS_dtostr js/src/jsdtoa.cpp:164
2 js3250.dll js_NumberToCString js/src/jsnum.cpp:801
3 js3250.dll NumberToStringWithBase js/src/jsnum.cpp:820
4 js3250.dll js_ValueToString js/src/jsstr.cpp:3049
5 js3250.dll js_Stringify js/src/json.cpp:340
6 js3250.dll js_Stringify js/src/json.cpp:337
7 js3250.dll js_json_stringify js/src/json.cpp:155
8 js3250.dll js_Interpret js/src/jsinterp.cpp:5109
9 js3250.dll js_Invoke js/src/jsinterp.cpp:1331
10 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1549
11 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:563
12 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
13 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
14 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:428
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Summary: Crash on conquerorgame.com, possibly related to Bug 449118 , exception_access_violation → Crash on conquerorgame.com, possibly related to Bug 449118 , exception_access_violation [@ dtoa ]
Flags: blocking1.9.1?
Keywords: topcrash
if you disable shockwave, does it crash?
Timeless, I have not been able to repro this for a while. It seems sort of temperamental. I had a crash in Safe Mode, then no crashes since. Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20081220 Minefield/3.2a1pre
well, keep in mind trying to disable shockwave if you do run across this stack :)
I'm also getting this crash on a different site (http://www.habbo.com.au/client) however for me it takes between 5 seconds to 10 minutes until Firefox crashes.
0 js3250.dll dtoa js/src/dtoa.c:3014
1 js3250.dll JS_dtostr js/src/jsdtoa.cpp:164
2 js3250.dll js_NumberToCString js/src/jsnum.cpp:801
3 js3250.dll NumberToStringWithBase js/src/jsnum.cpp:820
4 js3250.dll js_ValueToString js/src/jsstr.cpp:3061
5 js3250.dll js_Interpret js/src/jsinterp.cpp:3782
6 js3250.dll js_Invoke js/src/jsinterp.cpp:1331
7 js3250.dll js_InternalInvoke js/src/jsinterp.cpp:1388
8 js3250.dll JS_CallFunctionValue js/src/jsapi.cpp:5244
9 xul.dll nsJSContext::CallEventHandler dom/src/base/nsJSEnvironment.cpp:1989
10 xul.dll nsGlobalWindow::RunTimeout dom/src/base/nsGlobalWindow.cpp:7667
11 xul.dll nsGlobalWindow::TimerCallback dom/src/base/nsGlobalWindow.cpp:7999
12 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:420
13 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:512
14 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
15 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170
16 nspr4.dll PR_GetEnv
17 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:87
18 firefox.exe firefox.exe@0x2197
19 kernel32.dll kernel32.dll@0x44910
20 ntdll.dll ntdll.dll@0x3e4b5
21 ntdll.dll ntdll.dll@0x3e488
A slightly different stack...
Regarding my last comment, you need to be a member of the site to access the page with Shockwave that causes the crash.
ok. IME dtoa crashes are caused by random code changing the cpu control _control87 (or an alias)'s floating point precision. msintov: please find someone from shockwave who can confirm/deny the use of this setting.
Assignee: general → msintov
Just FYI, a stack with function args from a debugger (probably crash due to Shockwave plugin):
ChildEBP RetAddr
0012f108 0043ba47 js3250!dtoa(union U d = union U, int mode = <Memory access error>, int ndigits = <Memory access error>, int * decpt = <Memory access error>, int * sign = 0x00000034, char ** rve = <Memory access error>)+0x710 [f:\mozilla\tree-hg\src\mozilla\js\src\dtoa.c @ 3014]
0012f148 00461e12 js3250!JS_dtostr(char * buffer = 0x0012f1a0 "???", unsigned int bufferSize = 0x1a, JSDToStrMode mode = DTOSTR_STANDARD (0), int precision = 0, double dinput = 6405919604736)+0x87 [f:\mozilla\tree-hg\src\mozilla\js\src\jsdtoa.cpp @ 164]
0012f16c 00461e74 js3250!js_NumberToCString(struct JSContext * cx = 0x0049ce73, double d = 6405919604736, long base = 4, char * buf = 0x00000034 "", unsigned int bufSize = 0x12f270)+0x72 [f:\mozilla\tree-hg\src\mozilla\js\src\jsnum.cpp @ 801]
0012f1f0 0049ce73 js3250!NumberToStringWithBase(struct JSContext * cx = 0x00000004, double d = 6405919604736, long base = 1241142)+0x34 [f:\mozilla\tree-hg\src\mozilla\js\src\jsnum.cpp @ 820]
0012f270 00456650 js3250!js_ValueToString(struct JSContext * cx = 0x0cdb7a40, long v = 139664682)+0x83 [f:\mozilla\tree-hg\src\mozilla\js\src\jsstr.cpp @ 3068]
0012f35c 0044fede js3250!js_Interpret(struct JSContext * cx = 0x0cdb7a40)+0x5e90 [f:\mozilla\tree-hg\src\mozilla\js\src\jsinterp.cpp @ 3782]
0012f3e4 004279d8 js3250!js_Execute(struct JSContext * cx = 0x0000252c, struct JSObject * chain = <Memory access error>, struct JSScript * script = <Memory access error>, struct JSStackFrame * down = <Memory access error>, unsigned int flags = <Memory access error>, long * result = <Memory access error>)+0x1fe [f:\mozilla\tree-hg\src\mozilla\js\src\jsinterp.cpp @ 1559]
0012f410 01c972d5 js3250!JS_EvaluateUCScriptForPrincipals(struct JSContext * cx = 0x0cdb7a40, struct JSObject * obj = 0x083b0ee0, struct JSPrincipals * principals = 0x00af8104, unsigned short * chars = 0x2060e898, unsigned int length = 0x10f9, char * filename = 0x0ce0a5e0 "http://www.adobe.com/shockwave/welcome/", unsigned int lineno = 0x17c, long * rval = 0x00000000)+0x88 [f:\mozilla\tree-hg\src\mozilla\js\src\jsapi.cpp @ 5189]
0012f484 01bfcdbd gklayout!nsJSContext::EvaluateString(class nsAString_internal * aScript = 0x0012f550, void * aScopeObject = 0x083b0ee0, class nsIPrincipal * aPrincipal = 0x00af8100, char * aURL = 0x0ce0a5e0 "http://www.adobe.com/shockwave/welcome/", unsigned int aLineNo = 0x17c, unsigned int aVersion = 0, class nsAString_internal * aRetValue = 0x00000000, int * aIsUndefined = 0x0012f4b8)+0x194 [f:\mozilla\tree-hg\src\mozilla\dom\src\base\nsjsenvironment.cpp @ 1588]
Assignee: msintov → general
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
bp-41d9b02e-655d-408e-85cf-a2cc82090310 with Firefox 3.1b4pre 20090310050816 whilst testing out the following Plug-In Test site: http://www.at2907.net/embed/index.php. it *could* have been that it happened when checking the shockwave thingy. shockwave plugin ver. is 11.0.3r472.
xtc4uall: please destroy AM30615.dll (send it to some antivirus labs first).
timeless: wrong guess. that dll belongs to AdMuncher (http://www.admuncher.com/beta.pl). you can read how it works here: https://bugzilla.mozilla.org/show_bug.cgi?id=342646#c4 (irony is you also commented to that bug that time :P)
gah, i don't have a full database in my head, and that string wasn't in my gmail (offline database). that said, please disable all your plugins/extensions and see if it still happens. typically these problems are caused by random third party libraries doing something uncool to our process's state.
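The hypothesis raised in the comments above (third-party code changing the x87 floating-point precision through _control87 or an alias, and more generally altering the host process's state) can be detected and contained with a guard around calls into plugin code. This is an added example, not code from this bug or from Mozilla; it assumes x86 with GCC or Clang inline assembly, and every function name in it is hypothetical.

```c
/* Added example, not Mozilla code. x86 only; GCC/Clang inline assembly. */
#include <stdint.h>
#include <stdio.h>

#define X87_PC_MASK   0x0300u /* precision-control field, bits 8-9 */
#define X87_PC_SINGLE 0x0000u /* 24-bit significand */

static uint16_t x87_read_cw(void) {
    uint16_t cw;
    __asm__ volatile("fnstcw %0" : "=m"(cw));
    return cw;
}

static void x87_write_cw(uint16_t cw) {
    __asm__ volatile("fldcw %0" : : "m"(cw));
}

unsigned current_precision(void) { return x87_read_cw() & X87_PC_MASK; }

typedef void (*plugin_fn)(void); /* hypothetical plugin entry point */

/* Call fn; if it returns with a different precision setting, put the
 * caller's setting back and return 1 so the host can log the offender. */
int call_guarded(plugin_fn fn) {
    uint16_t before = x87_read_cw();
    fn();
    uint16_t after = x87_read_cw();
    if (((before ^ after) & X87_PC_MASK) == 0)
        return 0;
    x87_write_cw((uint16_t)((after & ~X87_PC_MASK) | (before & X87_PC_MASK)));
    return 1;
}

/* Constructed stand-ins for third-party code. */
void plugin_well_behaved(void) {}
void plugin_drops_precision(void) {
    x87_write_cw((uint16_t)((x87_read_cw() & ~X87_PC_MASK) | X87_PC_SINGLE));
}

int main(void) {
    printf("well-behaved changed precision: %d\n", call_guarded(plugin_well_behaved));
    printf("misbehaving changed precision:  %d\n", call_guarded(plugin_drops_precision));
    printf("precision field after guard:    0x%04x\n", current_precision());
    return 0;
}
```

With MSVC the same read and restore would go through _control87, the function named in the thread, instead of inline assembly.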
Assignee: general → jwalden+bmo
Haven't had luck reproducing this yet with a semi-old trunk build, updating my TM tree and trying again; this was with a v11.5 np32dsw.dll, which could matter judging from comment 15.
I also haven't been able to reproduce with a TM tree with the same plugin install.
Given that I can't reproduce with the most recent plugin install, and given that the crash claims were against earlier versions, I'm going to claim this is WORKSFORME due to a change in the plugin itself. If someone can demonstrate that this is a bug in SpiderMonkey and that it occurs even with the latest version of the plugin, please reopen.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → VERIFIED
Crash Signature: [@ dtoa ]