Closed
Bug 56845
Opened 24 years ago
Closed 23 years ago
crash in js_free_symbol
Categories
(Core :: JavaScript Engine, defect, P3)
VERIFIED
WORKSFORME
Future
People
(Reporter: Bienvenu, Assigned: rogerl)
Details
(Keywords: crash, Whiteboard: [rtm need info])
I queried bugsplat for open bugs with js_free_symbol in the summary or description and came up empty. I suspect this might be a regression since I've used mozilla to refill prescriptions before. When refilling a prescription at walgreens online, I've run into a repeatable crash with the stack trace below. sprop has been deleted. This occurs after I've picked the prescription to renew and submitted that form. I can try to paste that page source, if it might help.

js_free_symbol(void * 0x07084d00, JSHashEntry * 0x07082ed0, unsigned int 0x00000001) line 115 + 25 bytes
JS_HashTableDestroy(JSHashTable * 0x07084cb0) line 150 + 16 bytes
js_hash_scope_clear(JSContext * 0x05758e70, JSScope * 0x07083170) line 235 + 9 bytes
js_DestroyScope(JSContext * 0x05758e70, JSScope * 0x07083170) line 443 + 17 bytes
js_DestroyObjectMap(JSContext * 0x05758e70, JSObjectMap * 0x07083170) line 1405 + 13 bytes
js_DropObjectMap(JSContext * 0x05758e70, JSObjectMap * 0x07083170, JSObject * 0x00f16ed8) line 1422 + 17 bytes
js_FinalizeObject(JSContext * 0x05758e70, JSObject * 0x00f16ed8) line 1603 + 17 bytes
gc_finalize_phase(JSContext * 0x05758e70, unsigned int 0x00000400) line 907 + 11 bytes
js_GC(JSContext * 0x05758e70, unsigned int 0x00000000) line 1155 + 13 bytes
js_ForceGC(JSContext * 0x05758e70) line 871 + 11 bytes
JS_GC(JSContext * 0x05758e70) line 1542 + 9 bytes
nsJSContext::GC(nsJSContext * const 0x05757030) line 1287 + 13 bytes
GlobalWindowImpl::SetNewDocument(GlobalWindowImpl * const 0x056de070, nsIDOMDocument * 0x069587e4) line 366
DocumentViewerImpl::Init(DocumentViewerImpl * const 0x0695d450, nsIWidget * 0x05753284, nsIDeviceContext * 0x0574b470, const nsRect & {...}) line 537
nsDocShell::SetupNewViewer(nsDocShell * const 0x057539e0, nsIContentViewer * 0x0695d450) line 2850 + 66 bytes
nsWebShell::SetupNewViewer(nsWebShell * const 0x057539e0, nsIContentViewer * 0x0695d450) line 350 + 13 bytes
nsDocShell::Embed(nsDocShell * const 0x05753a00, nsIContentViewer * 0x0695d450, const char * 0x01c511c4, nsISupports * 0x00000000) line 2484 + 23 bytes
nsWebShell::Embed(nsWebShell * const 0x05753a00, nsIContentViewer * 0x0695d450, const char * 0x01c511c4, nsISupports * 0x00000000) line 383
nsDocShell::CreateContentViewer(nsDocShell * const 0x057539e0, const char * 0x0012f920, nsIChannel * 0x0694d830, nsIStreamListener * * 0x0012f974) line 2663 + 32 bytes
nsDSURIContentListener::DoContent(nsDSURIContentListener * const 0x05753720, const char * 0x0012f920, int 0x00000000, const char * 0x100a56c8 gCommonEmptyBuffer, nsIChannel * 0x0694d830, nsIStreamListener * * 0x0012f974, int * 0x0012f904) line 103 + 33 bytes
nsDocumentOpenInfo::DispatchContent(nsIChannel * 0x0694d830, nsISupports * 0x00000000) line 359 + 109 bytes
nsDocumentOpenInfo::OnStartRequest(nsDocumentOpenInfo * const 0x0694d5d0, nsIChannel * 0x0694d830, nsISupports * 0x00000000) line 233 + 16 bytes
nsHTTPFinalListener::OnStartRequest(nsHTTPFinalListener * const 0x0694d4b0, nsIChannel * 0x0694d830, nsISupports * 0x00000000) line 1122
InterceptStreamListener::OnStartRequest(InterceptStreamListener * const 0x0695df10, nsIChannel * 0x0694d830, nsISupports * 0x00000000) line 1186
nsHTTPServerListener::FinishedResponseHeaders() line 1047 + 48 bytes
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x06939ee0, nsIChannel * 0x0577e0f4, nsISupports * 0x0694d830, nsIInputStream * 0x0693aef0, unsigned int 0x00000ad7, unsigned int 0x00000000) line 427 + 8 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x0695a1d0) line 400 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x0695a9f0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x0695a9f0) line 580 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ad6320) line 513 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00a104c0, unsigned int 0x0000c0ca, unsigned int 0x00000000, long 0x00ad6320) line 1049 + 9 bytes
USER32! 77e71268()

this is preceded by a couple asserts, as follows:

NTDLL! 77f76274()
js_DropScopeProperty(JSContext * 0x05758e70, JSScope * 0x07083170, JSScopeProperty * 0x07083120) line 549 + 45 bytes
js_DropProperty(JSContext * 0x05758e70, JSObject * 0x00f16ed8, JSProperty * 0x07083120) line 2864 + 19 bytes
FunctionDef(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74, int 0x00000000) line 478 + 37 bytes
FunctionStmt(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 599 + 19 bytes
Statement(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 879 + 17 bytes
Statements(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 629 + 17 bytes
js_CompileTokenStream(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSTokenStream * 0x05bfe038, JSCodeGenerator * 0x0012ec3c) line 261 + 20 bytes
CompileTokenStream(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSTokenStream * 0x05bfe038, void * 0x05758ef0, int * 0x00000000) line 2657 + 21 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSPrincipals * 0x070745b0, const unsigned short * 0x05a61020, unsigned int 0x0000047f, const char * 0x07083230, unsigned int 0x0000003e) line 2736 + 23 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSPrincipals * 0x070745b0, const unsigned short * 0x05a61020, unsigned int 0x0000047f, const char * 0x07083230, unsigned int 0x0000003e, long * 0x0012ee54) line 3143 + 33 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x05757030, const basic_nsAReadableString<unsigned short> & {...}, void * 0x03968ed8, nsIPrincipal * 0x070745ac, const char * 0x07083230, unsigned int 0x0000003e, const char * 0x003125f8, basic_nsAWritableString<unsigned short> & {...}, int * 0x0012eeb0) line 583 + 68 bytes
HTMLContentSink::EvaluateScript(nsString & {...}, nsIURI * 0x06960900, int 0x0000003e, const char * 0x003125f8) line 4633
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 4982
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x06976310, const nsIParserNode & {...}) line 3156 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x024ce440) line 3657 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x024ce440) line 3780 + 17 bytes
CNavDTD::HandleStartToken(CToken * 0x05c6f868) line 1596 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x0706ee00, CToken * 0x00000000, nsIParser * 0x0696aec0) line 745 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x0706ee00, nsIParser * 0x0696aec0, nsITokenizer * 0x070684e0, nsITokenObserver * 0x00000000, nsIContentSink * 0x06976310) line 485 + 20 bytes
nsParser::BuildModel() line 2009 + 34 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000000) line 1890 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x0696aec8, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 2342 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x067e5f60, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 251 + 46 bytes
nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x069675c0, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 1191 + 46 bytes
InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const 0x069653b0, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x0697ac90, unsigned int 0x00000000, unsigned int 0x00001001) line 1216
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x0697a0f0, nsIChannel * 0x0722ad74, nsISupports * 0x069640d0, nsIInputStream * 0x0697ac90, unsigned int 0x00000206, unsigned int 0x00001001) line 554 + 67 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x06fdab80) line 400 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x06fde080) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x06fde080) line 580 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ad6320) line 513 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00a104c0, unsigned int 0x0000c0ca, unsigned int 0x00000000, long 0x00ad6320) line 1049 + 9 bytes
USER32! 77e71268()
00ad6320()

NTDLL! 77f76274()
js_DestroyScopeProperty(JSContext * 0x05758e70, JSScope * 0x07083170, JSScopeProperty * 0x07083120) line 517 + 45 bytes
js_DropScopeProperty(JSContext * 0x05758e70, JSScope * 0x07083170, JSScopeProperty * 0x07083120) line 553 + 17 bytes
js_DropProperty(JSContext * 0x05758e70, JSObject * 0x00f16ed8, JSProperty * 0x07083120) line 2864 + 19 bytes
FunctionDef(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74, int 0x00000000) line 478 + 37 bytes
FunctionStmt(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 599 + 19 bytes
Statement(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 879 + 17 bytes
Statements(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 629 + 17 bytes
js_CompileTokenStream(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSTokenStream * 0x05bfe038, JSCodeGenerator * 0x0012ec3c) line 261 + 20 bytes
CompileTokenStream(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSTokenStream * 0x05bfe038, void * 0x05758ef0, int * 0x00000000) line 2657 + 21 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSPrincipals * 0x070745b0, const unsigned short * 0x05a61020, unsigned int 0x0000047f, const char * 0x07083230, unsigned int 0x0000003e) line 2736 + 23 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSPrincipals * 0x070745b0, const unsigned short * 0x05a61020, unsigned int 0x0000047f, const char * 0x07083230, unsigned int 0x0000003e, long * 0x0012ee54) line 3143 + 33 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x05757030, const basic_nsAReadableString<unsigned short> & {...}, void * 0x03968ed8, nsIPrincipal * 0x070745ac, const char * 0x07083230, unsigned int 0x0000003e, const char * 0x003125f8, basic_nsAWritableString<unsigned short> & {...}, int * 0x0012eeb0) line 583 + 68 bytes
HTMLContentSink::EvaluateScript(nsString & {...}, nsIURI * 0x06960900, int 0x0000003e, const char * 0x003125f8) line 4633
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 4982
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x06976310, const nsIParserNode & {...}) line 3156 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x024ce440) line 3657 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x024ce440) line 3780 + 17 bytes
CNavDTD::HandleStartToken(CToken * 0x05c6f868) line 1596 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x0706ee00, CToken * 0x00000000, nsIParser * 0x0696aec0) line 745 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x0706ee00, nsIParser * 0x0696aec0, nsITokenizer * 0x070684e0, nsITokenObserver * 0x00000000, nsIContentSink * 0x06976310) line 485 + 20 bytes
nsParser::BuildModel() line 2009 + 34 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000000) line 1890 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x0696aec8, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 2342 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x067e5f60, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 251 + 46 bytes
nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x069675c0, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 1191 + 46 bytes
InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const 0x069653b0, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x0697ac90, unsigned int 0x00000000, unsigned int 0x00001001) line 1216
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x0697a0f0, nsIChannel * 0x0722ad74, nsISupports * 0x069640d0, nsIInputStream * 0x0697ac90, unsigned int 0x00000206, unsigned int 0x00001001) line 554 + 67 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x06fdab80) line 400 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x06fde080) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x06fde080) line 580 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ad6320) line 513 + 9 bytes

NTDLL! 77f76274()
js_UnlockScope(JSContext * 0x05758e70, JSScope * 0x07083170) line 685 + 38 bytes
js_UnlockObj(JSContext * 0x05758e70, JSObject * 0x00f16ed8) line 750 + 15 bytes
js_DropProperty(JSContext * 0x05758e70, JSObject * 0x00f16ed8, JSProperty * 0x07083120) line 2865 + 13 bytes
FunctionDef(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74, int 0x00000000) line 478 + 37 bytes
FunctionStmt(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 599 + 19 bytes
Statement(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 879 + 17 bytes
Statements(JSContext * 0x05758e70, JSTokenStream * 0x05bfe038, JSTreeContext * 0x0012ec74) line 629 + 17 bytes
js_CompileTokenStream(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSTokenStream * 0x05bfe038, JSCodeGenerator * 0x0012ec3c) line 261 + 20 bytes
CompileTokenStream(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSTokenStream * 0x05bfe038, void * 0x05758ef0, int * 0x00000000) line 2657 + 21 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSPrincipals * 0x070745b0, const unsigned short * 0x05a61020, unsigned int 0x0000047f, const char * 0x07083230, unsigned int 0x0000003e) line 2736 + 23 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x05758e70, JSObject * 0x03968ed8, JSPrincipals * 0x070745b0, const unsigned short * 0x05a61020, unsigned int 0x0000047f, const char * 0x07083230, unsigned int 0x0000003e, long * 0x0012ee54) line 3143 + 33 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x05757030, const basic_nsAReadableString<unsigned short> & {...}, void * 0x03968ed8, nsIPrincipal * 0x070745ac, const char * 0x07083230, unsigned int 0x0000003e, const char * 0x003125f8, basic_nsAWritableString<unsigned short> & {...}, int * 0x0012eeb0) line 583 + 68 bytes
HTMLContentSink::EvaluateScript(nsString & {...}, nsIURI * 0x06960900, int 0x0000003e, const char * 0x003125f8) line 4633
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 4982
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x06976310, const nsIParserNode & {...}) line 3156 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x024ce440) line 3657 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x024ce440) line 3780 + 17 bytes
CNavDTD::HandleStartToken(CToken * 0x05c6f868) line 1596 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x0706ee00, CToken * 0x00000000, nsIParser * 0x0696aec0) line 745 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x0706ee00, nsIParser * 0x0696aec0, nsITokenizer * 0x070684e0, nsITokenObserver * 0x00000000, nsIContentSink * 0x06976310) line 485 + 20 bytes
nsParser::BuildModel() line 2009 + 34 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000000) line 1890 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x0696aec8, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 2342 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x067e5f60, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 251 + 46 bytes
nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x069675c0, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x069653b4, unsigned int 0x00000000, unsigned int 0x00001001) line 1191 + 46 bytes
InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const 0x069653b0, nsIChannel * 0x069640d0, nsISupports * 0x00000000, nsIInputStream * 0x0697ac90, unsigned int 0x00000000, unsigned int 0x00001001) line 1216
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x0697a0f0, nsIChannel * 0x0722ad74, nsISupports * 0x069640d0, nsIInputStream * 0x0697ac90, unsigned int 0x00000206, unsigned int 0x00001001) line 554 + 67 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x06fdab80) line 400 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x06fde080) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x06fde080) line 580 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ad6320) line 513 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00a104c0, unsigned int 0x0000c0ca, unsigned int 0x00000000, long 0x00ad6320) line 1049 + 9 bytes
Reporter
Comment 1•24 years ago
This was the tip of the b3 branch - I'll try the trunk now. Nominating for rtm, in case this is a recent regression and starts showing up in talkback topcrashes. BTW, if I continue past the crash point, I don't have any problems, so things aren't that messed up.
Comment 2•24 years ago
I don't buy this being a JS engine regression, at least not a "local" one (i.e. one in the files that are botching assertions). There haven't been changes to FunctionDef in jsparse.c in a long time, certainly not on the branch. Can you run under purify? Clobber build or depend? /be
Comment 3•24 years ago
Phil, can you work with David to try to reproduce? /be
Comment 4•24 years ago
OK - I will do that now -
Reporter
Comment 5•24 years ago
clobber build in js still has same problem. I'll try a purify build to get the stack trace of the free of the object.
Reporter
Comment 6•24 years ago
Purify was not helpful - I think it's not too happy with the js asserts prior to the crash. I'll try commenting those out and re-running. I've been able to reproduce this by using the back button on the page where you confirm your store location (not useful to anyone without a prescription history at walgreens, I know).
Comment 7•24 years ago
David ran me through the exact steps to reproduce on WinNT. I couldn't reproduce the crash, however. I was able to use the site without any problems.

David: debug MN6 branch build (current)
Me: debug trunk build (2000-10-11)

I will do a MN6 debug build from today and try again -
Comment 8•24 years ago
Using MN6 branch debug build on WinNT, pulled 2000-10-16. Confirming crash at http://www.walgreens.com (One is soon transferred to the secure site https://www.walgreens.com)

Note: I crashed the very first time I visited the site after I made the build. HOWEVER - I have not been able to crash again. I am following the steps to reproduce that David explained to me. I crashed when I clicked on the grey "Check Out" button on the "Shopping Cart" page.

Here is the last Mozilla function at the top of the stack trace:

JSScopeProperty *
js_DropScopeProperty(JSContext *cx, JSScope *scope, JSScopeProperty *sprop)
{
    JS_ASSERT(JS_IS_SCOPE_LOCKED(scope));   /* <<<<<<<<<<<<<<<<<<< STOPPED HERE */
    if (sprop) {
        JS_ASSERT(sprop->nrefs > 0);
        if (--sprop->nrefs == 0) {
            js_DestroyScopeProperty(cx, scope, sprop);
            sprop = NULL;
        }
    }
    return sprop;
}

Here is the stack trace:

NTDLL! 77f7629c()
js_DropScopeProperty(JSContext * 0x03e28e70, JSScope * 0x04163ce0, JSScopeProperty * 0x04163c90) line 549 + 45 bytes
js_DropProperty(JSContext * 0x03e28e70, JSObject * 0x038bd738, JSProperty * 0x04163c90) line 2864 + 19 bytes
FunctionDef(JSContext * 0x03e28e70, JSTokenStream * 0x03953b88, JSTreeContext * 0x0012ec74, int 0) line 478 + 37 bytes
FunctionStmt(JSContext * 0x03e28e70, JSTokenStream * 0x03953b88, JSTreeContext * 0x0012ec74) line 599 + 19 bytes
Statement(JSContext * 0x03e28e70, JSTokenStream * 0x03953b88, JSTreeContext * 0x0012ec74) line 879 + 17 bytes
Statements(JSContext * 0x03e28e70, JSTokenStream * 0x03953b88, JSTreeContext * 0x0012ec74) line 629 + 17 bytes
js_CompileTokenStream(JSContext * 0x03e28e70, JSObject * 0x038bcf20, JSTokenStream * 0x03953b88, JSCodeGenerator * 0x0012ec3c) line 261 + 20 bytes
CompileTokenStream(JSContext * 0x03e28e70, JSObject * 0x038bcf20, JSTokenStream * 0x03953b88, void * 0x03e28ef0, int * 0x00000000) line 2657 + 21 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x03e28e70, JSObject * 0x038bcf20, JSPrincipals * 0x04166990, const unsigned short * 0x00dfb028, unsigned int 1151, const char * 0x04163d60, unsigned int 62) line 2736 + 23 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03e28e70, JSObject * 0x038bcf20, JSPrincipals * 0x04166990, const unsigned short * 0x00dfb028, unsigned int 1151, const char * 0x04163d60, unsigned int 62, long * 0x0012ee54) line 3143 + 33 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03c43bd0, const basic_nsAReadableString<unsigned short> & {...}, void * 0x038bcf20, nsIPrincipal * 0x0416698c, const char * 0x04163d60, unsigned int 62, const char * 0x003025f8, basic_nsAWritableString<unsigned short> & {...}, int * 0x0012eeb0) line 583 + 68 bytes
HTMLContentSink::EvaluateScript(nsString & {...}, nsIURI * 0x04a02120, int 62, const char * 0x003025f8) line 4633
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 4982
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x04ac9db0, const nsIParserNode & {...}) line 3156 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x033900c0) line 3657 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x033900c0) line 3780 + 17 bytes
CNavDTD::HandleStartToken(CToken * 0x0470d7c0) line 1596 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x04166b40, CToken * 0x00000000, nsIParser * 0x04a08a40) line 745 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x04166b40, nsIParser * 0x04a08a40, nsITokenizer * 0x04166ab0, nsITokenObserver * 0x00000000, nsIContentSink * 0x04ac9db0) line 485 + 20 bytes
nsParser::BuildModel() line 2009 + 34 bytes
nsParser::ResumeParse(int 1, int 0) line 1890 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x04a08a48, nsIChannel * 0x04a03170, nsISupports * 0x00000000, nsIInputStream * 0x04a04a94, unsigned int 0, unsigned int 4097) line 2342 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x04acc250, nsIChannel * 0x04a03170, nsISupports * 0x00000000, nsIInputStream * 0x04a04a94, unsigned int 0, unsigned int 4097) line 251 + 46 bytes
nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x04a00690, nsIChannel * 0x04a03170, nsISupports * 0x00000000, nsIInputStream * 0x04a04a94, unsigned int 0, unsigned int 4097) line 1191 + 46 bytes
InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const 0x04a04a90, nsIChannel * 0x04a03170, nsISupports * 0x00000000, nsIInputStream * 0x04a0e0c0, unsigned int 0, unsigned int 4097) line 1216
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x04a0bd00, nsIChannel * 0x044451f4, nsISupports * 0x04a03170, nsIInputStream * 0x04a0e0c0, unsigned int 3154, unsigned int 4097) line 554 + 67 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x04a93e50) line 400 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x04a939c0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x04a939c0) line 580 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a7a700) line 513 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x031e0150, unsigned int 49372, unsigned int 0, long 10987264) line 1049 + 9 bytes
USER32! 77e71820()
00a7a700()
Comment 9•24 years ago
Damn, who broke the branch? Phil, can you hop on IRC #mozilla and tell me more? /be
Comment 10•24 years ago
OK - I'm on IRC #mozilla now -
Comment 11•24 years ago
Can someone pin down when this started and stopped being a reproducible crash bug? It sounds like it may never have been a trunk problem. David, did you ever try a trunk build? /be
Comment 12•24 years ago
I just called David to get the info - he's going on vacation tomorrow, and is not currently logged onto his machine. He pulled both the trunk and the branch today. He never crashed with the trunk build, and found no problems with it in Purify. He was only able to crash with the branch build -
Comment 13•24 years ago
my branch profile build crashed when I clicked 'check out'. I'm starting it up under Purify to have a go.
Reporter
Comment 14•24 years ago
A few more comments - my trunk build is a release build, which is much less likely to have problems accessing freed memory, though Purify should have shown something. Also, I needed to stop JS_ASSERT from aborting the app in order to run into this crash. And finally, I suspect that my purifying of the debug build (which didn't show any problems before the crash) was somewhat bogus - I think purify wasn't completely engaged, but I didn't have time to figure out what was wrong. Anyway, I'm glad jband can reproduce this problem.
Comment 15•24 years ago
FWIW, I didn't get to the point of seeing whether or not the stack I had was this one or not. I hit bug 57096 and vectored off to help figure that out. This also showed us the problem fixed by the patch in bug 57070. Heck, for all I know when those two bugs are fixed this one may be fixed too?
Comment 16•24 years ago
bug 57070 could fail to mark live GC-things, resulting in their collection "out from under" a future compilation, e.g. So bug 57070 could account for this bug's symptom. David or anyone who can reproduce, please try the patch in 57070 (which I'm about to check into the branch -- it's in the trunk already). /be
Reporter
Comment 17•24 years ago
I will not be able to try it until Sunday.
Reporter
Comment 18•24 years ago
Still broken (assuming all the fixes for other bugs mentioned in this bug have been checked in). I pulled a tree last night (10/22) and it still crashes with the same stack and the same steps.
Comment 19•24 years ago
Using MN6 branch debug build 2000-10-23 7PM Pacific Time on WinNT. Unable to reproduce crash; following same procedures as before. I arrive at the "Shopping Cart" page, click on the grey "Check Out" button, and do not crash. I arrive at the address of the drugstore, and click "Back" and do not crash. I click "Forward" and "Back" and do not crash... I deleted my existing mozilla directory before I pulled last night, so everything in it is fresh from CVS... -r Netscape_20000922_BRANCH
Comment 20•24 years ago
Seems like the summary no longer captures this bug. Is this still being worked on? It looks like this is being worked on, so I updated the whiteboard to [rtm need info].
Whiteboard: [rtm need info]
Reporter
Comment 21•24 years ago
summary is still correct from my P.O.V. - still crashes in exactly the same place with the same steps. But I got the impression this was not being worked on, so I changed the password back on my account. If anyone does want to work on this, let me know. This doesn't crash in a release build, I assume because a release build doesn't set the deleted block memory to 0xdddd, so I don't think this is crucial to fix for release.
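The effect comment 21 describes, as an added example that is not part of the bug thread and is not SpiderMonkey code: a toy pool where the last reference to a record is dropped while a second pointer is still held, read back once with freed slots overwritten with 0xDD and once without. `Prop`, the pool and every function name are hypothetical stand-ins; only the drop-on-zero shape is taken from the js_DropScopeProperty excerpt in comment 8.

```c
/* Added example: toy allocator, not engine code. The pool is a static array,
 * so reading a "freed" slot here is well defined and safe to run. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define FREED_FILL 0xDD   /* fill byte the reporter describes for freed blocks */

typedef struct {          /* hypothetical stand-in for JSScopeProperty */
    uint32_t id;
    int32_t  nrefs;
} Prop;

static Prop pool[POOL_SLOTS];
static unsigned char in_use[POOL_SLOTS];
static int poison_on_free;   /* 1 = debug-heap behaviour, 0 = release-like */

static void pool_reset(int poison)
{
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
    poison_on_free = poison;
}

static Prop *prop_new(uint32_t id)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            pool[i].id = id;
            pool[i].nrefs = 1;
            return &pool[i];
        }
    }
    return NULL;
}

static void prop_free(Prop *p)
{
    in_use[p - pool] = 0;
    if (poison_on_free)
        memset(p, FREED_FILL, sizeof *p);
}

/* Same shape as the excerpt in comment 8: destroy on the last reference. */
static Prop *prop_drop(Prop *p)
{
    if (p && --p->nrefs == 0) {
        prop_free(p);
        p = NULL;
    }
    return p;
}

/* Detection helper: is every byte of the record the freed-block pattern? */
int prop_is_poisoned(const Prop *p)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < sizeof *p; i++)
        if (b[i] != FREED_FILL)
            return 0;
    return 1;
}

/* A second holder keeps a pointer without taking a reference; the owner
 * then drops the last reference, leaving the second pointer stale. */
static const Prop *make_stale(int poison)
{
    pool_reset(poison);
    Prop *owner = prop_new(42);
    const Prop *stale = owner;
    prop_drop(owner);
    return stale;
}

uint32_t stale_id(int poison)         { return make_stale(poison)->id; }
uint32_t stale_nrefs_bits(int poison) { return (uint32_t)make_stale(poison)->nrefs; }
int      stale_detected(int poison)   { return prop_is_poisoned(make_stale(poison)); }

/* Once the slot is recycled the pattern is gone, poisoned or not. */
uint32_t stale_id_after_reuse(int poison)
{
    const Prop *stale = make_stale(poison);
    prop_new(99);
    return stale->id;
}

int main(void)
{
    printf("no fill:   id=%u nrefs=%d poisoned=%d\n",
           (unsigned)stale_id(0), (int)stale_nrefs_bits(0), stale_detected(0));
    printf("0xDD fill: id=0x%08X poisoned=%d\n",
           (unsigned)stale_id(1), stale_detected(1));
    return 0;
}
```

Without the fill, the stale record still reads back a plausible id, which is why the release build keeps running; with the fill, every field is 0xDDDDDDDD and any check or dereference on it fails immediately. The pattern only survives until the slot is recycled.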
Reporter
Comment 22•24 years ago
I get the exact same asserts and crash if I do the same steps on my work machine, so it's nothing about my home setup. I'd never visited this site at work before, so it should be a clean setup. Brendan, I'm in on Tuesdays and Thursdays if you want to come by and see this in the debugger.
Comment 23•24 years ago
It's getting pretty late for RTM. JS folks, are you working on this? Or should we mark [rtm-] now?
Comment 24•24 years ago
JS folks have failed to reproduce this (except for once? pschwartau can say more) and I have failed to get to David's machine while he's around. Maybe I can do it remotely? I'll be in later today, and check this bug for comments on how to reproduce there. /be
Reporter
Comment 25•24 years ago
Brendan, call me at home (I'm in the netscape phonebook) if you get to my machine at work - I will remotely control it to make it crash, and then release control to you and you can poke around in the debugger. If you call, don't give up if I don't get to the phone right away - I hurt my back and it can take a while to get to the phone.
Comment 26•24 years ago
For the record: I was only able to crash at this site once, using the same steps as David. I crashed the very first time I tried the site, but never again.
Comment 28•24 years ago
David, has this happened recently? If it's still reproducing, I'm on the third floor now. /be
Reporter
Comment 29•24 years ago
I've stopped using this site with debug builds, but I'll try it again when I get home.
Comment 30•23 years ago
David, does this crash still occur? Thanks -
Reporter
Comment 31•23 years ago
Sorry, I think this has stopped happening - probably because it was fixed, but possibly because they changed their site around a little. But I'll mark it worksforme.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME