Closed Bug 603525 Opened 14 years ago Closed 14 years ago

Reproducible 4.0b6 Crash [@ small_free_list_remove_ptr | small_malloc_from_free_list | szone_malloc ]

Categories

(Core :: DOM: HTML Parser, defect)

x86
All
defect
Not set
normal


RESOLVED DUPLICATE of bug 600974

People

(Reporter: chofmann, Unassigned)

Details

(Keywords: compat, crash, Whiteboard: [sg:dupe 600974])

Crash Data

I ran across this reproducible crash while looking at crash URLs.

Someone working on CSS 2.1 testing crashed:

http://crash-stats.mozilla.com/report/index/0f786218-81ac-448e-a139-0086f2101001	201010011529	201010011529	10662	Firefox	4.0b6

On my first visit to the crash URL

http://test.csswg.org/suites/css2.1/20100917/html4/first-letter-punct-before-035.htm

resulted in a hang that required a force quit, but subsequent visits crashed several times in a row.

http://crash-stats.mozilla.com/report/index/99f688a5-a6cb-4a82-b141-7aac02101011

Frame  	Module  	Signature  	Source
0 	libSystem.B.dylib 	small_free_list_remove_ptr 	
1 	libSystem.B.dylib 	small_malloc_from_free_list 	
2 	libSystem.B.dylib 	szone_malloc 	
3 	libSystem.B.dylib 	malloc_zone_malloc 	
4 	libSystem.B.dylib 	malloc 	
5 	libmozalloc.dylib 	moz_xmalloc 	memory/mozalloc/mozalloc.cpp:98
6 	XUL 	nsHtml5UTF16Buffer::nsHtml5UTF16Buffer 	loc.h:238
7 	XUL 	nsHtml5StreamParser::WriteStreamBytes 	parser/html/nsHtml5StreamParser.cpp:535
8 	XUL 	nsHtml5StreamParser::DoDataAvailable 	parser/html/nsHtml5StreamParser.cpp:680
9 	XUL 	nsHtml5DataAvailable::Run 	parser/html/nsHtml5StreamParser.cpp:720
10 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:547
11 	XUL 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
12 	XUL 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:263
13 	libnspr4.dylib 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:228
14 	libSystem.B.dylib 	_pthread_start 	
15 	libSystem.B.dylib 	thread_star

Using Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0b6) Gecko/20100101 Firefox/4.0b6

2 of 3 stacks look like comment 0.

One of the other stacks I got while testing this is different. It could have been something else going on with loading other pages in session restore.

http://crash-stats.mozilla.com/report/index/bp-f20bdeda-56e1-445f-86c6-5b39b2101011

Frame  	Module  	Signature  	Source
0 	libSystem.B.dylib 	small_free_list_remove_ptr 	
1 	libSystem.B.dylib 	szone_free 	
2 	libSystem.B.dylib 	free 	
3 	XUL 	nanojit::Allocator::reset 	js/src/nanojit/Allocator.cpp:62
4 	XUL 	js::TraceRecorder::~TraceRecorder 	js/src/jstracer.cpp:2442
5 	XUL 	js::TraceRecorder::closeLoop 	js/src/jstracer.cpp:2445
6 	XUL 	js::TraceRecorder::closeLoop 	js/src/jstracer.cpp:4867
7 	XUL 	js::TraceRecorder::checkTraceEnd 	js/src/jstracer.cpp:4859
8 	XUL 	js::TraceRecorder::relational 	js/src/jstracer.cpp:9241
9 	XUL 	js::TraceRecorder::monitorRecording 	js/src/jstracer.cpp:10816
10 	XUL 	js::Interpret 	js/src/jsinterp.cpp:2456
11 	XUL 	js::InvokeCommon<JSBool > 	js/src/jsinterp.cpp:577
12 	XUL 	js::Invoke 	js/src/jsinterp.cpp:696
13 	XUL 	js::InternalInvoke 	js/src/jsinterp.cpp:736
14 	XUL 	JS_CallFunctionValue 	js/src/jsinterp.h:651
15 	XUL 	nsXPCWrappedJSClass::CallMethod
blocking2.0: --- → ?
Safari 5.0.2 (5533.18.5) and Chrome 6.0.472.63 seem to handle the test case OK.
Keywords: compat, crash
Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
blocking2.0: ? → ---
Crash Signature: [@ small_free_list_remove_ptr | small_malloc_from_free_list | szone_malloc ]
Group: core-security
Whiteboard: [sg:dupe 600974]