Closed Bug 625191 Opened 15 years ago Closed 15 years ago

Crash [@ js::PropertyTable::capacity]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b10
Tracking Flags:
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gwagner, Assigned: Waldo)

References

Details

(Whiteboard: [sg:critical?][fixed-in-tracemonkey][hardblocker])

A TM trunk debug build of the browser with gczeal enabled crashes during startup: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff6650131 in js::PropertyTable::capacity (this=0xdadadadadadadada) at /home/mozilla/gwagner/zeal/js/src/jsscope.h:249 249 uint32 capacity() const { return JS_BIT(JS_DHASH_BITS - hashShift); } (gdb) bt #0 0x00007ffff6650131 in js::PropertyTable::capacity (this=0xdadadadadadadada) at /home/mozilla/gwagner/zeal/js/src/jsscope.h:249 #1 0x00007ffff6650166 in js::PropertyTable::needsToGrow (this=0xdadadadadadadada) at /home/mozilla/gwagner/zeal/js/src/jsscope.h:253 #2 0x00007ffff664c891 in js::Shape::getChild (this=0x7fffdd59dbc0, cx=0x7fffdd6d1000, child=..., listp=0x7fffffffbfc0) at /home/mozilla/gwagner/zeal/js/src/jsscope.cpp:474 #3 0x00007ffff66523fa in js::Bindings::add (this=0x7fffffffbfc0, cx=0x7fffdd6d1000, name=0x7fffdd243400, kind=js::ARGUMENT) at /home/mozilla/gwagner/zeal/js/src/jsscript.cpp:158 #4 0x00007ffff6519fa9 in js::Bindings::addArgument (this=0x7fffffffbfc0, cx=0x7fffdd6d1000, name=0x7fffdd243400, slotp=0x7fffffffc01e) at /home/mozilla/gwagner/zeal/js/src/jsscript.h:247 #5 0x00007ffff6512c71 in JS_CompileUCFunctionForPrincipals (cx=0x7fffdd6d1000, obj=0x0, principals=0x7fffe6a65d38, name=0x7fffffffc320 "openPopup", nargs=7, argnames=0x7fffdd8c18c0, chars=0x7fffdd8b9400, length=295, filename=0x7fffffffc2c0 "chrome://global/content/bindings/popup.xml", lineno=41) at /home/mozilla/gwagner/zeal/js/src/jsapi.cpp:4747 #6 0x00007ffff65129be in JS_CompileUCFunctionForPrincipalsVersion (cx=0x7fffdd6d1000, obj=0x0, principals=0x7fffe6a65d38, name=0x7fffffffc320 "openPopup", nargs=7, argnames=0x7fffdd8c18c0, chars=0x7fffdd8b9400, length=295, filename=0x7fffffffc2c0 "chrome://global/content/bindings/popup.xml", lineno=41, version=JSVERSION_ECMA_5) at /home/mozilla/gwagner/zeal/js/src/jsapi.cpp:4703 #7 0x00007ffff5458b80 in nsJSContext::CompileFunction (this=0x7fffdd598e60, aTarget=0x7fffdd240630, aName=..., aArgCount=7, aArgArray=0x7fffdd8c18c0, aBody=..., aURL=0x7fffffffc2c0 "chrome://global/content/bindings/popup.xml", aLineNo=41, aVersion=185, aShared=1, aFunctionObject=0x7fffffffc268) at /home/mozilla/gwagner/zeal/dom/base/nsJSEnvironment.cpp:2094 #8 0x00007ffff53f8fb2 in nsXBLProtoImplMethod::CompileMember (this=0x7fffdd6baa00, aContext=0x7fffdd598e60, aClassStr=..., aClassObject=0x7fffdd240630) at /home/mozilla/gwagner/zeal/content/xbl/src/nsXBLProtoImplMethod.cpp:247 #9 0x00007ffff53fa98b in nsXBLProtoImpl::CompilePrototypeMembers (this=0x7fffdd5a19c0, aBinding=0x7fffdd7fca00) at /home/mozilla/gwagner/zeal/content/xbl/src/nsXBLProtoImpl.cpp:190 #10 0x00007ffff53fa563 in nsXBLProtoImpl::InitTargetObjects (this=0x7fffdd5a19c0, aBinding=0x7fffdd7fca00, aContext=0x7fffe3218b80, aBoundElement=0x7fffdd7fc800, aScriptObjectHolder=0x7fffffffc530, aTargetClassObject=0x7fffffffc528) at /home/mozilla/gwagner/zeal/content/xbl/src/nsXBLProtoImpl.cpp:111 #11 0x00007ffff53fa345 in nsXBLProtoImpl::InstallImplementation (this=0x7fffdd5a19c0, aBinding=0x7fffdd7fca00, aBoundElement=0x7fffdd7fc800) at /home/mozilla/gwagner/zeal/content/xbl/src/nsXBLProtoImpl.cpp:79 #12 0x00007ffff53e9db2 in nsXBLPrototypeBinding::InstallImplementation (this=0x7fffdd7fca00, aBoundElement=0x7fffdd7fc800) at /home/mozilla/gwagner/zeal/content/xbl/src/nsXBLPrototypeBinding.cpp:539 #13 0x00007ffff53e51ad in nsXBLBinding::InstallImplementation (this=0x7fffdd8c1640) at /home/mozilla/gwagner/zeal/content/xbl/src/nsXBLBinding.cpp:940 #14 0x00007ffff53e510a in nsXBLBinding::InstallImplementation (this=0x7fffdd8c1680) at /home/mozilla/gwagner/zeal/content/xbl/src/nsXBLBinding.cpp:934 #15 0x00007ffff540506a in nsXBLService::LoadBindings (this=0x7fffe3449be0, aContent=0x7fffdd7fc800, aURL=0x7fffe4d8b400, aOriginPrincipal=0x7fffe6a65d30, aAugmentFlag=0, aBinding=0x7fffdd5a5b50, aResolveStyle=0x7fffffffc96c) at /home/mozilla/gwagner/zeal/content/xbl/src/nsXBLService.cpp:647 #16 0x00007ffff4d51cb5 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal (this=0x7fffdff27400, aState=...,
This is me.
Assignee: general → jwalden+bmo
http://hg.mozilla.org/tracemonkey/rev/6ef4c13f0941 I suppose technically this is security-sensitive, but it's only from a fix around January 1, so I'll keep it closed until b10, I guess.
Group: core-security
Status: NEW → ASSIGNED
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [sg:critical?][fixed-in-tracemonkey]
Target Milestone: --- → mozilla2.0b10
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
blocking2.0: --- → final+
Whiteboard: [sg:critical?][fixed-in-tracemonkey] → [sg:critical?][fixed-in-tracemonkey][hardblocker]
Summary: Crash at PropertyTable::capacity → Crash at js::PropertyTable::capacity
http://hg.mozilla.org/mozilla-central/rev/6ef4c13f0941
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Summary: Crash at js::PropertyTable::capacity → Crash [@ js::PropertyTable::capacity]
Group: core-security
You need to log in before you can comment on or make changes to this bug.