The default bug view has changed. See this FAQ.

SEGV in [@ JS_GetFunctionObject] on submission from Bugzilla Helper. & M08 [@ JS_GetPrivate]

VERIFIED DUPLICATE of bug 31847

Status

()

Core
Security
--
critical
VERIFIED DUPLICATE of bug 31847
16 years ago
6 years ago

People

(Reporter: Deven Corzine, Assigned: brendan)

Tracking

({crash, dataloss, topcrash})

Trunk
mozilla0.9
crash, dataloss, topcrash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17 i686)
BuildID:    2001022705/2001022711

[I had to fall back to Netscape 4.76 to submit this bug report!]

Several times in a row now, I've attempted to submit new bug reports using the
Bugzilla Helper page, and each time, the browser has crashed with a SEGV after
clicking on the "Open Bugzilla Entry Form" button.

Reproducible: Always
Steps to Reproduce:
1. Fill out a bug report in Bugzilla Helper.
2. Attempt to open the Bugzilla Entry form to submit the bug report.


Actual Results:  The browser crashes with a SEGV.

Expected Results:  The entry form should come up.

On the most recent occasion, I ran under "./mozilla -g" to capture a backtrace
of the crash, which follows:

Program received signal SIGSEGV, Segmentation fault.
0x4010fd0a in JS_GetFunctionObject () from
/home/deven/mozilla-2001022705/libmozjs.so
(gdb) bt
#0  0x4010fd0a in JS_GetFunctionObject () from
/home/deven/mozilla-2001022705/libmozjs.so
#1  0x40d906fb in NSGetModule () from
/home/deven/mozilla-2001022705/components/libcaps.so
#2  0x40d8f84b in NSGetModule () from
/home/deven/mozilla-2001022705/components/libcaps.so
#3  0x403a4ecc in nsJSContext::CallEventHandler () from
/home/deven/mozilla-2001022705/libjsdom.so
#4  0x403da636 in nsJSDOMEventListener::HandleEvent () from
/home/deven/mozilla-2001022705/libjsdom.so
#5  0x4099abd0 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#6  0x4099bdcc in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#7  0x403b2e89 in GlobalWindowImpl::HandleDOMEvent () from
/home/deven/mozilla-2001022705/libjsdom.so
#8  0x40add70c in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#9  0x408ee010 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libdocshell.so
#10 0x408f57f6 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libdocshell.so
#11 0x408ede33 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libdocshell.so
#12 0x408f5731 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libdocshell.so
#13 0x4091045b in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#14 0x4090f83a in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#15 0x4090f712 in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#16 0x4090f733 in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#17 0x4090f573 in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#18 0x4082e8f7 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libnecko.so
#19 0x4082fcc1 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libnecko.so
#20 0x40825838 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libnecko.so
#21 0x4082568c in NSGetModule () from
/home/deven/mozilla-2001022705/components/libnecko.so
#22 0x400bd633 in PL_HandleEvent () from
/home/deven/mozilla-2001022705/libxpcom.so
#23 0x400bd556 in PL_ProcessPendingEvents () from
/home/deven/mozilla-2001022705/libxpcom.so
#24 0x400be319 in nsEventQueueImpl::ProcessPendingEvents () from
/home/deven/mozilla-2001022705/libxpcom.so
#25 0x40480dcf in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#26 0x40480b8d in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#27 0x40628bf0 in g_io_add_watch () from /usr/lib/libglib-1.2.so.0
#28 0x4062a2b9 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#29 0x4062a8c3 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#30 0x4062a975 in g_main_iteration () from /usr/lib/libglib-1.2.so.0
#31 0x4048132c in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#32 0x4035998f in inflate_mask () from
/home/deven/mozilla-2001022705/components/libnsappshell.so
#33 0x4035916a in inflate_mask () from
/home/deven/mozilla-2001022705/components/libnsappshell.so
#34 0x4035506c in inflate_mask () from
/home/deven/mozilla-2001022705/components/libnsappshell.so
#35 0x407e7ee3 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libembedcomponents.so
#36 0x403ba688 in GlobalWindowImpl::OpenInternal () from
/home/deven/mozilla-2001022705/libjsdom.so
#37 0x403b80d5 in GlobalWindowImpl::Open () from
/home/deven/mozilla-2001022705/libjsdom.so
#38 0x403ad450 in NS_CreateScriptContext () from
/home/deven/mozilla-2001022705/libjsdom.so
#39 0x4012b9e5 in js_Invoke () from /home/deven/mozilla-2001022705/libmozjs.so
#40 0x40132dd5 in js_Interpret () from
/home/deven/mozilla-2001022705/libmozjs.so
#41 0x4012ba30 in js_Invoke () from /home/deven/mozilla-2001022705/libmozjs.so
#42 0x4012bc2c in js_InternalInvoke () from
/home/deven/mozilla-2001022705/libmozjs.so
#43 0x40110a7f in JS_CallFunctionValue () from
/home/deven/mozilla-2001022705/libmozjs.so
#44 0x403a4ef0 in nsJSContext::CallEventHandler () from
/home/deven/mozilla-2001022705/libjsdom.so
#45 0x403da2a6 in nsJSEventListener::HandleEvent () from
/home/deven/mozilla-2001022705/libjsdom.so
#46 0x4099abd0 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#47 0x4099b19c in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#48 0x40aedcd5 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#49 0x409d886f in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#50 0x40e2821f in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgklayout.so
#51 0x40e28160 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgklayout.so
#52 0x409a1c63 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#53 0x409a0507 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#54 0x40e282f7 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgklayout.so
#55 0x40e280e2 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgklayout.so
#56 0x40f46969 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#57 0x40f4690e in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#58 0x40f4690e in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#59 0x40f5593e in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#60 0x40f4634d in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#61 0x4048e03a in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#62 0x4048df65 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#63 0x4048e0c0 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#64 0x4048ed0f in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#65 0x404926ff in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#66 0x40488f67 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#67 0x40488d5e in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#68 0x405fd027 in gdk_wm_protocols_filter () from /usr/lib/libgdk-1.2.so.0
#69 0x4062a2b9 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#70 0x4062a8c3 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#71 0x4062aa5c in g_main_run () from /usr/lib/libglib-1.2.so.0
#72 0x4054f457 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#73 0x404812bc in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#74 0x4035b57a in inflate_mask () from
/home/deven/mozilla-2001022705/components/libnsappshell.so
#75 0x804dfe5 in JS_PushArguments ()
#76 0x804e845 in JS_PushArguments ()
#77 0x40244a42 in __libc_start_main () from /lib/libc.so.6
(gdb)
(Reporter)

Comment 1

16 years ago
This may not always be reproducible.  I just tried a minimal bug report (just
enough to pass the pre-submission tests) and the entry form DID come up without
crashing.  I had 2-3 crashes in a row that were real bug reports, which have now
been lost.  (I'll have to attempt to file those lost reports again with NN4.)
(Reporter)

Updated

16 years ago
Keywords: crash, dataloss

Comment 2

16 years ago
I'm guessing at a common theme here: Security is checking to see if a page 
calling a function has the right to do so. This can be triggered by an
event, as we see in the call stack reported above. Note that the stack
frames pass through libcaps.so just before we crash - 


I took a quick look through TalkBack reports with JS_GetFunctionObject 
as the signature. For example, here is one for NN6.5 from 2001-02-27:

http://cyclone/reports/incidenttemplate.CFM?reportID=124&style=0&tc=92&cp=1&ck1=
SStack+crawl+signature&cd1=%25JS%5FGetFunctionObject%25&co1=like&bbid=27029787

Incident ID: 27029787
Trigger Type: Program Crash 
Trigger Reason: Access violation 
Call Stack: (Signature = JS_GetFunctionObject f98b67ef) 


JS_GetFunctionObject   [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3450]
nsScriptSecurityManager::GetFunctionObjectPrincipal   
[d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 906]
nsScriptSecurityManager::CheckFunctionAccess 
[d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 614]
nsJSContext::CallEventHandler  
[d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 936]
nsJSDOMEventListener::HandleEvent   
[d:\builds\seamonkey\mozilla\dom\src\events\nsJSDOMEventListener.cpp, line 92]
nsEventListenerManager::HandleEventSubType   
[d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 
839]
nsEventListenerManager::HandleEvent  
[d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 
1422]
GlobalWindowImpl::HandleDOMEvent  
[d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 575]
DocumentViewerImpl::LoadComplete   
[d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 717]
nsDocShell::EndPageLoad     
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2656]
nsWebShell::EndPageLoad    
[d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 992]
nsDocShell::OnStateChange   
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2574]
nsWebShell::OnStateChange   
[d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 954]
nsDocLoaderImpl::FireOnStateChange   
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 1309]
nsDocLoaderImpl::doStopDocumentLoad   
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 736]     
nsDocLoaderImpl::DocLoaderIsEmpty  
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 632]
nsDocLoaderImpl::OnStopRequest  
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 564]

                     etc. 
                     etc. 
Assignee: rogerl → mstoltz
Status: UNCONFIRMED → NEW
Component: Javascript Engine → Security: General
Ever confirmed: true
QA Contact: pschwartau → ckritzer

Comment 3

16 years ago
Mitch explained this possibility to me, and he will take a look at it. 
Also cc'ing Brendan, in case he feels a JS Engine issue may be involved - 

Comment 4

16 years ago
Just found out from jpatel that this is currently our #1 topcrasher:


Crash Analysis from Seamonkey Trunk builds since 2001021800

Look here for bugs ready filed on these crashes:
  http://bugzilla.mozilla.org/buglist.cgi?keywords=topcrash&order=bugs.bug_id

Look here for Details crash data as web page
 http://www.mozilla.org/projects/seamonkey/reports/ns6analysis.html


 Total blackboxes in this sample:     1010
 Total unique users:      352
 MTBF For these builds is estimated at 2.983113 hours,
 based on 974 reports and 2905.552222 hours of user testing
 from testers that have crashed and reported problems.
  (dev. builds tend to have low MTBF)


 Top crashes 
 Count - Area
  68 JS_GetFunctionObject
  48 nsCacheManager::NoteDormant
  40 libmozjs.so
  32 JS_GetPrivate
  31 nsNNTPProtocol::SendFirstNNTPCommand
  29 nsTableFrame::GetFrameAtOrBefore
  28 MSVCRT.DLL
  25 xpcom.dll
  24 free
  23 js_EmitTree
  21 nsVoidArray::RemoveElement
  19 msgcompo.dll
  17 nsQueryInterface::operator
  15 libxpcom.so
  15 il_flush_image_data
  15 gkhtml.dll
  14 nsCOMPtr_base::assign_with_AddRef
  13 0x00000000
  12 nsHTTPChannel::GetSecurityInfo
  11 morkRowObject::CloseRowObject
  10 ImageConsumer::OnDataAvailable
  10 0xbc0c306f
   9 nsCachedNetData::Release
   9 nsCacheManager::LimitDiskCacheSize
   9 libnecko.so
   9 libc.so.6
   9 GKLAYOUT.DLL
   8 nsHeaderEntry::nsHeaderEntry
   8 FindConstructor
   7 ntdll.dll
   7 nsGenericElement::GetBindingParent
   7 nsCOMPtr_base::~nsCOMPtr_base
   7 libpthread.so.0
   7 libgklayout.so
   7 js_MarkGCThing
   7 js_AllocGCThing
   7 gc_find_flags
   6 nsMsgKeySet::AddRange
   6 nsCSSFrameConstructor::CantRenderReplacedElement
   6 libmsgnews.so
(Assignee)

Comment 5

16 years ago
Could this be a dup of joki's bug 31847?  What's the source that adds the event
listener or sets the event handler that's firing?

/be

Comment 6

16 years ago
Doubt it's a dup of 31847. Looks more like recent regression.
On linux 2001022721 i crash each time i double-click a link in sidebar history.

Comment 7

16 years ago
Created attachment 26417 [details]
backtrace from trunk SEA 2001022721
(Assignee)

Comment 8

16 years ago
I mean by dup of 31847 that this bug is another manifestation of the underlying
failure to root the event handler.  It may be a new symptom; it may be exposed
due to some more recent change that acted as an "agent cause", but the root
cause is likely to be the same as the one reported in bug 31847.

/be

Comment 9

16 years ago
Seeing this on Windows 98/2000 as well Heres the info:

Steps to reproduce:
1) Close and restart Mozilla (important wont work otherwise)
2) go to www.tweakers.net
3) Click a link under the "Tech Forums" section

JS_GetFunctionObject   [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3450]
nsScriptSecurityManager::GetFunctionObjectPrincipal
[d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 906]   
     nsScriptSecurityManager::CheckFunctionAccess  
[d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 614]   
     nsJSContext::CallEventHandler  
[d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 936]       
 nsJSDOMEventListener::HandleEvent  
[d:\builds\seamonkey\mozilla\dom\src\events\nsJSDOMEventListener.cpp, line 92] 
       nsEventListenerManager::HandleEventSubType  
[d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line
839]         nsEventListenerManager::HandleEvent  
[d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line
1422]         GlobalWindowImpl::HandleDOMEvent  
[d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 575]        
DocumentViewerImpl::LoadComplete  
[d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 717]  
      nsDocShell::EndPageLoad  
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2655]        
nsWebShell::EndPageLoad  
[d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 992]        
nsDocShell::OnStateChange  
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2573]        
nsWebShell::OnStateChange  
[d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 954]        
nsDocLoaderImpl::FireOnStateChange  
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 1309]        
nsDocLoaderImpl::doStopDocumentLoad  
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 736]        
0x01409010             nsDocLoaderImpl::DocLoaderIsEmpty  
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 637]        
nsDocLoaderImpl::OnStopRequest  
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 564]        
nsLoadGroup::RemoveRequest  
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsLoadGroup.cpp, line 525]       
 nsStreamIOChannel::OnStopRequest  
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsInputStreamChannel.cpp, line
476]         nsOnStopRequestEvent::HandleEvent  
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamObserverProxy.cpp, line
179]         nsStreamObserverEvent::HandlePLEvent  
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamObserverProxy.cpp, line
79]         PL_HandleEvent  
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 577]        
_md_EventReceiverProc   [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c,
line 1055]         0x778b0c24    
Keywords: topcrash
OS: Linux → All
Hardware: PC → All

Comment 10

16 years ago
*** Bug 70527 has been marked as a duplicate of this bug. ***
*** Bug 70781 has been marked as a duplicate of this bug. ***
Brendan, could I get your help in debugging this? Seems to be happening a lot,
but most often through caps. Is there a bad call in caps that's causing this, or
do you think it's a problem in the engine?
(Assignee)

Comment 13

16 years ago
I keep pointing to bug 31847, and I mean it.  This is not an engine bug.  It's
not a bug in mstoltz's code on the stack just below JS_GetFunctionObject, I bet.
It very likely arose due to a source code change in the XUL/JS that define and
add the handler, which would be implicated deeper on the stack.

The latest stack shows an onload handler being fired, I think.  What is the URI
of the document loaded in that docshell?  What is its onload handler or load
event listener?

/be
Despite the fact that this is out top crasher, I can't seem to reproduce it on
either Windows or Linux in this morning's build. Any clue as to what I'm
missing? Does it only happen in optimized builds, or only with certain skins?
Let's try to narrow down the conditions under which this crash occurs.
Status: NEW → ASSIGNED

Comment 15

16 years ago
I can repro this consistently with the steps at bug 71092 (if that's a
duplicate).  Just hit Ctrl N about 5 times pretty quickly and it should crash
for you
*** Bug 71092 has been marked as a duplicate of this bug. ***

Comment 17

16 years ago
This is also a topcrash for milestone .8.  Adding M08 and [@
JS_GetFunctionObject] [@ JS_GetPrivate] in summary for tracking. This is
currently the #3 crasher on the Trunk.  Here are some user comments and urls to
help find a reproducible test case:

26879486)
Comments: opened a new window and at the same time as window loaded I tried to
click the throbber icon (to go to mozilla.org)
     (26879498)	Comments: Opened a new window while closing another window
     (26880232)	Comments: clicked in history panel to open a new window
     (26919013)	URL: http://www.bonsai.com/ (26919013)	Comments: When I applied a new them (Blue to
Modern) I tried to open a new window because the current one doesn't work. File
Menu didn't work so I went  to about: and right clicked on Open In A New Window
when on the Mozilla 0.9 link. Somehow triggered a crash onceJS_GetFunctionObject
d0eadcdc
     (26934710)	URL: www.openoffice.org (26934981)	URL: www.boursorama.com (26934981)	Comments: Opening many new
links in new windows.
     (26949424)	Comments: i opened a lot of windows
     (26960863)	Comments: right-clicked on a link and picked "Open Link in new Window" then
I crashed upon opening of the new window.
     (26967127)	URL: www.donationjunction.com/www.ecologyfund.com/{some other site}
     (26987043)	URL: http://www.radonlabs.de (26987043)	Comments: Clicked on a thumbnail image.
     (26989949)	URL: http://www.mozillazine.org/build_comments/ (26990002)	URL:
http://www.mozillazine.org/build_comments/ (26990011)	URL:
http://www.mozillazine.org/build_comments/ (27009385)	Comments: After NS6 shutdown I got an
illegal operation crash.  Restart gives the same dialog.
     (27015731)	URL: http://www.slashdot.org (27015731)	Comments: Launching a link in a new window from
a Slashdot post
     (27043708)	URL: http://slahshdot.org/ (27043708)	Comments: Tried to open my profile on another
window. There was a ftp download from going on in the background.
     (27050591)	URL: http://astrology.yahoo.com/us/astrology/today/capricorntechscope.html (27065802)
URL: http://www.slashdot.org (27065802)	Comments: Launching a new browser window using Ctrl-N
     (27072376)	Comments: mail + web sites
     (27077741)	URL: http://www.anandtech.com (27077741)	Comments: Clicking a link to open a new window
     (27085520)	URL: http://www.afterforever.com (27085520)	Comments: Checking out the photogallery on
afterforever.com
     (27085932)	Comments: Opened a new browser window while checking email
     (27119609)	Comments: Tried to open a new Browser Window
     (27128818)	Comments: open new browser window from mail compose
     (27130285)	Comments: i was searching on google
     (27144729)	Comments: Opening the cygnus build tools for windows in a new window.  Also
downloading the source code for mozilla
     (27154579)	URL: www.flashpoint1985.com (27156159)	URL: http://www.brw.com.au/stories/20010223/8932.asp
(27157533)	URL: www.kurier.at (27157533)	Comments: when clicking on the "Printausgabe" link mozilla crashed
     (27157998)	URL: http://www.mozilla.org/quality/help/bugzilla-helper.html (27171277)	URL:
www.python.org/...
     (27171277)	Comments: start up
     (27176879)	Comments: Attempting to open a blank web page from the toolbar at the bottom
of the mail window.  No web page was open.
     (27185372)	URL: http://www.google.com (27191898)	URL: http://www.google.com (27197635)	URL:
http://commerce.us.dell.com/dellstore/config.asp?customer_id=04&keycode=6W473&order_code=891224u
(27210180)
Comments: Opening a few links in a new window without waiting for them to really
open.
     (27214553)	URL: http://bugzilla.mozilla.org/show_bug.cgi?id=70572 (27224964)	Comments: Programming
the chrome. I was loading a new navigator window with xul cache off.
     (27251227)	URL: www.thelandminesite.com (27255091)	URL: www.cyberpresse.ca (27255091)	Comments: Opening a link
in a new window; about four windows were already opened. Link was to same site.
     (27256756)	URL: www.cyberpresse.ca (27267059)	Comments: Crash on program exit
Summary: SEGV in JS_GetFunctionObject() on submission from Bugzilla Helper. → SEGV in [@ JS_GetFunctionObject] on submission from Bugzilla Helper. & M08 [@ JS_GetPrivate]

Comment 18

16 years ago
*** Bug 71254 has been marked as a duplicate of this bug. ***
Brendan, this doesn't look like a dup of 31877 to me. 31847 is crashing in
js_LockScope1, and this one's crashing in js_GetFunctionObject. Do you still
think they have the same cause?
(Assignee)

Comment 20

16 years ago
Never judge a crash by the victim frame at the top of the stack.

Yes, I still think this is a dup of 31847, which can crash the JS engine in many
places, by passing in a dead (garbage-collected, possibly even recycled as
another JS gc-thing, or even via the malloc heap) function object.

/be
Created attachment 27216 [details] [diff] [review]
Brendan's patch - stops the crash but may leak
Giving the JSDOMEventListener a strong (rooted) reference to the event handler
function object stops the crash from happening, but it might leak.
Reassigning to Brendan.
Assignee: mstoltz → brendan
Status: ASSIGNED → NEW
Setting milestone to Moz0.9.
Target Milestone: --- → mozilla0.9
(Assignee)

Comment 25

16 years ago
So this is a dup of 31847.  I'll attach a revised patch there and leave it to
joki to bless it and check it in.

/be

*** This bug has been marked as a duplicate of 31847 ***
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE

Comment 26

16 years ago
Verified Duplicate - 
Status: RESOLVED → VERIFIED

Comment 27

16 years ago
*** Bug 71502 has been marked as a duplicate of this bug. ***
Crash Signature: [@ JS_GetFunctionObject] [@ JS_GetPrivate]
You need to log in before you can comment on or make changes to this bug.