Bug 70361 - SEGV in [@ JS_GetFunctionObject] on submission from Bugzilla Helper. & M08 [@ JS_GetPrivate]

Status: VERIFIED DUPLICATE of bug 31847
Keywords: crash, dataloss, topcrash
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform/OS: All / All
Importance: -- critical
Target Milestone: mozilla0.9
Assigned To: Brendan Eich [:brendan]
QA Contact: ckritzer (gone)
Triage Owner: David Keeler [:keeler]
URL: http://www.mozilla.org/quality/help/b...
Duplicates: 70527 70781 71092 71254 71502
Reported: 2001-02-27 13:28 PST by Deven Corzine
Modified: 2011-08-05 21:32 PDT
CC: 5 users

Attachments
backtrace from trunk SEA 2001022721 (3.52 KB, text/plain) - 2001-02-28 11:21 PST, R.K.Aa.
Brendan's patch - stops the crash but may leak (764 bytes, patch) - 2001-03-08 17:57 PST, Mitchell Stoltz (not reading bugmail)

Description Deven Corzine 2001-02-27 13:28:38 PST
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17 i686)
BuildID:    2001022705/2001022711

[I had to fall back to Netscape 4.76 to submit this bug report!]

Several times in a row now, I've attempted to submit new bug reports using the
Bugzilla Helper page, and each time, the browser has crashed with a SEGV after
clicking on the "Open Bugzilla Entry Form" button.

Reproducible: Always
Steps to Reproduce:
1. Fill out a bug report in Bugzilla Helper.
2. Attempt to open the Bugzilla Entry form to submit the bug report.


Actual Results:  The browser crashes with a SEGV.

Expected Results:  The entry form should come up.

On the most recent occasion, I ran under "./mozilla -g" to capture a backtrace
of the crash, which follows:

Program received signal SIGSEGV, Segmentation fault.
0x4010fd0a in JS_GetFunctionObject () from
/home/deven/mozilla-2001022705/libmozjs.so
(gdb) bt
#0  0x4010fd0a in JS_GetFunctionObject () from
/home/deven/mozilla-2001022705/libmozjs.so
#1  0x40d906fb in NSGetModule () from
/home/deven/mozilla-2001022705/components/libcaps.so
#2  0x40d8f84b in NSGetModule () from
/home/deven/mozilla-2001022705/components/libcaps.so
#3  0x403a4ecc in nsJSContext::CallEventHandler () from
/home/deven/mozilla-2001022705/libjsdom.so
#4  0x403da636 in nsJSDOMEventListener::HandleEvent () from
/home/deven/mozilla-2001022705/libjsdom.so
#5  0x4099abd0 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#6  0x4099bdcc in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#7  0x403b2e89 in GlobalWindowImpl::HandleDOMEvent () from
/home/deven/mozilla-2001022705/libjsdom.so
#8  0x40add70c in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#9  0x408ee010 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libdocshell.so
#10 0x408f57f6 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libdocshell.so
#11 0x408ede33 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libdocshell.so
#12 0x408f5731 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libdocshell.so
#13 0x4091045b in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#14 0x4090f83a in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#15 0x4090f712 in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#16 0x4090f733 in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#17 0x4090f573 in NSGetModule () from
/home/deven/mozilla-2001022705/components/liburiloader.so
#18 0x4082e8f7 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libnecko.so
#19 0x4082fcc1 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libnecko.so
#20 0x40825838 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libnecko.so
#21 0x4082568c in NSGetModule () from
/home/deven/mozilla-2001022705/components/libnecko.so
#22 0x400bd633 in PL_HandleEvent () from
/home/deven/mozilla-2001022705/libxpcom.so
#23 0x400bd556 in PL_ProcessPendingEvents () from
/home/deven/mozilla-2001022705/libxpcom.so
#24 0x400be319 in nsEventQueueImpl::ProcessPendingEvents () from
/home/deven/mozilla-2001022705/libxpcom.so
#25 0x40480dcf in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#26 0x40480b8d in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#27 0x40628bf0 in g_io_add_watch () from /usr/lib/libglib-1.2.so.0
#28 0x4062a2b9 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#29 0x4062a8c3 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#30 0x4062a975 in g_main_iteration () from /usr/lib/libglib-1.2.so.0
#31 0x4048132c in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#32 0x4035998f in inflate_mask () from
/home/deven/mozilla-2001022705/components/libnsappshell.so
#33 0x4035916a in inflate_mask () from
/home/deven/mozilla-2001022705/components/libnsappshell.so
#34 0x4035506c in inflate_mask () from
/home/deven/mozilla-2001022705/components/libnsappshell.so
#35 0x407e7ee3 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libembedcomponents.so
#36 0x403ba688 in GlobalWindowImpl::OpenInternal () from
/home/deven/mozilla-2001022705/libjsdom.so
#37 0x403b80d5 in GlobalWindowImpl::Open () from
/home/deven/mozilla-2001022705/libjsdom.so
#38 0x403ad450 in NS_CreateScriptContext () from
/home/deven/mozilla-2001022705/libjsdom.so
#39 0x4012b9e5 in js_Invoke () from /home/deven/mozilla-2001022705/libmozjs.so
#40 0x40132dd5 in js_Interpret () from
/home/deven/mozilla-2001022705/libmozjs.so
#41 0x4012ba30 in js_Invoke () from /home/deven/mozilla-2001022705/libmozjs.so
#42 0x4012bc2c in js_InternalInvoke () from
/home/deven/mozilla-2001022705/libmozjs.so
#43 0x40110a7f in JS_CallFunctionValue () from
/home/deven/mozilla-2001022705/libmozjs.so
#44 0x403a4ef0 in nsJSContext::CallEventHandler () from
/home/deven/mozilla-2001022705/libjsdom.so
#45 0x403da2a6 in nsJSEventListener::HandleEvent () from
/home/deven/mozilla-2001022705/libjsdom.so
#46 0x4099abd0 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#47 0x4099b19c in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#48 0x40aedcd5 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#49 0x409d886f in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#50 0x40e2821f in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgklayout.so
#51 0x40e28160 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgklayout.so
#52 0x409a1c63 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#53 0x409a0507 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkcontent.so
#54 0x40e282f7 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgklayout.so
#55 0x40e280e2 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgklayout.so
#56 0x40f46969 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#57 0x40f4690e in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#58 0x40f4690e in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#59 0x40f5593e in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#60 0x40f4634d in NSGetModule () from
/home/deven/mozilla-2001022705/components/libgkview.so
#61 0x4048e03a in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#62 0x4048df65 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#63 0x4048e0c0 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#64 0x4048ed0f in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#65 0x404926ff in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#66 0x40488f67 in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#67 0x40488d5e in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#68 0x405fd027 in gdk_wm_protocols_filter () from /usr/lib/libgdk-1.2.so.0
#69 0x4062a2b9 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#70 0x4062a8c3 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#71 0x4062aa5c in g_main_run () from /usr/lib/libglib-1.2.so.0
#72 0x4054f457 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#73 0x404812bc in NSGetModule () from
/home/deven/mozilla-2001022705/components/libwidget_gtk.so
#74 0x4035b57a in inflate_mask () from
/home/deven/mozilla-2001022705/components/libnsappshell.so
#75 0x804dfe5 in JS_PushArguments ()
#76 0x804e845 in JS_PushArguments ()
#77 0x40244a42 in __libc_start_main () from /lib/libc.so.6
(gdb)
Comment 1 Deven Corzine 2001-02-27 13:33:17 PST
This may not always be reproducible.  I just tried a minimal bug report (just
enough to pass the pre-submission tests) and the entry form DID come up without
crashing.  I had 2-3 crashes in a row that were real bug reports, which have now
been lost.  (I'll have to attempt to file those lost reports again with NN4.)
Comment 2 Phil Schwartau 2001-02-27 17:46:01 PST
I'm guessing at a common theme here: Security is checking to see if a page 
calling a function has the right to do so. This can be triggered by an
event, as we see in the call stack reported above. Note that the stack
frames pass through libcaps.so just before we crash - 


I took a quick look through TalkBack reports with JS_GetFunctionObject 
as the signature. For example, here is one for NN6.5 from 2001-02-27:

http://cyclone/reports/incidenttemplate.CFM?reportID=124&style=0&tc=92&cp=1&ck1=
SStack+crawl+signature&cd1=%25JS%5FGetFunctionObject%25&co1=like&bbid=27029787

Incident ID: 27029787
Trigger Type: Program Crash 
Trigger Reason: Access violation 
Call Stack: (Signature = JS_GetFunctionObject f98b67ef) 


JS_GetFunctionObject   [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3450]
nsScriptSecurityManager::GetFunctionObjectPrincipal   [d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 906]
nsScriptSecurityManager::CheckFunctionAccess   [d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 614]
nsJSContext::CallEventHandler   [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 936]
nsJSDOMEventListener::HandleEvent   [d:\builds\seamonkey\mozilla\dom\src\events\nsJSDOMEventListener.cpp, line 92]
nsEventListenerManager::HandleEventSubType   [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 839]
nsEventListenerManager::HandleEvent   [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1422]
GlobalWindowImpl::HandleDOMEvent   [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 575]
DocumentViewerImpl::LoadComplete   [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 717]
nsDocShell::EndPageLoad   [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2656]
nsWebShell::EndPageLoad   [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 992]
nsDocShell::OnStateChange   [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2574]
nsWebShell::OnStateChange   [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 954]
nsDocLoaderImpl::FireOnStateChange   [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 1309]
nsDocLoaderImpl::doStopDocumentLoad   [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 736]
nsDocLoaderImpl::DocLoaderIsEmpty   [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 632]
nsDocLoaderImpl::OnStopRequest   [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 564]
etc.
Comment 3 Phil Schwartau 2001-02-27 17:48:07 PST
Mitch explained this possibility to me, and he will take a look at it. 
Also cc'ing Brendan, in case he feels a JS Engine issue may be involved - 
Comment 4 Phil Schwartau 2001-02-27 18:02:30 PST
Just found out from jpatel that this is currently our #1 topcrasher:


Crash Analysis from Seamonkey Trunk builds since 2001021800

Look here for bugs ready filed on these crashes:
  http://bugzilla.mozilla.org/buglist.cgi?keywords=topcrash&order=bugs.bug_id

Look here for Details crash data as web page
 http://www.mozilla.org/projects/seamonkey/reports/ns6analysis.html


 Total blackboxes in this sample:     1010
 Total unique users:      352
 MTBF For these builds is estimated at 2.983113 hours,
 based on 974 reports and 2905.552222 hours of user testing
 from testers that have crashed and reported problems.
  (dev. builds tend to have low MTBF)


 Top crashes 
 Count - Area
  68 JS_GetFunctionObject
  48 nsCacheManager::NoteDormant
  40 libmozjs.so
  32 JS_GetPrivate
  31 nsNNTPProtocol::SendFirstNNTPCommand
  29 nsTableFrame::GetFrameAtOrBefore
  28 MSVCRT.DLL
  25 xpcom.dll
  24 free
  23 js_EmitTree
  21 nsVoidArray::RemoveElement
  19 msgcompo.dll
  17 nsQueryInterface::operator
  15 libxpcom.so
  15 il_flush_image_data
  15 gkhtml.dll
  14 nsCOMPtr_base::assign_with_AddRef
  13 0x00000000
  12 nsHTTPChannel::GetSecurityInfo
  11 morkRowObject::CloseRowObject
  10 ImageConsumer::OnDataAvailable
  10 0xbc0c306f
   9 nsCachedNetData::Release
   9 nsCacheManager::LimitDiskCacheSize
   9 libnecko.so
   9 libc.so.6
   9 GKLAYOUT.DLL
   8 nsHeaderEntry::nsHeaderEntry
   8 FindConstructor
   7 ntdll.dll
   7 nsGenericElement::GetBindingParent
   7 nsCOMPtr_base::~nsCOMPtr_base
   7 libpthread.so.0
   7 libgklayout.so
   7 js_MarkGCThing
   7 js_AllocGCThing
   7 gc_find_flags
   6 nsMsgKeySet::AddRange
   6 nsCSSFrameConstructor::CantRenderReplacedElement
   6 libmsgnews.so
Comment 5 Brendan Eich [:brendan] 2001-02-27 18:17:03 PST
Could this be a dup of joki's bug 31847?  What's the source that adds the event
listener or sets the event handler that's firing?

/be
Comment 6 R.K.Aa. 2001-02-28 11:20:45 PST
Doubt it's a dup of 31847. Looks more like a recent regression.
On Linux 2001022721 I crash each time I double-click a link in sidebar history.
Comment 7 R.K.Aa. 2001-02-28 11:21:47 PST
Created attachment 26417 [details]
backtrace from trunk SEA 2001022721
Comment 8 Brendan Eich [:brendan] 2001-02-28 15:33:29 PST
I mean by dup of 31847 that this bug is another manifestation of the underlying
failure to root the event handler.  It may be a new symptom; it may be exposed
due to some more recent change that acted as an "agent cause", but the root
cause is likely to be the same as the one reported in bug 31847.

/be
Comment 9 Keyser Sose 2001-02-28 17:23:07 PST
Seeing this on Windows 98/2000 as well. Here's the info:

Steps to reproduce:
1) Close and restart Mozilla (important, won't work otherwise)
2) go to www.tweakers.net
3) Click a link under the "Tech Forums" section

JS_GetFunctionObject   [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3450]
nsScriptSecurityManager::GetFunctionObjectPrincipal   [d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 906]
nsScriptSecurityManager::CheckFunctionAccess   [d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 614]
nsJSContext::CallEventHandler   [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 936]
nsJSDOMEventListener::HandleEvent   [d:\builds\seamonkey\mozilla\dom\src\events\nsJSDOMEventListener.cpp, line 92]
nsEventListenerManager::HandleEventSubType   [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 839]
nsEventListenerManager::HandleEvent   [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1422]
GlobalWindowImpl::HandleDOMEvent   [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 575]
DocumentViewerImpl::LoadComplete   [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 717]
nsDocShell::EndPageLoad   [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2655]
nsWebShell::EndPageLoad   [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 992]
nsDocShell::OnStateChange   [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2573]
nsWebShell::OnStateChange   [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 954]
nsDocLoaderImpl::FireOnStateChange   [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 1309]
nsDocLoaderImpl::doStopDocumentLoad   [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 736]
0x01409010
nsDocLoaderImpl::DocLoaderIsEmpty   [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 637]
nsDocLoaderImpl::OnStopRequest   [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 564]
nsLoadGroup::RemoveRequest   [d:\builds\seamonkey\mozilla\netwerk\base\src\nsLoadGroup.cpp, line 525]
nsStreamIOChannel::OnStopRequest   [d:\builds\seamonkey\mozilla\netwerk\base\src\nsInputStreamChannel.cpp, line 476]
nsOnStopRequestEvent::HandleEvent   [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamObserverProxy.cpp, line 179]
nsStreamObserverEvent::HandlePLEvent   [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamObserverProxy.cpp, line 79]
PL_HandleEvent   [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 577]
_md_EventReceiverProc   [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1055]
0x778b0c24
Comment 10 Keyser Sose 2001-02-28 17:23:24 PST
*** Bug 70527 has been marked as a duplicate of this bug. ***
Comment 11 Mitchell Stoltz (not reading bugmail) 2001-03-05 12:21:24 PST
*** Bug 70781 has been marked as a duplicate of this bug. ***
Comment 12 Mitchell Stoltz (not reading bugmail) 2001-03-06 12:17:16 PST
Brendan, could I get your help in debugging this? Seems to be happening a lot,
but most often through caps. Is there a bad call in caps that's causing this, or
do you think it's a problem in the engine?
Comment 13 Brendan Eich [:brendan] 2001-03-06 15:21:01 PST
I keep pointing to bug 31847, and I mean it.  This is not an engine bug.  It's
not a bug in mstoltz's code on the stack just below JS_GetFunctionObject, I bet.
It very likely arose due to a source code change in the XUL/JS that define and
add the handler, which would be implicated deeper on the stack.

The latest stack shows an onload handler being fired, I think.  What is the URI
of the document loaded in that docshell?  What is its onload handler or load
event listener?

/be
Comment 14 Mitchell Stoltz (not reading bugmail) 2001-03-06 18:37:37 PST
Despite the fact that this is our top crasher, I can't seem to reproduce it on
either Windows or Linux in this morning's build. Any clue as to what I'm
missing? Does it only happen in optimized builds, or only with certain skins?
Let's try to narrow down the conditions under which this crash occurs.
Comment 15 Asa Dotzler [:asa] 2001-03-06 19:12:47 PST
I can repro this consistently with the steps at bug 71092 (if that's a
duplicate).  Just hit Ctrl N about 5 times pretty quickly and it should crash
for you
Comment 16 Mitchell Stoltz (not reading bugmail) 2001-03-06 19:14:23 PST
*** Bug 71092 has been marked as a duplicate of this bug. ***
Comment 17 Jay Patel [:jay] 2001-03-08 14:13:13 PST
This is also a topcrash for milestone .8.  Adding M08 and [@
JS_GetFunctionObject] [@ JS_GetPrivate] in summary for tracking. This is
currently the #3 crasher on the Trunk.  Here are some user comments and urls to
help find a reproducible test case:

(26879486) Comments: opened a new window and at the same time as window loaded I tried to click the throbber icon (to go to mozilla.org)
(26879498) Comments: Opened a new window while closing another window
(26880232) Comments: clicked in history panel to open a new window
(26919013) URL: http://www.bonsai.com/  Comments: When I applied a new them (Blue to Modern) I tried to open a new window because the current one doesn't work. File Menu didn't work so I went to about: and right clicked on Open In A New Window when on the Mozilla 0.9 link. Somehow triggered a crash once [JS_GetFunctionObject d0eadcdc]
(26934710) URL: www.openoffice.org
(26934981) URL: www.boursorama.com  Comments: Opening many new links in new windows.
(26949424) Comments: i opened a lot of windows
(26960863) Comments: right-clicked on a link and picked "Open Link in new Window" then I crashed upon opening of the new window.
(26967127) URL: www.donationjunction.com/www.ecologyfund.com/{some other site}
(26987043) URL: http://www.radonlabs.de  Comments: Clicked on a thumbnail image.
(26989949) URL: http://www.mozillazine.org/build_comments/
(26990002) URL: http://www.mozillazine.org/build_comments/
(26990011) URL: http://www.mozillazine.org/build_comments/
(27009385) Comments: After NS6 shutdown I got an illegal operation crash. Restart gives the same dialog.
(27015731) URL: http://www.slashdot.org  Comments: Launching a link in a new window from a Slashdot post
(27043708) URL: http://slahshdot.org/  Comments: Tried to open my profile on another window. There was a ftp download from going on in the background.
(27050591) URL: http://astrology.yahoo.com/us/astrology/today/capricorntechscope.html
(27065802) URL: http://www.slashdot.org  Comments: Launching a new browser window using Ctrl-N
(27072376) Comments: mail + web sites
(27077741) URL: http://www.anandtech.com  Comments: Clicking a link to open a new window
(27085520) URL: http://www.afterforever.com  Comments: Checking out the photogallery on afterforever.com
(27085932) Comments: Opened a new browser window while checking email
(27119609) Comments: Tried to open a new Browser Window
(27128818) Comments: open new browser window from mail compose
(27130285) Comments: i was searching on google
(27144729) Comments: Opening the cygnus build tools for windows in a new window. Also downloading the source code for mozilla
(27154579) URL: www.flashpoint1985.com
(27156159) URL: http://www.brw.com.au/stories/20010223/8932.asp
(27157533) URL: www.kurier.at  Comments: when clicking on the "Printausgabe" link mozilla crashed
(27157998) URL: http://www.mozilla.org/quality/help/bugzilla-helper.html
(27171277) URL: www.python.org/...  Comments: start up
(27176879) Comments: Attempting to open a blank web page from the toolbar at the bottom of the mail window. No web page was open.
(27185372) URL: http://www.google.com
(27191898) URL: http://www.google.com
(27197635) URL: http://commerce.us.dell.com/dellstore/config.asp?customer_id=04&keycode=6W473&order_code=891224u
(27210180) Comments: Opening a few links in a new window without waiting for them to really open.
(27214553) URL: http://bugzilla.mozilla.org/show_bug.cgi?id=70572
(27224964) Comments: Programming the chrome. I was loading a new navigator window with xul cache off.
(27251227) URL: www.thelandminesite.com
(27255091) URL: www.cyberpresse.ca  Comments: Opening a link in a new window; about four windows were already opened. Link was to same site.
(27256756) URL: www.cyberpresse.ca
(27267059) Comments: Crash on program exit
Comment 18 Asa Dotzler [:asa] 2001-03-08 16:31:24 PST
*** Bug 71254 has been marked as a duplicate of this bug. ***
Comment 19 Mitchell Stoltz (not reading bugmail) 2001-03-08 17:19:15 PST
Brendan, this doesn't look like a dup of 31847 to me. 31847 is crashing in
js_LockScope1, and this one's crashing in JS_GetFunctionObject. Do you still
think they have the same cause?
Comment 20 Brendan Eich [:brendan] 2001-03-08 17:22:24 PST
Never judge a crash by the victim frame at the top of the stack.

Yes, I still think this is a dup of 31847, which can crash the JS engine in many
places, by passing in a dead (garbage-collected, possibly even recycled as
another JS gc-thing, or even via the malloc heap) function object.

/be
Comment 21 Mitchell Stoltz (not reading bugmail) 2001-03-08 17:57:35 PST
Created attachment 27216 [details] [diff] [review]
Brendan's patch - stops the crash but may leak
Comment 22 Mitchell Stoltz (not reading bugmail) 2001-03-08 17:59:03 PST
Giving the JSDOMEventListener a strong (rooted) reference to the event handler
function object stops the crash from happening, but it might leak.
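The failure mode Brendan describes in comment 20 (a dead, possibly recycled function object handed to the engine) and the rooting fix in comment 22, as an added example in C. This is not Mozilla code and not the patch attached to this bug: it uses a small toy mark-and-sweep heap with hypothetical gc_alloc/gc_add_root/gc_remove_root/gc_collect and listener_* functions in place of the real JSAPI (which exposed JS_AddRoot/JS_RemoveRoot for the same purpose). It shows an unrooted handle going dead and being recycled as a different gc-thing, a rooted handle surviving the collection, and the root being removed when the listener is destroyed so that the fix does not leak.

```c
/* Added example, not Mozilla code and not the patch on this bug: a toy
 * mark-and-sweep heap modelling the bug class in this thread. A C-side
 * event listener keeps a raw pointer to a GC-managed function object; left
 * unrooted, the next collection frees it and the slot is recycled, so the
 * dispatcher hands a non-function to the security check. gc_* and
 * listener_* are hypothetical names, not JSAPI. */
#include <stdio.h>
#include <string.h>

enum kind { KIND_FREE = 0, KIND_FUNCTION, KIND_STRING };
struct gcthing { enum kind kind; int marked; char name[16]; };
#define HEAP_SIZE 4
#define MAX_ROOTS 4
static struct gcthing heap[HEAP_SIZE];
static struct gcthing **roots[MAX_ROOTS];   /* addresses of C-side handles */
static int nroots;

/* Reuse the first free slot, so a dead handle can end up pointing at a
 * different, recycled gc-thing (Brendan's point in comment 20). */
static struct gcthing *gc_alloc(enum kind k, const char *name) {
    for (int i = 0; i < HEAP_SIZE; i++) {
        if (heap[i].kind != KIND_FREE) continue;
        heap[i].kind = k;
        snprintf(heap[i].name, sizeof heap[i].name, "%s", name);
        return &heap[i];
    }
    return NULL;
}
static int gc_add_root(struct gcthing **rp) {
    if (nroots >= MAX_ROOTS) return 0;
    roots[nroots++] = rp;
    return 1;
}
static void gc_remove_root(struct gcthing **rp) {
    for (int i = 0; i < nroots; i++)
        if (roots[i] == rp) { roots[i] = roots[--nroots]; return; }
}

/* Mark from roots, sweep the rest; returns how many things were freed. */
static int gc_collect(void) {
    int freed = 0;
    for (int i = 0; i < HEAP_SIZE; i++) heap[i].marked = 0;
    for (int i = 0; i < nroots; i++)
        if (*roots[i]) (*roots[i])->marked = 1;
    for (int i = 0; i < HEAP_SIZE; i++) {
        if (heap[i].kind == KIND_FREE || heap[i].marked) continue;
        heap[i].kind = KIND_FREE;
        freed++;
    }
    return freed;
}

/* Holds the handler the way the DOM event listener on the stack does. */
struct listener { struct gcthing *handler; int rooted; };
static void listener_init(struct listener *l, struct gcthing *handler, int root_it) {
    l->handler = handler;
    l->rooted = root_it && gc_add_root(&l->handler);
}
/* Dropping the root here is what keeps the fix from leaking (comment 22). */
static void listener_destroy(struct listener *l) {
    if (l->rooted) gc_remove_root(&l->handler);
    l->handler = NULL;
    l->rooted = 0;
}
/* Stand-in for CheckFunctionAccess -> JS_GetFunctionObject: the callee must
 * still be a live function. 1 = safe to dispatch, 0 = dead or recycled. */
static int listener_fire(const struct listener *l) {
    return l->handler != NULL && l->handler->kind == KIND_FUNCTION;
}

/* Listener created, the script's own reference to the handler goes away,
 * GC runs, the page allocates a string, then the event fires. */
static int scenario(int root_it) {
    struct listener l;
    memset(heap, 0, sizeof heap);
    nroots = 0;
    listener_init(&l, gc_alloc(KIND_FUNCTION, "onload"), root_it);
    gc_collect();                      /* only the listener refers to it now */
    gc_alloc(KIND_STRING, "title");    /* takes over the slot if it was freed */
    int ok = listener_fire(&l);
    listener_destroy(&l);
    return ok;
}

/* Leak check: after a rooted listener is destroyed, one collection must free
 * the handler (returns 1); 0 means the root outlived its owner. */
static int freed_after_destroy(void) {
    struct listener l;
    memset(heap, 0, sizeof heap);
    nroots = 0;
    listener_init(&l, gc_alloc(KIND_FUNCTION, "onload"), 1);
    listener_destroy(&l);
    return gc_collect();
}

int main(void) {
    printf("unrooted dispatch safe: %d, rooted dispatch safe: %d, freed after destroy: %d\n",
           scenario(0), scenario(1), freed_after_destroy());
    return 0;
}
```

Build with cc -std=c99 and run. The unrooted scenario returns 0: the listener's handle now points at a string, which is exactly the kind of confusion that surfaces as a crash deep inside the engine rather than in the code that dropped the reference (comment 20's "never judge a crash by the victim frame"). The rooted scenario returns 1, and the leak check returns 1 thing freed once the listener is gone. The same caveat applies to the real fix: a root added when the listener is created has to be removed when it is destroyed, or the handler and whatever it closes over is never collected.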
Comment 23 Mitchell Stoltz (not reading bugmail) 2001-03-08 18:43:35 PST
Reassigning to Brendan.
Comment 24 Mitchell Stoltz (not reading bugmail) 2001-03-08 18:48:26 PST
Setting milestone to Moz0.9.
Comment 25 Brendan Eich [:brendan] 2001-03-08 21:54:38 PST
So this is a dup of 31847.  I'll attach a revised patch there and leave it to
joki to bless it and check it in.

/be

*** This bug has been marked as a duplicate of 31847 ***
Comment 26 Phil Schwartau 2001-03-08 22:47:54 PST
Verified Duplicate - 
Comment 27 Asa Dotzler [:asa] 2001-03-14 16:34:35 PST
*** Bug 71502 has been marked as a duplicate of this bug. ***
