Closed Bug 70361 Opened 24 years ago Closed 24 years ago

SEGV in [@ JS_GetFunctionObject] on submission from Bugzilla Helper. & M08 [@ JS_GetPrivate]

Categories

(Core :: Security, defect)

defect
Not set
critical

Tracking

()

VERIFIED DUPLICATE of bug 31847
mozilla0.9

People

(Reporter: deven, Assigned: brendan)

References

()

Details

(Keywords: crash, dataloss, topcrash)

Crash Data

Attachments

(2 files)

From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17 i686)
BuildID: 2001022705/2001022711

[I had to fall back to Netscape 4.76 to submit this bug report!]

Several times in a row now, I've attempted to submit new bug reports using the Bugzilla Helper page, and each time, the browser has crashed with a SEGV after clicking on the "Open Bugzilla Entry Form" button.

Reproducible: Always

Steps to Reproduce:
1. Fill out a bug report in Bugzilla Helper.
2. Attempt to open the Bugzilla Entry form to submit the bug report.

Actual Results: The browser crashes with a SEGV.

Expected Results: The entry form should come up.

On the most recent occasion, I ran under "./mozilla -g" to capture a backtrace of the crash, which follows:

Program received signal SIGSEGV, Segmentation fault.
0x4010fd0a in JS_GetFunctionObject () from /home/deven/mozilla-2001022705/libmozjs.so
(gdb) bt
#0 0x4010fd0a in JS_GetFunctionObject () from /home/deven/mozilla-2001022705/libmozjs.so
#1 0x40d906fb in NSGetModule () from /home/deven/mozilla-2001022705/components/libcaps.so
#2 0x40d8f84b in NSGetModule () from /home/deven/mozilla-2001022705/components/libcaps.so
#3 0x403a4ecc in nsJSContext::CallEventHandler () from /home/deven/mozilla-2001022705/libjsdom.so
#4 0x403da636 in nsJSDOMEventListener::HandleEvent () from /home/deven/mozilla-2001022705/libjsdom.so
#5 0x4099abd0 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#6 0x4099bdcc in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#7 0x403b2e89 in GlobalWindowImpl::HandleDOMEvent () from /home/deven/mozilla-2001022705/libjsdom.so
#8 0x40add70c in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#9 0x408ee010 in NSGetModule () from /home/deven/mozilla-2001022705/components/libdocshell.so
#10 0x408f57f6 in NSGetModule () from /home/deven/mozilla-2001022705/components/libdocshell.so
#11 0x408ede33 in NSGetModule () from /home/deven/mozilla-2001022705/components/libdocshell.so
#12 0x408f5731 in NSGetModule () from /home/deven/mozilla-2001022705/components/libdocshell.so
#13 0x4091045b in NSGetModule () from /home/deven/mozilla-2001022705/components/liburiloader.so
#14 0x4090f83a in NSGetModule () from /home/deven/mozilla-2001022705/components/liburiloader.so
#15 0x4090f712 in NSGetModule () from /home/deven/mozilla-2001022705/components/liburiloader.so
#16 0x4090f733 in NSGetModule () from /home/deven/mozilla-2001022705/components/liburiloader.so
#17 0x4090f573 in NSGetModule () from /home/deven/mozilla-2001022705/components/liburiloader.so
#18 0x4082e8f7 in NSGetModule () from /home/deven/mozilla-2001022705/components/libnecko.so
#19 0x4082fcc1 in NSGetModule () from /home/deven/mozilla-2001022705/components/libnecko.so
#20 0x40825838 in NSGetModule () from /home/deven/mozilla-2001022705/components/libnecko.so
#21 0x4082568c in NSGetModule () from /home/deven/mozilla-2001022705/components/libnecko.so
#22 0x400bd633 in PL_HandleEvent () from /home/deven/mozilla-2001022705/libxpcom.so
#23 0x400bd556 in PL_ProcessPendingEvents () from /home/deven/mozilla-2001022705/libxpcom.so
#24 0x400be319 in nsEventQueueImpl::ProcessPendingEvents () from /home/deven/mozilla-2001022705/libxpcom.so
#25 0x40480dcf in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#26 0x40480b8d in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#27 0x40628bf0 in g_io_add_watch () from /usr/lib/libglib-1.2.so.0
#28 0x4062a2b9 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#29 0x4062a8c3 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#30 0x4062a975 in g_main_iteration () from /usr/lib/libglib-1.2.so.0
#31 0x4048132c in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#32 0x4035998f in inflate_mask () from /home/deven/mozilla-2001022705/components/libnsappshell.so
#33 0x4035916a in inflate_mask () from /home/deven/mozilla-2001022705/components/libnsappshell.so
#34 0x4035506c in inflate_mask () from /home/deven/mozilla-2001022705/components/libnsappshell.so
#35 0x407e7ee3 in NSGetModule () from /home/deven/mozilla-2001022705/components/libembedcomponents.so
#36 0x403ba688 in GlobalWindowImpl::OpenInternal () from /home/deven/mozilla-2001022705/libjsdom.so
#37 0x403b80d5 in GlobalWindowImpl::Open () from /home/deven/mozilla-2001022705/libjsdom.so
#38 0x403ad450 in NS_CreateScriptContext () from /home/deven/mozilla-2001022705/libjsdom.so
#39 0x4012b9e5 in js_Invoke () from /home/deven/mozilla-2001022705/libmozjs.so
#40 0x40132dd5 in js_Interpret () from /home/deven/mozilla-2001022705/libmozjs.so
#41 0x4012ba30 in js_Invoke () from /home/deven/mozilla-2001022705/libmozjs.so
#42 0x4012bc2c in js_InternalInvoke () from /home/deven/mozilla-2001022705/libmozjs.so
#43 0x40110a7f in JS_CallFunctionValue () from /home/deven/mozilla-2001022705/libmozjs.so
#44 0x403a4ef0 in nsJSContext::CallEventHandler () from /home/deven/mozilla-2001022705/libjsdom.so
#45 0x403da2a6 in nsJSEventListener::HandleEvent () from /home/deven/mozilla-2001022705/libjsdom.so
#46 0x4099abd0 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#47 0x4099b19c in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#48 0x40aedcd5 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#49 0x409d886f in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#50 0x40e2821f in NSGetModule () from /home/deven/mozilla-2001022705/components/libgklayout.so
#51 0x40e28160 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgklayout.so
#52 0x409a1c63 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#53 0x409a0507 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkcontent.so
#54 0x40e282f7 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgklayout.so
#55 0x40e280e2 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgklayout.so
#56 0x40f46969 in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkview.so
#57 0x40f4690e in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkview.so
#58 0x40f4690e in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkview.so
#59 0x40f5593e in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkview.so
#60 0x40f4634d in NSGetModule () from /home/deven/mozilla-2001022705/components/libgkview.so
#61 0x4048e03a in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#62 0x4048df65 in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#63 0x4048e0c0 in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#64 0x4048ed0f in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#65 0x404926ff in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#66 0x40488f67 in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#67 0x40488d5e in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#68 0x405fd027 in gdk_wm_protocols_filter () from /usr/lib/libgdk-1.2.so.0
#69 0x4062a2b9 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#70 0x4062a8c3 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#71 0x4062aa5c in g_main_run () from /usr/lib/libglib-1.2.so.0
#72 0x4054f457 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#73 0x404812bc in NSGetModule () from /home/deven/mozilla-2001022705/components/libwidget_gtk.so
#74 0x4035b57a in inflate_mask () from /home/deven/mozilla-2001022705/components/libnsappshell.so
#75 0x804dfe5 in JS_PushArguments ()
#76 0x804e845 in JS_PushArguments ()
#77 0x40244a42 in __libc_start_main () from /lib/libc.so.6
(gdb)
This may not always be reproducible. I just tried a minimal bug report (just enough to pass the pre-submission tests) and the entry form DID come up without crashing. I had 2-3 crashes in a row that were real bug reports, which have now been lost. (I'll have to attempt to file those lost reports again with NN4.)
Keywords: crash, dataloss
I'm guessing at a common theme here: Security is checking to see if a page calling a function has the right to do so. This can be triggered by an event, as we see in the call stack reported above. Note that the stack frames pass through libcaps.so just before we crash - I took a quick look through TalkBack reports with JS_GetFunctionObject as the signature. For example, here is one for NN6.5 from 2001-02-27:

http://cyclone/reports/incidenttemplate.CFM?reportID=124&style=0&tc=92&cp=1&ck1=SStack+crawl+signature&cd1=%25JS%5FGetFunctionObject%25&co1=like&bbid=27029787

Incident ID: 27029787
Trigger Type: Program Crash
Trigger Reason: Access violation
Call Stack: (Signature = JS_GetFunctionObject f98b67ef)
JS_GetFunctionObject [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3450]
nsScriptSecurityManager::GetFunctionObjectPrincipal [d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 906]
nsScriptSecurityManager::CheckFunctionAccess [d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 614]
nsJSContext::CallEventHandler [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 936]
nsJSDOMEventListener::HandleEvent [d:\builds\seamonkey\mozilla\dom\src\events\nsJSDOMEventListener.cpp, line 92]
nsEventListenerManager::HandleEventSubType [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 839]
nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1422]
GlobalWindowImpl::HandleDOMEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 575]
DocumentViewerImpl::LoadComplete [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 717]
nsDocShell::EndPageLoad [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2656]
nsWebShell::EndPageLoad [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 992]
nsDocShell::OnStateChange [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2574]
nsWebShell::OnStateChange [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 954]
nsDocLoaderImpl::FireOnStateChange [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 1309]
nsDocLoaderImpl::doStopDocumentLoad [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 736]
nsDocLoaderImpl::DocLoaderIsEmpty [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 632]
nsDocLoaderImpl::OnStopRequest [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 564]
etc. etc.
Assignee: rogerl → mstoltz
Status: UNCONFIRMED → NEW
Component: Javascript Engine → Security: General
Ever confirmed: true
QA Contact: pschwartau → ckritzer
Mitch explained this possibility to me, and he will take a look at it. Also cc'ing Brendan, in case he feels a JS Engine issue may be involved -
Just found out from jpatel that this is currently our #1 topcrasher:

Crash Analysis from Seamonkey Trunk builds since 2001021800
Look here for bugs already filed on these crashes: http://bugzilla.mozilla.org/buglist.cgi?keywords=topcrash&order=bugs.bug_id
Look here for detailed crash data as a web page: http://www.mozilla.org/projects/seamonkey/reports/ns6analysis.html

Total blackboxes in this sample: 1010
Total unique users: 352
MTBF for these builds is estimated at 2.983113 hours, based on 974 reports and 2905.552222 hours of user testing from testers that have crashed and reported problems. (dev. builds tend to have low MTBF)

Top crashes
Count - Area
68 JS_GetFunctionObject
48 nsCacheManager::NoteDormant
40 libmozjs.so
32 JS_GetPrivate
31 nsNNTPProtocol::SendFirstNNTPCommand
29 nsTableFrame::GetFrameAtOrBefore
28 MSVCRT.DLL
25 xpcom.dll
24 free
23 js_EmitTree
21 nsVoidArray::RemoveElement
19 msgcompo.dll
17 nsQueryInterface::operator
15 libxpcom.so
15 il_flush_image_data
15 gkhtml.dll
14 nsCOMPtr_base::assign_with_AddRef
13 0x00000000
12 nsHTTPChannel::GetSecurityInfo
11 morkRowObject::CloseRowObject
10 ImageConsumer::OnDataAvailable
10 0xbc0c306f
9 nsCachedNetData::Release
9 nsCacheManager::LimitDiskCacheSize
9 libnecko.so
9 libc.so.6
9 GKLAYOUT.DLL
8 nsHeaderEntry::nsHeaderEntry
8 FindConstructor
7 ntdll.dll
7 nsGenericElement::GetBindingParent
7 nsCOMPtr_base::~nsCOMPtr_base
7 libpthread.so.0
7 libgklayout.so
7 js_MarkGCThing
7 js_AllocGCThing
7 gc_find_flags
6 nsMsgKeySet::AddRange
6 nsCSSFrameConstructor::CantRenderReplacedElement
6 libmsgnews.so
Could this be a dup of joki's bug 31847? What's the source that adds the event listener or sets the event handler that's firing? /be
Doubt it's a dup of 31847. Looks more like a recent regression. On Linux 2001022721 I crash each time I double-click a link in sidebar history.
I mean by dup of 31847 that this bug is another manifestation of the underlying failure to root the event handler. It may be a new symptom; it may be exposed due to some more recent change that acted as an "agent cause", but the root cause is likely to be the same as the one reported in bug 31847. /be
Seeing this on Windows 98/2000 as well. Here's the info:

Steps to reproduce:
1) Close and restart Mozilla (important, won't work otherwise)
2) Go to www.tweakers.net
3) Click a link under the "Tech Forums" section

JS_GetFunctionObject [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3450]
nsScriptSecurityManager::GetFunctionObjectPrincipal [d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 906]
nsScriptSecurityManager::CheckFunctionAccess [d:\builds\seamonkey\mozilla\caps\src\nsScriptSecurityManager.cpp, line 614]
nsJSContext::CallEventHandler [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 936]
nsJSDOMEventListener::HandleEvent [d:\builds\seamonkey\mozilla\dom\src\events\nsJSDOMEventListener.cpp, line 92]
nsEventListenerManager::HandleEventSubType [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 839]
nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1422]
GlobalWindowImpl::HandleDOMEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 575]
DocumentViewerImpl::LoadComplete [d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 717]
nsDocShell::EndPageLoad [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2655]
nsWebShell::EndPageLoad [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 992]
nsDocShell::OnStateChange [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2573]
nsWebShell::OnStateChange [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 954]
nsDocLoaderImpl::FireOnStateChange [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 1309]
nsDocLoaderImpl::doStopDocumentLoad [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 736]
0x01409010
nsDocLoaderImpl::DocLoaderIsEmpty [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 637]
nsDocLoaderImpl::OnStopRequest [d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 564]
nsLoadGroup::RemoveRequest [d:\builds\seamonkey\mozilla\netwerk\base\src\nsLoadGroup.cpp, line 525]
nsStreamIOChannel::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\base\src\nsInputStreamChannel.cpp, line 476]
nsOnStopRequestEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamObserverProxy.cpp, line 179]
nsStreamObserverEvent::HandlePLEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamObserverProxy.cpp, line 79]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 577]
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1055]
0x778b0c24
Keywords: topcrash
OS: Linux → All
Hardware: PC → All
*** Bug 70527 has been marked as a duplicate of this bug. ***
*** Bug 70781 has been marked as a duplicate of this bug. ***
Brendan, could I get your help in debugging this? Seems to be happening a lot, but most often through caps. Is there a bad call in caps that's causing this, or do you think it's a problem in the engine?
I keep pointing to bug 31847, and I mean it. This is not an engine bug. It's not a bug in mstoltz's code on the stack just below JS_GetFunctionObject, I bet. It very likely arose due to a source code change in the XUL/JS that define and add the handler, which would be implicated deeper on the stack. The latest stack shows an onload handler being fired, I think. What is the URI of the document loaded in that docshell? What is its onload handler or load event listener? /be
Despite the fact that this is our top crasher, I can't seem to reproduce it on either Windows or Linux in this morning's build. Any clue as to what I'm missing? Does it only happen in optimized builds, or only with certain skins? Let's try to narrow down the conditions under which this crash occurs.
Status: NEW → ASSIGNED
I can repro this consistently with the steps at bug 71092 (if that's a duplicate). Just hit Ctrl N about 5 times pretty quickly and it should crash for you
*** Bug 71092 has been marked as a duplicate of this bug. ***
This is also a topcrash for milestone .8. Adding M08 and [@ JS_GetFunctionObject] [@ JS_GetPrivate] in summary for tracking. This is currently the #3 crasher on the Trunk. Here are some user comments and urls to help find a reproducible test case:

(26879486) Comments: opened a new window and at the same time as window loaded I tried to click the throbber icon (to go to mozilla.org)
(26879498) Comments: Opened a new window while closing another window
(26880232) Comments: clicked in history panel to open a new window
(26919013) URL: http://www.bonsai.com/
(26919013) Comments: When I applied a new theme (Blue to Modern) I tried to open a new window because the current one doesn't work. File Menu didn't work so I went to about: and right clicked on Open In A New Window when on the Mozilla 0.9 link. Somehow triggered a crash once JS_GetFunctionObject d0eadcdc
(26934710) URL: www.openoffice.org
(26934981) URL: www.boursorama.com
(26934981) Comments: Opening many new links in new windows.
(26949424) Comments: i opened a lot of windows
(26960863) Comments: right-clicked on a link and picked "Open Link in new Window" then I crashed upon opening of the new window.
(26967127) URL: www.donationjunction.com/www.ecologyfund.com/{some other site}
(26987043) URL: http://www.radonlabs.de
(26987043) Comments: Clicked on a thumbnail image.
(26989949) URL: http://www.mozillazine.org/build_comments/
(26990002) URL: http://www.mozillazine.org/build_comments/
(26990011) URL: http://www.mozillazine.org/build_comments/
(27009385) Comments: After NS6 shutdown I got an illegal operation crash. Restart gives the same dialog.
(27015731) URL: http://www.slashdot.org
(27015731) Comments: Launching a link in a new window from a Slashdot post
(27043708) URL: http://slahshdot.org/
(27043708) Comments: Tried to open my profile on another window. There was a ftp download from going on in the background.
(27050591) URL: http://astrology.yahoo.com/us/astrology/today/capricorntechscope.html
(27065802) URL: http://www.slashdot.org
(27065802) Comments: Launching a new browser window using Ctrl-N
(27072376) Comments: mail + web sites
(27077741) URL: http://www.anandtech.com
(27077741) Comments: Clicking a link to open a new window
(27085520) URL: http://www.afterforever.com
(27085520) Comments: Checking out the photogallery on afterforever.com
(27085932) Comments: Opened a new browser window while checking email
(27119609) Comments: Tried to open a new Browser Window
(27128818) Comments: open new browser window from mail compose
(27130285) Comments: i was searching on google
(27144729) Comments: Opening the cygnus build tools for windows in a new window. Also downloading the source code for mozilla
(27154579) URL: www.flashpoint1985.com
(27156159) URL: http://www.brw.com.au/stories/20010223/8932.asp
(27157533) URL: www.kurier.at
(27157533) Comments: when clicking on the "Printausgabe" link mozilla crashed
(27157998) URL: http://www.mozilla.org/quality/help/bugzilla-helper.html
(27171277) URL: www.python.org/...
(27171277) Comments: start up
(27176879) Comments: Attempting to open a blank web page from the toolbar at the bottom of the mail window. No web page was open.
(27185372) URL: http://www.google.com
(27191898) URL: http://www.google.com
(27197635) URL: http://commerce.us.dell.com/dellstore/config.asp?customer_id=04&keycode=6W473&order_code=891224u
(27210180) Comments: Opening a few links in a new window without waiting for them to really open.
(27214553) URL: http://bugzilla.mozilla.org/show_bug.cgi?id=70572
(27224964) Comments: Programming the chrome. I was loading a new navigator window with xul cache off.
(27251227) URL: www.thelandminesite.com
(27255091) URL: www.cyberpresse.ca
(27255091) Comments: Opening a link in a new window; about four windows were already opened. Link was to same site.
(27256756) URL: www.cyberpresse.ca
(27267059) Comments: Crash on program exit
Summary: SEGV in JS_GetFunctionObject() on submission from Bugzilla Helper. → SEGV in [@ JS_GetFunctionObject] on submission from Bugzilla Helper. & M08 [@ JS_GetPrivate]
*** Bug 71254 has been marked as a duplicate of this bug. ***
Brendan, this doesn't look like a dup of 31877 to me. 31847 is crashing in js_LockScope1, and this one's crashing in js_GetFunctionObject. Do you still think they have the same cause?
Never judge a crash by the victim frame at the top of the stack. Yes, I still think this is a dup of 31847, which can crash the JS engine in many places, by passing in a dead (garbage-collected, possibly even recycled as another JS gc-thing, or even via the malloc heap) function object. /be
Giving the JSDOMEventListener a strong (rooted) reference to the event handler function object stops the crash from happening, but it might leak.
Reassigning to Brendan.
Assignee: mstoltz → brendan
Status: ASSIGNED → NEW
Setting milestone to Moz0.9.
Target Milestone: --- → mozilla0.9
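The failure mode Brendan and Mitch describe above (an event listener holding an unrooted pointer to a function object that the collector frees, or even recycles as another gc-thing, before the handler fires) modelled on a toy mark-and-sweep heap. This is an added illustration, not code from this bug or from SpiderMonkey; the heap, the root set and gc_add_root (standing in for the engine's rooting API) are all constructed for the example, and liveness is checked by generation number instead of dereferencing freed memory.

```c
/* Toy mark-and-sweep heap modelling the rooting bug in this thread.
 * Constructed for illustration; nothing here is SpiderMonkey code.  */
#include <stdio.h>
#include <string.h>

#define HEAP_SLOTS 8
#define MAX_ROOTS  8

typedef struct GCThing {
    int alive;        /* slot currently holds a live object            */
    int marked;       /* set during the mark phase                      */
    int generation;   /* bumped every time the slot is handed out again */
    const char *name;
} GCThing;

static GCThing  heap[HEAP_SLOTS];
static GCThing *roots[MAX_ROOTS];
static int      nroots;

/* A reference remembers the generation it was taken from, so "dead"
 * and "recycled as another gc-thing" can be told apart safely.       */
typedef struct Ref { GCThing *obj; int generation; } Ref;

enum { REF_FREED = 0, REF_LIVE = 1, REF_RECYCLED = 2 };

static Ref gc_alloc(const char *name) {
    for (int i = 0; i < HEAP_SLOTS; i++) {
        if (!heap[i].alive) {
            heap[i].alive = 1; heap[i].marked = 0; heap[i].name = name;
            heap[i].generation++;
            return (Ref){ &heap[i], heap[i].generation };
        }
    }
    return (Ref){ NULL, 0 };                 /* heap exhausted */
}

/* Stand-ins for the engine's root-set API: a rooted object survives GC. */
static void gc_add_root(GCThing *obj) { if (nroots < MAX_ROOTS) roots[nroots++] = obj; }
static void gc_remove_root(GCThing *obj) {
    for (int r = 0; r < nroots; r++)
        if (roots[r] == obj) { roots[r] = roots[--nroots]; return; }
}

static void gc_collect(void) {
    for (int i = 0; i < HEAP_SLOTS; i++) heap[i].marked = 0;
    for (int r = 0; r < nroots; r++) roots[r]->marked = 1;   /* mark  */
    for (int i = 0; i < HEAP_SLOTS; i++)                      /* sweep */
        if (heap[i].alive && !heap[i].marked) heap[i].alive = 0;
}

static int ref_state(Ref r) {
    if (!r.obj || !r.obj->alive) return REF_FREED;
    return r.obj->generation == r.generation ? REF_LIVE : REF_RECYCLED;
}

/* Native listener (think nsJSDOMEventListener) holding the handler object.
 * Returns the state of that reference at the moment the event would fire
 * and the pointer would be handed to the engine.                          */
int handler_state_after_gc(int root_handler, int alloc_after_gc) {
    memset(heap, 0, sizeof heap); nroots = 0;
    Ref handler = gc_alloc("onload handler");
    if (root_handler) gc_add_root(handler.obj);
    gc_collect();                            /* script's own ref is gone */
    if (alloc_after_gc) (void)gc_alloc("unrelated object");  /* may reuse slot */
    int state = ref_state(handler);
    if (root_handler) gc_remove_root(handler.obj);
    return state;
}

int main(void) {
    static const char *names[] = { "freed", "live", "recycled" };
    printf("unrooted, after GC:          %s\n", names[handler_state_after_gc(0, 0)]);
    printf("unrooted, after GC + alloc:  %s\n", names[handler_state_after_gc(0, 1)]);
    printf("rooted,   after GC + alloc:  %s\n", names[handler_state_after_gc(1, 1)]);
    return 0;
}
```

In the real engine the recycled case is the nasty one: the listener's pointer still points at a valid-looking gc-thing, so the crash surfaces wherever that object is next used, which is why the top frame varies between JS_GetFunctionObject and JS_GetPrivate.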
So this is a dup of 31847. I'll attach a revised patch there and leave it to joki to bless it and check it in. /be

*** This bug has been marked as a duplicate of 31847 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
Verified Duplicate -
Status: RESOLVED → VERIFIED
*** Bug 71502 has been marked as a duplicate of this bug. ***
Crash Signature: [@ JS_GetFunctionObject] [@ JS_GetPrivate]