Closed Bug 81033 Opened 24 years ago Closed 24 years ago

calling eval("encodeURL('someURIstring')") twice crashes the xpcshell and the browser

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 95
defect
Not set
normal


VERIFIED DUPLICATE of bug 82306

People

(Reporter: martin.honnen, Assigned: rogerl)

Details

(Keywords: crash)

Attachments

(4 files)

When loading the following into the xpcshell it crashes:

var s = "file:///D:/Home/docs/JavaScriptDictionary/16list03.htm?myData.value='Hello'";
eval("encodeURI(s)");
eval("encodeURI(s)");

The same happens with the browser with an HTML page including the code (sometimes on the first load, sometimes on reload).
Martin, can you attach a stack trace? Thanks -
Keywords: crash
This is what the Windows crash dialog shows: XPCSHELL caused an invalid page fault in module MSVCRT.DLL at 0137:7800d053. More I cannot provide.
Attached file WinNT stack trace
Based on stack trace, reassigning to Layout for further triage. Definitely not a JS Engine issue -
Assignee: rogerl → karnaze
Component: Javascript Engine → Layout
QA Contact: pschwartau → petersen
testcase working for me on Win2K - I'll test on Win95...
Here is the stack trace I got under Windows ME:

Call Stack: (Signature = 0x1d00036d 9b416e10)
0x1d00036d
nsCacheMetaData::CalculateSize [d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheMetaData.cpp, line 279]
PL_DHashTableEnumerate [d:\builds\seamonkey\mozilla\xpcom\ds\pldhash.c, line 456]
0xedededec
0x01eb42cc
Tested under May 22 build (2001052204).
After some more investigation, I think that this may be a JS-engine issue after all. I can get it to crash, actually, but I have to reload the testcase page from 3-10 times. I got these stacks (on Win2K):

A little random, but two of the three stacks had no layout in them, and they all have JS engine stuff. I think there is a memory corruption somewhere...
Based on the last set of stack traces, I think that this may be cache related. Then again, it might be just random corruption. Peterson's stack and stack [3] from my previous comment indicate some cache structures, so reassigning to necko for further investigation.
Assignee: karnaze → gordon
Component: Layout → Networking: Cache
QA Contact: petersen → tever
Gagan, who's triaging Javascript bugs until Patrick gets back?
Assignee: gordon → gagan
Component: Networking: Cache → Javascript Engine
Gordon: I don't know and in future it is best to leave the bugs with the component owner-- whoever is responsible for it will take it from there. So assigning to owner.
Assignee: gagan → rogerl
QA Contact: tever → pschwartau
Is this a dupe of the bug that Vidur is working on now? JPatel - Is there any talkback data on this one?
cc'ing Brendan, jband for their opinion of all these stack traces -
Does it happen in today's (5/23) builds? I think this is a dup of bug 82306. /be

*** This bug has been marked as a duplicate of 82306 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
Brendan is right - no crash with debug builds 2001-05-23 on WinNT, Linux. Marking Verified -
Status: RESOLVED → VERIFIED