Closed Bug 83619 Opened 24 years ago Closed 24 years ago

QuickSearch always crashes Netscape 4.76 & 4.77 on Unix

Categories

(Bugzilla :: Bugzilla-General, defect, P1)

x86
Linux
defect

Tracking

RESOLVED FIXED
Bugzilla 2.14

People

(Reporter: afranke, Assigned: afranke)

References

Details

(Keywords: crash, Whiteboard: code)

Attachments

(2 files)

Thanks to Gerv for the report.

0. Launch Netscape 4.76 or 4.77 on Unix
1. Go to http://bugzilla.mozilla.org
2. Type `foo' in the QuickSearch text box
3. Press return.

Result: Boom.

    #0 0x08780296 in js_Atomize ()
    #1 0x087998e3 in js_NewObject ()
    #2 0x0879b3b8 in js_GetClassPrototype ()
    #3 0x0879978a in js_NewObject ()
    #4 0x0877f7a3 in js_NewArrayObject ()
    #5 0x0877f479 in js_qsort ()
    #6 0x0878b9db in js_Invoke ()
    #7 0x0879146b in js_Interpret ()
    #8 0x0878ba21 in js_Invoke ()
    #9 0x0879146b in js_Interpret ()
    #10 0x0878ba21 in js_Invoke ()
    #11 0x0879146b in js_Interpret ()
    ...
    #147 0x0879146b in js_Interpret ()
    #148 0x0878ba21 in js_Invoke ()
    #149 0x0878bbad in js_CallFunctionValue ()
    #150 0x0877d7ea in JS_CallFunctionValue ()
    #151 0x087bcee4 in lm_HandleEvent ()
    #152 0x087bcc07 in lm_FindEventHandler ()
    #153 0x087bcb34 in lm_SendEvent ()
    #154 0x087b94be in form_submit ()
    #155 0x087b9522 in lm_SendOnSubmit ()
    #156 0x087b0cba in PR_ArenaFinish ()
    #157 0x08932b56 in PR_HandleEvent ()
    #158 0x087b2e2d in et_SubEventLoop ()
    #159 0x087b2ecb in lm_wait_for_events ()
    #160 0x0893d38c in HopToad ()
    #161 0x0893d3cb in HopToadNoArgs ()
    #162 0x0893d434 in PR_Start ()

We should add a browser sniffer and disable the QuickSearch functionality for these Netscape versions. Or, if someone knows how to work around this, let me know. This is not a problem in mozilla, AFAIK. Also, Netscape 4.61 doesn't have this problem.
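A sketch of the browser sniffer proposed in the report above, as an added example; it is not the patch in attachment 38598, whose contents are not shown on this page. It uses only string operations, no regular expressions, because the Purify report later in this bug points at the regexp code. The function names and the sample User-Agent strings are constructed for illustration.

```javascript
// Added example, not Bugzilla's code. Affected set as stated in this bug:
// Netscape 4.76 and 4.77 on Unix (4.61 and 4.77 on Mac were reported fine).
var AFFECTED_VERSIONS = ["4.76", "4.77"];

// Netscape 4.x sends "Mozilla/4.NN [lang] (platform; ...)". Other browsers
// that claim "Mozilla/4.0" put "compatible" inside the parentheses.
// Deliberately regexp-free: only indexOf/substring are used.
function parseNetscape4(userAgent) {
  var ua = String(userAgent || "");
  var prefix = "Mozilla/";
  var open = ua.indexOf("(");
  var close = ua.indexOf(")", open + 1);
  if (ua.indexOf(prefix) !== 0 || open === -1 || close === -1) return null;

  var head = ua.substring(prefix.length, open);      // e.g. "4.77 [en] "
  var space = head.indexOf(" ");
  var version = space === -1 ? head : head.substring(0, space);
  var platform = ua.substring(open + 1, close);      // e.g. "X11; U; Linux ..."

  if (version.substring(0, 2) !== "4.") return null;            // not a 4.x
  if (platform.toLowerCase().indexOf("compatible") !== -1) return null;
  return { version: version, isUnix: platform.indexOf("X11") !== -1 };
}

// True when QuickSearch may run; false when it should be disabled.
function quickSearchIsSafe(userAgent) {
  var ns = parseNetscape4(userAgent);
  if (ns === null || !ns.isUnix) return true;
  for (var i = 0; i < AFFECTED_VERSIONS.length; i++) {
    if (ns.version === AFFECTED_VERSIONS[i]) return false;
  }
  return true;
}

// Constructed sample User-Agent strings (not taken from the bug).
var SAMPLES = [
  "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)",
  "Mozilla/4.76 [en] (X11; U; SunOS 5.8 sun4u)",
  "Mozilla/4.61 [en] (X11; U; Linux 2.2.12 i686)",
  "Mozilla/4.77 (Macintosh; U; PPC)",
  "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
  "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.1) Gecko/20010607"
];
for (var s = 0; s < SAMPLES.length; s++) {
  console.log(quickSearchIsSafe(SAMPLES[s]) ? "enable " : "disable", SAMPLES[s]);
}
```

A User-Agent check like this is a stopgap that only covers the versions listed; browsers that misreport or omit the string are treated as safe.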
Unable to reproduce on Netscape 4.77 Mac. Must be a UNIX thing.
CCing brendan, in case he can take one look at that stack trace and say: "Ah, that's a known problem. Avoid doing foo at the same time as bar." Gerv
Reproduced.
Target Milestone: --- → Bugzilla 2.14
Are you kidding? Ask chouck@knobproductions.com, he's hacking on 4.7x again (back in b20!). /be
chouck@knobproductions.com - any idea what's going on here? Gerv
Ah, that's a known problem. Avoid doing JAVASCRIPT at the same time as BROWSING. How's that? This worked for me with 4.78-beta on windows. I've asked the 4.78 QA guys to take a quick look to see if it's still around in the latest unix builds. -Chris
yep
chouck: Is there any possibility at all you'll be able to look at this problem and, if not fix it, tell us what to avoid doing so we can work around it? Or are you swamped? Gerv
I think I should be able to take a quick look at this early next week. I don't have access to unix here so I can't do much right now. -Chris
Here's what purify (on windows) has to say about this test case. Since stuff starts to go downhill in the regexp code, I would say if you simply want to avoid the problem try eliminating or changing your regexp usage. However, if you do look for a workaround please leave this test case somewhere so that we can debug this for 4.78. -Chris

    [I] Starting Purify'd netscape.exe at 06/04/01 12:58:44
    [W] UMR: Uninitialized memory read in EmitRegExp {1 occurrence}
        Reading 2 bytes from 0x089feaee (2 bytes at 0x089feaee uninitialized)
        Address 0x089feaee is 886 bytes into a 1047 byte block at 0x089fe778
        Address 0x089feaee points to a malloc'd block in heap 0x06ef0000
        Thread ID: 0xa5
        Error location
            EmitRegExp [jsregexp.c:1838]
            EmitRegExp [jsregexp.c:1651]
            js_NewRegExp [jsregexp.c:1981]
            js_NewRegExpObject [jsregexp.c:3281]
            js_GetToken [jsscan.c:1001]
            js_MatchToken [jsscan.c:1102]
            ArgumentList [jsparse.c:2098]
            MemberExpr [jsparse.c:2195]
            UnaryExpr [jsparse.c:2068]
            MulExpr [jsparse.c:1932]
        Allocation location
            malloc [dbgheap.c:129]
            PR_ArenaAllocate [prarena.c:86]
            NewParseNode [jsparse.c:123]
            MemberExpr [jsparse.c:2189]
            UnaryExpr [jsparse.c:2068]
            MulExpr [jsparse.c:1932]
            AddExpr [jsparse.c:1914]
            ShiftExpr [jsparse.c:1899]
            RelExpr [jsparse.c:1876]
            EqExpr [jsparse.c:1861]
    [E] FMW: Free memory write in js_Emit3 {5 occurrences}
        Writing 1 byte to 0x08a6d080 (1 byte at 0x08a6d080 illegal)
        Address 0x08a6d080 is 16 bytes into a 1040 byte block at 0x08a6d070
        Address 0x08a6d080 points to a malloc'd block in heap 0x06ef0000
        Thread ID: 0xa5
        Error location
            js_Emit3 [jsemit.c:156]
            EmitAtomOp [jsemit.c:351]
            js_EmitTree [jsemit.c:1794]
            js_EmitTree [jsemit.c:653]
            js_EmitTree [jsemit.c:1228]
            js_EmitTree [jsemit.c:969]
            js_EmitTree [jsemit.c:1228]
            js_EmitFunctionBody [jsemit.c:434]
            js_EmitTree [jsemit.c:495]
            js_Parse [jsparse.c:251]
        Allocation location
            malloc [dbgheap.c:129]
            PR_ArenaAllocate [prarena.c:86]
            js_InitCodeGenerator [jsemit.c:54]
            js_EmitTree [jsemit.c:645]
            js_EmitTree [jsemit.c:1228]
            js_EmitTree [jsemit.c:969]
            js_EmitTree [jsemit.c:1228]
            js_EmitFunctionBody [jsemit.c:434]
            js_EmitTree [jsemit.c:495]
            js_Parse [jsparse.c:251]
        Free location
            free [dbgheap.c:925]
            PR_FreeArenaList [prarena.c:141]
            PR_ArenaRelease [prarena.c:170]
            js_ResetCodeGenerator [jsemit.c:71]
            js_EmitTree [jsemit.c:649]
            js_EmitTree [jsemit.c:1228]
            js_EmitTree [jsemit.c:969]
            js_EmitTree [jsemit.c:1228]
            js_EmitFunctionBody [jsemit.c:434]
            js_EmitTree [jsemit.c:495]
    [E] FMW: Free memory write in js_Emit3 {5 occurrences}
    [E] FMW: Free memory write in js_Emit3 {5 occurrences}
    [E] FMR: Free memory read in UpdateDepth {5 occurrences}
    [E] FMW: Free memory write in js_Emit1 {5 occurrences}
    [E] FMR: Free memory read in UpdateDepth {5 occurrences}
    [E] FMR: Free memory read in memcpy {5 occurrences}
okay correct me if i'm wrong but this is a browser bug. i'm closing it out as invalid. my buglist is big enough as it is. someone who can feel free to "move" it internally or whatever, but i don't think i can do anything else useful with this bug as netscape 4.x bugs aren't public.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
Yeah, it's a browser bug but given that I've received no love from the JS folks on this it's unlikely to get fixed in the client anytime soon. If this is hitting a lot of people you might want to have someone look at changing the JS code on your page to avoid or cut down on the usage of regular expressions. -Chris
Reopening...
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
... and reassigning to afranke to see if he can track down which JS command in the Quicksearch tool is causing this. Gerv
Assignee: tara → afranke
Status: REOPENED → NEW
Whiteboard: code
Status: NEW → ASSIGNED
Looking for review & checkin of attachment 38598. Gerv? Jake? Dave?
Keywords: patch, review
Priority: -- → P1
I don't know JavaScript really well, but this does seem to make sense. It's checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Keywords: crash
*** Bug 90000 has been marked as a duplicate of this bug. ***
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → unspecified
QA Contact: matty_is_a_geek → default-qa