crasher on javascript menu [@JS_GetPrivate]

VERIFIED FIXED in mozilla0.9.4

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 17 years ago
Modified: 6 years ago

People

(Reporter: jeremy.m, Assigned: John Bandhauer)

Tracking

Version: Trunk
Target Milestone: mozilla0.9.4
Platform: x86 All
Keywords: crash, js1.5
Bug Flags: in-testsuite -

Details

(Whiteboard: [the URL loads in NN4.7 or Moz; HTML testcase only in Moz], crash signature, URL)

Attachments

(5 attachments)

(Reporter)

Description

17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3+) Gecko/20010827
BuildID:    2001082703

javascript menu crashes mozilla

Reproducible: Always
Steps to Reproduce:
go to www.alamy.com, mouse over an image, roll the mouse over the javascript
menu that appears.
witness mozilla crash & burn.

Actual Results:  crash

Comment 1

17 years ago
Crashed for me with Gecko/2001080110 on NT4

TB34671248H

Comment 2

17 years ago
Confirmed on a linux cvs build from 20010827.

I see this on console just before receiving SIGABRT:

Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE, at jsapi.c:1885

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows 2000 → All

Comment 3

17 years ago
Created attachment 47484 [details] [diff] [review]
stack trace

Updated

17 years ago
Summary: crasher on javascript menu → crasher on javascript menu [@JS_GetPrivate]

Comment 4

17 years ago
Created attachment 47506 [details]
Reduced HTML testcase

Comment 5

17 years ago
Steps to reproduce: 

1. Load the reduced testcase in Mozilla (won't work in NN4.7, IE4.7)
2. Mouseover the Mozilla image : a menu appears below it
3. Mouseover the menu
4. CRASH!

Comment 6

17 years ago
Created attachment 47513 [details]
WinNT stack trace

Comment 7

17 years ago
The site uses a Macromedia "Fireworks" JS menu template for rollovers.
I will attach the JS file below. Note it contains two copyright warnings,
one for Macromedia and also one for Netscape.

For further info on Macromedia Fireworks, see:

http://www.macromedia.com/support/fireworks/ts/documents/preloads_explained.htm
and /support/dreamweaver/ts/documents/fireworks_graphics.htm

Comment 8

17 years ago
Created attachment 47518 [details]
fw_menu.js

Comment 9

17 years ago
Note: my WinNT stack trace is from a debug WinNT build 2001-08-24.
However, looks exactly the same as the trace tingley got -

cc'ing Brendan and jband: does this look like JS Engine?
Assignee: rogerl → khanson

Updated

17 years ago
Whiteboard: [the URL loads in NN4.7 or Moz; HTML testcase only in Moz]

Comment 10

17 years ago
This could be JS engine, or maybe XPConnect.  We need to get this in a debugger
and I'll poke around.  Phil, can you set it up and mail me, and I'll stop by
tomorrow?  Thanks.

/be
(Assignee)

Comment 11

16 years ago
Brendan: I just looked at this bit in the debugger. The problem is that the code  
down in js_Call in preparation for the call to js_ReportIsNotFunction swaps in a 
different fp->fun when fp->fun was previously null. But fp->argv[-2] is not a 
function object. So the code in JS_GetFrameFunctionObject is returning a plain 
JSObject which the caller (in this case GetFramePrincipal) reasonably assumes is 
a (possibly cloned) function object.

I'm thinking that maybe that code should be swapping the whole frame rather than 
just fp->fun. I wrote a patch that makes it not crash. I'll attach it for 
comment. If this *is* the right fix then we ought to determine if there are 
other similar cases to be fixed too.
(Assignee)

Comment 12

16 years ago
Created attachment 48094 [details] [diff] [review]
potential fix

Comment 13

16 years ago
I like it, r/sr=brendan@mozilla.org.  I don't know of other cases than the one
my XXXbe comment cited, which you fixed.  The two other js_ReportIsNotFunction
calls come from places that haven't pushed a doomed frame.

I think we should try to get this fixed in 0.9.4.

/be
Keywords: js1.5, mozilla0.9.4

Comment 14

16 years ago
bug 98207 is another crash at JS_GetPrivate -- might be interesting to see if
the patch fixes that one too.
(Assignee)

Comment 15

16 years ago
I'll take this bug.
Assignee: khanson → jband

Comment 16

16 years ago
tingley: bug 98207 is more likely a dup of bug 97293.

jband, you need r=, eh?  How about it, cc: list?  I'll send mail.  I'd like to
get your fix in 0.9.4.

/be

Comment 17

16 years ago
Comment on attachment 48094 [details] [diff] [review]
potential fix

sr=brendan@mozilla.org, for sure.

/be
Attachment #48094 - Flags: superreview+
(Assignee)

Comment 18

16 years ago
Setting target milestone for 0.9.4.
Target Milestone: --- → mozilla0.9.4

Comment 19

16 years ago
I know this tune. r=rogerl

Comment 20

16 years ago
Comment on attachment 48094 [details] [diff] [review]
potential fix

r=shaver
Attachment #48094 - Flags: review+
(Assignee)

Comment 21

16 years ago
Fix checked into trunk. I emailed drivers for branch checkin approval. Thanks.
Status: NEW → ASSIGNED

Comment 22

16 years ago
Comment on attachment 48094 [details] [diff] [review]
potential fix

a=asa for checkin to the 0.9.4 branch.
Attachment #48094 - Flags: approval+
(Assignee)

Comment 23

16 years ago
checked in to branch too. Thanks.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 24

16 years ago
VERIFIED FIXED on trunk and 0.9.4 branch using binaries dated 20010909xx,
200100910xx on WinNT, Linux, and Mac. Tried both the given URL and the 
reduced HTML testcase. I did not crash on any mouseovers, no matter how
many times I moused over the drop-down menu -
Status: RESOLVED → VERIFIED

Updated

13 years ago
Flags: testcase?

Comment 25

12 years ago
too old.
Flags: testcase? → testcase-
Crash Signature: [@JS_GetPrivate]