Bug 97444 (Closed)
crasher on javascript menu [@JS_GetPrivate]
Opened 23 years ago
Closed 23 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla0.9.4
People: Reporter: jeremy.m, Assigned: jband_mozilla
Keywords: crash, js1.5
Whiteboard: [the URL loads in NN4.7 or Moz; HTML testcase only in Moz]
Attachments (5 files)
1. patch, 5.07 KB
2. text/html, 10.18 KB
3. text/plain, 9.43 KB
4. text/plain, 34.27 KB
5. patch, 2.33 KB (shaver: review+, brendan: superreview+, asa: approval+)
Description (From Bugzilla Helper):
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3+) Gecko/20010827
BuildID: 2001082703

javascript menu crashes mozilla

Reproducible: Always

Steps to Reproduce:
go to www.alamy.com, mouse over an image, roll the mouse over the javascript menu that appears.
witness mozilla crash & burn.

Actual Results: crash
Comment 1•23 years ago
Crashed For Me with Gecko/2001080110 on NT4 TB34671248H
Comment 2•23 years ago
Confirmed on a linux cvs build from 20010827. I see this on console just before receiving SIGABRT: Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE, at jsapi.c:1885
Comment 3•23 years ago
Updated•23 years ago
Summary: crasher on javascript menu → crasher on javascript menu [@JS_GetPrivate]
Comment 4•23 years ago
Comment 5•23 years ago
Steps to reproduce:
1. Load the reduced testcase in Mozilla (won't work in NN4.7, IE4.7)
2. Mouseover the Mozilla image: a menu appears below it
3. Mouseover the menu
4. CRASH!
Comment 6•23 years ago
Comment 7•23 years ago
The site uses a Macromedia "Fireworks" JS menu template for rollovers. I will attach the JS file below. Note it contains two copyright warnings, one for Macromedia and also one for Netscape. For further info on Macromedia Fireworks, see: http://www.macromedia.com/support/fireworks/ts/documents/preloads_explained.htm and /support/dreamweaver/ts/documents/fireworks_graphics.htm
Comment 8•23 years ago
Comment 9•23 years ago
Note: my WinNT stack trace is from a debug WinNT build 2001-08-24. However, it looks exactly the same as the trace tingley got. cc'ing Brendan and jband: does this look like JS Engine?
Assignee: rogerl → khanson
Updated•23 years ago
Whiteboard: [the URL loads in NN4.7 or Moz; HTML testcase only in Moz]
Comment 10•23 years ago
This could be JS engine, or maybe XPConnect. We need to get this in a debugger and I'll poke around. Phil, can you set it up and mail me, and I'll stop by tomorrow? Thanks. /be
Comment 11•23 years ago
Brendan: I just looked at this bit in the debugger. The problem is that the code down in js_Call in preparation for the call to js_ReportIsNotFunction swaps in a different fp->fun when fp->fun was previously null. But fp->argv[-2] is not a function object. So the code in JS_GetFrameFunctionObject is returning a plain JSObject which the caller (in this case GetFramePrincipal) reasonably assumes is a (possibly cloned) function object. I'm thinking that maybe that code should be swapping the whole frame rather than just fp->fun. I wrote a patch that makes it not crash. I'll attach it for comment. If this *is* the right fix then we ought to determine if there are other similar cases to be fixed too.
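The failure path described in comment 11, as an added illustrative model that is not SpiderMonkey's code and not the patch that fixed this bug. The struct layouts, the function names and the callee-in-argv[-2] convention are assumptions chosen to mirror the comment; the point shown is that a consumer which reads the private slot of whatever the frame's "function object" accessor returns must check the class flag itself, because the error path can leave a plain object in that slot.

```c
#include <stddef.h>
/* Hypothetical, simplified model of the objects and frames discussed in
   comment 11 of this bug; it is not SpiderMonkey's code. */
#define CLASS_HAS_PRIVATE 0x1u

typedef struct { const char *name; unsigned flags; } Class;
typedef struct { const Class *clasp; void *priv; } Object;
/* argv points two slots past the callee, so argv[-2] is the callee. */
typedef struct { Object *fun; Object **argv; } Frame;

static const Class function_class = { "Function", CLASS_HAS_PRIVATE };
static const Class plain_class    = { "Object", 0 };

/* Checked private-slot read: returns 0 instead of asserting when the class
   has no private slot, the condition JS_GetPrivate tripped on in comment 2. */
int get_private_checked(const Object *obj, void **out) {
    if (obj == NULL || !(obj->clasp->flags & CLASS_HAS_PRIVATE))
        return 0;
    *out = obj->priv;
    return 1;
}

/* Model of the js_Call error path from comment 11: the non-function callee
   is swapped into fp->fun just before "is not a function" is reported. */
void prepare_not_function_report(Frame *fp) {
    if (fp->fun == NULL)
        fp->fun = fp->argv[-2];
}

/* Model of JS_GetFrameFunctionObject: returns argv[-2] whenever fp->fun is
   set, trusting that it is a (possibly cloned) function object. */
Object *frame_function_object(const Frame *fp) {
    return fp->fun ? fp->argv[-2] : NULL;
}

/* Model of the GetFramePrincipal consumer, hardened with a class check so a
   plain object in the callee slot is refused rather than dereferenced. */
int frame_principal_ok(const Frame *fp) {
    void *priv;
    return get_private_checked(frame_function_object(fp), &priv);
}

/* Runs the scenario with a constructed callee of the given class:
   returns 1 when the principal read succeeds, 0 when it is refused. */
int run_scenario(const Class *callee_class) {
    Object callee = { callee_class, NULL };
    Object *slots[2] = { &callee, NULL };
    Frame fp = { NULL, slots + 2 };
    prepare_not_function_report(&fp);
    return frame_principal_ok(&fp);
}
```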
Comment 12•23 years ago
Comment 13•23 years ago
I like it, r/sr=brendan@mozilla.org. I don't know of other cases than the one my XXXbe comment cited, which you fixed. The two other js_ReportIsNotFunction calls come from places that haven't pushed a doomed frame. I think we should try to get this fixed in 0.9.4. /be
Keywords: js1.5, mozilla0.9.4
Comment 14•23 years ago
bug 98207 is another crash at JS_GetPrivate -- might be interesting to see if the patch fixes that one too.
Comment 16•23 years ago
tingley: bug 98207 is more likely a dup of bug 97293. jband, you need r=, eh? How about it, cc: list? I'll send mail. I'd like to get your fix in 0.9.4. /be
Comment 17•23 years ago
Comment on attachment 48094 (potential fix): sr=brendan@mozilla.org, for sure. /be
Attachment #48094 - Flags: superreview+
Comment 18•23 years ago
Setting target milestone for 0.9.4.
Target Milestone: --- → mozilla0.9.4
Comment 19•23 years ago
I know this tune. r=rogerl
Comment on attachment 48094 (potential fix): r=shaver
Attachment #48094 - Flags: review+
Comment 21•23 years ago
Fix checked into trunk. I emailed drivers for branch checkin approval. Thanks.
Status: NEW → ASSIGNED
Comment 22•23 years ago
Comment on attachment 48094 (potential fix): a=asa for checkin to the 0.9.4 branch.
Attachment #48094 - Flags: approval+
Comment 23•23 years ago
checked in to branch too. Thanks.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 24•23 years ago
VERIFIED FIXED on trunk and 0.9.4 branch using binaries dated 20010909xx, 200100910xx on WinNT, Linux, and Mac. Tried both the given URL and the reduced HTML testcase. I did not crash on any mouseovers, no matter how many times I moused over the drop-down menu -
Status: RESOLVED → VERIFIED
Updated•19 years ago
Flags: testcase?
Updated•13 years ago
Crash Signature: [@JS_GetPrivate]