about:config crashes the second time - Trunk [@ js_Interpret]

VERIFIED FIXED in mozilla0.9.4

Status

()

Core
XUL
P1
critical
VERIFIED FIXED
16 years ago
7 years ago

People

(Reporter: Brian Nesse (gone), Assigned: brendan)

Tracking

({crash, topcrash})

Trunk
mozilla0.9.4
crash, topcrash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

16 years ago
From bug 37592...
------- Additional Comments From Matti (Matthias Versen) 2001-09-01 17:45 -------

This is crashing for me if I use about:config the second time.
1. Type about:config
2. Load another page
3. type about:config again -> crash

win2k build 20010901.. (CVS opt)
(Reporter)

Comment 1

16 years ago
When I leave the about:config page the first time, I see a bunch of debug spew
in the console window... almost like it's trying to re-draw the about:config
page after deleting it or something...

************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "'[JavaScript Error: "arr is not defined" {file:
"chrome://global/content/config.js" line: 27}]' when calling method:
[nsIOutlinerView::getCellText]"  nsresult: "0x80570021
(NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "<unknown>"  data: yes]
************************************************************

When you try and return to about:config it crashes in JS. Stack coming.
Keywords: crash
(Reporter)

Comment 2

16 years ago
Created attachment 48172 [details]
Stack crawl of crash

Comment 3

16 years ago
Segmentation fault on linux - debugging problem
Status: NEW → ASSIGNED

Comment 4

16 years ago
bug 97444 is also a crash at JS_GetPrivate; may be a dup but I'm not quite ready
to pull the trigger yet.
(Assignee)

Comment 5

16 years ago
Actually, this looks like another skidmark from the same bug that's causing bug
97293.  This bug may be more reproducible, so I'm not marking it dup.  dbaron,
is this the smoking gun?  I'll try to debug later today, but someone feel free
to beat me to it.

(The JS_GetPrivate crash is not the interesting part that links this bug's
backtrace to bug 97293 rather than to the also-in-JS_GetPrivate bug 97444 --
rather, the nsXULDocument::ExecuteScript that passes a bad, probably-GC'd script
object into JS_ExecuteScript, is the key.)

/be

Comment 6

16 years ago
I just gave this a whirl and got the same results as Brendan - the 
aScriptObject is garbage. FWIW, on NT my debug build goes off into the weeds 
without leaving me a usable stack. My release-with-symbols build yields the same 
stack as already posted to this bug.

Updated

16 years ago
Severity: major → critical
(Assignee)

Comment 7

16 years ago
jband: I still haven't tried to debug this, but I will tonight.  Did you divine
whether a XUL precompiled script object reference was unrooted?

/be

Comment 8

16 years ago
brendan: I didn't dig that deep. The 'bad' JSObject is the one called 
'aScriptProto->mJSObject' in nsXULDocument::LoadScript. aScriptProto looks like 
a nice object. But the JSObject is smelly.

Comment 9

16 years ago
Adding topcrash as per Bug 97293. P1, 0.9.5, component JavaScript Engine
(belongs to khanson@netscape.com as well?)
Component: Preferences → Javascript Engine
Keywords: topcrash
Priority: -- → P1
Target Milestone: --- → mozilla0.9.5
(Assignee)

Comment 10

16 years ago
jpatel: I'm betting this will end up a XUL bug, but you can assign it to me or
to jband.  The other bug, bug 97293, might better be forward-duped against this
one, because this bug has reproducible instructions.  But bug 97293 has some
nice dbaron disassembly analysis, so I've been hesitant to dup it.  Yeah, I'm
just shy.

/be
(Assignee)

Comment 11

16 years ago
*** Bug 97293 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 12

16 years ago
jussi, sorry -- I saw a leading "j" in your name, saw "topcrash", and my brain
went off like a plastic trap.

/be

Comment 13

16 years ago
Adding Trunk [@ js_Interpret] for tracking, since bug 97293 was just marked a dup.  

Summary: about:config crashes the second time → about:config crashes the second time - Trunk [@ js_Interpret]
(Assignee)

Comment 14

16 years ago
This is a XUL bug, and I caused it with my FastLoad hacking (sob).  The
about:config URL loads but does not enter its XUL prototype nodes, including
prototype scripts that contain rooted JSObject pointers, into the XUL prototype
cache -- because the URL scheme is not chrome.

But, code in nsXULDocument.cpp nsXULDocument::LoadScript, needed by FastLoad for
"exactly-once" script loading, does enter the
chrome:/navigator/content/config.js script into the XUL script cache -- becaus
ethe URL scheme *is* chrome.  That XUL script cache entry holds an unrooted
JSObject* -- it counts on there being a companion XUL prototype cache entry
holding a root.  Blammo.

Patch soon.

/be
Assignee: chipc → brendan
Status: ASSIGNED → NEW
Keywords: mozilla0.9.4
Target Milestone: mozilla0.9.5 → mozilla0.9.4
(Assignee)

Comment 15

16 years ago
Created attachment 48374 [details] [diff] [review]
proposed fix (one-line change, excluding comments)

Comment 16

16 years ago
Comment on attachment 48374 [details] [diff] [review]
proposed fix (one-line change, excluding comments)

r/sr=waterson
Attachment #48374 - Flags: review+

Comment 17

16 years ago
Comment on attachment 48374 [details] [diff] [review]
proposed fix (one-line change, excluding comments)

sr=jband
Attachment #48374 - Flags: superreview+

Comment 18

16 years ago
Comment on attachment 48374 [details] [diff] [review]
proposed fix (one-line change, excluding comments)

a=asa for checkin to 0.9.4 branch.
Attachment #48374 - Flags: approval+
QA Contact: sairuh → pschwartau
(Assignee)

Comment 19

16 years ago
(Fixing component and QA contact...)

Fix checked into trunk and branch.

/be
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Component: Javascript Engine → XP Toolkit/Widgets: XUL
QA Contact: pschwartau → jrgm
Resolution: --- → FIXED

Comment 20

16 years ago
verified fixed -- does not crash on second use of about:config and config.js is 
not serialized into the fastload file (or placed in xul cache) -- 
mac/linux/win32 2001-09-06-08 builds. 

[Note: needed a slight workaround to test about:config on Linux -- bug 98667].
Status: RESOLVED → VERIFIED

Comment 21

16 years ago
*** Bug 98823 has been marked as a duplicate of this bug. ***

Updated

9 years ago
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
Crash Signature: [@ js_Interpret]
You need to log in before you can comment on or make changes to this bug.