Closed
Bug 363988
Opened 18 years ago
Closed 18 years ago
huge javascript crashes firefox [@ JS_GetPrivate()]
Categories (Core :: JavaScript Engine, defect)
Tracking: VERIFIED FIXED
People (Reporter: hroehrig, Assigned: sync2d)
Details (Keywords: crash, verified1.8.0.10, verified1.8.1.2)
Attachments (3 files)
- 831 bytes, patch (brendan: review+; dveditz: approval1.8.1.2+; dveditz: approval1.8.0.10+)
- 279.61 KB, application/octet-stream
- 303 bytes, text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
loading the page above crashes Firefox 1.5.x and 2.x on Windows and Linux.
Reproducible: Always
Steps to Reproduce:
1. navigate to http://www.xnchina.net/bbs/listduty.asp?parent1=32
Actual Results: crash
Expected Results: a page with a table filled with Chinese characters
Reporter
Comment 1•18 years ago
talkback incident TB27375918K (I also created one with Firefox 1.5 on windows but haven't been able to figure out the incident id of that one)
Comment 2•18 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061215 Minefield/3.0a1
Yeah, crashes trunk too: TB27376571Z
Comment 3•18 years ago
Incident ID: 27375918
Stack Signature JS_GetPrivate() 8193a9f6
Product ID Firefox2
Build ID 2006101022
Trigger Time 2006-12-15 12:45:20.0
Platform LinuxIntel
Operating System Linux 2.6.18-gg4
Module libmozjs.so + (0001751f)
URL visited http://www.xnchina.net/bbs/listduty.asp?parent1=32
User Comments
Since Last Crash 250 sec
Total Uptime 250 sec
Trigger Reason SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No. /builds/tinderbox/Fx-Mozilla1.8-release/Linux_2.4.21-27.0.4.EL_Depend/mozilla/js/src/jsapi.c, line 2359
Stack Trace
  JS_GetPrivate() [mozilla/js/src/jsapi.c, line 2359]
  js_Interpret() [mozilla/js/src/jsinterp.c, line 4980]
  js_Execute() [mozilla/js/src/jsinterp.c, line 1622]
  JS_EvaluateUCScriptForPrincipals() [mozilla/js/src/jsapi.c, line 4365]
  nsJSContext::EvaluateString() [mozilla/dom/src/base/nsJSEnvironment.cpp, line 146]
  nsScriptLoader::EvaluateScript() [mozilla/content/base/src/nsScriptLoader.cpp, line 848]
  nsScriptLoader::ProcessRequest() [mozilla/content/base/src/nsScriptLoader.cpp, line 674]
  nsScriptLoader::OnStreamComplete() [mozilla/content/base/src/nsScriptLoader.cpp, line 1040]
  nsStreamLoader::OnStopRequest() [mozilla/netwerk/base/src/nsStreamLoader.cpp, line 712]
  nsStreamListenerTee::OnStopRequest() [mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66]
  nsHttpChannel::OnStopRequest() [mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 1149]
  nsInputStreamPump::OnStateStop() [mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 1149]
  nsInputStreamPump::OnInputStreamReady() [mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 400]
  nsInputStreamReadyEvent::EventHandler()
  PL_HandleEvent() [mozilla/xpcom/threads/plevent.c, line 689]
  PL_ProcessPendingEvents() [mozilla/xpcom/threads/plevent.c, line 623]
  nsEventQueueImpl::ProcessPendingEvents() [mozilla/xpcom/threads/nsEventQueue.cpp, line 421]
  event_processor_callback() [mozilla/widget/src/gtk2/nsAppShell.cpp, line 67]
  libglib-2.0.so.0 + 0x4a52c (0x4d74852c)
  libglib-2.0.so.0 + 0x238d6 (0x4d7218d6)
  libglib-2.0.so.0 + 0x26996 (0x4d724996)
  libglib-2.0.so.0 + 0x26cb8 (0x4d724cb8)
  libgtk-x11-2.0.so.0 + 0x11e765 (0x4db67765)
  nsAppShell::Run() [mozilla/widget/src/gtk2/nsAppShell.cpp, line 141]
  nsAppStartup::Run() [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
  XRE_main() [mozilla/toolkit/xre/nsAppRunner.cpp, line 2440]
  main() [mozilla/browser/app/nsBrowserApp.cpp, line 62]
  libc.so.6 + 0x14ea2 (0x4d3a3ea2)
Regression range 1.8b2_2005042206 - 1.8b2_2005042306: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2005-04-22+05%3A00&maxdate=2005-04-23+07%3A00
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Hardware: PC → All
Summary: huge javascript crashes firefox → huge javascript crashes firefox [@ JS_GetPrivate()]
Version: unspecified → Trunk
Updated•18 years ago
Severity: normal → critical
JSOP_DEFFUN should rely on the BEGIN_LITOPX_CASE's atom index magic.
Attachment #248807 - Flags: review?
Updated•18 years ago
Comment 5•18 years ago
crashed with TB27394748G Attaching copy of the crashing page just in case they change something before we try to verify the patch. Doesn't crash with JavaScript turned off, there's something it doesn't like in the 2Mb place.js file. (sorry for the proprietary 7-zip format, tar-bz2 didn't get it small enough to attach)
Updated•18 years ago
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Comment 6•18 years ago
A little bit smaller and crashes just as nicely ;-)
Comment 7•18 years ago
Thanks! I didn't have time to reduce it last night and wanted to make sure it got captured in case it disappeared. The two testcases crash with different stacks for me, but the patch fixes both.
Assignee: general → shutdown
Updated•18 years ago
Attachment #248807 - Flags: review? → review?(brendan)
Comment 8•18 years ago
Comment on attachment 248807: fix
Ugh, I thought this was fixed already. Thanks for fixing. Please get it into the trunk ASAP. Nominating for branches.
/be
Attachment #248807 - Flags: review?(brendan)
Attachment #248807 - Flags: review+
Attachment #248807 - Flags: approval1.8.1.2?
Attachment #248807 - Flags: approval1.8.0.10?
Comment 9•18 years ago
Fix landed on trunk:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.308; previous revision: 3.307
done
Thanks, shutdown.
/be
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 10•18 years ago
Comment on attachment 248807: fix
approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #248807 - Flags: approval1.8.1.2?
Attachment #248807 - Flags: approval1.8.1.2+
Attachment #248807 - Flags: approval1.8.0.10?
Attachment #248807 - Flags: approval1.8.0.10+
Comment 11•18 years ago
1.8: new revision: 3.181.2.78; previous revision: 3.181.2.77
1.8.0: new revision: 3.181.2.17.2.23; previous revision: 3.181.2.17.2.22
/be
Blocks: js1.7src
Keywords: fixed1.8.0.10, fixed1.8.1.2
Comment 12•18 years ago
Verified fixed for 1.8.1.2 and 1.8.0.10 with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.10pre) Gecko/20070104 Firefox/1.5.0.10pre and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.2pre) Gecko/2007010303 BonEcho/2.0.0.2pre on Windows XP x64 and Fedora FC6
Status: RESOLVED → VERIFIED
Comment 13•18 years ago
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-363988.js,v <-- regress-363988.js initial revision: 1.1
Flags: in-testsuite+
Updated•13 years ago
Crash Signature: [@ JS_GetPrivate()]