Closed Bug 363988 Opened 18 years ago Closed 18 years ago

huge javascript crashes firefox [@ JS_GetPrivate()]

Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Reporter: hroehrig
Assignee: sync2d
Keywords: crash, verified1.8.0.10, verified1.8.1.2
Attachments: 3 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

Loading the page above crashes Firefox 1.5.x and 2.x on Windows and Linux.

Reproducible: Always

Steps to Reproduce:
1. navigate to http://www.xnchina.net/bbs/listduty.asp?parent1=32

Actual Results:
crash

Expected Results:
a page with a table filled with Chinese characters
talkback incident TB27375918K (I also created one with Firefox 1.5 on Windows but haven't been able to figure out the incident id of that one)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061215 Minefield/3.0a1
Yeah, crashes trunk too: TB27376571Z

Incident ID: 27375918
Stack Signature	JS_GetPrivate() 8193a9f6
Product ID	Firefox2
Build ID	2006101022
Trigger Time	2006-12-15 12:45:20.0
Platform	LinuxIntel
Operating System	Linux 2.6.18-gg4
Module	libmozjs.so + (0001751f)
URL visited	http://www.xnchina.net/bbs/listduty.asp?parent1=32
User Comments	
Since Last Crash	250 sec
Total Uptime	250 sec
Trigger Reason	SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No.	/builds/tinderbox/Fx-Mozilla1.8-release/Linux_2.4.21-27.0.4.EL_Depend/mozilla/js/src/jsapi.c, line 2359
Stack Trace 	
JS_GetPrivate()  [mozilla/js/src/jsapi.c, line 2359]
js_Interpret()  [mozilla/js/src/jsinterp.c, line 4980]
js_Execute()  [mozilla/js/src/jsinterp.c, line 1622]
JS_EvaluateUCScriptForPrincipals()  [mozilla/js/src/jsapi.c, line 4365]
nsJSContext::EvaluateString()  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 146]
nsScriptLoader::EvaluateScript()  [mozilla/content/base/src/nsScriptLoader.cpp, line 848]
nsScriptLoader::ProcessRequest()  [mozilla/content/base/src/nsScriptLoader.cpp, line 674]
nsScriptLoader::OnStreamComplete()  [mozilla/content/base/src/nsScriptLoader.cpp, line 1040]
nsStreamLoader::OnStopRequest()  [mozilla/netwerk/base/src/nsStreamLoader.cpp, line 712]
nsStreamListenerTee::OnStopRequest()  [mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66]
nsHttpChannel::OnStopRequest()  [mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 1149]
nsInputStreamPump::OnStateStop()  [mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 1149]
nsInputStreamPump::OnInputStreamReady()  [mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 400]
nsInputStreamReadyEvent::EventHandler()
PL_HandleEvent()  [mozilla/xpcom/threads/plevent.c, line 689]
PL_ProcessPendingEvents()  [mozilla/xpcom/threads/plevent.c, line 623]
nsEventQueueImpl::ProcessPendingEvents()  [mozilla/xpcom/threads/nsEventQueue.cpp, line 421]
event_processor_callback()  [mozilla/widget/src/gtk2/nsAppShell.cpp, line 67]
libglib-2.0.so.0 + 0x4a52c (0x4d74852c)
libglib-2.0.so.0 + 0x238d6 (0x4d7218d6)
libglib-2.0.so.0 + 0x26996 (0x4d724996)
libglib-2.0.so.0 + 0x26cb8 (0x4d724cb8)
libgtk-x11-2.0.so.0 + 0x11e765 (0x4db67765)
nsAppShell::Run()  [mozilla/widget/src/gtk2/nsAppShell.cpp, line 141]
nsAppStartup::Run()  [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
XRE_main()  [mozilla/toolkit/xre/nsAppRunner.cpp, line 2440]
main()  [mozilla/browser/app/nsBrowserApp.cpp, line 62]
libc.so.6 + 0x14ea2 (0x4d3a3ea2)

Regression range 1.8b2_2005042206 - 1.8b2_2005042306:
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2005-04-22+05%3A00&maxdate=2005-04-23+07%3A00

Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Hardware: PC → All
Summary: huge javascript crashes firefox → huge javascript crashes firefox [@ JS_GetPrivate()]
Version: unspecified → Trunk
Severity: normal → critical
Attached patch: fix
JSOP_DEFFUN should rely on the BEGIN_LITOPX_CASE's atom index magic.
Attachment #248807 - Flags: review?
Blocks: 155081
Keywords: crash
crashed with TB27394748G

Attaching copy of the crashing page just in case they change something before we try to verify the patch. Doesn't crash with JavaScript turned off, there's something it doesn't like in the 2Mb place.js file.

(sorry for the proprietary 7-zip format, tar-bz2 didn't get it small enough to attach)
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Attached file testcase
A little bit smaller and crashes just as nicely ;-)
Thanks! I didn't have time to reduce it last night and wanted to make sure it got captured in case it disappeared.

The two testcases crash with different stacks for me, but the patch fixes both.
Assignee: general → shutdown
Attachment #248807 - Flags: review? → review?(brendan)
Comment on attachment 248807 (fix):

Ugh, I thought this was fixed already. Thanks for fixing. Please get it into the trunk ASAP. Nominating for branches.

/be
Attachment #248807 - Flags: review?(brendan)
Attachment #248807 - Flags: review+
Attachment #248807 - Flags: approval1.8.1.2?
Attachment #248807 - Flags: approval1.8.0.10?
Fix landed on trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.308; previous revision: 3.307
done

Thanks, shutdown.

/be
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 248807 (fix):

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #248807 - Flags: approval1.8.1.2?
Attachment #248807 - Flags: approval1.8.1.2+
Attachment #248807 - Flags: approval1.8.0.10?
Attachment #248807 - Flags: approval1.8.0.10+
1.8:   new revision: 3.181.2.78; previous revision: 3.181.2.77
1.8.0: new revision: 3.181.2.17.2.23; previous revision: 3.181.2.17.2.22

/be
Verified fixed for 1.8.1.2 and 1.8.0.10
with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.10pre) Gecko/20070104 Firefox/1.5.0.10pre and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.2pre) Gecko/2007010303 BonEcho/2.0.0.2pre on Windows XP x64 and Fedora FC6
Status: RESOLVED → VERIFIED
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-363988.js,v  <--  regress-363988.js
initial revision: 1.1
Flags: in-testsuite+
Crash Signature: [@ JS_GetPrivate()]