Ubuntu
firefox-3.0 package

MASTER firefox crashed [@ XPC_WN_Helper_NewResolve] [@ js_LookupPropertyWithFlags]

Bug #73857 reported by g_f
52
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Invalid
Critical
firefox-3.0 (Ubuntu)
Invalid
High
Unassigned
firefox-3.5 (Ubuntu)
Invalid
High
Unassigned

Bug Description

Binary package hint: firefox

I don't know only I was trying to access to http://localhost/phpmyadmin/
and I was copy and past the error message when Firefox crasched

Extract from retraced stacktrace:
...
#3 <signal handler called>
#4 XPC_WN_Helper_NewResolve (cx=0x8d78f98, obj=0x89d70b0,
#5 js_LookupPropertyWithFlags (cx=0x8d78f98, obj=0x89d70b0,
#6 js_LookupProperty (cx=0x8d78f98, obj=0x89d70b0,
#7 js_GetProperty (cx=0x8d78f98, obj=0x89d70b0,
#8 js_Interpret (cx=0x8d78f98,
...

See original description
Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :
Download full text (5.2 KiB)

From talkback ID:
URL visited file://localhost/C:/Documents%20and%20Settings/Tony/Mijn%20documenten/pub/chroniq/noms/noms_b.htm#B
User Comments Clicking "View source" N.B. An earlier version of the same file exists online at http://users.skynet.be/antoine.mechelynck/chroniq/noms/noms_b.htm

js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2653]
js_LookupProperty [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2580]
js_GetProperty [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2865]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 591]
nsXPCWrappedJS::QueryInterface [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 97]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1779]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2153]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleChromeEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2833]
nsGlobalWindow::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1533]
nsDocument::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 3999]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2123]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2117]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2117]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2117]
nsGenericHTMLElement::HandleDOMEventForAnchors [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1491]
nsHTMLAnchorElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLAnchorElement.cpp, line 295]
nsEventStateManager::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2628]
nsEventStateManager::NotifyMouseOver [c:/builds/tinderbox/Fx-...

Read more...

Revision history for this message
In , Antoine-mechelynck-gmail (antoine-mechelynck-gmail) wrote :

(In reply to comment #1)
[...]
> So you mean this only happened when you have the HTML Validator extension
> installed?

No, I mean that HTML Validator was installed at the time of the crash, and that that might have an impact on what exactly "View Source" did, since that extension (among other things) installs its 3-pane GUI in the "View Source" window. I have not tried uninstalling that extension, which I find very useful.

Revision history for this message
In , Zug-treno (zug-treno) wrote :

Related to bug 314260?

Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :

*** Bug 314260 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Jruderman (jruderman) wrote :

Brendan asked me to find a bug about a crash [@ js_LookupPropertyWithFlags] and CC bz on it. This is the #29 crash signature for Firefox 1.5 RC3 with 0.64% of all crashes (147 of 22930). See http://talkback-public.mozilla.org/reports/firefox/FF15rc3/FF15rc3-topcrashers.html.

All of the Talkback reports I looked at had nsXULElement::HandleDOMEvent on the stack, and some XPCWrappedJSClass function above it.

Talkback IDs:

  through nsXPCWrappedJSClass::DelegatedQueryInterface:
    12356210, 12352320, 12331758, 12298940

  through nsXPCWrappedJSClass::CallMethod:
    12324412

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

ok, the test case in bug 326411 give me a crash stack very similar to this bug (TB17420666).

testcase crashing FF: https://bugzilla.mozilla.org/attachment.cgi?id=211943

Revision history for this message
In , Twalker (twalker) wrote :

I was able to reproduce this on FFx 1.5.0.4rc2 and Bon Echo from 2006-05-09 using the testcase given in comment #6

This is showing up more regularly in topcrash reports of late.

list of incedents: http://talkback-public.mozilla.org/search/start.jsp?search=1&searchby=stacksig&match=contains&searchfor=js_LookupPropertyWithFlags%0D%0A&vendor=MozillaOrg&product=Firefox2&platform=All&buildid=2006&sdate=&stime=&edate=&etime=&sortby=bbid&rlimit=500

Revision history for this message
In , Dveditz (dveditz) wrote :

> This is showing up more regularly in topcrash reports of late.

For Firefox 2, jumped to #8 based on 6 crashes out of 250 (~2.4%)--at least it appears to have jumped, but hard to tell given the low numbers. The old frequency would have been 1 or 2 crashes, but those extra 4 could have been someone trying the testcase in the bug.

In Firefox 1.5.0.3 it's still a #26 crash with 0.57% frequency (366 out of 63723). We haven't done anything to make this worse, I can't see how it would block 1.5.0.4 anything. (if a patch shows up it could go into 1.5.0.5 or later, but get the patch first.)

Might as well confirm the bug, though. It's obviously a real crash.

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

comment #6 test case now crash [@ nsComboboxControlFrame::CreateAnonymousContent] and no more at [@js_LookupPropertyWithFlags].

Revision history for this message
In , Timeless-bemail (timeless-bemail) wrote :

this should either be a dom, xul, or xpconnect bug. so i'm randomly bouncing it for kicks.

Revision history for this message
In , Adam Guthrie (ispiked) wrote :

François Gagné, the crash you mentioned is bug 318254. Although the testcase in comment 6 previously yielded the crash in this bug, it's not anymore (at least for me).

Revision history for this message
In , Bzbarsky (bzbarsky) wrote :

So is there a semi-reliable way to reproduce? Maybe with TOO_MUCH_GC?

Revision history for this message
In , Darin-moz (darin-moz) wrote :

No method to reproduce, so not going to block FF 2 beta1 for this. Though it would be nice to get a fix for FF2!

Revision history for this message
In , L. David Baron (dbaron) wrote :

Has anyone investigated whether there's a reliable way to reproduce this bug, perhaps with the HTML Validator extension, and perhaps with WAY_TOO_MUCH_GC ?

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

Perhaps a new way to reproduce, from TB24753078, TB24752946 .

Stack Signature js_LookupPropertyWithFlags a33ed43c
URL visited http://www.samsfactory.be/ateliers
User Comments edit css from webdeveloper while a quicktime was playing

I tryed the user comment and I did crash (but my talkbalk are junk so I'm not sure I do crash on js_LookupPropertyWithFlags)

Step I did :
1) Open http://www.samsfactory.be/ateliers
2) Click on a movie and wait for it to play
3) Use "Edit CSS" from the web developer extension
4) Edit the color of some link 'a'
5) Apply the change
6) Repeat step 4) and 5)
7) Do a "Reset all" (the icon similar to reload)

CRASH!

Could someone test this?

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :
Download full text (4.5 KiB)

Follow up on comment 15, I crash at @GetFrameFromLine (see TB25365069G, TB25362702E) not on @js_LookupPropertyWithFlags.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061101 BonEcho/2.0 ID:2006110104

Stack:

GetFrameFromLine [mozilla/layout/generic/nsBlockFrame.cpp, line 6877]
nsBlockFrame::GetFrameForPointUsing [mozilla/layout/generic/nsBlockFrame.cpp, line 6952]
nsBlockFrame::GetFrameForPoint [mozilla/layout/generic/nsBlockFrame.cpp, line 6988]
PresShell::HandleEvent [mozilla/layout/base/nsPresShell.cpp, line 6205]
nsViewManager::HandleEvent [mozilla/view/src/nsViewManager.cpp, line 2514]
nsViewManager::DispatchEvent [mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent [mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [mozilla/widget/src/windows/nsWindow.cpp, line 1377]
nsWindow::DispatchFocus [mozilla/widget/src/windows/nsWindow.cpp, line 6522]
nsWindow::ProcessMessage [mozilla/widget/src/windows/nsWindow.cpp, line 5090]
nsWindow::WindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1565]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xb4c0 (0x77d4b4c0)
USER32.dll + 0xb50c (0x77d4b50c)
ntdll.dll + 0xeae3 (0x7c90eae3)
nsView::~nsView [mozilla/view/src/nsView.cpp, line 267]
nsSplittableFrame::Destroy [mozilla/layout/generic/nsSplittableFrame.cpp, line 71]
nsObjectFrame::Destroy [mozilla/layout/generic/nsObjectFrame.cpp, line 775]
nsFrameList::DestroyFrames [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsFrameList::DestroyFrame [mozilla/layout/generic/nsFrameList.cpp, line 234]
nsCSSFrameConstructor::ContentRemoved [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10048]
nsCSSFrameConstructor::RecreateFramesForContent [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 12004]
nsCSSFrameConstructor::ProcessRestyledFrames [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10437]
nsIPresShell::ReconstructStyleDataInternal [mozilla/layout/base/nsPresShell.cpp, line 5608]
PresShell::EndUpdate [mozilla/layout/base/nsPresShell.cpp, line 3581]
nsCSSStyleSheet::SetDisabled [mozilla/layout/style/nsCSSStyleSheet.cpp, line 2060]
XPCWrappedNative::CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_GetterSetter [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1479]
js_Invoke [mozilla/js/src/jsinterp.c, line 1377]
js_InternalInvoke [mozilla/js/src/jsinterp.c, line 1471]
JS_CallFunctionValue [mozilla/js/src/jsapi.c, line 4419]
XPC_NW_GetOrSetProperty [mozilla/js/src/xpconnect/src/XPCNativeWrapper.cpp, line 588]
XPC_NW_SetProperty [mozilla/js/src/xpconnect/src/XPCNativeWrapper.cpp, line 613]
js_Invoke [mozilla/js/src/jsinterp.c, line 1396]
js_InternalInvoke [mozilla/js/src/jsinterp.c, line 1471]
JS_CallFunctionValue [mozilla/js/src/jsapi.c, line 4419]
nsJSContext::CallEventHandler [mozilla/dom...

Read more...

Revision history for this message
g_f (gfsans-deactivatedaccount) wrote : crasch when I try to access to pnpMyAdmin

Binary package hint: firefox

I don't know only I was trying to access to http://localhost/phpmyadmin/
and I was copy and past the error message when Firefox crasched

Revision history for this message
g_f (gfsans-deactivatedaccount) wrote :

This is the report::: I am newbie, so sorry If I do a mistake...

Revision history for this message
Alex Latchford (alex.latchford) wrote :

Hello wordf,

Thanks you for the bug report, I was wondering if I could get you to note down a few more steps needed to reproduce this bug, which part of phpMyAdmin were you using etc..?

Thanks, Alex

PS.. The crash report looks fine to me, good job :)

Changed in firefox:
assignee: nobody → admin-yawnster
status: Unconfirmed → Needs Info
Revision history for this message
g_f (gfsans-deactivatedaccount) wrote : Re: [Bug 73857] Re: crasch when I try to access to pnpMyAdmin

*Well, I was in the page where there are the fields to log in.

The title said:

"Welcome to phpMyAdmin 2.8.2-debian-0.2"
*http://localhost/phpmyadmin/

Only I was trying to log in, but I forget the password, and I was trying
writing some passwords and usernames...
After I was copying the error

"#1045 - Access denied for user 'root'@'localhost' (using password: YES)"

With the menu cut_copy_paste_etc... and this moment when I was trying to
change of page for search the error.
This happened 2 times
But I don't remember any more.

Now I was trying to do the bug, but... nop ,All is right...

On 12/1/06, Alex Latchford <email address hidden> wrote:
>
> Hello wordf,
>
> Thanks you for the bug report, I was wondering if I could get you to
> note down a few more steps needed to reproduce this bug, which part of
> phpMyAdmin were you using etc..?
>
> Thanks, Alex
>
> PS.. The crash report looks fine to me, good job :)
>
> ** Changed in: firefox (Ubuntu)
> Assignee: (unassigned) => Alex Latchford
> Status: Unconfirmed => Needs Info
>
> --
> crasch when I try to access to pnpMyAdmin
> https://launchpad.net/bugs/73857
>

Revision history for this message
Alex Latchford (alex.latchford) wrote : Re: crasch when I try to access to pnpMyAdmin

Hello wordf,

Thank you for stating the steps, I forgot to ask you before, could you also please note down which version of Ubuntu you are using and also which version of firefox please?

Thanks again, Alex

Revision history for this message
g_f (gfsans-deactivatedaccount) wrote : Re: [Bug 73857] Re: crasch when I try to access to pnpMyAdmin

   - Ubuntu 6.10 Edgy Eft.
   - Mozilla/5.0 (x11; u; linux i686 en-us rv:1.8.1) Gecko/20060601
   Firefox/2.0 (Ubuntu-edgy)

Thanks.

On 12/2/06, Alex Latchford <email address hidden> wrote:
>
> Hello wordf,
>
> Thank you for stating the steps, I forgot to ask you before, could you
> also please note down which version of Ubuntu you are using and also
> which version of firefox please?
>
> Thanks again, Alex
>
> --
> crasch when I try to access to pnpMyAdmin
> https://launchpad.net/bugs/73857
>

--
gabriel francisco sanchez suarez
<email address hidden>
phone:8034870219
Blog :http://lanopalabra.com

Alex Latchford (alex.latchford)
Changed in firefox:
assignee: admin-yawnster → nobody
status: Needs Info → Confirmed
Revision history for this message
In , Hskupin (hskupin) wrote :

A crash with the same stack trace happens for me now with Thunderbird. The window was opened in the background and I moved with the mouse over the window title to click on the minimize button. Then Thunderbird crashed:

Talkback id: TB28278990Y

Stack Signature js_LookupPropertyWithFlags 9cfc61fe
Product ID Thunderbird2
Build ID 2007011004
Trigger Time 2007-01-12 00:12:11.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (00031a45)
URL visited
User Comments Moving mouse over window title to minimize the application
Since Last Crash 2096 sec
Total Uptime 28182 sec
Trigger Reason Access violation
Source File, Line No. e:/builds/tinderbox/Tb-Mozilla1.8/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3187
Stack Trace
js_LookupPropertyWithFlags [mozilla/js/src/jsobj.c, line 3187]
js_LookupProperty [mozilla/js/src/jsobj.c, line 3114]
js_GetProperty [mozilla/js/src/jsobj.c, line 3491]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 595]
nsXPCWrappedJS::QueryInterface [mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 106]
nsEventListenerManager::HandleEvent [mozilla/content/events/src/nsEventListenerManager.cpp, line 1752]
nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2230]
nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2209]
nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2209]
nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2209]
nsEventStateManager::DispatchMouseEvent [mozilla/content/events/src/nsEventStateManager.cpp, line 2797]
nsEventStateManager::NotifyMouseOver [mozilla/content/events/src/nsEventStateManager.cpp, line 2922]
nsEventStateManager::GenerateMouseEnterExit [mozilla/content/events/src/nsEventStateManager.cpp, line 2954]
nsEventStateManager::PreHandleEvent [mozilla/content/events/src/nsEventStateManager.cpp, line 567]
PresShell::HandleEventInternal [mozilla/layout/base/nsPresShell.cpp, line 6419]
PresShell::HandleEvent [mozilla/layout/base/nsPresShell.cpp, line 6261]
nsViewManager::HandleEvent [mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent [mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent [mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [mozilla/widget/src/windows/nsWindow.cpp, line 1389]
nsWindow::DispatchMouseEvent [mozilla/widget/src/windows/nsWindow.cpp, line 6435]
ChildWindow::DispatchMouseEvent [mozilla/widget/src/windows/nsWindow.cpp, line 6682]
nsWindow::WindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1577]
USER32.dll + 0x8734 (0x77d18734)
USER32.dll + 0x8816 (0x77d18816)
USER32.dll + 0x89cd (0x77d189cd)
USER32.dll + 0x8a10 (0x77d18a10)
nsAppShell::Run [mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main [mozilla/mail/app/nsMailApp.cpp, line 62]
kernel32.dll + 0x16fd7 (0x7c816fd7)

David Farning (dfarning)
Changed in firefox:
assignee: nobody → mozillateam
importance: Undecided → Medium
David Farning (dfarning)
Changed in firefox:
assignee: mozillateam → mozilla-bugs
Revision history for this message
Alexander Sack (asac) wrote : Re: crasch when I try to access to pnpMyAdmin

needs a retrace

Changed in firefox:
status: Confirmed → Needs Info
importance: Medium → High
Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote : Retraced Stacktrace

Retrace done.

Extract from retraced stacktrace:
...
#3 <signal handler called>
#4 XPC_WN_Helper_NewResolve (cx=0x8d78f98, obj=0x89d70b0,
#5 js_LookupPropertyWithFlags (cx=0x8d78f98, obj=0x89d70b0,
#6 js_LookupProperty (cx=0x8d78f98, obj=0x89d70b0,
#7 js_GetProperty (cx=0x8d78f98, obj=0x89d70b0,
#8 js_Interpret (cx=0x8d78f98,
...

Tagging as mt-confirm for further processing

Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote : Retraced Thread Stacktrace

Retraced Thread Stacktrace

description: updated
Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote :

TODO: The duplicates have more info than the Master (will review asap).

Alexander Sack (asac)
Changed in firefox:
status: Needs Info → Confirmed
John Vivirito (gnomefreak)
Changed in firefox:
status: Confirmed → In Progress
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Unknown → Confirmed
Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

Good news,

Here an URL telling how to crash with js_LookupPropertyWithFlags:
http://jsx.cc/firefox/diff.html

Here my talkback TB34424073M

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6pre) Gecko/20070727 BonEcho/2.0.0.6pre ID:2007072704

Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :

Thanks for that testcase, François!
I get a regression range on the 1.8.1 branch between 2006-09-12 and 2006-09-13:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-09-12+03&maxdate=2006-09-13+06&cvsroot=%2Fcvsroot
On trunk I've tested with a 2006-09-11 build which doesn't crash and a 2006-09-13 build which does crash, so same regression range.
It seems this doesn't crash on the 1.8.0.x tree, I've tried it with the latest 1.8.0.x build.

On trunk it seems to be fixed somehow in the latest trunk builds.
I crash with a 2007-03-07 trunk build, but I don't crash anymore with a 2007-03-08 trunk build:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-07+04&maxdate=2007-03-08+09&cvsroot=%2Fcvsroot

Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :

Created an attachment (id=274267)
testcase from François

This is the testcase from François. I've added an automatic reload function in it, for easier crashing.
I get a different stacktrace with it, though, not sure if that matters. Talkback ID: TB34439062E

Revision history for this message
In , Bzbarsky (bzbarsky) wrote :

The branch regression range corresponds to a whole bunch of JS stuff landing on the branch. The trunk "it got fixed" range corresponds to several JS fixes too. I'm willing to bet this is a JS engine bug...

Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :

Boris, I think you wanted to blocking1.8.1.7+ it, right?
Let me know if you want to have a smaller testcase (I could try).

Revision history for this message
In , Bzbarsky (bzbarsky) wrote :

I meant to "blocking1.8.1.7?"....

No idea about testcase. Brendan or Igor would be the ones to ask.

Revision history for this message
In , Dveditz (dveditz) wrote :

Brendan, Igor, Crowder: would it be possible to track down what caused this crash to increase into a topcrash, and what fixed it on the trunk? regression and fix ranges are in comment 19

Revision history for this message
In , Abillings (abillings) wrote :

Why is this QAwanted? We have a reduced test case for this.

Revision history for this message
In , Samuel Sidler (samuel-sidler) wrote :

It was added with comment 14 and can be removed now.

Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :

It might be useful to get a smaller testcase (it isn't exactly reduced).
I asked that in comment 22, but I didn't get a reply from Brendan or Igor, so I'm not going to try that just yet, since it's a lot of work.

Revision history for this message
In , Hskupin (hskupin) wrote :

I tried to run the testcase once again and I'm getting a total different stack trace (TB35460264G):

msvcrt.dll + 0x372e3 (0x77c172e3)
SprintPut [mozilla/js/src/jsopcode.c, line 406]
js_DecompileCode [mozilla/js/src/jsopcode.c, line 4226]
js_DecompileFunction [mozilla/js/src/jsopcode.c, line 4424]
JS_DecompileFunction [mozilla/js/src/jsapi.c, line 4154]
fun_toString [mozilla/js/src/jsfun.c, line 1543]
js_Invoke [mozilla/js/src/jsinterp.c, line 1375]
js_Interpret [mozilla/js/src/jsinterp.c, line 3946]
js_Execute [mozilla/js/src/jsinterp.c, line 1634]
JS_EvaluateUCScriptForPrincipals [mozilla/js/src/jsapi.c, line 4296]
nsJSContext::EvaluateString [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1100]
nsScriptLoader::EvaluateScript [mozilla/content/base/src/nsScriptLoader.cpp, line 813]
nsScriptLoader::ProcessRequest [mozilla/content/base/src/nsScriptLoader.cpp, line 711]
nsScriptLoader::DoProcessScriptElement [mozilla/content/base/src/nsScriptLoader.cpp, line 644]
nsScriptLoader::ProcessScriptElement [mozilla/content/base/src/nsScriptLoader.cpp, line 396]
nsHTMLScriptElement::MaybeProcessScript [mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 663]
nsHTMLScriptElement::BindToTree [mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 456]
nsGenericElement::AppendChildTo [mozilla/content/base/src/nsGenericElement.cpp, line 2876]
HTMLContentSink::ProcessSCRIPTTag [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4174]
HTMLContentSink::AddLeaf [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3040]
HTMLContentSink::AddHeadContent [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 2991]
CNavDTD::AddHeadLeaf [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3609]
CNavDTD::HandleToken [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 955]
CNavDTD::BuildModel [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 458]
nsParser::BuildModel [mozilla/parser/htmlparser/src/nsParser.cpp, line 2169]

Is this the same issue or a different one?

Revision history for this message
In , Johnjbarton (johnjbarton) wrote :

There are three stack traces in this bug report. Two of them are familiar to me as problems hit by Firebug. They look completely different, but I think they may be the same problem.

Based on tracing output from Firebug I am fairly confident that the stack from talkback 36785076 is caused by jsdIScript.functionSource. This stack ends with "detecting" but the preceding call is js_LookupProperty and two up is QI. Notice that the call stack at the top of this report has js_LookupProperty and two up is QI. Now the third call stack in this report, just above me here, is a seemingly completely different trace, but it has js_DecompileCode. This latter trace is one that comes up often in Firebug 1.1.

There is a small and two large mysteries here:
 small: why is the trace right above me here calling decompile
 large: why does jsdIScript.functionSource die on QI
 large: whats the bug here?

This is an important bug to fix for firebug because otherwise we cannot use jsdIScript.functionSource and we lose the ability to debug event handlers. Venkman probably does not hit these cases because the scripts that crash Firebug are in event handlers that Venkman cannot see.

Also the code in question is a 724 line event handler from http://pagead2.googlesyndication.com/pagead/show_ads.js so it crashes Firebug a lot.

Revision history for this message
In , Johnjbarton (johnjbarton) wrote :

Ok so I know much of what I said makes no sense. But then neither do the stack traces.

What I am pretty sure of is that
  jsdIScript.functionSource crashes
  the stack has QI
  QI calls Detecting
  Detecting looks at script bytecodes.
The crash line for talkback 36786514
Detecting [mozilla/js/src/jsobj.c, line 3117]
 for (endpc = script->code + script->length; pc < endpc; pc++)

And jsdIScript.functionSource crashes in other cases.

I'm going to see what happens in FF3.

43 comments hidden view all 123 comments
Revision history for this message
In , Hskupin (hskupin) wrote :

No topcrasher on OS X and Linux but there are also some crash reports => All/All.

Revision history for this message
In , Hskupin (hskupin) wrote :

There are even listed a lot of crashes for trunk builds with the similar top frame:
http://crash-stats.mozilla.com/report/list?range_unit=months&query_search=signature&query_type=contains&branch=1.9&signature=js_LookupPropertyWithFlags&query=js_LookupPropertyWithFlags&range_value=1

I think the version field should be updated to Trunk.

Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :

The testcase attached to this bug is only crashing on branch.

Revision history for this message
In , Gebozinis (gebozinis) wrote :

Another one:

TB41826697Z

Revision history for this message
In , Gebozinis (gebozinis) wrote :

More:

TB41872185Y

Revision history for this message
In , Gebozinis (gebozinis) wrote :

Are these related to this bug?

https://bugzilla.mozilla.org/show_bug.cgi?id=418116
https://bugzilla.mozilla.org/show_bug.cgi?id=404787

http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41575054W
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41575056G
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41575058X
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41707236E
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41709732W
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41710258Z
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41826697Z
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41872185Y

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

I guess a good way would be to verify the regression range in comment 19.

Download the builds from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/ (Check for the builds with 'mozilla1.8' in the directory name)

Revision history for this message
In , Gebozinis (gebozinis) wrote :

More:
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB41961014H

Revision history for this message
In , Gebozinis (gebozinis) wrote :

I have discovered that disabling SwitchProxy Tool 1.4.1 will make this problem ( actually the problem I described in https://bugzilla.mozilla.org/show_bug.cgi?id=418116 ) disappear.

Revision history for this message
Alexander Sack (asac) wrote :

appears to be still active upstream.

Revision history for this message
In , Vseerror (vseerror) wrote :

#39 crasher for 2.0.0.14 - all comments refer to getting mail

Revision history for this message
In , Bmo-2 (bmo-2) wrote :

igor: were you ever able to repro this in windoze?

Revision history for this message
In , Dveditz (dveditz) wrote :

As much as it would be great to fix, it's even less of a blocker than before now that we've shipped Firefox 3 without this crash.

Alexander Sack (asac)
Changed in firefox:
assignee: mozilla-bugs → nobody
status: In Progress → Triaged
Changed in firefox-3.0:
importance: Undecided → High
status: New → Triaged
Revision history for this message
In , Johnjbarton (johnjbarton) wrote :

FF2 EOL, not a Firebug priority

Revision history for this message
In , Igor Bukanov (igor-mir2) wrote :

This goes back to the pool.

Revision history for this message
Kevin (kevinjohnson) wrote :

My bug #333891 keeps getting related to this one, but I don't really think they are the same.

Maybe someone can explain the rationale.

Revision history for this message
In , Ludovic-mozillamessaging (ludovic-mozillamessaging) wrote :

*** Bug 485680 has been marked as a duplicate of this bug. ***

Revision history for this message
Pander (pander) wrote :

firefox 3.0.8+nobinonly-0ubuntu0.8.10.2 crashes on http://castor.org/download.html , perhaps this is a case for this bug?

Revision history for this message
In , Vseerror (vseerror) wrote :

rare, but also exists on trunk. all 3 from the past month are 3.0b3pre
bp-16272751-900d-424d-a5f9-9b3522090503

Revision history for this message
In , Vseerror (vseerror) wrote :

top 20 topcrash for Thunderbird 2
if stack is a match - can we make anything out of the draft patch?

a few samples (lots of crashes have comments)
TB54712292 After a few moments, thunderbird closes without warning, no mater what I do, reading mail, downloading attachment or forwarding mail. This problem start yesterday 20/05/09
TB54577790 checking mail
TB55747402 checking news
TB54474790 returning from sleep

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

The good news is the testcase https://bugzilla.mozilla.org/attachment.cgi?id=274267 still crash in Firefox 2.0.0.20.

Clicking in the page to select some text should it make it crash if it doesn't crash by reloading the page automatically.

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

I got the talkback TB55825067W but it sadly doesn't crash anymore at js_LookupPropertyWithFlags :(

http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=TB55825067W

-------------

Stack trace:

msvcrt.dll + 0x372e3 (0x77c472e3)
SprintPut [mozilla/js/src/jsopcode.c, line 410]
js_DecompileCode [mozilla/js/src/jsopcode.c, line 4200]
js_DecompileFunction [mozilla/js/src/jsopcode.c, line 4398]
JS_DecompileFunction [mozilla/js/src/jsapi.c, line 4192]
fun_toString [mozilla/js/src/jsfun.c, line 1543]
js_Invoke [mozilla/js/src/jsinterp.c, line 1387]
js_Interpret [mozilla/js/src/jsinterp.c, line 3966]
js_Execute [mozilla/js/src/jsinterp.c, line 1648]
JS_EvaluateUCScriptForPrincipals [mozilla/js/src/jsapi.c, line 4334]
nsJSContext::EvaluateString [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1138]
nsScriptLoader::EvaluateScript [mozilla/content/base/src/nsScriptLoader.cpp, line 779]
nsScriptLoader::ProcessRequest [mozilla/content/base/src/nsScriptLoader.cpp, line 676]
nsScriptLoader::DoProcessScriptElement [mozilla/content/base/src/nsScriptLoader.cpp, line 609]
nsScriptLoader::ProcessScriptElement [mozilla/content/base/src/nsScriptLoader.cpp, line 361]
nsHTMLScriptElement::MaybeProcessScript [mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 663]
nsHTMLScriptElement::BindToTree [mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 456]
nsGenericElement::AppendChildTo [mozilla/content/base/src/nsGenericElement.cpp, line 2876]
HTMLContentSink::ProcessSCRIPTTag [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4181]
HTMLContentSink::AddLeaf [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3047]
HTMLContentSink::AddHeadContent [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 2998]
CNavDTD::AddHeadLeaf [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3616]
CNavDTD::HandleToken [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 955]
CNavDTD::BuildModel [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 458]
nsParser::BuildModel [mozilla/parser/htmlparser/src/nsParser.cpp, line 2169]

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

Did I just hit bug 400532?

Bug 424558 got a similar stack, and have a wip patch in it!

CCing Mats Palmgren

Revision history for this message
Micah Gersten (micahg) wrote :

Firefox 2 has reached end of life.

Changed in firefox (Ubuntu):
status: Triaged → Won't Fix
Revision history for this message
In , Chofmann (chofmann) wrote :

should this be WFM? 2.0 is no longer supported, and I don't see the crash in 3.5.x.

Revision history for this message
In , Frenchfrog (frenchfrog) wrote :

That is already 'Version: 1.8 Branch', so I don't see the point of WFM it.

Perhaps clear the 'Importance' and 'Target Milestone' ?

Revision history for this message
In , Chofmann (chofmann) wrote :

or mark as won't fix?

Revision history for this message
In , Samuel Sidler (samuel-sidler) wrote :

Only mark it WONTFIX if the Linux distros don't want this fixed for their Firefox 2 and 1.5 releases *and* if it doesn't affect Thunderbird. Can you confirm those two things are true?

Revision history for this message
In , Vseerror (vseerror) wrote :

  gebozini, can you still reproduce your problem using firefox 3.5?

I'm not so sure bug 418116 is properly a dupe of this. But I haven't compared stacks

Revision history for this message
In , Vseerror (vseerror) wrote :

  gebozinis?

Revision history for this message
In , Bugzilla-zirro (bugzilla-zirro) wrote :

Is there anything that is keeping this from being a WONTFIX now?

Revision history for this message
In , Samuel Sidler (samuel-sidler) wrote :

Have you done anything that was said in comment 78?

Revision history for this message
In , Jruderman (jruderman) wrote :

WFM on trunk. People using ancient branches (Linux distros and Thunderbird) can track branch status using branch status flags.

Revision history for this message
John Vivirito (gnomefreak) wrote :

Firefox-3.0 has reached EOL.
Changing package to Firefox-3.5 until confirmed it no longer happens. Can anyone reproduce this in Firefox-3.5 or Firefox-3.6.
When tested with the links in this bug report. Can you please confirm this does or does not happen in the latest stable release of Firefox-3.5

affects: firefox-3.0 (Ubuntu) → firefox-3.5 (Ubuntu)
Revision history for this message
John Vivirito (gnomefreak) wrote :

Sorry meant to say that i do not get crashes with the links in the bug report.

Revision history for this message
John Vivirito (gnomefreak) wrote :

Sorry but it has been decided to release 3.0.18 in Feb.

affects: firefox (Ubuntu) → firefox-3.0 (Ubuntu)
Changed in firefox-3.0 (Ubuntu):
status: Won't Fix → Triaged
frode davidsen (frodekarlsen-1)
Changed in firefox-3.5 (Ubuntu):
assignee: nobody → frode davidsen (frodekarlsen-1)
Changed in firefox-3.0 (Ubuntu):
assignee: nobody → frode davidsen (frodekarlsen-1)
Changed in firefox:
importance: Unknown → Undecided
status: Confirmed → New
assignee: nobody → frode davidsen (frodekarlsen-1)
frode davidsen (frodekarlsen-1)
Changed in firefox:
status: New → Confirmed
frode davidsen (frodekarlsen-1)
Changed in firefox:
status: Confirmed → New
Revision history for this message
Micah Gersten (micahg) wrote :

Please don't randomly assign yourself stuff. If you'd like to work on this, upstream is the place to do it.

Changed in firefox:
assignee: frode davidsen (frodekarlsen-1) → nobody
importance: Undecided → Unknown
status: New → Unknown
Changed in firefox-3.0 (Ubuntu):
assignee: frode davidsen (frodekarlsen-1) → nobody
Changed in firefox-3.5 (Ubuntu):
assignee: frode davidsen (frodekarlsen-1) → nobody
Revision history for this message
Micah Gersten (micahg) wrote :

Closing Firefox 3.5 task as upstream marked WFM on 3.5

Changed in firefox-3.5 (Ubuntu):
status: Triaged → Invalid
frode davidsen (frodekarlsen-1)
Changed in firefox-3.0 (Ubuntu):
status: Triaged → New
Changed in firefox-3.5 (Ubuntu):
status: Invalid → Incomplete
frode davidsen (frodekarlsen-1)
Changed in firefox-3.5 (Ubuntu):
status: Incomplete → New
frode davidsen (frodekarlsen-1)
Changed in firefox:
importance: Unknown → Undecided
status: Unknown → New
Revision history for this message
Micah Gersten (micahg) wrote :

Fixing statuses after last user's changes

Changed in firefox:
importance: Undecided → Unknown
status: New → Unknown
Changed in firefox-3.5 (Ubuntu):
status: New → Invalid
Changed in firefox-3.0 (Ubuntu):
status: New → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
importance: Unknown → Critical
status: Unknown → Invalid
Revision history for this message
madbiologist (me-again) wrote :

Upstream support for Firefox 3.0 ended after the release of Firefox 3.0.19 on March 30, 2010. Support for Ubuntu Edgy, Feisty and Gutsy has also ended. Support for Ubuntu Hardy ended on 12th May 2011 for desktops, and I doubt anyone is running Firefox on a server.

Closing bug.

See comment #121.

Changed in firefox-3.0 (Ubuntu):
status: Triaged → Invalid
Displaying first 40 and last 40 comments. View all 123 comments or add a comment.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.