Closed Bug 320256 Opened 19 years ago Closed 15 years ago

crash [@ js_AllocStack - js_InternalInvoke] access violation (jsinterp.c line 390)

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Version:
1.8 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: tonymec, Unassigned)

Details

(Keywords: crash)

Crash Data

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051213 Firefox/1.5 Build Identifier: branch 1.5 (Gecko 1.8) build 2005120103 TB12498125Z Reproducible: Didn't try Steps to Reproduce: Actual Results: crash Expected Results: no crash Stack Signature js_AllocStack 3e09427b Product ID Firefox15 Build ID 2005120103 Trigger Time 2005-12-01 22:10:39.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module js3250.dll + (0001e54c) URL visited User Comments Since Last Crash 6260 sec Total Uptime 6260 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 390 Stack Trace js_AllocStack [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 390] js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1263] JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4158] nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411] nsJSEventListener::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 195] nsXBLPrototypeHandler::ExecuteHandler [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 505] nsXBLEventHandler::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLEventHandler.cpp, line 86] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1685] nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1786] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2153] nsXULElement::HandleChromeEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2833] nsGlobalWindow::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1574] nsDocument::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 4013] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2206] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2174] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2174] PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6367] PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6203] nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559] nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246] HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252] nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5982] ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6233] nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434] USER32.dll + 0x8734 (0x77d18734) USER32.dll + 0x8816 (0x77d18816) USER32.dll + 0x89cd (0x77d189cd) USER32.dll + 0x8a10 (0x77d18a10) nsAppShell::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159] nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151] main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x16d4f (0x7c816d4f)
Version: unspecified → 1.5 Branch
(In reply to comment #1) > Dupe of bug 237823? Steve, do you see a similarity in the stacks? (I don't - it's why Tony filed a new bug)
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Version: 1.5 Branch → 1.8 Branch
No i don't. But i'm a triage monkey, not a code ninja, hence why I suggested it /may/ be a dupe; it makes verifying such claims easier for people who know more about it than i do. (they don't have to do the search themselves)
See bug 237823 comment 9. /be
Assignee: general → events
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → DOM: Events
Ever confirmed: true
QA Contact: general → ian
Quoting bug 237823 comment #9 by Brendan Eich: > jay, anyone: do the talkback reports show a consistent caller and even > grand-caller of js_AllocStack? Here in timeless's comment 0, the caller is > nsXPCWrappedJSClass::CallMethod. Over in bug 320356 the caller is > js_InternalInvoke, from JS_CallFunctionValue, from DOM event handler dispatch. > > I agree these are distinct bugs. The signature needs to include more than the > top frame of the stack. In that light, bug 320356 is unlikely to be a JS > engine bug. It's probably a DOM or embedding bug where a destroyed JSContext is > being used by faulty code that passes the bad pointer into the JS engine. > > /be > ...and IIUC his mentioning "bug 320356" (for 320256) is a typo.
Component: DOM: Events → JavaScript Engine
Component: JavaScript Engine → DOM: Events
Do we have any ideas on how to reproduce?
(In reply to comment #6) > Do we have any ideas on how to reproduce? I've filed bug 344062, it has a testcase which, I think, reproduces this crash.
(In reply to comment #7) > (In reply to comment #6) > > Do we have any ideas on how to reproduce? > > I've filed bug 344062, it has a testcase which, I think, reproduces this crash. > If one of you gurus has the savvy to check that it does reproduce -this- crash, then if it does, I guess this one should be marked as a dupe of bug 344062
(In reply to comment #9) > *** Bug 400618 has been marked as a duplicate of this bug. *** > Well, I'm not convinced. 400618 is reliably created with firebug+google ads. This one does not seem to be related to jsd and that matter how to even produce this trace?
Summary: crash [@ js_AllocStack 3e09427b] access violation (jsinterp.c line 390) → crash [@ js_AllocStack - js_InternalInvoke] access violation (jsinterp.c line 390)
Assignee: events → nobody
QA Contact: ian → events
Smaug, any idea what the DOM Events code might be doing wrong, given bug 237823 comment 9 and the stack trace in comment 0? If not, let's close this bug as incomplete.
The stack isn't too useful, and the whole DOM event dispatch handling has been written (over 3 years ago). So marking incomplete.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Crash Signature: [@ js_AllocStack - js_InternalInvoke]
You need to log in before you can comment on or make changes to this bug.