Closed Bug 451884 Opened 16 years ago Closed 16 years ago

Crash [@ QuoteString] on the nytimes.com site

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1

People

(Reporter: martijn.martijn, Assigned: brendan)

References

(
URL
)

Details

(4 keywords)

Crash Data

Attachments

(2 files)

testcase
(deleted), text/html
Details
fix
(deleted), patch
mrbkap
: review+
Details | Diff | Splinter Review
Attached file testcase (deleted) —
When I have the jit prefs enabled in the latest trunk build of Firefox (javascript.options.jit.chrome and javascript.options.jit.content), then I crash on the site I pasted in the url. http://crash-stats.mozilla.com/report/index/7c9f8e1c-7157-11dd-9678-001a4bd43ed6 0 js3250.dll QuoteString js/src/jsopcode.cpp:587 1 js3250.dll Decompile js/src/jsopcode.cpp:3796 2 js3250.dll DecompileCode js/src/jsopcode.cpp:4698 3 js3250.dll DecompileExpression js/src/jsopcode.cpp:5090 4 js3250.dll js_DecompileValueGenerator js/src/jsopcode.cpp:4967 5 js3250.dll js_ReportValueErrorFlags js/src/jscntxt.cpp:1329 6 js3250.dll js3250.dll@0x58732 7 js3250.dll js_Interpret js/src/jsinterp.cpp:4253 8 js3250.dll js_Execute js/src/jsinterp.cpp:1549 9 js3250.dll js_obj_eval js/src/jsobj.cpp:1341 10 js3250.dll js_Invoke js/src/jsinterp.cpp:1308 11 js3250.dll js_Interpret js/src/jsinterp.cpp:4963 12 js3250.dll js_Execute js/src/jsinterp.cpp:1549 13 js3250.dll JS_EvaluateUCScriptForPrincipals js/src/jsapi.cpp:5054 14 xul.dll nsJSContext::EvaluateString dom/src/base/nsJSEnvironment.cpp:1540 15 xul.dll nsScriptLoader::EvaluateScript content/base/src/nsScriptLoader.cpp:594 16 xul.dll nsScriptLoader::ProcessRequest content/base/src/nsScriptLoader.cpp:504 17 xul.dll nsScriptLoader::ProcessScriptElement content/base/src/nsScriptLoader.cpp:458 18 xul.dll nsContentUtils::HasNonEmptyTextContent content/base/src/nsContentUtils.cpp:3641 19 xul.dll nsScriptElement::MaybeProcessScript content/base/src/nsScriptElement.cpp:188
I'm seeing this crash with one of my sessions with both JIT prefs at their default value (false). I can't tell which page in the session triggers the crash, though.
I crash with this stack every time I load Zimbra. :(
Flags: blocking1.9.1?
OS: Windows XP → All
Brendan's offered to take this. Here's a reduced testcase: (function(k){eval("k.y")})({})
Assignee: general → brendan
Blocks: 452298
Failing reduced testcase: (function(k){eval("k.y")})() /be
Status: NEW → ASSIGNED
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1
Attached patch fix (deleted) — Splinter Review
Attachment #335680 - Flags: review?(mrbkap)
Attachment #335680 - Flags: review?(mrbkap) → review+
Fixed on mozilla-central: http://hg.mozilla.org/mozilla-central/index.cgi/rev/61ee5bbbe005 /be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Blocks: upvar1
No longer blocks: 452298
Keywords: regression
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-451884.js,v <-- regress-451884.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/rev/3ae03411eae7
Flags: in-testsuite+
Flags: in-litmus-
Flags: blocking1.9.1? → blocking1.9.1+
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090122 Shiretoko/3.1b3pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090122 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Crash Signature: [@ QuoteString]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: