Closed Bug 98207 Opened 23 years ago Closed 23 years ago

about:config crashes the second time - Trunk [@ js_Interpret]

Categories

(Core :: XUL, defect, P1)

Tracking

VERIFIED FIXED
mozilla0.9.4

People

(Reporter: bnesse, Assigned: brendan)

Details

(Keywords: crash, topcrash)

Attachments

(2 files)

From bug 37592...
------- Additional Comments From Matti (Matthias Versen) 2001-09-01 17:45 -------
This is crashing for me if I use about:config the second time.
1. Type about:config
2. Load another page
3. type about:config again -> crash
win2k build 20010901.. (CVS opt)
When I leave the about:config page the first time, I see a bunch of debug spew in the console window... almost like it's trying to re-draw the about:config page after deleting it or something...
************************************************************
* Call to xpconnect wrapped JSObject produced this error: *
[Exception... "'[JavaScript Error: "arr is not defined" {file: "chrome://global/content/config.js" line: 27}]' when calling method: [nsIOutlinerView::getCellText]" nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)" location: "<unknown>" data: yes]
************************************************************
When you try and return to about:config it crashes in JS. Stack coming.
Keywords: crash
Attached file: Stack crawl of crash (deleted)
Segmentation fault on linux - debugging problem
Status: NEW → ASSIGNED
bug 97444 is also a crash at JS_GetPrivate; may be a dup but I'm not quite ready to pull the trigger yet.
Actually, this looks like another skidmark from the same bug that's causing bug 97293. This bug may be more reproducible, so I'm not marking it dup. dbaron, is this the smoking gun? I'll try to debug later today, but someone feel free to beat me to it. (The JS_GetPrivate crash is not the interesting part that links this bug's backtrace to bug 97293 rather than to the also-in-JS_GetPrivate bug 97444 -- rather, the nsXULDocument::ExecuteScript that passes a bad, probably-GC'd script object into JS_ExecuteScript, is the key.) /be
I just gave this a whirl and got the same results as Brendan - the aScriptObject is garbage. FWIW, on NT my debug build goes off into the weeds without leaving me a usable stack. My release-with-symbols build yields the same stack as already posted to this bug.
Severity: major → critical
jband: I still haven't tried to debug this, but I will tonight. Did you divine whether a XUL precompiled script object reference was unrooted? /be
brendan: I didn't dig that deep. The 'bad' JSObject is the one called 'aScriptProto->mJSObject' in nsXULDocument::LoadScript. aScriptProto looks like a nice object. But the JSObject is smelly.
Adding topcrash as per Bug 97293. P1, 0.9.5, component JavaScript Engine (belongs to khanson@netscape.com as well?)
Component: Preferences → Javascript Engine
Keywords: topcrash
Priority: -- → P1
Target Milestone: --- → mozilla0.9.5
jpatel: I'm betting this will end up a XUL bug, but you can assign it to me or to jband. The other bug, bug 97293, might better be forward-duped against this one, because this bug has reproducible instructions. But bug 97293 has some nice dbaron disassembly analysis, so I've been hesitant to dup it. Yeah, I'm just shy. /be
*** Bug 97293 has been marked as a duplicate of this bug. ***
jussi, sorry -- I saw a leading "j" in your name, saw "topcrash", and my brain went off like a plastic trap. /be
Adding Trunk [@ js_Interpret] for tracking, since bug 97293 was just marked a dup.
Summary: about:config crashes the second time → about:config crashes the second time - Trunk [@ js_Interpret]
This is a XUL bug, and I caused it with my FastLoad hacking (sob). The about:config URL loads but does not enter its XUL prototype nodes, including prototype scripts that contain rooted JSObject pointers, into the XUL prototype cache -- because the URL scheme is not chrome. But, code in nsXULDocument.cpp nsXULDocument::LoadScript, needed by FastLoad for "exactly-once" script loading, does enter the chrome:/navigator/content/config.js script into the XUL script cache -- because the URL scheme *is* chrome. That XUL script cache entry holds an unrooted JSObject* -- it counts on there being a companion XUL prototype cache entry holding a root. Blammo. Patch soon. /be
Assignee: chipc → brendan
Status: ASSIGNED → NEW
Keywords: mozilla0.9.4
Target Milestone: mozilla0.9.5 → mozilla0.9.4
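The root cause described in the comment above, modelled as an added example (a toy sketch, not Mozilla code and not the attached patch). `ToyGC`, `Caches` and the `gated` flag are hypothetical names; the gated variant is an assumed mitigation, chosen to match the later verification note that config.js is no longer placed in the XUL cache.

```cpp
// Toy model: two caches share one GC object, but only one of them roots it.
#include <map>
#include <set>
#include <string>

struct ToyGC {                       // objects are integer handles
    std::set<int> live, roots;
    int next = 1;
    int alloc() { live.insert(next); return next++; }
    void collect() {                 // anything not rooted is swept
        std::set<int> kept;
        for (int h : live) if (roots.count(h)) kept.insert(h);
        live.swap(kept);
    }
};

static bool isChrome(const std::string& url) { return url.rfind("chrome:", 0) == 0; }

struct Caches {
    ToyGC gc;
    std::map<std::string, int> protoCache;   // entry keeps the script object rooted
    std::map<std::string, int> scriptCache;  // entry holds a bare, unrooted handle
    int load(const std::string& doc, const std::string& script, bool gated) {
        auto hit = scriptCache.find(script);
        if (hit != scriptCache.end()) return hit->second;  // trusts a root to exist elsewhere
        int h = gc.alloc();
        gc.roots.insert(h);                  // rooted by the document's prototype
        bool docCached = isChrome(doc);      // only chrome documents enter protoCache
        if (docCached) protoCache[doc] = h;
        // gated=false: cache on the script's scheme alone; gated=true: also require docCached.
        if (isChrome(script) && (!gated || docCached)) scriptCache[script] = h;
        return h;
    }
    void unload(const std::string& doc, int h) {
        if (!protoCache.count(doc)) gc.roots.erase(h);  // uncached prototype dies with the page
        gc.collect();
    }
};

// Open, leave, reopen; returns true if the second load yields a live object.
bool secondLoadIsLive(const std::string& doc, bool gated) {
    Caches c;
    const std::string script = "chrome://global/content/config.js";  // URL from the console error
    int first = c.load(doc, script, gated);
    c.unload(doc, first);
    return c.gc.live.count(c.load(doc, script, gated)) != 0;
}

int main() {  // exit status 0 when the ungated path dangles and the gated path does not
    return (!secondLoadIsLive("about:config", false) && secondLoadIsLive("about:config", true)) ? 0 : 1;
}
```

In the ungated path the second load returns a handle the collector has already swept, which is the model's equivalent of the garbage aScriptObject seen in the debugger.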
Comment on attachment 48374: proposed fix (one-line change, excluding comments)
r/sr=waterson
Attachment #48374 - Flags: review+
Comment on attachment 48374: proposed fix (one-line change, excluding comments)
sr=jband
Attachment #48374 - Flags: superreview+
Comment on attachment 48374: proposed fix (one-line change, excluding comments)
a=asa for checkin to 0.9.4 branch.
Attachment #48374 - Flags: approval+
QA Contact: sairuh → pschwartau
(Fixing component and QA contact...) Fix checked into trunk and branch. /be
Status: NEW → RESOLVED
Closed: 23 years ago
Component: Javascript Engine → XP Toolkit/Widgets: XUL
QA Contact: pschwartau → jrgm
Resolution: --- → FIXED
verified fixed -- does not crash on second use of about:config and config.js is not serialized into the fastload file (or placed in xul cache) -- mac/linux/win32 2001-09-06-08 builds. [Note: needed a slight workaround to test about:config on Linux -- bug 98667].
Status: RESOLVED → VERIFIED
*** Bug 98823 has been marked as a duplicate of this bug. ***
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
Crash Signature: [@ js_Interpret]