Closed Bug 98901 Opened 24 years ago Closed 24 years ago

mozilla crashes on http://www.sony.com/productregistration - N620 [@js_emit] [@ js_EmitTree]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.6

People

(Reporter: mpalczew, Assigned: brendan)

References

(
URL
)

Details

(4 keywords, Whiteboard: [PDT])

Crash Data

Attachments

(3 files, 1 obsolete file)

Full Stack Trace
70.82 KB, text/plain
Details
Testcase. This is the file that crashes mozilla.
45.66 KB, text/html
Details
proposed fix, with side order of cleanup
12.60 KB, patch
jband_mozilla
: review+
shaver
: superreview+
Details | Diff | Splinter Review
In the location bar type the url and hit enter mozilla will soon crash. This is mozilla 0.9.3 on linux.
Also happens for me on Win95 on build 2001 09 04 08. MOZILLA caused a stack fault in module JS3250.DLL at 0157:60d001c0. Registers: EAX=00000013 CS=0157 EIP=60d001c0 EFLGS=00010212 EBX=0eb52900 SS=015f ESP=00591f58 EBP=00592460 ECX=00000000 DS=015f ESI=0068ee74 FS=124f EDX=00000000 ES=015f EDI=0fdc9260 GS=0000 Bytes at CS:EIP: 53 56 8b 75 0c 8b 5d 10 57 8b 7d 08 8b 4e 40 8b Stack dump: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
win2k build 20010905 (cvs debug) -> JS Engine A part of the stack : This lines are 100x reapeated and MSC++ reports a stack overflow, js_EmitTree(JSContext * 0x03757218, JSCodeGenerator * 0x0012ec78, JSParseNode * 0x042c4570) line 924 + 5 bytes js_EmitTree(JSContext * 0x03757218, JSCodeGenerator * 0x0012ec78, JSParseNode * 0x042c45d0) line 2444 + 20 bytes js_EmitTree(JSContext * 0x03757218, JSCodeGenerator * 0x0012ec78, JSParseNode * 0x042c4958) line 2444 + 20 bytes
Assignee: asa → rogerl
Component: Browser-General → Javascript Engine
QA Contact: doronr → pschwartau
Severity: major → critical
Keywords: crash
OS: Linux → All
The code defines a lot of variables: EMAL=""; PASS=""; PASV=""; FNAM=""; LNAM=""; ADD1=""; ADD2=""; CITY=""; STAT=""; STATi=0; ZIPC=""; etc. etc. And then a function to concatenate them all: function formData() { age_header="19"; if (isNaN(AGES)||AGES.length==0) {age_header="";} data=""; data+="&UNID="+UNID +"&DIstat="+DI_Reg_Code +"&EMAL="+EMAL +"&PASS="+PASS +"&PASV="+PASV +"&FNAM="+FNAM +"&LNAM="+LNAM +"&ADD1="+ADD1 +"&ADD2="+ADD2 +"&CITY="+CITY +"&STAT="+STAT +"&ZIPC="+ZIPC etc. etc. } Result: stack overflow. cc'ing Brendan for advice. Is this a duplicate of one of these bugs? bug 56940 O(n**2) and O(n**3) growth too easy with JS string concat bug 80981 Need extended jump bytecode to avoid "script too large" errors, etc. Or is this bug a separate issue? Thanks - Note: NN4.7, IE4.7 have no trouble with this site -
Assignee: rogerl → khanson
Netscape 4.7 under linux does crash on this page.
Mike is right - I have completely different experiences with this site on my Linux box vs. on my WinNT, Mac: NN4.7 WinNT --> loads the site in less than 1 second NN4.7 Mac 9 --> loads the site in less than 1 second NN4.7 Linux --> wait, wait, CRASH Here's what happens with Mozilla trunk builds 20010909xx: Moz WinNT --> CRASH Moz Mac 9 --> loads the site in about 1 second Moz Linux --> CRASH
Simple stack overflow due to incredibly unmaintainable, unreadable, etc. program structure (yeah, I'm blaming the customer), or (to blame the engine) due to KISS use of recursion in the JS engine's code generator. Phil, this bug is not related to the "string concat is O(bad)" and "SpiderMonkey needs an extended jump bytecode" bugs. /be
*** Bug 106046 has been marked as a duplicate of this bug. ***
Copying keywords and status whiteboard from duped bug 106046
Keywords: 4xp, nsbranch, topcrash
Whiteboard: [PDT]
brendan> Simple stack overflow due to incredibly unmaintainable, unreadable, brendan> etc. program structure (yeah, I'm blaming the customer) so, should we evangelize the site?
Summary: mozilla crashes on this page → mozilla crashes on http://www.sony.com/productregistration [@js_emit]
FYI, I looked at this: data+="&UNID="+UNID +"&DIstat="+DI_Reg_Code +"&EMAL="+EMAL +"&PASS="+PASS +"&PASV="+PASV +"&FNAM="+FNAM +"&LNAM="+LNAM +"&ADD1="+ADD1 +"&ADD2="+ADD2 +"&CITY="+CITY +"&STAT="+STAT +"&ZIPC="+ZIPC etc. etc. and it goes on for 1654 lines.
Whiteboard: [PDT] → [PDT][Reassign to Tech Evangelism? - see below]
We can try, in parallel, to tell Sony* to make their code better and less sloppy. But this is absolutely a product bug and not merely an evangelism bug, so this bug ought to remain open and assigned. Evangelism will not alter the fact that this web page *crashes* the browser. Yes, I agree that the JavaScript in it is ugly and ought to be cleaned up, but the code is not guilty of anything other than ugliness. The browser ought to fail gracefully, and not crash. A crash is a sign of something suspect in the JS Engine. Does anyone here *really* think that the task of finding someone to talk to at Sony and telling them that their web page crashes our browser and not any other browser is likely to win us any respect, along with the requisite code change?
Whiteboard: [PDT][Reassign to Tech Evangelism? - see below] → [PDT]
Keywords: topembed
I agree that it doesn't seem right to evangelize changing poor bug correct code because we crash. Any user hitting one of these pages crashes -- much worse than the page just not working. Looking at the attached stack trace, it appears we recursively called js_EmitTree() 596 times before crashing. I don't know if that is a reasonable limitation even if we degraded more gracefully.
Adding N620 and [@ js_EmitTree] to summary, since this has been a topcrasher on recent branch builds.
Summary: mozilla crashes on http://www.sony.com/productregistration [@js_emit] → mozilla crashes on http://www.sony.com/productregistration - N620 [@js_emit] [@ js_EmitTree]
Attached patch proposed fix (obsolete) — Splinter Review
I'll take this in exchange for an r= in return. Patch comments: (1) The main problem here is the stack consumed by recursive js_EmitTree, which exceeds the parallel recursion that the parser's various functions go through. Recursion in the parser could blow the stack too, but we haven't seen bugs there, so to fix just the main problem, this patch flattens left-heavy trees of like binary operators into a list. It does this during constant folding, to allow 1+2 and "hi "+"there" to be combined at compile time. This change required adding a left-associative operator format flag. (2) While testing, I noticed that the js shell was compiling twice, when it should have been parsing, then compiling once it had assembled a compileable unit in a single buffer that parsed. Fixing that entailed making the jsparse.c friend method js_ParseTokenStream work when called from elsewhere in the engine without knowledge of its internals (its need to disable the GC). /be
Assignee: khanson → brendan
Keywords: js1.5, mozilla0.9.6
Priority: -- → P1
Target Milestone: --- → mozilla0.9.6
Status: NEW → ASSIGNED
Comment on attachment 55155 [details] [diff] [review] proposed fix The main fix is good, but I didn't minimize mccabe's code in JS_BufferIsCompilableUnit enough (hitEOF is singly-used, doubly-set; pn is singly-used; both must die). /be
Comment on attachment 55155 [details] [diff] [review] proposed fix The main fix is good, but I didn't minimize mccabe's code in JS_BufferIsCompilableUnit enough (hitEOF is singly-used, doubly-set; pn is singly-used; both must die). /be
Attachment #55155 - Attachment is obsolete: true
Comment on attachment 55161 [details] [diff] [review] proposed fix, with side order of cleanup Yeah, that's what I was hoping to see. sr=shaver
Attachment #55161 - Flags: superreview+
Comment on attachment 55161 [details] [diff] [review] proposed fix, with side order of cleanup r=jband I *thought* I marked this reviewed yesterday!
Attachment #55161 - Flags: review+
Fix is in, thanks for the reviews. /be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Using Mozilla trunk binaries 20011030xx on WinNT, Linux, Mac9.1. The given URL loads fine every time: http://www.sony.com/productregistration The URL from duped bug 106047 loads fine on my WinNT and Linux boxes, but crashes my Mac9.1 build: http://www.sony.com/productregistration/indexl.html Before I reopen the other bug, however, I need to check with Mac developers to see if my memory allocations are correct. On the same box, NN4.7 also crashes on this URL. I would also like to ask bobj and others what their experiences are like at each of these sites now -
Typo: that's duped bug 106046 (not 106047)
Marking Verified -
Status: RESOLVED → VERIFIED
*** Bug 129287 has been marked as a duplicate of this bug. ***
please make sure this is embedded...
Keywords: nsbeta1
Susie: what is the exact branch name to check in CVS?
i.e. is it "MOZILLA_0_9_9_BRANCH" we should check in CVS?
won't need this on the 0.9.9 branch if its not there already.. (looks like it might be if fix was checked in before march 02).
I verified that http://www.sony.com/productregistration loads without crashing within the latest mfcEmbed 2002-04-03-23-099ec ( embed-win32.zip located at ftp://ftp.mozilla.org/pub/mozilla/nightly/2002-04-03-23-0.9.9ec/ )
Flags: testcase?
Checking in regress-98901.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-98901.js,v <-- regress-98901.js initial revision: 1.1 done
Flags: testcase? → testcase+
Crash Signature: [@js_emit] [@ js_EmitTree]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: