Closed Bug 308111 Opened 19 years ago Closed 19 years ago

browser crash when searching large e4x tree [@ GetProperty]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta5

People

(Reporter: boogs, Assigned: brendan)

Details

(Keywords: crash, verified1.8)

Crash Data

Attachments

(6 files)

testcase
51.30 KB, text/html
Details
js shell version of testcase
51.59 KB, text/plain
Details
fix one of the bugs biting here, and possibly elsewhere
3.26 KB, patch
mrbkap
: review+
shaver
: superreview+
Details | Diff | Splinter Review
diff -w version of last patch
2.83 KB, patch
Details | Diff | Splinter Review
complete fix
7.76 KB, patch
Details | Diff | Splinter Review
diff -w version of last patch
7.15 KB, patch
mrbkap
: review+
shaver
: superreview+
asa
: approval1.8b5+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

Searches using foo.bar.(baz == 'hotdog') over large trees crashes DPb1. 

Reproducible: Always

Steps to Reproduce:
1. Open attached file in FFb1
2. Say yes to security confirmation


Actual Results:  
FF crashes.

Expected Results:  
Printed out the name of each item in the tree, followed by ": 1" (because the
match it is perforing should produce one result).

It stops crashing if you make the source input significantly smaller (about a
quarter the size worked forme).
Attached file testcase 

    
    

    
  
Incident ID: 9264453
Stack Signature	GetProperty() 1392ea8b
Product ID	FirefoxTrunk
Build ID	2005091006
Trigger Time	2005-09-11 23:52:28.0
Platform	MacOSX
Operating System	Darwin 8.2.0
Module	libmozjs.dylib.1.0.0 + (00070d74)
URL visited	
User Comments	
Since Last Crash	515 sec
Total Uptime	93976 sec
Trigger Reason	SIGBUS: Bus Error: (signal 10)
Source File, Line No.
/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4002
Stack Trace 	
GetProperty() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4002]
GetProperty() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4001]
js_FilterXMLList() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 7871]
js_Interpret() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line
5068]
js_Invoke() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line
1183]
js_InternalInvoke() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line
1261]
JS_CallFunctionValue() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsapi.c, line 4024]
nsJSContext::CallEventHandler() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1430]
nsJSEventListener::HandleEvent()   nsEventListenerManager::HandleEventSubType()
 [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 848]
nsEventListenerManager::HandleEvent() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1766]
nsGlobalWindow::HandleDOMEvent() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 1523]
DocumentViewerImpl::LoadComplete() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp,
line 842]
nsDocShell::EndPageLoad()   nsWebShell::EndPageLoad() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/docshell/base/nsWebShell.cpp,
line 496]
nsDocShell::OnStateChange()   nsDocLoader::FireOnStateChange() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 848]
nsDocLoader::doStopDocumentLoad() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 839]
nsDocLoader::DocLoaderIsEmpty() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 741]
nsDocLoader::OnStopRequest() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 662]
nsLoadGroup::RemoveRequest() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp,
line 848]
nsDocument::DoUnblockOnload() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/base/src/nsDocument.cpp,
line 388]
nsDocument::HandleOnloadBlockerEvent() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/base/src/nsDocument.cpp,
line 5142]
PL_HandleEvent() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c,
line 689]
PL_ProcessPendingEvents() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c,
line 623]
CoreFoundation.368.12.0 + 0x23c8c (0x9074bc8c)
CoreFoundation.368.12.0 + 0x231bc (0x9074b1bc)
CoreFoundation.368.12.0 + 0x22c3c (0x9074ac3c)
HIToolbox.221.0.0 + 0x8ac0 (0x93129ac0)
HIToolbox.221.0.0 + 0xed768 (0x9320e768)
HIToolbox.221.0.0 + 0xed51c (0x9320e51c)
HIToolbox.221.0.0 + 0xed47c (0x9320e47c)
nsMacMessagePump::GetEvent()   nsMacMessagePump::DoMessagePump()  
nsAppShell::Run() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/widget/src/mac/nsAppShell.cpp,
line 114]
nsAppStartup::Run()   XRE_main() 
[/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/toolkit/xre/nsAppRunner.cpp,
line 2311]
_start()   start()

Severity: normal → critical
Keywords: crash
Summary: browser crash when searching large e4x tree → browser crash when searching large e4x tree [@ GetProperty]

    
  
Assignee: general → brendan
Flags: blocking1.8b5+

    
    

    
  


  

    
    

    
  


  
Oops, js_MarkLocalRoots marked only the top local root scope!

There's another bug peculiar to filtering predicate expressions.  Patch for
that soon, I hope.

/be

        Attachment #195954 -
        Flags: superreview?(shaver)

        Attachment #195954 -
        Flags: review?(mrbkap)

    
    

    
  
The patch might fix crashes Bob is seeing trying to test the patch for bug 280769.

/be
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta5

    
    

    
  
Comment on attachment 195954 [details] [diff] [review]
fix one of the bugs biting here, and possibly elsewhere

r=mrbkap

        Attachment #195954 -
        Flags: review?(mrbkap) → review+

    
    

    
  
Comment on attachment 195954 [details] [diff] [review]
fix one of the bugs biting here, and possibly elsewhere

sr=shaver

        Attachment #195954 -
        Flags: superreview?(shaver)

        Attachment #195954 -
        Flags: superreview+

        Attachment #195954 -
        Flags: review?(mrbkap)

        Attachment #195954 -
        Flags: review+

        Attachment #195954 -
        Flags: review?(mrbkap) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        complete fixSplinter Review
      

    


  
diff -w version next.

/be

    
    

    
  


  
I thought about relayering js_Interpret so common-case calls go through another
level that allocates the stack frame, but that penalizes those cases even worse
than adding two branch-tests.  So to make up for that, I copied NS_*LIKELY
macros from nscore.h into jstypes.h.

/be

        Attachment #196094 -
        Flags: superreview?(shaver)

        Attachment #196094 -
        Flags: review?(mrbkap)

    
    

    
  
Comment on attachment 196094 [details] [diff] [review]
diff -w version of last patch

r=mrbkap

        Attachment #196094 -
        Flags: review?(mrbkap) → review+

    
    

    
  
Comment on attachment 196094 [details] [diff] [review]
diff -w version of last patch

sr=shaver

        Attachment #196094 -
        Flags: superreview?(shaver) → superreview+

    
    

    
  
Fixed on trunk.

/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 196094 [details] [diff] [review]
diff -w version of last patch

We can let this bake, but E4X testing is required to find it, and the testcase
is here (thanks, Aaron!), and this patch fixes it.

/be

        Attachment #196094 -
        Flags: approval1.8b5?

    
  

        Attachment #196094 -
        Flags: approval1.8b5? → approval1.8b5+

    
    

    
  
Fixed on the 1.8 branch.

/be
Keywords: fixed1.8

    
    

    
  
Checking in regress-308111.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-308111.js,v  <--  regress-308111.js
initial revision: 1.1
done

Flags: testcase+

    
    

    
  
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8verified1.8

    
    

    
  
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ GetProperty]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: