Closed Bug 274096 Opened 20 years ago Closed 20 years ago

Trunk crash blocking iframes with AdBlock extension

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: stdowa+bugzilla, Assigned: brendan)


Details

(Keywords: crash)

Attachments

(1 file)

The following comes from bug 267804.

------- Additional Comment #12 From Stephen Walker  2004-12-10 11:01 PDT -------

Using last night's trunk cvs on Windows XP I'm crashing while trying to block
the atdmt iframe in the middle of the right-hand column on
http://www.warp2search.net/.  I'm getting the following stack often; I was only
able to reproduce the nsESM::PreHandleEvent stack in talkback once.

JS API usage error: the address passed to JS_AddNamedRoot currently holds an
invalid jsval.  This is usually caused by a missing call to JS_RemoveRoot.
The root's name is "exn.report.root".
Assertion failure: root_points_to_gcArenaPool, at
c:/Mozilla/mozilla/js/src/jsgc.c:1335

 ntdll.dll!7c901230() 	
>js3250.dll!JS_Assert(const char * s=0x100cb0a0, const char * file=0x100cb07c,
int ln=1335)  Line 155	C
 js3250.dll!gc_root_marker(JSDHashTable * table=0x00af8028, JSDHashEntryHdr *
hdr=0x02710264, unsigned long num=256, void * arg=0x02cf3c60)  Line 1335 +
0x1c bytes	C
 js3250.dll!JS_DHashTableEnumerate(JSDHashTable * table=0x00af8028,
JSDHashOperator (JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *)*
etor=0x10043980, void * arg=0x02cf3c60)  Line 618 + 0x19 bytes	C
 js3250.dll!js_GC(JSContext * cx=0x02cf3c60, unsigned int gcflags=0)  Line 1551
+ 0x15 bytes	C
 js3250.dll!js_ForceGC(JSContext * cx=0x02cf3c60, unsigned int gcflags=0)  Line
1363 + 0xd bytes	C
 js3250.dll!JS_GC(JSContext * cx=0x02cf3c60)  Line 1747 + 0xb bytes	C
 js3250.dll!JS_MaybeGC(JSContext * cx=0x02cf3c60)  Line 1766 + 0x9 bytes	C
 gklayout.dll!nsJSContext::ScriptEvaluated(int aTerminated=0)  Line 1876 + 0xd
bytes	C++
 gklayout.dll!nsJSContext::ScriptExecuted()  Line 1947	C++
 xpc3250.dll!AutoScriptEvaluate::~AutoScriptEvaluate()  Line 107	C++
 xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *
wrapper=0x01ffc248, unsigned short methodIndex=3, const nsXPTMethodInfo *
info=0x00ba4598, nsXPTCMiniVariant * nativeParams=0x0012b200)  Line 1588 +
0x1f bytes	C++
 xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const
nsXPTMethodInfo * info=0x00ba4598, nsXPTCMiniVariant * params=0x0012b200) 
Line 450	C++
 xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x01ffc248, unsigned
int methodIndex=3, unsigned int * args=0x0012b2c8, unsigned int *
stackBytesToPop=0x0012b2b8)  Line 117 + 0x1e bytes	C++
 xpcom_core.dll!SharedStub()  Line 147	C++
 xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x0012b3d8, unsigned int
methodIndex=1226172, unsigned int paramCount=12802554, nsXPTCVariant *
params=0x01ffc248)  Line 102	C++
 xpc3250.dll!AutoJSSuspendRequest::SuspendRequest()  Line 3009 + 0xd bytes	C++
 js3250.dll!GetPropertyTreeChild(JSContext * cx=0x003e4aa0, JSScopeProperty *
parent=0x02e3cdf8, JSScopeProperty * child=0x02d302e8)  Line 785 + 0x9 bytes	C
 00000001()
Oops!  Where was my brain, and my code reviewers'? ;-)  Error paths must goto
out to remove that root.

/be
Assignee: general → brendan
Attached patch: fix
Comment on attachment 168433 [details] [diff] [review]
fix

So what operation was adblock causing to fail? Why would a get on an exception
object fail, anyway?

Reporter, could you debug with a breakpoint at each return JS_FALSE in
js_ReportUncaughtException?  Thanks.

In any case, this patch is a fix.  I'm just wondering why adblock prevents
properties of exception objects from being got.

/be
Attachment #168433 - Flags: review?(shaver)
Comment on attachment 168433 [details] [diff] [review]
fix

D'oh!  What if someone throws null?  We need a separate "rooted" flag.

/be
Attachment #168433 - Attachment is obsolete: true
Attachment #168433 - Flags: review?(shaver)
Blocking the 2nd iframe down from the top of http://www.warp2search.net/

 ntdll.dll!7c901230() 
>xpcom_core.dll!nsDebugImpl::Break(const char * aFile=0x01aad518, int
aLine=2943)  Line 374C++
 xpcom_core.dll!nsDebugImpl::Assertion(const char * aStr=0x01aad554, const char
* aExpr=0x01aad54c, const char * aFile=0x01aad518, int aLine=2943)  Line 290C++
 xpcom_core.dll!nsDebug::Assertion(const char * aStr=0x01aad554, const char *
aExpr=0x01aad54c, const char * aFile=0x01aad518, int aLine=2943)  Line 109C++
 gklayout.dll!nsDOMClassInfo::GetProperty(nsIXPConnectWrappedNative *
wrapper=0x02f1dbd8, JSContext * cx=0x02ddaf40, JSObject * obj=0x02e5d520, long
id=38986012, long * vp=0x0012c00c, int * _retval=0x0012b6ec)  Line 2943 + 0x1a
bytesC++
 gklayout.dll!nsHTMLExternalObjSH::GetProperty(nsIXPConnectWrappedNative *
wrapper=0x02f1dbd8, JSContext * cx=0x02ddaf40, JSObject * obj=0x02e5d520, long
id=38986012, long * vp=0x0012c00c, int * _retval=0x0012b6ec)  Line 7169C++
 xpc3250.dll!XPC_WN_Helper_GetProperty(JSContext * cx=0x02ddaf40, JSObject *
obj=0x02e5d520, long idval=38986012, long * vp=0x0012c00c)  Line 811 + 0x31 bytesC++
 js3250.dll!js_GetProperty(JSContext * cx=0x02ddaf40, JSObject * obj=0x02e5d520,
long id=39019056, long * vp=0x0012c00c)  Line 2638 + 0x13d bytesC
 js3250.dll!js_Interpret(JSContext * cx=0x02ddaf40, long * result=0x0012c154) 
Line 3445 + 0x611 bytesC
 js3250.dll!js_Invoke(JSContext * cx=0x02ddaf40, unsigned int argc=2, unsigned
int flags=2)  Line 1306 + 0xd bytesC
 js3250.dll!js_InternalInvoke(JSContext * cx=0x02ddaf40, JSObject *
obj=0x024db3c0, long fval=39909824, unsigned int flags=0, unsigned int argc=2,
long * argv=0x02e1a798, long * rval=0x0012c2dc)  Line 1383 + 0x14 bytesC
 js3250.dll!JS_CallFunctionValue(JSContext * cx=0x02ddaf40, JSObject *
obj=0x024db3c0, long fval=39909824, unsigned int argc=2, long * argv=0x02e1a798,
long * rval=0x0012c2dc)  Line 3767 + 0x1f bytesC
 gklayout.dll!nsJSContext::CallEventHandler(JSObject * aTarget=0x024db3c0,
JSObject * aHandler=0x0260f9c0, unsigned int argc=2, long * argv=0x02e1a798,
long * rval=0x0012c2dc)  Line 1352 + 0x21 bytesC++
 gklayout.dll!GlobalWindowImpl::RunTimeout(nsTimeoutImpl * aTimeout=0x02e1a8a8)
 Line 5197C++
 gklayout.dll!GlobalWindowImpl::TimerCallback(nsITimer * aTimer=0x02e1a978, void
* aClosure=0x02e1a8a8)  Line 5558C++
 xpcom_core.dll!nsTimerImpl::Fire()  Line 383 + 0x13 bytesC++
 xpcom_core.dll!nsTimerManager::FireNextIdleTimer()  Line 617C++
 gkwidget.dll!nsAppShell::GetNativeEvent(int & aRealEvent=1, void * &
aEvent=0x00d9a458)  Line 197C++
 appshell.dll!nsXULWindow::ShowModal()  Line 378 + 0x21 bytesC++
 appshell.dll!nsWebShellWindow::ShowModal()  Line 1101C++
 appshell.dll!nsContentTreeOwner::ShowAsModal()  Line 441C++
 embedcomponents.dll!nsWindowWatcher::OpenWindowJS(nsIDOMWindow *
aParent=0x01eeed8c, const char * aUrl=0x0253a7f0, const char * aName=0x0012c8e8,
const char * aFeatures=0x0012c940, int aDialog=1, unsigned int argc=2, long *
argv=0x02daf150, nsIDOMWindow * * _retval=0x0012ca84)  Line 786C++
 gklayout.dll!GlobalWindowImpl::OpenInternal(const nsAString & aUrl={...}, const
nsAString & aName={...}, const nsAString & aOptions={...}, int aDialog=1, long *
argv=0x02daf144, unsigned int argc=5, nsISupports * aExtraArgument=0x00000000,
nsIDOMWindow * * aReturn=0x0012ce04)  Line 4792 + 0x91 bytesC++
 gklayout.dll!GlobalWindowImpl::OpenDialog(nsIDOMWindow * * _retval=0x0012ce04)
 Line 3394 + 0x37 bytesC++
 xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x00000010, unsigned int
methodIndex=1, unsigned int paramCount=1232388, nsXPTCVariant *
params=0x0012cd08)  Line 102C++
 xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...},
XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2034 + 0x1e bytesC++
 xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x01eef000, JSObject *
obj=0x01fbd960, unsigned int argc=5, long * argv=0x02daf144, long *
vp=0x0012d0d8)  Line 1287 + 0xb bytesC++
 js3250.dll!js_Invoke(JSContext * cx=0x01eef000, unsigned int argc=5, unsigned
int flags=0)  Line 1286 + 0x20 bytesC
 js3250.dll!js_Interpret(JSContext * cx=0x01eef000, long * result=0x0012db24) 
Line 3619 + 0xf bytesC
 js3250.dll!js_Invoke(JSContext * cx=0x01eef000, unsigned int argc=1, unsigned
int flags=0)  Line 1306 + 0xd bytesC
 js3250.dll!js_Interpret(JSContext * cx=0x01eef000, long * result=0x0012e4ec) 
Line 3619 + 0xf bytesC
 js3250.dll!js_Invoke(JSContext * cx=0x01eef000, unsigned int argc=1, unsigned
int flags=2)  Line 1306 + 0xd bytesC
 js3250.dll!js_InternalInvoke(JSContext * cx=0x01eef000, JSObject *
obj=0x020da0d8, long fval=38645888, unsigned int flags=0, unsigned int argc=1,
long * argv=0x0012e768, long * rval=0x0012e770)  Line 1383 + 0x14 bytesC
 js3250.dll!JS_CallFunctionValue(JSContext * cx=0x01eef000, JSObject *
obj=0x020da0d8, long fval=38645888, unsigned int argc=1, long * argv=0x0012e768,
long * rval=0x0012e770)  Line 3767 + 0x1f bytesC
 gklayout.dll!nsJSContext::CallEventHandler(JSObject * aTarget=0x020da0d8,
JSObject * aHandler=0x024db080, unsigned int argc=1, long * argv=0x0012e768,
long * rval=0x0012e770)  Line 1352 + 0x21 bytesC++
 gklayout.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x02c78b38) 
Line 175 + 0x2d bytesC++
 gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct *
aListenerStruct=0x02546c50, nsIDOMEvent * aDOMEvent=0x02c78b38,
nsIDOMEventTarget * aCurrentTarget=0x02c78ae8, unsigned int aSubType=8, unsigned
int aPhaseFlags=7)  Line 1520 + 0x16 bytesC++
 gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext *
aPresContext=0x024c75d8, nsEvent * aEvent=0x0012edb4, nsIDOMEvent * *
aDOMEvent=0x0012eca8, nsIDOMEventTarget * aCurrentTarget=0x02c78ae8, unsigned
int aFlags=7, nsEventStatus * aEventStatus=0x0012edb0)  Line 1614C++
 gklayout.dll!nsXULElement::HandleDOMEvent(nsPresContext *
aPresContext=0x024c75d8, nsEvent * aEvent=0x0012edb4, nsIDOMEvent * *
aDOMEvent=0x0012eca8, unsigned int aFlags=7, nsEventStatus *
aEventStatus=0x0012edb0)  Line 2820C++
 gklayout.dll!PresShell::HandleDOMEventWithTarget(nsIContent *
aTargetContent=0x02546c88, nsEvent * aEvent=0x0012edb4, nsEventStatus *
aStatus=0x0012edb0)  Line 5996C++
 gklayout.dll!nsMenuFrame::Execute(nsGUIEvent * aEvent=0x0012f27c)  Line 1622C++
 gklayout.dll!nsMenuFrame::HandleEvent(nsPresContext * aPresContext=0x024c75d8,
nsGUIEvent * aEvent=0x0012f27c, nsEventStatus * aEventStatus=0x0012f01c)  Line
439 + 0xc bytesC++
 gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f27c,
nsIView * aView=0x02c5f990, unsigned int aFlags=1, nsEventStatus *
aStatus=0x0012f01c)  Line 5961 + 0x29 bytesC++
 gklayout.dll!PresShell::HandleEvent(nsIView * aView=0x02c5f990, nsGUIEvent *
aEvent=0x0012f27c, nsEventStatus * aEventStatus=0x0012f01c, int aForceHandle=0,
int & aHandled=1)  Line 5772 + 0x19 bytesC++
 gklayout.dll!nsViewManager::HandleEvent(nsView * aView=0x02c8c9f8, nsGUIEvent *
aEvent=0x0012f27c, int aCaptured=0)  Line 2402C++
 gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f27c,
nsEventStatus * aStatus=0x0012f150)  Line 2127 + 0x14 bytesC++
 gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f27c)  Line 174C++
 gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f27c,
nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1102 + 0xc bytesC++
 gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f27c)  Line
1123C++
 gkwidget.dll!nsWindow::DispatchMouseEvent(unsigned int aEventType=301, unsigned
int wParam=0, nsPoint * aPoint=0x00000000)  Line 5385 + 0x17 bytesC++
 gkwidget.dll!ChildWindow::DispatchMouseEvent(unsigned int aEventType=301,
unsigned int wParam=0, nsPoint * aPoint=0x00000000)  Line 5639C++
 gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=514, unsigned int
wParam=0, long lParam=16777266, long * aRetValue=0x0012f758)  Line 4083 + 0x1e
bytesC++
 gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x009205f8, unsigned int
msg=514, unsigned int wParam=0, long lParam=16777266)  Line 1383 + 0x1d bytesC++
 user32.dll!77d48709() 
 user32.dll!77d487eb() 
 user32.dll!77d70494() 
 user32.dll!77d489a5() 
 user32.dll!77d493df() 
 user32.dll!77d70494() 
 user32.dll!77d489e8() 
 gkwidget.dll!nsAppShell::Run()  Line 135C++
 tkitcmps.dll!nsAppStartup::Run()  Line 156C++
 firefox.exe!xre_main(int argc=1, char * * argv=0x003e6b10, const nsXREAppData *
aAppData=0x00420060)  Line 2235 + 0x25 bytesC++
 firefox.exe!main(int argc=1, char * * argv=0x003e6b10)  Line 60 + 0x12 bytesC++
 firefox.exe!mainCRTStartup()  Line 524 + 0x19 bytesC
 kernel32.dll!7c816d4f() 
 kernel32.dll!7c8399f3() 
No, I'm wrong.  The null value is a primitive type value, so JSVAL_IS_PRIMITIVE
will be true, so we won't js_AddRoot and !exnObject will save us from the
js_RemoveRoot call.

/be
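The rooting mistake described in the comments above (an error path returning without removing the "exn.report.root" root, and the follow-up worry about a thrown null), shown as an added model; this is not SpiderMonkey code. A tiny root table stands in for the GC root hash, the report_* functions for the uncaught-exception reporter, get_property for the failing native getter, and NULL for a primitive value such as null; all of these are constructed stand-ins.

```c
/* Added model of the rooting pattern in this bug, not SpiderMonkey code:
 * a tiny root table stands in for the GC root hash, report_* for the
 * uncaught-exception reporter, and NULL for a primitive value such as null. */
#include <stdbool.h>
#include <stddef.h>
#define MAX_ROOTS 8
#define IS_PRIMITIVE(v) ((v) == NULL)
static const void *roots[MAX_ROOTS];

static bool add_root(const void *slot) {
    for (size_t i = 0; i < MAX_ROOTS; i++)
        if (!roots[i]) { roots[i] = slot; return true; }
    return false;
}
static void remove_root(const void *slot) {
    for (size_t i = 0; i < MAX_ROOTS; i++)
        if (roots[i] == slot) roots[i] = NULL;
}
void reset_roots(void) { for (size_t i = 0; i < MAX_ROOTS; i++) roots[i] = NULL; }
size_t live_roots(void) {
    size_t n = 0;
    for (size_t i = 0; i < MAX_ROOTS; i++) n += roots[i] != NULL;
    return n;
}
/* Stand-in for the property get on the exception object; fail_get models
 * the getter failing, as it did under adblock in the report. */
static bool get_property(const void *exn, bool fail_get) { (void)exn; return !fail_get; }

/* Buggy shape: the error path returns without remove_root, leaving a root
 * pointing at a dead stack slot, which is what the GC assertion caught. */
bool report_buggy(const void *exn, bool fail_get) {
    const void *slot = exn;
    if (!IS_PRIMITIVE(exn) && !add_root(&slot)) return false;
    if (!get_property(exn, fail_get)) return false;  /* root leaked here */
    if (!IS_PRIMITIVE(exn)) remove_root(&slot);
    return true;
}
/* Fixed shape: every error path goes to 'out', and a separate 'rooted' flag
 * records whether add_root ran, so a thrown primitive is never unrooted. */
bool report_fixed(const void *exn, bool fail_get) {
    const void *slot = exn;
    bool ok = false, rooted = false;
    if (!IS_PRIMITIVE(exn)) {
        if (!add_root(&slot)) goto out;
        rooted = true;
    }
    if (!get_property(exn, fail_get)) goto out;
    ok = true;
out:
    if (rooted) remove_root(&slot);
    return ok;
}
```

After a failing get, report_buggy leaves live_roots() at 1 while report_fixed leaves it at 0, and report_fixed(NULL, ...) never touches the root table at all.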
Re: comment 5, that is not related to the failure to remove a GC root bug, but
it's interesting (and it *might* be related).  Cc'ing jst.

/be
> Re: comment 5, that is not related to the failure to remove a GC root bug, but

I meant to write "*probably* not related".

/be
Status: NEW → ASSIGNED
Comment on attachment 168433 [details] [diff] [review]
fix

This is a fix, no matter what else is bad.

/be
Attachment #168433 - Attachment is obsolete: false
Attachment #168433 - Flags: review?(shaver)
Fixed.  Still wondering what native getter was being called, that failed, for
"lineNumber" on the exception object that was thrown.  Perhaps it was an
XPConnect wrapped object that had no such attribute or method?

/be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
I've gotten a crash in the 12 December build blocking an iframe at
http://www.wunderground.com/US/LA/Baton_Rouge.html  

Incident ID: 2503500

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041212
Firefox/1.0+
File a new bug.  The signature in that talkback:

nsEventStateManager::PreHandleEvent 
[c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 801]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp,
line 5914]

has nothing to do with this bug, which is fixed.

/be
fwiw bug 274425 seems to cover that new stack
Flags: testcase-