an asynchronous "oom" loop in jsconsole's implementation of nsIConsoleListener.observe with nsIConsoleService and xpconnect

RESOLVED FIXED

Status

Core Graveyard
Error Console
--
major
RESOLVED FIXED
12 years ago
7 years ago

People

(Reporter: timeless, Assigned: timeless)

Tracking

Trunk
x86
Windows XP

Firefox Tracking Flags

(Not tracked)


Attachments

(1 obsolete attachment)

(Assignee)

Description

12 years ago
mozilla1.8a5

an asynchronous "oom" loop

code being executed:
+	cx->fp->script->filename
	0x02e662ed "chrome://global/content/consoleBindings.xml"	const 
char *
	cx->fp->script->lineno,d	130	unsigned int
	cx->fp->pc-cx->fp->script->main	0x00000003	unsigned long
(specifically: getprop "message" - not in a try block! - tsk)

js> dissrc(appendItem)
;-------------------------   2:           if (!aObject.message) return;
00000:   2  getarg 0
00003:   2  getprop "message"
00006:   2  not
00007:   2  ifeq 12 (5)
00010:   2  push
00011:   2  return
;-------------------------   3:
;-------------------------   4:           try {
00012:   4  try
;-------------------------   5:             // Try to QI it to a script error 
to get more info
;-------------------------   6:             var scriptError = 
aObject.QueryInterface(Components.interfaces.nsIScriptError);
00013:   6  getarg 0
00016:   6  getprop "QueryInterface"
00019:   6  pushobj
00020:   6  name "Components"
00023:   6  getprop "interfaces"
00026:   6  getprop "nsIScriptError"
00029:   6  call 1
00032:   6  setvar 0
00035:   6  pop
;-------------------------   7:
;-------------------------   8:             // filter chrome urls
;-------------------------   9:             if (!this.showChromeErrors && 
scriptError.sourceName.substr(0, 9) == "chrome://")
00036:   9  this
00037:   9  getprop "showChromeErrors"
00040:   9  not
00041:   9  and 65 (24)
00044:   9  getvar 0
00047:   9  getprop "sourceName"
00050:   9  getprop "substr"
00053:   9  pushobj
00054:   9  zero
00055:   9  uint16 9
00058:   9  call 2
00061:   9  string "chrome://"
00064:   9  eq
00065:   9  ifeq 70 (5)
;-------------------------  10:               return;
00068:  10  push
00069:  10  return
;-------------------------  11:
;-------------------------  12:             this.appendError(scriptError);
00070:  12  this
00071:  12  getprop "appendError"
00074:  12  pushobj
00075:  12  getvar 0
00078:  12  call 1
00081:  12  popv
00082:  12  goto 177 (95)
;-------------------------  13:           } catch (ex) {
00085:  13  setsp 0
00088:  13  nop
00089:  13  name "Object"
00092:  13  pushobj
00093:  13  newinit
00094:  13  exception
00095:  13  initcatchvar "ex"
00098:  13  enterwith
;-------------------------  14:             try {
00099:  14  try
;-------------------------  15:               // Try to QI it to a console 
message
;-------------------------  16:               var msg = aObject.QueryInterface
(Components.interfaces.nsIConsoleMessage);
00100:  16  getarg 0
00103:  16  getprop "QueryInterface"
00106:  16  pushobj
00107:  16  name "Components"
00110:  16  getprop "interfaces"
00113:  16  getprop "nsIConsoleMessage"
00116:  16  call 1
00119:  16  setvar 1
00122:  16  pop
;-------------------------  17:               this.appendMessage(msg.message);
00123:  17  this
00124:  17  getprop "appendMessage"
00127:  17  pushobj
00128:  17  getvar 1
00131:  17  getprop "message"
00134:  17  call 1
00137:  17  popv
00138:  17  goto 172 (34)
;-------------------------  18:             } catch (ex2) {
00141:  18  setsp 1
00144:  18  nop
00145:  18  name "Object"
00148:  18  pushobj
00149:  18  newinit
00150:  18  exception
00151:  18  initcatchvar "ex2"
00154:  18  enterwith
;-------------------------  19:               // Give up and append the object 
itself as a string
;-------------------------  20:               this.appendMessage(aObject);
00155:  20  this
00156:  20  getprop "appendMessage"
00159:  20  pushobj
00160:  20  getarg 0
00163:  20  call 1
00166:  20  popv
00167:  20  leavewith
00168:  20  goto 172 (4)
00171:  20  nop
00172:  20  leavewith
00173:  20  goto 177 (4)
00176:  20  nop

	cx->runtime->gcBytes	0x00400002	unsigned long
	cx->runtime->gcMaxBytes	0x00400000	unsigned long
	cx->runtime->gcMaxBytes - cx->runtime->gcBytes,d	-2
	unsigned long
	sizeof(JSObject)	0x00000008	unsigned int

 	js3250.dll!js_NewGCThing(JSContext * cx=0x00ab9a98, unsigned int 
flags=0x00000000, unsigned int nbytes=0x00000008)  Line 694	C
 	js3250.dll!js_NewObject(JSContext * cx=0x00ab9a98, JSClass * 
clasp=0x00b5e618, JSObject * proto=0x02d3ae48, JSObject * parent=0x02d3ae40)  
Line 1872 + 0xa	C
>	js3250.dll!js_CloneFunctionObject(JSContext * cx=0x00ab9a98, JSObject * 
funobj=0x02d3ae48, JSObject * parent=0x02d3ae40)  Line 1935 + 0x18	C
 	js3250.dll!JS_CloneFunctionObject(JSContext * cx=0x00ab9a98, JSObject * 
funobj=0x02d3ae48, JSObject * parent=0x02d3ae40)  Line 3125 + 0xb	C
 	xpc3250.dll!DefinePropertyIfFound(XPCCallContext & ccx={...}, JSObject 
* obj=0x02d3ae40, long idval=0x00000001, XPCNativeSet * set=0x00a2fdd4, 
XPCNativeInterface * iface=0x1772e788, XPCNativeMember * member=0x1772e7a0, 
XPCWrappedNativeScope * scope=0x0012f7a4, int 
reflectToStringAndToSource=0x00000001, XPCWrappedNative * 
wrapperToReflectInterfaceNames=0x1776fc20, XPCWrappedNative * 
wrapperToReflectDoubleWrap=0x1776fc20, XPCNativeScriptableInfo * 
scriptableInfo=0x00000000, unsigned int propFlags=0x00000007, int * 
resolved=0x00000000)  Line 449 + 0x11	C++
 	xpc3250.dll!XPC_WN_NoHelper_Resolve(JSContext * cx=0x00ab9a98, JSObject 
* obj=0x02d3ae40, long idval=0x009e0e5c)  Line 732 + 0x18	C++
 	js3250.dll!js_LookupPropertyWithFlags(JSContext * cx=0x00000000, 
JSObject * obj=0x02d3ae40, long id=0x00a64958, unsigned int flags=0x00000000, 
JSObject * * objp=0x0012f840, JSProperty * * propp=0x0012f83c)  Line 2557 + 0x1d
	C
 	js3250.dll!js_LookupProperty(JSContext * cx=0x00ab9a98, JSObject * 
obj=0x02d3ae40, long id=0x00a64958, JSObject * * objp=0x0012f840, JSProperty * 
* propp=0x0012f83c)  Line 2418 + 0x16	C
 	js3250.dll!js_GetProperty(JSContext * cx=0x00ab9a98, JSObject * 
obj=0x02d3ae40, long id=0x00a64958, long * vp=0x0012f9b4)  Line 2700 + 0x18
	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00000000, unsigned char * 
pc=0x02d3ae40, long * result=0x1772e788)  Line 5219 + 0x197	C
 	js3250.dll!js_Invoke(JSContext * cx=0x00000000, unsigned int 
argc=0x02d3ae40, unsigned int flags=0x1772e788)  Line 1313 + 0xc	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * 
wrapper=0x00af59a8, unsigned short methodIndex=0x0000, const nsXPTMethodInfo * 
info=0x02d3ae40, nsXPTCMiniVariant * nativeParams=0x1772e788)  Line 1339 + 0x10
	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short 
methodIndex=0x0003, const nsXPTMethodInfo * info=0x00a3a1d8, nsXPTCMiniVariant 
* params=0x0012fc08)  Line 450	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x02f35e28, 
unsigned int methodIndex=0x00000003, unsigned int * args=0x0012fcc4, unsigned 
int * stackBytesToPop=0x0012fcb4)  Line 117 + 0x12	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x02f35e28, 
unsigned int methodIndex=0x00000003, unsigned int paramCount=0x00000001, 
nsXPTCVariant * params=0x1779aaa8)  Line 102	C++
 	xpcom_core.dll!EventHandler(PLEvent * self=0x17671220)  Line 563 + 0x15
	C++
 	xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x17671220)  Line 693
	C
 	xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x00a4b328)  
Line 627 + 0x6	C
 	xpcom_core.dll!_md_EventReceiverProc(HWND__ * hwnd=0x00160148, unsigned 
int uMsg=0x0000c137, unsigned int wParam=0x00000000, long lParam=0x00a4b328)  
Line 1434	C
 	user32.dll!GetDC()  + 0x72	
 	user32.dll!GetDC()  + 0x154	
 	user32.dll!GetWindowLongW()  + 0x127	
 	user32.dll!DispatchMessageW()  + 0xf	
 	gkwidget.dll!nsAppShell::Run()  Line 159	C++
 	appcomps.dll!nsAppStartup::Run()  Line 216	C++
 	mozilla.exe!main1(int argc=0x00000002, char * * argv=0x002a46f8, 
nsISupports * nativeApp=0x00000001)  Line 1321 + 0x9	C++
 	mozilla.exe!main(int argc=0x00000002, char * * argv=0x002a46f8)  Line 
1813 + 0x13	C++
 	mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ * 
__formal=0x00400000, char * args=0x0015235a, HINSTANCE__ * 
__formal=0x00400000)  Line 1841 + 0x17	C++
 	mozilla.exe!WinMainCRTStartup()  Line 390 + 0x1b	C
 	kernel32.dll!RegisterWaitForInputIdle()  + 0x49	

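the oom bubbles up to xpc3250.dll!nsXPCWrappedJSClass::CallMethod, where it 
tails down into CheckForException, which calls nsConsoleService::LogMessage; 
the console service then asynchronously dispatches the message to its listener 
proxy: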

 	xpcom_core.dll!nsProxyObject::Post(unsigned int methodIndex=0x00000003, 
nsXPTMethodInfo * methodInfo=0x00a3a1d8, nsXPTCMiniVariant * params=0x0012f7d0, 
nsIInterfaceInfo * interfaceInfo=0x02f35e10)  Line 457	C++
>	xpcom_core.dll!nsProxyEventObject::CallMethod(unsigned short 
methodIndex=0x0003, const nsXPTMethodInfo * info=0x00a3a1d8, nsXPTCMiniVariant 
* params=0x0012f7d0)  Line 550	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x02f35f18, 
unsigned int methodIndex=0x00000003, unsigned int * args=0x0012f88c, unsigned 
int * stackBytesToPop=0x0012f87c)  Line 117 + 0x12	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	xpcom_core.dll!nsConsoleService::LogMessage(nsIConsoleMessage * 
message=0x00000000)  Line 181 + 0xa	C++
 	xpc3250.dll!nsXPCWrappedJSClass::CheckForException(XPCCallContext & ccx=
{...}, const char * aPropertyName=0x0012f858, const char * 
anInterfaceName=0x7c90ee18)  Line 923	C++
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * 
wrapper=0x0012f764, unsigned short methodIndex=0x0000, const nsXPTMethodInfo * 
info=0x0012f858, nsXPTCMiniVariant * nativeParams=0x7c90ee18)  Line 1373 + 0x18
	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short 
methodIndex=0x0003, const nsXPTMethodInfo * info=0x00a3a1d8, nsXPTCMiniVariant 
* params=0x0012fc08)  Line 450	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x02f35e28, 
unsigned int methodIndex=0x00000003, unsigned int * args=0x0012fcc4, unsigned 
int * stackBytesToPop=0x0012fcb4)  Line 117 + 0x12	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x02f35e28, 
unsigned int methodIndex=0x00000003, unsigned int paramCount=0x00000001, 
nsXPTCVariant * params=0x1779a680)  Line 102	C++
 	xpcom_core.dll!EventHandler(PLEvent * self=0x1779a6c0)  Line 563 + 0x15
	C++
 	xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x1779a6c0)  Line 693
	C
 	xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x00a4b328)  
Line 627 + 0x6	C
 	xpcom_core.dll!_md_EventReceiverProc(HWND__ * hwnd=0x00160148, unsigned 
int uMsg=0x0000c137, unsigned int wParam=0x00000000, long lParam=0x00a4b328)  
Line 1434	C
 	user32.dll!GetDC()  + 0x72	
 	user32.dll!GetDC()  + 0x154	
 	user32.dll!GetWindowLongW()  + 0x127	
 	user32.dll!DispatchMessageW()  + 0xf	
 	gkwidget.dll!nsAppShell::Run()  Line 159	C++
 	appcomps.dll!nsAppStartup::Run()  Line 216	C++
 	mozilla.exe!main1(int argc=0x00000002, char * * argv=0x002a46f8, 
nsISupports * nativeApp=0x02f35f38)  Line 1321 + 0x9	C++
 	mozilla.exe!main(int argc=0x00000002, char * * argv=0x002a46f8)  Line 
1813 + 0x13	C++
 	mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ * 
__formal=0x00400000, char * args=0x0015235a, HINSTANCE__ * 
__formal=0x00400000)  Line 1841 + 0x17	C++
 	mozilla.exe!WinMainCRTStartup()  Line 390 + 0x1b	C
 	kernel32.dll!RegisterWaitForInputIdle()  + 0x49	

our proxy object implements:
+	{,,xpcom_core.dll}(*((*(xptiInterfaceInfo*)(((*(nsCOMPtr_base*)(&(*
(nsProxyEventClass*){*}(((*(nsCOMPtr_base*)(&
(*this).mClass))).mRawPtr)).mInfo))).mRawPtr)).mEntry)).mName
	0x009f96d9 "nsIConsoleListener"	char [1]
its js object is:
+	{,,xpc3250.dll}(*(nsXPCWrappedJS*){*}((nsXPTCStubBase*)((*
(nsCOMPtr_base*)(&(*
(((*this).mProxyObject).mRawPtr)).mRealObject))).mRawPtr)).mJSObj
	0x02c8b9a0 {map=0x02eb2750 {nrefs=0x00000001 ops=0x00b5ea60 
_js_ObjectOps nslots=0x00000005 ...} slots=0x02bfcf8c }	JSObject *
that object's parent is:
+	{,,js3250.dll}(JSObject*)(((JSObject*)0x02c8b9a0)->slots[1])
	0x0272b898 {map=0x02de64e0 {nrefs=0x00000001 ops=0x00af5d58 
XPC_WN_NoCall_JSOps nslots=0x000000d2 ...} slots=0x02d3c884 }	JSObject *
that parent's class is:
+	{,,js3250.dll}(JSClass*)(((JSObject*)(((JSObject*)0x02c8b9a0)->slots
[1]))->slots[2]-1)	0x00a73edc {name=0x00ab8620 "ChromeWindow" 
flags=0x0000000d addProperty=0x00ae5dab XPC_WN_Helper_AddProperty(JSContext *, 
JSObject *, long, long *) ...}	JSClass *

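conclusion: this is _the_ jsconsole's consolelistener, and it's listening to a 
report that the js console ran out of memory trying to report an out of memory 
condition. because that report is posted back to the same listener, whose 
observe call fails with oom again (the getprop "message" is outside any try 
block), each failure queues the next report and the loop never ends. as it 
happens, the message the jsconsole released in order to make room for the 
message in its 250 item array was an out of memory message too :).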
(Assignee)

Comment 1

12 years ago
Created attachment 179231 [details] [diff] [review]
establish a top level try/catch block to protect the console service from an infinite loop under this error reporter
Attachment #179231 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #179231 - Flags: review?(neil.parkwaycc.co.uk)

Updated

12 years ago
Attachment #179231 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #179231 - Flags: superreview+
Attachment #179231 - Flags: review?(neil.parkwaycc.co.uk)
Attachment #179231 - Flags: review+
(Assignee)

Comment 2

12 years ago
Comment on attachment 179231 [details] [diff] [review]
establish a top level try/catch block to protect the console service from an infinite loop under this error reporter

mozilla/xpfe/components/console/resources/content/consoleBindings.xml	1.22
Attachment #179231 - Attachment is obsolete: true
(Assignee)

Updated

12 years ago
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Blocks: 344955
Product: Core → SeaMonkey
(Assignee)

Updated

7 years ago
Component: Error Console → Error Console
Product: SeaMonkey → Core Graveyard