Closed
Bug 303821
Opened 19 years ago
Closed 17 years ago
Topcrash [@ XPCJSStackFrame::CreateStack] due to deeply recursive scripts
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
VERIFIED
FIXED
mozilla1.9
People
(Reporter: timeless, Assigned: mayhemer)
References
()
Details
(4 keywords, Whiteboard: See comment 34 for the testcase [firebug-p2])
Crash Data
Attachments
(6 files, 1 obsolete file)
Incident ID: 8093959
Stack Signature XPCJSStackFrame::CreateStack e183daba
Product ID FirefoxTrunk
Build ID 2005080306
Trigger Time 2005-08-04 04:59:57.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (00021177)
URL visited
User Comments
Since Last Crash 34520 sec
Total Uptime 34520 sec
Trigger Reason Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 141
Stack Trace
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 141]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStackFrame::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 144]
XPCJSStack::CreateStack
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcstack.cpp,
line 87]
nsXPCException::NewException
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcexception.cpp,
line 438]
XPCThrower::BuildAndThrowException
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcthrower.cpp,
line 215]
XPCThrower::ThrowBadParam
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcthrower.cpp,
line 147]
XPCWrappedNative::CallMethod
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2227]
XPC_WN_CallMethod
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1401]
js_Invoke
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1173]
js_Interpret
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3464]
js_Invoke
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1193]
js_InternalInvoke
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1270]
js_InternalGetOrSet
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1313]
js_GetProperty
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2843]
JS_GetProperty
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2703]
nsXPCWrappedJSClass::CallMethod
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1318]
nsXPCWrappedJS::CallMethod
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 462]
SharedStub
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
nsXULElement::IsFocusable
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 696]
nsIFrame::IsFocusable
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp,
line 4702]
nsEventStateManager::PostHandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 1972]
PresShell::HandleEventInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6434]
PresShell::HandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6199]
nsViewManager::HandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2559]
nsViewManager::DispatchEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2246]
HandleEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line
174]
nsWindow::DispatchEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1241]
nsWindow::DispatchMouseEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5930]
ChildWindow::DispatchMouseEvent
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 6181]
nsWindow::WindowProc
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1418]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
nsAppShell::Run
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp,
line 159]
nsAppStartup::Run
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp,
line 146]
main
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp,
line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
url contains my more detailed analysis
Comment 1•19 years ago
|
||
*** Bug 304711 has been marked as a duplicate of this bug. ***
Comment 2•19 years ago
|
||
This is currently a topcrasher in the latest Firefox15 branch
builds:http://talkback-public.mozilla.org/reports/firefox/FF15x/FF15x-topcrashers.html
We should keep an eye on this and try to get a reproducible testcase. Adding
topcrash and helpwanted keywords. Nominating, but we should probably wait until
we know more about this before +'ing it.
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=XPCJSStackFrame::CreateStack&vendor=MozillaOrg&product=Firefox15&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid
Comment 3•19 years ago
|
||
I'm not able to reproduce this crash. I went to a half dozen sites mentioned in
Talkback reports. Could this somehow be related to bug 200511 (outdated version
of Flash) All the sites I visited in checking for this had Flash content. I
installed version 7 of flash player as suggested by our plugin finder.
Comment 4•19 years ago
|
||
I have had Flash 7 for quite some time, but it might be related to FlashBlock. I
did have that installed.
Comment 5•19 years ago
|
||
I cannot reproduce this with Adblock or FlashBlock or both running.
Comment 6•19 years ago
|
||
Using today's Windows branch build, I cannot reproduce this. I visited all the
sites listed in the search, played around with both Flashblock and Adblock. Will
continue to see if I can reproduce this.
note that we have been experiencing this crash occasionally in our builds, so
please don't just kill it just because you can't reproduce.
Comment 8•19 years ago
|
||
Well, all the crashes appear to be on Firefox builds between 20050812 and
20050816. What was changed on those two dates?
Comment 9•19 years ago
|
||
20050812: Fix for 299992 backed out.
20050815: Fix for 299992 back in.
Coincidence?
Comment 10•19 years ago
|
||
also see the last few comments in bug 304420 (another topcrasher that hasn't
occured since 08/16, they suspect a fix in split windows may have solved that crash)
can anyone that was seeing this before reproduce it with todays build?
Comment 11•19 years ago
|
||
Do we believe the crash is due to fp being a bad ptr, or self? If fp, I'm at a
loss, since we know of no way for that to happen.
Talkback interpretation gurus, what does that line 141 in xpcstack.cpp mean for
the leaf crash frame?
/be
Reporter | ||
Comment 12•19 years ago
|
||
it should be fp, note that 144 properly points to recursively calling
CreateStack
Comment 13•19 years ago
|
||
|self| can't really be bogus here. The code is:
135 XPCJSStackFrame* self = new XPCJSStackFrame();
136 JSBool failed = JS_FALSE;
137 if(self)
138 {
139 NS_ADDREF(self);
So if self is bogus then |new| returned a completely bogus pointer. Seems very
unlikely.
Comment 14•19 years ago
|
||
Benjamin, comment 9 is blaming you, I think.
/be
Comment 15•19 years ago
|
||
The only change from bug 299992 that I think could possibly affect this stack is
the jsdhash change to use JS_CEILING_LOG2 instead of JS_CeilingLog2:
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdhash.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=1.37&rev2=1.38
Comment 16•19 years ago
|
||
Not showing up as top crasher in talkback anymore .
Flags: blocking1.8b4? → blocking1.8b4-
Comment 17•19 years ago
|
||
No crashes in the latest Talkback data since 8/16. Marking WFM. If anyone is
able to reproduce this with a recent nightly trunk or branch build, please check
the stack and reopen if you think this is still around or back.
Any idea what might have "fixed" this one?
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Comment 18•19 years ago
|
||
(In reply to comment #17)
> Any idea what might have "fixed" this one?
Not sure, but the only way fp could be bad is if the context is bad, and bug
300756 could lead through freed memory into such badness. Cc'ing jst in case he
has a better idea of what fixed this. If it really went away starting with
builds from the 17th, the hook for that build would probably contain the fix.
/be
Comment 19•19 years ago
|
||
just crashed my nightly firefox (2005091406) with this stack.
TB9374453E
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB9374453E
was on http://noter.tdconline.dk/ trying to enter my password when I crashed.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Comment 20•19 years ago
|
||
The fix referenced in comment 15 didn't fix it. I've just seen the crash and my code base contains that fix.
Reporter | ||
Comment 21•19 years ago
|
||
*** Bug 319019 has been marked as a duplicate of this bug. ***
Comment 22•19 years ago
|
||
i just got bitten by this, i think.
talkback: TB14628173Y
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 ID:2006011112
Comment 23•19 years ago
|
||
I crashed w/ this a couple of weeks ago:
TB15248607H
This is showing up as about 0.32% of crashes for Firefox 1.5.0.2. The three stacks I looked at were all exactly the same except for the number of levels of recursion at the top of the stack.
The information in talkback isn't adequate here. If somebody gets the windows crash dialog when seeing this crash ***while using a build that I can download (and you have to say which one)***, could you paste its contents in the bug?
Actually, the Windows incidents are more varied than that, and there are a handful of Linux incidents which have usable data, so I should be able to find something out from the Linux talkback incidents.
In this incident, fp is a bad, non-null pointer.
In this one, filename is bad. (But it seems atypical.)
Unfortunately these were the only two Linux incidents fresh enough to analyze; neither seems to fit the typical pattern of the Windows incidents.
It's also worth noting that probably half of the talkback incidents that have comments mention that the crash was on ebay's registration page.
Updated•19 years ago
|
Summary: [@ XPCJSStackFrame::CreateStack] → Topcrash [@ XPCJSStackFrame::CreateStack]
Updated•18 years ago
|
Flags: blocking1.8.1?
Updated•18 years ago
|
Flags: blocking1.8.1? → blocking1.8.1-
Updated•18 years ago
|
Assignee: dbradley → nobody
Status: REOPENED → NEW
Updated•18 years ago
|
QA Contact: pschwartau → xpconnect
I've been doing some statistical analysis of the presence of modules (since we have the list of DLLs loaded with their base addresses, so we can convert the raw stack to something useful) and talkback crash signatures, and it appears that this crash is siginificantly more common for users who have the skype toolbar running (which shows up as PNRComponent.dll and SPhoneParser.dll).
(I'm still looking at pretty small sample sizes, though.)
Comment 32•17 years ago
|
||
As bug 416932 shows it still happens for Linux/Windows when opening the site:
http://www.propagandamatrix.com/articles/february2008/021108_changed_gop.htm
With this test case I get over 23000 calls of XPCJSStackFrame::CreateStack!
The top frames of bp-df131733-d97d-11dc-b2f9-001a4bd43ed6 are:
0 arena_malloc_small jemalloc.c:3584
1 arena_malloc jemalloc.c:3691
2 malloc jemalloc.c:5637
3 operator new(unsigned int) new.cpp:54
4 XPCJSStackFrame::CreateStack(JSContext*, JSStackFrame*,
XPCJSStackFrame**) mozilla/js/src/xpconnect/src/xpcstack.cpp:135
5 XPCJSStackFrame::CreateStack(JSContext*, JSStackFrame*,
XPCJSStackFrame**) mozilla/js/src/xpconnect/src/xpcstack.cpp:144
6 XPCJSStackFrame::CreateStack(JSContext*, JSStackFrame*,
Flags: blocking1.9?
OS: Windows XP → All
Comment 33•17 years ago
|
||
Jeff Cook: want to try this under valgrind? If you can hit it reliably, it might be quite useful.
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Comment 34•17 years ago
|
||
This crash does only happen on the mentioned website if you have Firebug 1.1b10 installed. With my OS X debug build there are 104670 stack frames to load... which looks like a recursion.
Hardware: PC → All
Updated•17 years ago
|
Keywords: testcase
Whiteboard: [need testing] → See comment 34 for the testcase
Comment 35•17 years ago
|
||
We cycle through following lines:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/xpconnect/src/xpcstack.cpp&rev=1.22&mark=131-144‚
Comment 36•17 years ago
|
||
Henrik, any chance you can get a stack trace with argument values in it? In particular it would be helpful to see the value of the fp argument in CreateStack().
Comment 37•17 years ago
|
||
mrbkap, any thoughts on how Firebug could cause a never-ending JS stack frame chain here (assuming that's what's happening)?
Comment 38•17 years ago
|
||
Sure. Just some cycles at the beginning of the recursion which show valid pointers. 'fp->down' will be fp in the next cycle:
(gdb) frame 56
#56 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0xbfffb9ac, stack=0xbfffb3a0) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
(gdb) frame 55
#55 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0xbfffc35c, stack=0x449e8f6c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
(gdb) frame 54
#54 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0x452d8b00, stack=0x449e8f8c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
(gdb) frame 53
#53 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0x452d8a7c, stack=0x449e933c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
(gdb) frame 52
#52 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0x452d89f8, stack=0x449e935c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
(gdb) frame 51
#51 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0x452d8974, stack=0x449e937c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
(gdb) frame 50
#50 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0x452d88f0, stack=0x449e939c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
(gdb) frame 49
#49 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0x452d886c, stack=0x449e946c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
(gdb) frame 48
#48 0x136f5349 in XPCJSStackFrame::CreateStack (cx=0x3aa74bb0, fp=0x452d87e8, stack=0x449e948c) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp:143
143 in /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/xpcstack.cpp
Comment 39•17 years ago
|
||
Better one. I stopped the recursion after 120 cycles.
Comment 40•17 years ago
|
||
hmm, interestingly enough that stack trace doesn't show us in a JS stack frame that's pointing back to itself, unless the chain is longer than what's visible in the attached stack trace.
Comment 41•17 years ago
|
||
Using firebug 1.2 code under FF2.0.0.12, I get error
too much recursion
With a stack trace containing a lot of these lines:
(0)http://www.propagandamatrix.com/articles/february2008/021108_changed_gop.htm:923-929@925
...
(0)http://www.propagandamatrix.com/articles/february2008/021108_changed_gop.htm:923-929@925
(0)http://www.propagandamatrix.com/articles/february2008/021108_changed_gop.htm:951-957@953
<bottom>
Then I get a lot of
onThrow from tag:50:http://www.propagandamatrix.com/articles/february2008/021108_changed_gop.htm@925: 12
from a method:
function SymOnLoad() {
if (SymRealOnLoad != null) {
SymRealOnLoad();
}
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}
Followed by
debugger.onError: InternalError: too much recursion
<top>
(0)http://www.propagandamatrix.com/articles/february2008/021108_changed_gop.htm:36-38@37
<bottom>
For 1.1b10 I guess from the stack in Comment #39 , ie
#123 0x136da2fa in nsXPCComponents::GetStack
that the stack that loops is Components.stack. (This part of 1.1 is completely different in 1.2).
Assignee | ||
Comment 42•17 years ago
|
||
I am able to reproduce this at 100% cases with TRUNK from this morning and Firebug 1.1.0b10 on both my Mac and Windows machine. I will take a closer look at this, but will probably need some help soon because I am not expert to JS engine.
Assignee: nobody → honzab
Comment 43•17 years ago
|
||
Find shaver, timeless, or me on IRC (try #jsapi for a channel).
/be
Assignee | ||
Updated•17 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 44•17 years ago
|
||
The cause is this code embed in the page HTML source:
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;
function SymOnUnload()
{
window.open = SymWinOpen;
if(SymRealOnUnload != null)
SymRealOnUnload();
}
function SymOnLoad()
{
if(SymRealOnLoad != null)
SymRealOnLoad();
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}
SymRealOnLoad = window.onload;
window.onload = SymOnLoad;
//-->
</script>
This piece of code is contained twice it that HTML (it is simply duplicated from some reason!). Please, see the page source. When these two lines:
SymRealOnLoad = window.onload;
window.onload = SymOnLoad;
are executed two times then SymRealOnLoad contains reference to SymOnUnload. Then the function instead of calling the original onload handler calls its self. Probably because it has no arguments nor local vars, many stack frames could be allocated for it (I have about 120'000 on Mac and 230'000 on Win). When the quota is reached then an exception "script stack space quota is exhausted" (021108_changed_gop.htm, line 1017) is thrown. But when Firebug tries to log this exception that extra long stack could not be build up with XPCJSStackFrame::CreateStack recursion because it simply exhausts the machine stack.
I am not sure if this is some bug in the stack depth limitation in the JS interpreter (probably not, because the JS engine lives correctly on) or it is simply too deep for XPCJSStackFrame::CreateStack to make its job in the recursive way (which is obviously natural).
When you enable Firebug for local files then this simple code reproduce the problem:
...
<body onload="DoSomething();">
<script language="JavaScript">
function DoSomething()
{
DoSomething();
}
</script>
...
My ideas for solution:
1. changing XPCJSStackFrame::CreateStack implementation to cycle on the linked list would help, but is that the true solution? I believe there are other places those need to turn from recursion to cycle.
2. Should there still be some hard limit for depth as it was removed with bug 392973?
3. Just add some limit for recursion depth of XPCJSStackFrame::CreateStack? It is still not the true solution because you cannot be sure how much space on the stack is available for it /and it will not give you complete stack trace /and it is difficult to decide what is the right depth.
Comment 45•17 years ago
|
||
That piece of code is injected by Norton System Works to prevent popup windows. Those of us without Norton System Works won't see that code.
Comment 46•17 years ago
|
||
If you're referring to the code identified in #44 as the cause of this issue, you're incorrect; I'm using Linux, definitely don't have Norton System Works and running, and still see that code. Perhaps it's injected on the author's side?
Comment 47•17 years ago
|
||
Strictly from the debugger's point of view simply counting identical stack frames is sufficient. I don't need 120,000 frames, I'm good with "119,999 frames like this one elided" ;-).
Comment 48•17 years ago
|
||
That won't solve:
function foo() { bar(); }
function bar() { foo(); }
bar();
or similar slightly more convoluted variants.
Comment 49•17 years ago
|
||
Same results as Honza in comment 44, with a simple testcase:
function a() { a(); } a();
Seems like truncating the stack if it's deeper than $BIGNUMBER frames would be an acceptable result -- if you've hit a recursion bug in your code, that should be obvious within the first thousand frames or so.
Is that the root problem, though? Without Firebug, the error console just quickly reports "Error: script stack space quota is exhausted." With Firebug, we're seeing 100K stack frames (albeit C, not JS)... Is debugging causing the "stack space quota" to be ignored? Or are grossly deep stacks like this efficient under normal (non-debugging) circumstances?
Comment 50•17 years ago
|
||
As Honza sorted out, I think problem is that Firebug wants to help the dev by reporting the erroneous stack. Since the stack is large, this 'help' isn't so helpful. I'll look to see if I can detect this case.
Comment 51•17 years ago
|
||
This could be buggy, or plain wrong and dumb, but it seems like this should work here.
The problem as I understand it is that we're doing JS stuff and we use up a ton of the stack space, then we throw the exception about running out of stack space, and while all that's on the stack, we get into XPCJSStackFrame::CreateStack() and we recursively call that for fp->down, which will be the whole chain of JS calls. This patch makes XPCJSStackFrame not be recursive (modulo bugs, as this is totally untested) and thus it won't use much stack space at all.
XPCJSStackFrame's destructor is also recursive, releasing its caller, so if that happens when the stack is close to full, we could still crash, but seems like this would be worth a try either way. Plus, it's not very likely for GC to happen (or any of the error cases in CreateStack() to triger) with tons of stuff already on the stack.
Reporter | ||
Comment 52•17 years ago
|
||
Comment on attachment 305640 [details] [diff] [review]
Totally untested possible fix.
XPCJSStackFrame::CreateStack(JSContext* cx, JSStackFrame* fp,
XPCJSStackFrame** stack)
{
+ nsRefPtr<XPCJSStackFrame> top;
+ *stack = top;
return self ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
Am I wrong in assuming top being a RefPtr results in *stack being freed data?
Comment 53•17 years ago
|
||
(In reply to comment #52)
> Am I wrong in assuming top being a RefPtr results in *stack being freed data?
Yeah, that's one of two problems with the patch. It's not worth testing (as confirmed by dolske in person).
Comment 54•17 years ago
|
||
Comment on attachment 305640 [details] [diff] [review]
Totally untested possible fix.
This, with the refcounting issues fixed, does fix the crash here, but it exposes the next one, as I suspected in the destructor of XPCJSStackFrame. I've got a patch baking for that too, but I'm also investigating whether it's sane to end up here with a stack that's *thousands* of frames deep...
Attachment #305640 -
Attachment is obsolete: true
Reporter | ||
Comment 55•17 years ago
|
||
js> function a(b) { try { a(b) } catch (e) { if (b.stop) return; b.stop=true; var g=0; function z() {++g}; var stack=e.stack; var len = stack.length; var avg = stack.indexOf("\n"); print (len, avg, len/avg); } }; a({})
1048576 28 37449.142857142855
So, you can get ~30,000 frames if you're careful :).
Comment 56•17 years ago
|
||
From a sample size of 1 with dolske's simple recurse-to-death sample, we end up with a JS stack that's 130432 frames deep. That seems a bit excessive to me, but I guess that's what we get for giving JS a 512k stack.
Comment 57•17 years ago
|
||
So this patch does prevent this crash, but it instead makes the process hang in some sort of loop where it's accessing this stack repeatedly for some reason. IOW, XPCJSStackFrame::CreateStack() is called through a non-obvious path for what looks like the same stack.
This patch limits the stack frame chain length to 1000 (plus 1, plus a dummy frame). It the stack will show the frame where the exception was thrown, and then a dummy frame that shows how many frames were skipped (as the function name), and then the 1000 frames that started this whole mess.
Something seems to be wrong with firebug when we hit an stack quota exceeded exception, and this patch does *not* address that.
Comment 58•17 years ago
|
||
In FF2, firebug works fine, it gets "too much recursion" from FF and tells the user. So there must be a difference in FF3, let me know when to look into this when you have a FF3 with your fix.
Comment 59•17 years ago
|
||
The builds at https://build.mozilla.org/tryserver-builds/2008-02-26_17:55-jst@mozilla.com-createstackcrash/ contain the last attachment in this bug. Please feel free to test it as much as you can.
Comment 60•17 years ago
|
||
Good news and bad news: that build doesn't crash like 3.0b4pre, butinstead it just pegs my CPU. I'll attach the exact file I used, its from
http://code.google.com/p/fbug/issues/detail?id=476
Comment 61•17 years ago
|
||
Comment 62•17 years ago
|
||
I ran my testcase (comment 49), and got the hang...
It logs on execption to the console, trimmed:
JavaScript Error: "script stack space quota is exhausted"
{file: "file:///.../firebug1.2/components/firebug-service.js" line: 1894}
when calling method: [jsdIExecutionHook::onExecute]" nsresult:
"0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"
location: http://people.mozilla.com/~dolske/tmp/infiniteloop.html :: a
DTrace shows JS activity during the hang, spinning for more than an hour with a repeated pattern of:
C PID DELTA(us) FILE:LINE TYPE -- FUNC
0 36156 4 firebug-service.js:1887 func -> apply
0 36156 229 firebug-service.js:903 func -> isFilteredURL
0 36156 61 firebug-service.js:- func <- isFilteredURL
0 36156 57 firebug-service.js:908 func -> getFrameGlobal
0 36156 163 firebug-service.js:1903 func -> getWrappedValue
0 36156 70 firebug-service.js:- func <- getWrappedValue
0 36156 46 firebug-service.js:- func <- getFrameGlobal
0 36156 50 firebug-service.js:- func <- apply
0 36156 67582 infiniteloop.html:- func <- a
0 36156 228657 firebug-service.js:1887 func -> apply
0 36156 198 firebug-service.js:903 func -> isFilteredURL
0 36156 55 firebug-service.js:- func <- isFilteredURL
0 36156 55 firebug-service.js:908 func -> getFrameGlobal
0 36156 145 firebug-service.js:1903 func -> getWrappedValue
0 36156 67 firebug-service.js:- func <- getWrappedValue
0 36156 45 firebug-service.js:- func <- getFrameGlobal
0 36156 52 firebug-service.js:- func <- apply
0 36156 73925 infiniteloop.html:- func <- a
:1887 looks to be the JSD hook, :903/:908 are in "onThrow()". Note that there's no "--> a" entry, is this the recursion slowly unwinding?
Reporter | ||
Comment 63•17 years ago
|
||
Comment on attachment 305891 [details] [diff] [review]
This prevents the crash by limiting the number of stack frames we expose...
ok, so the first part of the patch fixes a jsd bug specifically bug 282660 comment 6 (reentrancy).
I don't suppose you'd be willing to split the jsd bug fix into that bug?
Comment 64•17 years ago
|
||
(In reply to comment #62)
> I ran my testcase (comment 49), and got the hang...
...
> no "--> a" entry, is this the recursion slowly unwinding?
>
Could be, the exception would examine each frame looking for catch and calling onThrow where Firebug noodles around to get the frame since it won't be available when we get the error message. If you had set trackThrowCatch you'd still be waiting ;-).
The correct behavior for the engine in this case is to unwind the stack before processing the throw rather than searching for the catch over and over. But of course that would require the engine to distinguish recursion from other ways of blowing the stack.
If Firebug could get the value of the exception we could take special steps for recursion.
If we had onCatch rather than onThrow-when-there-is-no-catch then this would not happen: we would get two calls, onThrow at the error and onCatch when the handler was found down at the bottom of the stack. That would be the best solution IMO.
Comment 65•17 years ago
|
||
(In reply to comment #63)
> I don't suppose you'd be willing to split the jsd bug fix into that bug?
I'm not, but you're more than welcome to.
Updated•17 years ago
|
Whiteboard: See comment 34 for the testcase → See comment 34 for the testcase [firebug-p2]
Updated•17 years ago
|
Summary: Topcrash [@ XPCJSStackFrame::CreateStack] → Topcrash [@ XPCJSStackFrame::CreateStack] due to deeply recursive scripts
Comment 66•17 years ago
|
||
Another report that looks similar uses this page for test:
http://mozillalinks.org/wp/
Crashes 3.0b5pre
http://crash-stats.mozilla.com/report/index/a33cc8b0-ed44-11dc-970e-001a4bd43ef6?date=2008-03-08-19
Assignee | ||
Comment 67•17 years ago
|
||
JS stack causing this crash:
0 [native frame]
1 anonymous([xpconnect wrapped jsdIStackFrame @ 0x82b9318 (native @ 0x82b92b0)],
4, [object Object]) ["file:///D:/Profiles/Testing/extensions/firebug@software.j
oehewitt.com/components/firebug-service.js":1757]
frame = undefined
msg = "Error in hook: InternalError: script stack space quota is exhausted s
tack="
this = [object Object]
2 anonymous(inline = undefined) ["http://mozillalinks.org/wp/wp-content/plugins/
IMM-Glossary/JavaScripts/prototype.js":584]
this = [object DocumentFragment @ 0x7b0efd8 (native @ 0x77e7060)]
3 anonymous(inline = undefined) ["http://mozillalinks.org/wp/wp-content/plugins/
IMM-Glossary/JavaScripts/prototype.js":584]
this = [object DocumentFragment @ 0x7b0efd8 (native @ 0x77e7060)]
4 anonymous(inline = undefined) ["http://mozillalinks.org/wp/wp-content/plugins/
IMM-Glossary/JavaScripts/prototype.js":584]
this = [object DocumentFragment @ 0x7b0efd8 (native @ 0x77e7060)]
537: if (!Array.prototype._reverse)
Array.prototype._reverse = Array.prototype.reverse;
584: reverse: function(inline) {
return (inline !== false ? this : this.toArray())._reverse();
},
I applied the patch from Johnny Stenback.
number of frames: 261506
XPCJSStackFrame::CreateStack is then called 261506 times for each frame. Then each frame is being destroyed.
Assignee | ||
Comment 68•17 years ago
|
||
> Then each frame is being destroyed.
It seems to me that there is different problem. Exception thrown (the JS stack quota exhaustion) is captured *in JS* by Firebug. But this again throws the same exception and this way for each frame during stack back.
This is the top of the JS stack:
1 ERROR(text = "onScriptCreated failed: InternalError: script stack space quota
is exhausted") ["file:///D:/Profiles/Testing/extensions/firebug@software.joehewi
tt.com/components/firebug-service.js":1926]
this = [object BackstagePass @ 0x41a5f20 (native @ 0xcbfb84)]
2 anonymous(script = [xpconnect wrapped jsdIScript @ 0xa9d11c8 (native @ 0xa9d10
f0)]) ["file:///D:/Profiles/Testing/extensions/firebug@software.joehewitt.com/co
mponents/firebug-service.js":1076]
fileName = "XPCSafeJSObjectWrapper.cpp"
this = [object Object]
3 anonymous([xpconnect wrapped jsdIScript @ 0xa9d11c8 (native @ 0xa9d10f0)]) ["f
ile:///D:/Profiles/Testing/extensions/firebug@software.joehewitt.com/components/
firebug-service.js":1752]
frame = undefined
msg = undefined
this = [object Object]
4 anonymous(win = [object Window @ 0x4452a78 (native @ 0x447e554)]) ["chrome://f
irebug/content/tabWatcher.js":296]
context = undefined
i = undefined
this = [object Object]
5 anonymous(win = [object Window @ 0x4452a78 (native @ 0x447e554)]) ["chrome://f
irebug/content/debugger.js":571]
context = undefined
this = [object Object]
6 [native frame]
7 anonymous(frame = [xpconnect wrapped jsdIStackFrame @ 0xa9c55d8 (native @ 0xa9
c5570)]) ["file:///D:/Profiles/Testing/extensions/firebug@software.joehewitt.com
/components/firebug-service.js":1242]
debuggr = [xpconnect wrapped nsIFireBugDebugger @ 0x546da20 (native @ 0x5338
550)]
i = 0
win = [object Window @ 0x4452a78 (native @ 0x447e554)]
this = [object Object]
8 anonymous(arguments = [object Object], rv = [object Object], type = 4, frame =
[xpconnect wrapped jsdIStackFrame @ 0xa9c55d8 (native @ 0xa9c5570)]) ["file:///
D:/Profiles/Testing/extensions/firebug@software.joehewitt.com/components/firebug
-service.js":867]
debuggr = undefined
this = [object Object]
9 anonymous(arguments = [object Object], 4, [object Object]) ["file:///D:/Profil
es/Testing/extensions/firebug@software.joehewitt.com/components/firebug-service.
js":1752]
frame = undefined
msg = undefined
this = [object Object]
10 anonymous(arguments = [object Object], inline = undefined) ["http://mozillali
nks.org/wp/wp-content/plugins/IMM-Glossary/JavaScripts/prototype.js":584]
this = [object DocumentFragment @ 0x5c31de0 (native @ 0x5c34c80)]
11 anonymous(arguments = [object Object], inline = undefined) ["http://mozillali
nks.org/wp/wp-content/plugins/IMM-Glossary/JavaScripts/prototype.js":584]
this = [object DocumentFragment @ 0x5c31de0 (native @ 0x5c34c80)]
12 anonymous(arguments = [object Object], inline = undefined) ["http://mozillali
nks.org/wp/wp-content/plugins/IMM-Glossary/JavaScripts/prototype.js":584]
Comment 69•17 years ago
|
||
Well we could look into details, but it seems to me that if the stack is exhausted then we can't expect anything good to happen until we recover from that. Two choices:
1) Provide a small recovery buffer on the stack that allows the debugger enough headroom to run,
2) Always roll back the stack on this error, but that means analyzing the recursion which will be hard.
Or is there something more than "debugger running on full stack" ?
I am a bit confused by this statement in Comment 67:
XPCJSStackFrame::CreateStack is then called 261506 times for each frame.
Did you mean
XPCJSStackFrame::CreateStack is then called 261506 times *once* for each frame.
Or did you mean 261506 times for each of 261506 frames? Seems like a lot ;-)
Assignee | ||
Comment 70•17 years ago
|
||
(In reply to comment #69)
> I am a bit confused by this statement in Comment 67:
> XPCJSStackFrame::CreateStack is then called 261506 times for each frame.
> Did you mean
> XPCJSStackFrame::CreateStack is then called 261506 times *once* for each frame.
> Or did you mean 261506 times for each of 261506 frames? Seems like a lot ;-)
>
Sorry for that confusion :) This number is probably completely wrong observation. The method was simply called multiple times by Firebug and I deduced from it that it is called ones per each frame as they are being rolled back.
Comment 71•17 years ago
|
||
I can tell you this is a serious issue for Amazon.com developers because we cannot open the majority of the site pages in internal debug mode and many of us are using Firebug.
Comment 72•17 years ago
|
||
Fixing bug 424683 will also help this, I think -- can someone build with the most recent patch in that bug and see if it does?
Comment 73•17 years ago
|
||
(In reply to comment #71)
> I can tell you this is a serious issue for Amazon.com developers because we
> cannot open the majority of the site pages in internal debug mode and many of
> us are using Firebug.
>
I am concerned that there is another bug here. This report concerns a crash that only happens when two things are true:
1) Your page has an infinite loop
2) You are running firebug.
If you don't have an infinite loop and you are still crashing with firebug we need to find out why.
Comment 74•17 years ago
|
||
The testcase from comment #61 is fixed by the landing of bug 424683, so I think this bug can generally be considered fixed. Other issues should go to other bugs.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago → 17 years ago
Resolution: --- → FIXED
Comment 75•17 years ago
|
||
I see the testcase in comment #61 passes with FF3b5. I was responding in comment #71 to John Barton's comment #66 because I've been generating almost identical crash reports to the one he referenced. Is there a separate bug for that issue?
Comment 76•17 years ago
|
||
(In reply to comment #75)
> I see the testcase in comment #61 passes with FF3b5. I was responding in
> comment #71 to John Barton's comment #66 because I've been generating almost
> identical crash reports to the one he referenced. Is there a separate bug for
> that issue?
>
Please post the URL for your crash. We can't help you without either the stack from your crash or the page you crash on and the version you are running.
Comment 77•17 years ago
|
||
Now I can't reproduce it (with FF3b5 and Firebug 1.2.0a13x), but for reference, these crash reports were the latest.
http://crash-stats.mozilla.com/report/index/599cebb0-01d8-11dd-88de-001a4bd43e5c
http://crash-stats.mozilla.com/report/index/874f1e8c-01d5-11dd-8a54-001a4bd43e5c
Comment 78•17 years ago
|
||
No crash anymore with the testcase and loading the given URL.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008041005 Minefield/3.0pre ID:2008041005
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9pre) Gecko/2008041104 Minefield/3.0pre ID:2008041104
paxunix, in your mentioned crash reports you can see that the build identifiers are too old. The patch went in later.
Tests were added on bug 424683.
Status: RESOLVED → VERIFIED
Flags: in-testsuite-
Flags: in-litmus-
Target Milestone: --- → mozilla1.9
Updated•13 years ago
|
Crash Signature: [@ XPCJSStackFrame::CreateStack]
You need to log in
before you can comment on or make changes to this bug.
Description
•