browser crash when searching large e4x tree [@ GetProperty]

VERIFIED FIXED in mozilla1.8beta5

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 13 years ago
Modified: 7 years ago
Reporter: Aaron Boodman
Assigned: brendan
Keywords: crash, verified1.8
Version: Trunk
Target Milestone: mozilla1.8beta5
Hardware: x86
OS: Windows XP
Points: ---
Bug Flags: blocking1.8b5 +, in-testsuite +
Firefox Tracking Flags: (Not tracked)
Attachments: 6 attachments

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

Searches using foo.bar.(baz == 'hotdog') over large trees crash DPb1.

Reproducible: Always

Steps to Reproduce:
1. Open attached file in FFb1
2. Say yes to security confirmation


Actual Results:  
FF crashes.

Expected Results:  
Printed out the name of each item in the tree, followed by ": 1" (because the
match it is performing should produce one result).

It stops crashing if you make the source input significantly smaller (about a
quarter the size worked for me).
(Reporter)

Comment 1

13 years ago
Created attachment 195714 [details]
testcase

Comment 2

13 years ago
Incident ID: 9264453
Stack Signature	GetProperty() 1392ea8b
Product ID	FirefoxTrunk
Build ID	2005091006
Trigger Time	2005-09-11 23:52:28.0
Platform	MacOSX
Operating System	Darwin 8.2.0
Module	libmozjs.dylib.1.0.0 + (00070d74)
URL visited	
User Comments	
Since Last Crash	515 sec
Total Uptime	93976 sec
Trigger Reason	SIGBUS: Bus Error: (signal 10)
Source File, Line No.
/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4002
Stack Trace
GetProperty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4002]
GetProperty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4001]
js_FilterXMLList() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 7871]
js_Interpret() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 5068]
js_Invoke() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 1183]
js_InternalInvoke() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 1261]
JS_CallFunctionValue() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsapi.c, line 4024]
nsJSContext::CallEventHandler() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1430]
nsJSEventListener::HandleEvent()
nsEventListenerManager::HandleEventSubType() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 848]
nsEventListenerManager::HandleEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1766]
nsGlobalWindow::HandleDOMEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1523]
DocumentViewerImpl::LoadComplete() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 842]
nsDocShell::EndPageLoad()
nsWebShell::EndPageLoad() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/docshell/base/nsWebShell.cpp, line 496]
nsDocShell::OnStateChange()
nsDocLoader::FireOnStateChange() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 848]
nsDocLoader::doStopDocumentLoad() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 839]
nsDocLoader::DocLoaderIsEmpty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 741]
nsDocLoader::OnStopRequest() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 662]
nsLoadGroup::RemoveRequest() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 848]
nsDocument::DoUnblockOnload() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 388]
nsDocument::HandleOnloadBlockerEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 5142]
PL_HandleEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c, line 689]
PL_ProcessPendingEvents() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c, line 623]
CoreFoundation.368.12.0 + 0x23c8c (0x9074bc8c)
CoreFoundation.368.12.0 + 0x231bc (0x9074b1bc)
CoreFoundation.368.12.0 + 0x22c3c (0x9074ac3c)
HIToolbox.221.0.0 + 0x8ac0 (0x93129ac0)
HIToolbox.221.0.0 + 0xed768 (0x9320e768)
HIToolbox.221.0.0 + 0xed51c (0x9320e51c)
HIToolbox.221.0.0 + 0xed47c (0x9320e47c)
nsMacMessagePump::GetEvent()
nsMacMessagePump::DoMessagePump()
nsAppShell::Run() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/widget/src/mac/nsAppShell.cpp, line 114]
nsAppStartup::Run()
XRE_main() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/toolkit/xre/nsAppRunner.cpp, line 2311]
_start()
start()
Severity: normal → critical
Keywords: crash
Summary: browser crash when searching large e4x tree → browser crash when searching large e4x tree [@ GetProperty]
(Assignee)

Updated

13 years ago
Assignee: general → brendan
Flags: blocking1.8b5+
(Assignee)

Comment 3

13 years ago
Created attachment 195835 [details]
js shell version of testcase
(Assignee)

Comment 4

13 years ago
Created attachment 195954 [details] [diff] [review]
fix one of the bugs biting here, and possibly elsewhere

Oops, js_MarkLocalRoots marked only the top local root scope!

There's another bug peculiar to filtering predicate expressions.  Patch for
that soon, I hope.

/be
Attachment #195954 - Flags: superreview?(shaver)
Attachment #195954 - Flags: review?(mrbkap)
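As an added illustration of the bug class named in the comment above (a root-marking routine that visits only the top local root scope), and not code from SpiderMonkey or from this bug's patches: a toy collector keeps a chain of nested local root scopes, and the example contrasts a marker that walks only the innermost scope with one that walks the whole chain. With the top-only marker, objects still rooted by outer native frames go unmarked and are swept, which is exactly the dangling-pointer condition behind a crash like the one in the stack trace. All names (RootScope, mark_local_roots_top_only, objects_lost) are hypothetical.

```c
/* Toy mark/sweep collector with a chain of local root scopes.
 * Hypothetical illustration, not SpiderMonkey code. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ROOTS 8

typedef struct Object {
    bool marked;
    int id;
} Object;

/* One local root scope: a fixed array of rooted objects plus a link to the
 * enclosing scope, mirroring a stack of nested native-call frames. */
typedef struct RootScope {
    Object *roots[MAX_ROOTS];
    size_t count;
    struct RootScope *down;   /* next outer scope, NULL at the bottom */
} RootScope;

static void scope_init(RootScope *s, RootScope *down) {
    s->count = 0;
    s->down = down;
}

static void scope_push(RootScope *s, Object *o) {
    assert(s->count < MAX_ROOTS);
    s->roots[s->count++] = o;
}

/* Buggy marker: visits only the top (innermost) scope, the shape of the
 * defect described in comment 4. */
static void mark_local_roots_top_only(RootScope *top) {
    for (size_t i = 0; i < top->count; i++)
        top->roots[i]->marked = true;
}

/* Fixed marker: walks every scope on the chain so nothing held by an
 * outer frame is missed. */
static void mark_local_roots_all(RootScope *top) {
    for (RootScope *s = top; s != NULL; s = s->down)
        for (size_t i = 0; i < s->count; i++)
            s->roots[i]->marked = true;
}

/* Sweep phase: returns how many objects would be freed, i.e. how many
 * rooted objects the marker failed to reach. Resets marks afterwards. */
static size_t sweep_count_unmarked(Object *objs, size_t n) {
    size_t freed = 0;
    for (size_t i = 0; i < n; i++) {
        if (!objs[i].marked)
            freed++;
        objs[i].marked = false;
    }
    return freed;
}

/* Runs one GC cycle over a constructed heap of three objects held across
 * two nested scopes and returns how many live, rooted objects were swept. */
static size_t objects_lost(bool use_fixed_marker) {
    Object objs[3] = { {false, 1}, {false, 2}, {false, 3} };
    RootScope outer, inner;
    scope_init(&outer, NULL);
    scope_init(&inner, &outer);
    scope_push(&outer, &objs[0]);   /* rooted by an outer native frame */
    scope_push(&outer, &objs[1]);
    scope_push(&inner, &objs[2]);   /* rooted by the innermost frame */

    if (use_fixed_marker)
        mark_local_roots_all(&inner);
    else
        mark_local_roots_top_only(&inner);
    return sweep_count_unmarked(objs, 3);
}

int main(void) {
    printf("top-only marker sweeps %zu rooted object(s)\n", objects_lost(false));
    printf("full-chain marker sweeps %zu rooted object(s)\n", objects_lost(true));
    return 0;
}
```

The check a reviewer would apply to any marking routine is the one `objects_lost` encodes: every value that is still reachable from a frame anywhere on the native stack must survive a collection, not just those in the frame that happens to be on top when GC runs.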
(Assignee)

Comment 5

13 years ago
Created attachment 195955 [details] [diff] [review]
diff -w version of last patch
(Assignee)

Comment 6

13 years ago
The patch might fix crashes Bob is seeing trying to test the patch for bug 280769.

/be
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta5
Comment on attachment 195954 [details] [diff] [review]
fix one of the bugs biting here, and possibly elsewhere

r=mrbkap
Attachment #195954 - Flags: review?(mrbkap) → review+
Comment on attachment 195954 [details] [diff] [review]
fix one of the bugs biting here, and possibly elsewhere

sr=shaver
Attachment #195954 - Flags: superreview?(shaver)
Attachment #195954 - Flags: superreview+
Attachment #195954 - Flags: review?(mrbkap)
Attachment #195954 - Flags: review+

Updated

13 years ago
Attachment #195954 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 9

13 years ago
Created attachment 196093 [details] [diff] [review]
complete fix

diff -w version next.

/be
(Assignee)

Comment 10

13 years ago
Created attachment 196094 [details] [diff] [review]
diff -w version of last patch

I thought about relayering js_Interpret so common-case calls go through another
level that allocates the stack frame, but that penalizes those cases even worse
than adding two branch-tests.  So to make up for that, I copied NS_*LIKELY
macros from nscore.h into jstypes.h.

/be
Attachment #196094 - Flags: superreview?(shaver)
Attachment #196094 - Flags: review?(mrbkap)
Comment on attachment 196094 [details] [diff] [review]
diff -w version of last patch

r=mrbkap
Attachment #196094 - Flags: review?(mrbkap) → review+
Comment on attachment 196094 [details] [diff] [review]
diff -w version of last patch

sr=shaver
Attachment #196094 - Flags: superreview?(shaver) → superreview+
(Assignee)

Comment 13

13 years ago
Fixed on trunk.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Assignee)

Comment 14

13 years ago
Comment on attachment 196094 [details] [diff] [review]
diff -w version of last patch

We can let this bake, but E4X testing is required to find it, and the testcase
is here (thanks, Aaron!), and this patch fixes it.

/be
Attachment #196094 - Flags: approval1.8b5?

Updated

13 years ago
Attachment #196094 - Flags: approval1.8b5? → approval1.8b5+
(Assignee)

Comment 15

13 years ago
Fixed on the 1.8 branch.

/be
Keywords: fixed1.8

Comment 16

13 years ago
Checking in regress-308111.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-308111.js,v  <--  regress-308111.js
initial revision: 1.1
done
Flags: testcase+

Comment 17

13 years ago
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8

Comment 18

12 years ago
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ GetProperty]