Closed Bug 308111 Opened 20 years ago Closed 20 years ago

browser crash when searching large e4x tree [@ GetProperty]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla1.8beta5

People

(Reporter: boogs, Assigned: brendan)

Details

(Keywords: crash, verified1.8)

Crash Data

Attachments

(6 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

Searches using foo.bar.(baz == 'hotdog') over large trees crash DPb1.

Reproducible: Always

Steps to Reproduce:
1. Open attached file in FFb1
2. Say yes to security confirmation

Actual Results:
FF crashes.

Expected Results:
Printed out the name of each item in the tree, followed by ": 1" (because the match it is performing should produce one result).

It stops crashing if you make the source input significantly smaller (about a quarter the size worked for me).
Attached file testcase
Incident ID: 9264453
Stack Signature: GetProperty() 1392ea8b
Product ID: FirefoxTrunk
Build ID: 2005091006
Trigger Time: 2005-09-11 23:52:28.0
Platform: MacOSX
Operating System: Darwin 8.2.0
Module: libmozjs.dylib.1.0.0 + (00070d74)
URL visited:
User Comments:
Since Last Crash: 515 sec
Total Uptime: 93976 sec
Trigger Reason: SIGBUS: Bus Error: (signal 10)
Source File, Line No.: /builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4002

Stack Trace:
GetProperty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4002]
GetProperty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 4001]
js_FilterXMLList() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsxml.c, line 7871]
js_Interpret() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 5068]
js_Invoke() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 1183]
js_InternalInvoke() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsinterp.c, line 1261]
JS_CallFunctionValue() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/js/src/jsapi.c, line 4024]
nsJSContext::CallEventHandler() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1430]
nsJSEventListener::HandleEvent()
nsEventListenerManager::HandleEventSubType() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 848]
nsEventListenerManager::HandleEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1766]
nsGlobalWindow::HandleDOMEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1523]
DocumentViewerImpl::LoadComplete() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 842]
nsDocShell::EndPageLoad()
nsWebShell::EndPageLoad() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/docshell/base/nsWebShell.cpp, line 496]
nsDocShell::OnStateChange()
nsDocLoader::FireOnStateChange() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 848]
nsDocLoader::doStopDocumentLoad() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 839]
nsDocLoader::DocLoaderIsEmpty() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 741]
nsDocLoader::OnStopRequest() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 662]
nsLoadGroup::RemoveRequest() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 848]
nsDocument::DoUnblockOnload() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 388]
nsDocument::HandleOnloadBlockerEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 5142]
PL_HandleEvent() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c, line 689]
PL_ProcessPendingEvents() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c, line 623]
CoreFoundation.368.12.0 + 0x23c8c (0x9074bc8c)
CoreFoundation.368.12.0 + 0x231bc (0x9074b1bc)
CoreFoundation.368.12.0 + 0x22c3c (0x9074ac3c)
HIToolbox.221.0.0 + 0x8ac0 (0x93129ac0)
HIToolbox.221.0.0 + 0xed768 (0x9320e768)
HIToolbox.221.0.0 + 0xed51c (0x9320e51c)
HIToolbox.221.0.0 + 0xed47c (0x9320e47c)
nsMacMessagePump::GetEvent()
nsMacMessagePump::DoMessagePump()
nsAppShell::Run() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/widget/src/mac/nsAppShell.cpp, line 114]
nsAppStartup::Run()
XRE_main() [/builds/tinderbox/Fx-Trunk/Darwin_7.9.0_Depend/mozilla/toolkit/xre/nsAppRunner.cpp, line 2311]
_start()
start()
Severity: normal → critical
Keywords: crash
Summary: browser crash when searching large e4x tree → browser crash when searching large e4x tree [@ GetProperty]
Assignee: general → brendan
Flags: blocking1.8b5+
Oops, js_MarkLocalRoots marked only the top local root scope! There's another bug peculiar to filtering predicate expressions. Patch for that soon, I hope. /be
Attachment #195954 - Flags: superreview?(shaver)
Attachment #195954 - Flags: review?(mrbkap)
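An added illustration, not code from this bug or from SpiderMonkey: a hypothetical toy mark-and-sweep collector with nested local root scopes (RootScope, outer_root_survives and the other names are invented), showing why a marker that walks only the top scope lets an object an outer frame still uses get swept, and how walking the parent chain keeps it alive.

```c
#include <stdbool.h>
#include <stddef.h>
#define MAX_ROOTS 8
#define MAX_OBJS  16
typedef struct Obj { bool live, marked; } Obj;
/* Hypothetical local root scope: rooted objects plus a link to the scope of the
 * enclosing, still-active frame (the chain a root marker has to walk). */
typedef struct RootScope {
    Obj *roots[MAX_ROOTS];
    size_t nroots;
    struct RootScope *parent;
} RootScope;
static Obj heap[MAX_OBJS];               /* toy heap: a fixed pool of objects */
static Obj *alloc_obj(void) {
    for (size_t i = 0; i < MAX_OBJS; i++)
        if (!heap[i].live) { heap[i].live = true; return &heap[i]; }
    return NULL;
}
static void root(RootScope *s, Obj *o) {
    if (s->nroots < MAX_ROOTS) s->roots[s->nroots++] = o;
}
static void mark_scope(RootScope *s) {
    for (size_t i = 0; i < s->nroots; i++) s->roots[i]->marked = true;
}
/* Buggy marker: only the innermost (top) scope is walked, so objects rooted by
 * outer scopes are invisible to the collector and get swept while still in use. */
static void mark_local_roots_buggy(RootScope *top) { mark_scope(top); }
/* Fixed marker: walk the whole chain of active scopes. */
static void mark_local_roots_fixed(RootScope *top) {
    for (RootScope *s = top; s != NULL; s = s->parent) mark_scope(s);
}
static void sweep(void) {
    for (size_t i = 0; i < MAX_OBJS; i++) {
        if (heap[i].live && !heap[i].marked) heap[i].live = false;
        heap[i].marked = false;
    }
}
/* Run one collection with the given marker while two scopes are active and
 * report whether an object rooted only by the OUTER scope survives. */
static bool outer_root_survives(void (*mark)(RootScope *)) {
    for (size_t i = 0; i < MAX_OBJS; i++) heap[i].live = heap[i].marked = false;
    RootScope outer = { {0}, 0, NULL };
    RootScope inner = { {0}, 0, &outer };
    Obj *kept_by_outer = alloc_obj();
    root(&outer, kept_by_outer);
    root(&inner, alloc_obj());           /* the inner frame's own temporary */
    mark(&inner);
    sweep();
    return kept_by_outer->live;          /* false under the buggy marker */
}
```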
The patch might fix crashes Bob is seeing trying to test the patch for bug 280769. /be
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta5
Comment on attachment 195954 [details] [diff] [review] fix one of the bugs biting here, and possibly elsewhere r=mrbkap
Attachment #195954 - Flags: review?(mrbkap) → review+
Comment on attachment 195954 [details] [diff] [review] fix one of the bugs biting here, and possibly elsewhere sr=shaver
Attachment #195954 - Flags: superreview?(shaver)
Attachment #195954 - Flags: superreview+
Attachment #195954 - Flags: review?(mrbkap)
Attachment #195954 - Flags: review+
Attachment #195954 - Flags: review?(mrbkap) → review+
Attached patch complete fix
diff -w version next. /be
I thought about relayering js_Interpret so common-case calls go through another level that allocates the stack frame, but that penalizes those cases even worse than adding two branch-tests. So to make up for that, I copied NS_*LIKELY macros from nscore.h into jstypes.h. /be
Attachment #196094 - Flags: superreview?(shaver)
Attachment #196094 - Flags: review?(mrbkap)
Comment on attachment 196094 [details] [diff] [review] diff -w version of last patch r=mrbkap
Attachment #196094 - Flags: review?(mrbkap) → review+
Comment on attachment 196094 [details] [diff] [review] diff -w version of last patch sr=shaver
Attachment #196094 - Flags: superreview?(shaver) → superreview+
Fixed on trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment on attachment 196094 [details] [diff] [review] diff -w version of last patch We can let this bake, but E4X testing is required to find it, and the testcase is here (thanks, Aaron!), and this patch fixes it. /be
Attachment #196094 - Flags: approval1.8b5?
Attachment #196094 - Flags: approval1.8b5? → approval1.8b5+
Fixed on the 1.8 branch. /be
Keywords: fixed1.8
Checking in regress-308111.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-308111.js,v  <--  regress-308111.js
initial revision: 1.1
done
Flags: testcase+
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ GetProperty]