Closed Bug 325540 Opened 19 years ago Closed 19 years ago

Javascript library jsMath causes Firefox to crash [@ ClaimScope][@ WillDeadLock]

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

RESOLVED FIXED
mozilla1.9alpha1

People

(Reporter: jamie, Assigned: mrbkap)

Details

(Keywords: crash, fixed1.8.1, verified1.8.0.2, Whiteboard: [rft-dl])

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

The jsMath javascript library worked fine with Firefox 1.5. However, when using it in Firefox 1.5.0.1 it causes Firefox to crash immediately. You can see this at http://www.roadsignmath.com/. The jsMath library itself can be found at http://www.math.union.edu/~dpvc/jsMath/. (I have notified the author of this issue as well.)

Reproducible: Always

Steps to Reproduce:
1. Go to any page that uses the jsMath library.
2.
3.

Actual Results: Browser crashes.

Expected Results: Should have loaded the page.
please reinstall firefox with talkback and then crash again, run talkback.exe, and copy the incident id to this bug.
Keywords: stackwanted
(In reply to comment #1)
> please reinstall firefox with talkback and then crash again, run talkback.exe,
> and copy the incident id to this bug.

Check out TB14651859H, TB14651716M, TB14645808Y, TB14645140W.

Incident ID: 14645140
Stack Signature ClaimScope a3077c61
Product ID Firefox15
Build ID 2006011112
Trigger Time 2006-02-01 21:40:03.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (00028064)
URL visited http://www.roadsignmath.com/
User Comments just opened up site.
Since Last Crash 3158 sec
Total Uptime 3158 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 453
Stack Trace
ClaimScope [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 453]
js_LockScope [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 1055]
js_LockObj [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 1207]
js_LookupProperty [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2615]
js_LookupHiddenProperty [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2367]
call_resolve [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 818]
js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2710]
js_LookupProperty [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2615]
js_FindProperty [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2824]
js_FindIdentifierBase [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2855]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 2619]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1424]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4103]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1061]
nsGlobalWindow::RunTimeout [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6296]
nsGlobalWindow::TimerCallback [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6667]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]

Incident ID: 14645808
Stack Signature WillDeadlock c1d7eafa
Product ID Firefox15
Build ID 2006011112
Trigger Time 2006-02-01 22:20:41.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (00028175)
URL visited http://www.roadsignmath.com/
User Comments
Since Last Crash 651 sec
Total Uptime 3931 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 275
Stack Trace
WillDeadlock [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 275]
js_LockScope [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 1055]
js_LockObj [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 1207]
js_LookupProperty [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2615]
js_LookupHiddenProperty [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2367]
call_resolve [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 818]
js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2710]
js_LookupProperty [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2615]
js_FindProperty [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2824]
js_FindIdentifierBase [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2855]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 2619]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1424]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4103]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1061]
nsGlobalWindow::RunTimeout [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6296]
nsGlobalWindow::TimerCallback [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6667]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: stackwanted → crash
Product: Firefox → Core
QA Contact: general → general
Summary: Javascript library jsMath causes Firefox to crash → Javascript library jsMath causes Firefox to crash [@ ClaimScope][@ WillDeadLock]
Version: unspecified → 1.8 Branch
Attached file testcase
I haven't been able to minimise it much, but I definitely crash almost every time after the alert with current trunk build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Ria found a regression range between 2005-12-14 13 and 20051214 22. So I guess this could be a regression from bug 320172.
This seems to be related to the window.eval() call that is in the jsMath.Script.Uncompress() routine in the jsMath.js file. If I change "window.eval" to "eval" in that routine, Firefox doesn't crash.
Attached patch Fix
*sigh*, we needed to js_PutCallObject in the return path from the inline call to avoid references to popped fp's coming back and biting us in the ass.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #210540 - Flags: review?(brendan)
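The fix comment above describes a call object that still referred to an interpreter stack frame after the inline-call return path had popped it. The following C model is an added illustration, not SpiderMonkey code or the attached patch; `Frame`, `CallObject`, `put_call_object` and the other names are hypothetical stand-ins, and the stale read here lands in a reused array slot instead of causing an access violation.

```c
#include <stdio.h>
#include <string.h>

#define NVARS 2
typedef struct Frame { int vars[NVARS]; } Frame;
/* Call object: reads through fp while the frame is live, else from saved[]. */
typedef struct CallObject { Frame *fp; int saved[NVARS]; } CallObject;

static Frame frame_stack[8];   /* model interpreter stack; slots are reused */
static int   depth;

static Frame *push_frame(int a, int b) {
    Frame *fp = &frame_stack[depth++];
    fp->vars[0] = a;
    fp->vars[1] = b;
    return fp;
}

/* Stand-in for js_PutCallObject: snapshot the frame's variables, drop fp. */
static void put_call_object(CallObject *co) {
    if (co->fp) memcpy(co->saved, co->fp->vars, sizeof co->saved);
    co->fp = NULL;
}

/* Return path that pops the frame; detach=0 models the missing call. */
static void pop_frame(CallObject *co, int detach) {
    if (detach) put_call_object(co);
    depth--;
}

/* Property lookup through the call object, as a later closure would do. */
static int call_get(const CallObject *co, int i) {
    return co->fp ? co->fp->vars[i] : co->saved[i];
}

/* A call creates a call object and returns; a later call reuses its slot. */
static int read_after_return(int detach) {
    CallObject co = { push_frame(7, 8), {0, 0} };
    pop_frame(&co, detach);
    push_frame(99, 100);               /* unrelated call reuses the slot */
    int seen = call_get(&co, 0);       /* should still be 7 */
    depth--;
    return seen;
}

int main(void) {
    printf("return path without put_call_object: %d\n", read_after_return(0));
    printf("return path with put_call_object:    %d\n", read_after_return(1));
    return 0;
}
```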
Comment on attachment 210540: Fix
Brendan says r=him
Attachment #210540 - Flags: review?(brendan)
Attachment #210540 - Flags: review+
Attachment #210540 - Flags: branch-1.8.1?(brendan)
Attachment #210540 - Flags: approval1.8.0.2?
Fix checked into trunk. Can someone contact the authors of the site and tell them that the workaround in comment 6 should work?
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?
Resolution: --- → FIXED
*** Bug 325721 has been marked as a duplicate of this bug. ***
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Version: 1.8 Branch → Trunk
*** Bug 325647 has been marked as a duplicate of this bug. ***
*** Bug 325779 has been marked as a duplicate of this bug. ***
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2+
Comment on attachment 210540: Fix
Sure for 1.8.0.2 -- for 1.8.1 we can wait till the entire js engine is uplifted to 1.7 if you like, or land it now to reduce the merge diff later. /be
Attachment #210540 - Flags: branch-1.8.1?(brendan)
Attachment #210540 - Flags: branch-1.8.1+
Attachment #210540 - Flags: approval1.8.0.2?
Attachment #210540 - Flags: approval1.8.0.2+
I could use some help with creating a reduced testcase.
Flags: testcase?
Fix checked into the 1.8 branches.
Whiteboard: [rft-dl]
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060301 Firefox/1.5.0.1, no crash with testcase, but I do see a hang as the page tries to load. Is that expected? Better than a crash I guess.
Ok, it wasn't a hang, the page just doesn't load. I think something else running on my machine caused a temporary hang, but it's NOT the testcase (the page just doesn't finish rendering, throbber forever).
Flags: in-testsuite? → in-testsuite-
verified for Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1b2) Gecko/20060818 BonEcho/2.0b2 no crash on testcase and Url
Crash Signature: [@ ClaimScope] [@ WillDeadLock]