325540 - Javascript library jsMath causes Firefox to crash [@ ClaimScope][@ WillDeadLock]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Jamie Thingelstad]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

The jsMath javascript library worked fine with Firefox 1.5. However, when using it in Firefox 1.5.0.1 it causes Firefox to crash immediately. You can see this at http://www.roadsignmath.com/. The jsMath library itself can be found at http://www.math.union.edu/~dpvc/jsMath/. (I have notified the author of this issue as well.)

Reproducible: Always

Steps to Reproduce:
1. Go to any page that uses the jsMath library.
2.
3.

Actual Results:  
Browser crashes.

Expected Results:  
Should have loaded the page.

Comment 1

[timeless]

please reinstall firefox with talkback and then crash again, run talkback.exe,
and copy the incident id to this bug.

Comment 2

[Jamie Thingelstad]

(In reply to comment #1)
> please reinstall firefox with talkback and then crash again, run talkback.exe,
> and copy the incident id to this bug.
> 

Check out TB14651859H, TB14651716M, TB14645808Y, TB14645140W.

Comment 3

[timeless]

Incident ID: 14645140  Stack Signature    ClaimScope a3077c61 Product ID         Firefox15 Build ID           2006011112 Trigger Time       2006-02-01 21:40:03.0 Platform           Win32 Operating System   Windows NT 5.1 build 2600 Module             js3250.dll + (00028064) URL visited        http://www.roadsignmath.com/ User Comments      just opened up site. Since Last Crash   3158 sec Total Uptime       3158 sec Trigger Reason     Access violation Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 453 Stack Trace  ClaimScope  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 453] js_LockScope  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 1055] js_LockObj  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 1207] js_LookupProperty  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2615] js_LookupHiddenProperty  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2367] call_resolve  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 818] js_LookupPropertyWithFlags  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2710] js_LookupProperty  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2615] js_FindProperty  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2824] js_FindIdentifierBase  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2855] js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 2619] js_Execute  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1424] JS_EvaluateUCScriptForPrincipals  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4103] nsJSContext::EvaluateString  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1061] nsGlobalWindow::RunTimeout  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6296] nsGlobalWindow::TimerCallback  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6667] nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151] main  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]  Incident ID: 14645808  Stack Signature    WillDeadlock c1d7eafa Product ID         Firefox15 Build ID           2006011112 Trigger Time       2006-02-01 22:20:41.0 Platform           Win32 Operating System   Windows NT 5.1 build 2600 Module             js3250.dll + (00028175) URL visited        http://www.roadsignmath.com/ User Comments Since Last Crash   651 sec Total Uptime       3931 sec Trigger Reason     Access violation Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 275 Stack Trace  WillDeadlock  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 275] js_LockScope  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 1055] js_LockObj  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 1207] js_LookupProperty  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2615] js_LookupHiddenProperty  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2367] call_resolve  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 818] js_LookupPropertyWithFlags  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2710] js_LookupProperty  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2615] js_FindProperty  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2824] js_FindIdentifierBase  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2855] js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 2619] js_Execute  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1424] JS_EvaluateUCScriptForPrincipals  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4103] nsJSContext::EvaluateString  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1061] nsGlobalWindow::RunTimeout  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6296] nsGlobalWindow::TimerCallback  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6667] nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151] main  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x16d4f (0x7c816d4f)

Comment 4

[Martijn Wargers (dead)]

Attachment: testcase

I haven't been able to minimise it much, but I definetely crashe almost every time  after the alert with current trunk build.

Comment 5

[Martijn Wargers (dead)]

Ria found a regression range between 2005-12-14 13 and 20051214 22.
So I guess this could be a regression from bug 320172.

Comment 6

[Davide P. Cervone]

This seems to be related to the window.eval() call that is in the jsMath.Script.Uncompress() routine in the jsMath.js file.  If I change "window.eval" to "eval" in that routine, Firefox doesn't crash.

Comment 7

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Fix

*sigh*, we needed to js_PutCallObject in the return path from the inline call to avoid references to popped fp's coming back and biting us in the ass.

Comment 8

[Blake Kaplan (:mrbkap) (inactive)]

Comment on attachment 210540 [details] [diff] [review]
Fix

Brendan says r=him

Comment 9

[Blake Kaplan (:mrbkap) (inactive)]

Fix checked into trunk. Can someone contact the authors of the site and tell them that the workaround in comment 6 should work?

Comment 10

[Blake Kaplan (:mrbkap) (inactive)]

*** Bug 325721 has been marked as a duplicate of this bug. ***

Comment 11

[Blake Kaplan (:mrbkap) (inactive)]

*** Bug 325647 has been marked as a duplicate of this bug. ***

Comment 12

[Ryan Flint [:rflint] (ping via IRC for reviews)]

*** Bug 325779 has been marked as a duplicate of this bug. ***

Comment 13

[Brendan Eich [:brendan]]

Comment on attachment 210540 [details] [diff] [review]
Fix

Sure for 1.8.0.2 -- for 1.8.1 we can wait till the entire js engine is uplifted to 1.7 if you like, or land it now to reduce the merge diff later.

/be

Comment 14

[Bob Clary [:bc] (inactive)]

I could use some help with creating a reduced testcase.

Comment 15

[Blake Kaplan (:mrbkap) (inactive)]

Fix checked into the 1.8 branches.

Comment 16

[Jay Patel [:jay]]

v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060301 Firefox/1.5.0.1, no crash with testcase, but I do see a hang as the page tries to load.  Is that expected?  Better than a crash I guess.

Comment 17

[Jay Patel [:jay]]

Ok, it wasn't a hang, the page just doesn't load.  I think something else running on my machine caused a temporary hang, but it's NOT the testcase (the page just doesn't finish rendering, throbber forever).

Comment 18

[Carsten Book [:Tomcat]]

verified for Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1b2) Gecko/20060818 BonEcho/2.0b2 no crash on testcase and Url