Closed Bug 363988 Opened 18 years ago Closed 18 years ago

huge javascript crashes firefox [@ JS_GetPrivate()]

Categories: Core :: JavaScript Engine, defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
People: Reporter: hroehrig, Assigned: sync2d
Keywords: crash, verified1.8.0.10, verified1.8.1.2
Attachments: 3 files

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

Loading the page above crashes Firefox 1.5.x and 2.x on Windows and Linux.

Reproducible: Always

Steps to Reproduce:
1. navigate to http://www.xnchina.net/bbs/listduty.asp?parent1=32

Actual Results:
crash

Expected Results:
a page with a table filled with Chinese characters
talkback incident TB27375918K (I also created one with Firefox 1.5 on windows but haven't been able to figure out the incident id of that one)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061215 Minefield/3.0a1 Yeah, crashes trunk too: TB27376571Z
Incident ID: 27375918
Stack Signature: JS_GetPrivate() 8193a9f6
Product ID: Firefox2
Build ID: 2006101022
Trigger Time: 2006-12-15 12:45:20.0
Platform: LinuxIntel
Operating System: Linux 2.6.18-gg4
Module: libmozjs.so + (0001751f)
URL visited: http://www.xnchina.net/bbs/listduty.asp?parent1=32
User Comments:
Since Last Crash: 250 sec
Total Uptime: 250 sec
Trigger Reason: SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No.: /builds/tinderbox/Fx-Mozilla1.8-release/Linux_2.4.21-27.0.4.EL_Depend/mozilla/js/src/jsapi.c, line 2359

Stack Trace:
JS_GetPrivate() [mozilla/js/src/jsapi.c, line 2359]
js_Interpret() [mozilla/js/src/jsinterp.c, line 4980]
js_Execute() [mozilla/js/src/jsinterp.c, line 1622]
JS_EvaluateUCScriptForPrincipals() [mozilla/js/src/jsapi.c, line 4365]
nsJSContext::EvaluateString() [mozilla/dom/src/base/nsJSEnvironment.cpp, line 146]
nsScriptLoader::EvaluateScript() [mozilla/content/base/src/nsScriptLoader.cpp, line 848]
nsScriptLoader::ProcessRequest() [mozilla/content/base/src/nsScriptLoader.cpp, line 674]
nsScriptLoader::OnStreamComplete() [mozilla/content/base/src/nsScriptLoader.cpp, line 1040]
nsStreamLoader::OnStopRequest() [mozilla/netwerk/base/src/nsStreamLoader.cpp, line 712]
nsStreamListenerTee::OnStopRequest() [mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66]
nsHttpChannel::OnStopRequest() [mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 1149]
nsInputStreamPump::OnStateStop() [mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 1149]
nsInputStreamPump::OnInputStreamReady() [mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 400]
nsInputStreamReadyEvent::EventHandler()
PL_HandleEvent() [mozilla/xpcom/threads/plevent.c, line 689]
PL_ProcessPendingEvents() [mozilla/xpcom/threads/plevent.c, line 623]
nsEventQueueImpl::ProcessPendingEvents() [mozilla/xpcom/threads/nsEventQueue.cpp, line 421]
event_processor_callback() [mozilla/widget/src/gtk2/nsAppShell.cpp, line 67]
libglib-2.0.so.0 + 0x4a52c (0x4d74852c)
libglib-2.0.so.0 + 0x238d6 (0x4d7218d6)
libglib-2.0.so.0 + 0x26996 (0x4d724996)
libglib-2.0.so.0 + 0x26cb8 (0x4d724cb8)
libgtk-x11-2.0.so.0 + 0x11e765 (0x4db67765)
nsAppShell::Run() [mozilla/widget/src/gtk2/nsAppShell.cpp, line 141]
nsAppStartup::Run() [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
XRE_main() [mozilla/toolkit/xre/nsAppRunner.cpp, line 2440]
main() [mozilla/browser/app/nsBrowserApp.cpp, line 62]
libc.so.6 + 0x14ea2 (0x4d3a3ea2)

Regression range 1.8b2_2005042206 - 1.8b2_2005042306: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2005-04-22+05%3A00&maxdate=2005-04-23+07%3A00
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Hardware: PC → All
Summary: huge javascript crashes firefox → huge javascript crashes firefox [@ JS_GetPrivate()]
Version: unspecified → Trunk
Severity: normal → critical
Attached patch: fix
JSOP_DEFFUN should rely on the BEGIN_LITOPX_CASE's atom index magic.
Attachment #248807 - Flags: review?
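The patch comment above is the only technical description of the fault on this page: JSOP_DEFFUN was not taking its atom index from the BEGIN_LITOPX_CASE prefix handling. The script below is an added example, not one of the bug's attachments and not code from the Mozilla tree. It assumes (my reading of 1.8-era SpiderMonkey, not stated on this page) that a bytecode atom index was 16 bits wide and that JSOP_LITOPX was the prefix used for indexes at or above 2^16; under that assumption it builds a script of the shape that needs the extended index for a function declared after more than 65536 distinct atoms. The names ATOM_INDEX_LIMIT, buildHugeScript, runHugeScript and probe are mine. On a current engine it simply runs; its value is in showing what "huge javascript" meant for this bug.

```javascript
// Added example (not from this bug's attachments or the Mozilla tree).
// Assumption: the 1.8-era SpiderMonkey bytecode held an atom index in
// 16 bits and used the JSOP_LITOPX prefix for indexes >= 2^16, so a
// function declared after that many distinct atoms is the shape of
// script that exercises the JSOP_DEFFUN path the patch changes.
const ATOM_INDEX_LIMIT = 1 << 16; // assumed 16-bit atom index limit

// Build a script with `count` distinct string literals (each literal is
// atomized, so each one occupies an atom-map slot), followed by a
// function declaration whose own atom index then lies past the limit.
// String literals in an array are used rather than `var` declarations
// so the generated function needs no large local-variable frame.
function buildHugeScript(count) {
  const literals = new Array(count);
  for (let i = 0; i < count; i++) literals[i] = JSON.stringify('lit' + i);
  return 'var words = [' + literals.join(',') + '];\n' +
         'function probe() { return words.length; }\n' +
         'return probe();';
}

// Compile and run the generated script in its own function scope.
// new Function is a runtime eval; it is used here only to feed the
// engine a generated test script, never with untrusted input.
function runHugeScript(count) {
  return new Function(buildHugeScript(count))();
}

// Stand-alone run: a fixed engine returns the literal count from probe().
if (typeof require !== 'undefined' && require.main === module) {
  console.log(runHugeScript(ATOM_INDEX_LIMIT + 1000));
}
```

The count is deliberately a little past the assumed limit rather than exactly at it, since the engine also atomizes the identifiers `words` and `probe` and the script's other names; what matters is that the declaration of `probe` is emitted after the atom map has grown past 2^16 entries.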
Blocks: 155081
Keywords: crash
Crashed with TB27394748G. Attaching a copy of the crashing page just in case they change something before we try to verify the patch. Doesn't crash with JavaScript turned off; there's something it doesn't like in the 2Mb place.js file. (Sorry for the proprietary 7-zip format, tar-bz2 didn't get it small enough to attach.)
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
Attached file testcase
A little bit smaller and crashes just as nicely ;-)
Thanks! I didn't have time to reduce it last night and wanted to make sure it got captured in case it disappeared. The two testcases crash with different stacks for me, but the patch fixes both.
Assignee: general → shutdown
Attachment #248807 - Flags: review? → review?(brendan)
Comment on attachment 248807 (fix): Ugh, I thought this was fixed already. Thanks for fixing. Please get it into the trunk ASAP. Nominating for branches. /be
Attachment #248807 - Flags: review?(brendan)
Attachment #248807 - Flags: review+
Attachment #248807 - Flags: approval1.8.1.2?
Attachment #248807 - Flags: approval1.8.0.10?
Fix landed on trunk:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.308; previous revision: 3.307
done
Thanks, shutdown. /be
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 248807 (fix): approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #248807 - Flags: approval1.8.1.2?
Attachment #248807 - Flags: approval1.8.1.2+
Attachment #248807 - Flags: approval1.8.0.10?
Attachment #248807 - Flags: approval1.8.0.10+
1.8: new revision: 3.181.2.78; previous revision: 3.181.2.77 1.8.0: new revision: 3.181.2.17.2.23; previous revision: 3.181.2.17.2.22 /be
Verified fixed for 1.8.1.2 and 1.8.0.10 with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.10pre) Gecko/20070104 Firefox/1.5.0.10pre and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.2pre) Gecko/2007010303 BonEcho/2.0.0.2pre on Windows XP x64 and Fedora FC6
Status: RESOLVED → VERIFIED
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-363988.js,v <-- regress-363988.js initial revision: 1.1
Flags: in-testsuite+
Crash Signature: [@ JS_GetPrivate()]