Closing a "heavy" page (lots of iframes and script) with Firebug installed can crash [@ jsds_NotifyPendingDeadScripts]

RESOLVED WORKSFORME

Status

()

Core
JavaScript Engine
P3
critical
RESOLVED WORKSFORME
10 years ago
2 years ago

People

(Reporter: Kevin Johnston, Assigned: Igor Bukanov)

Tracking

({crash, topcrash})

1.8 Branch
crash, topcrash
Points:
---
Bug Flags:
blocking1.8.1.13 -
wanted1.8.1.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?][needs patch] 1.8-branch, crash signature)

Attachments

(3 attachments)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070509 SeaMonkey/1.1.2
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

When replacing a heavyweight page with about:blank Firebug will enumerate script objects from the old page that go stale (bad pointers) during the enumeration process.  This crashes Firefox on both Mac and Windows.  Heavyweight means the page has lots of iframes and script objects.


Reproducible: Sometimes

Steps to Reproduce:
1. Load a page with lots of iframes and script objects (test case will be submitted shortly)
2. Either,
2a. Close all other tabs, then press the close button for the "heavy" page (which will navigate the sole tab to about:blank)
2b. Enter "about:blank" in the location field to replace the page

Actual Results:  
On my MacBook Pro (mid-2007 vintage with 1MB RAM) this will usually, though not always crash Firefox with a bad address access exception.  On my PC with 1.67Mhz processor and 1MB RAM it will pretty consistently crash.  I have sent the test case to a half dozen other users inside my company and they can all reproduce it.  I marked it has happens sometimes because it is not 100%, however on some systems it close to 100%.


Expected Results:  
No crash, just a blank page.

I built FF 2.0.0.7 Mac locally and traced some of what's happening with XCode.  This is an ad hoc analysis (I'm not a Firefox expert), not a thorough one.  I was debugging a problem with crash-on-close of Yahoo Mail.  The crash does not happen consistently with Yahoo Mail (Beta) because the page is not as heavy as the test case, but in the right configuration of features, hardware, etc. individual users can see it frequently.

Once I traced a few times through the crash, I noticed that:

1. Firebug was responding to onStateChange, I believe for the new incoming document (URL was "about:blank")
2. in response to this, it calls back into Firefox with jsdService::EnumerateScripts
3. the items being enumerated include script objects from the page being destroyed (I was seeing Yahoo Mail script objects go by in the enumerator)
4. some time during the iteration one of the script objects goes stale with bad pointers

Based on mostly a gut feeling I suspected that the weight of the page was causing the page tear-down process inside Firefox to overlap with the page-attach process inside Firebug.  (This is still just a guess, again I'm not an expert on this.)  So I constructed a test case with 20 iframes (each of which contains a non-trivial document) and hundreds of script functions.  When this document is navigated to "about:blank" with Firebug installed, it crashes pretty regularly.  I'll be attaching this and some stack traces shortly.
(Reporter)

Comment 1

10 years ago
Created attachment 282780 [details]
Crash log from the upcoming test case - taken from firefox-bin.crash.log
(Reporter)

Comment 2

10 years ago
Created attachment 282782 [details]
Stack trace from XCode while trapping exceptions for the upcoming test case

Obtained while running on a local build of Firefox 2.0.0.7 and Firebug 1.05.
(Reporter)

Comment 3

10 years ago
Created attachment 282784 [details]
HTML test case that demonstrates the crash. Includes instructions.

This page exhibits the crash on Firefox 1.5/Firebug 1.05 as well, though I did not examine it as closely.  The crash does not appear to happen with Gran Paradiso alpha 9, based on a few tests.
(Reporter)

Comment 4

10 years ago
I did not find an identical existing bug, but I found a couple similar ones:

bug 351422 - Crash closing Gmail tab (Firebug extension) [@ block_getProperty]
(currently worksforme)

bug 383127 - Crash if follow the link; Crash if close tab; Crash if change to another link (address or search bars)
(currently unconfirmed)

Comment 5

10 years ago
bonecho winxp crashed with firebug but not without. minefield didn't crash without firebug which is incompatible with the trunk. sensitive for now due to the deleted memory. moving to js engine for now.

+		cx	0x035261d8 {links={...} interpLevel=5 stackLimit=718320 ...}	JSContext *
+		hook	{mRawPtr=0x0b38f150 }	nsCOMPtr<jsdIScriptHook>
+		ds	0x075e9348 {links={...} jsdc=0xdddddddd script=0xdddddddd }	DeadScript *


>	jsd3250.dll!jsds_NotifyPendingDeadScripts(JSContext * cx=0x035261d8)  Line 501 + 0xb bytes	C++
 	jsd3250.dll!jsds_GCCallbackProc(JSContext * cx=0x035261d8, JSGCStatus status=JSGC_END)  Line 519 + 0x9 bytes	C++
 	gklayout.dll!DOMGCCallback(JSContext * cx=0x035261d8, JSGCStatus status=JSGC_END)  Line 2269 + 0x17 bytes	C++
 	js3250.dll!js_GC(JSContext * cx=0x035261d8, int gckind=0)  Line 3173 + 0xf bytes	C
 	js3250.dll!JS_GC(JSContext * cx=0x035261d8)  Line 1873 + 0xb bytes	C
 	js3250.dll!JS_MaybeGC(JSContext * cx=0x035261d8)  Line 1945 + 0x9 bytes	C
 	gklayout.dll!nsJSContext::ScriptEvaluated(int aTerminated=0)  Line 2135 + 0xd bytes	C++
 	gklayout.dll!nsJSContext::ScriptExecuted()  Line 2213	C++
 	xpc3250.dll!AutoScriptEvaluate::~AutoScriptEvaluate()  Line 107	C++
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x0b15a998, unsigned short methodIndex=3, const nsXPTMethodInfo * info=0x033f75e0, nsXPTCMiniVariant * nativeParams=0x001289ac)  Line 1702 + 0x2f bytes	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const nsXPTMethodInfo * info=0x033f75e0, nsXPTCMiniVariant * params=0x001289ac)  Line 468	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x0b15a998, unsigned int methodIndex=3, unsigned int * args=0x00128a5c, unsigned int * stackBytesToPop=0x00128a4c)  Line 117 + 0x1f bytes	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	jsd3250.dll!jsdService::EnumerateScripts(jsdIScriptEnumerator * enumerator=0x0b15a998)  Line 2685 + 0x15 bytes	C++
Assignee: nobody → general
Group: security
Status: UNCONFIRMED → NEW
Component: Extension Compatibility → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: extension.compatibility → general
Version: unspecified → 1.8 Branch

Comment 6

10 years ago
Igor, could you please take a look at this?
(Assignee)

Comment 7

10 years ago
The bug looks like a GC hazard, i will look at it.
Assignee: general → igor
This is nr 14 in the list of topcrashers for FF2007.
Flags: blocking1.8.1.9?
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Keywords: topcrash
Whiteboard: [sg:critical?]
See also bug 282660, another crash @ jsds_NotifyPendingDeadScripts when using Firebug.
Keywords: crash
Summary: Closing a "heavy" page (lots of iframes and script) with Firebug installed can crash Firefox → Closing a "heavy" page (lots of iframes and script) with Firebug installed can crash [@ jsds_NotifyPendingDeadScripts]
Flags: wanted1.8.1.x+
Whiteboard: [sg:critical?] → [sg:critical?] 1.8-branch
Guess we're not getting this one
Flags: blocking1.8.1.12+ → blocking1.8.1.13+
Priority: -- → P3
Whiteboard: [sg:critical?] 1.8-branch → [sg:critical?][needs patch] 1.8-branch
(In reply to comment #10)
> Guess we're not getting this one

Ditto.

Igor, did your looking turn up anything?
Flags: blocking1.8.1.14+
Flags: blocking1.8.1.13-
Flags: blocking1.8.1.13+
(Assignee)

Comment 12

10 years ago
(In reply to comment #11)
> Igor, did your looking turn up anything?

No.

(Assignee)

Updated

10 years ago
Depends on: 422137

Comment 13

10 years ago
I think the dependency on bug 422137 is bogus.
This WFM with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/2008060203 BonEcho/2.0.0.15pre and Firebug 1.05. This seems to have been fixed or masked by something else.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → WORKSFORME
possibly fixed by bug 282660
Depends on: 282660
No longer depends on: 422137
Keywords: fixed1.8.1.15
Flags: blocking1.8.1.15+
Keywords: fixed1.8.1.15
Crash Signature: [@ jsds_NotifyPendingDeadScripts]

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.