Closed
Bug 397959
Opened 17 years ago
Closed 17 years ago
Closing a "heavy" page (lots of iframes and script) with Firebug installed can crash [@ jsds_NotifyPendingDeadScripts]
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: kevykev, Assigned: igor)
References
Details
(Keywords: crash, topcrash, Whiteboard: [sg:critical?][needs patch] 1.8-branch)
Crash Data
Attachments
(3 files)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070509 SeaMonkey/1.1.2
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
When replacing a heavyweight page with about:blank Firebug will enumerate script objects from the old page that go stale (bad pointers) during the enumeration process. This crashes Firefox on both Mac and Windows. Heavyweight means the page has lots of iframes and script objects.
Reproducible: Sometimes
Steps to Reproduce:
1. Load a page with lots of iframes and script objects (test case will be submitted shortly)
2. Either,
2a. Close all other tabs, then press the close button for the "heavy" page (which will navigate the sole tab to about:blank)
2b. Enter "about:blank" in the location field to replace the page
Actual Results:
On my MacBook Pro (mid-2007 vintage with 1MB RAM) this will usually, though not always crash Firefox with a bad address access exception. On my PC with 1.67Mhz processor and 1MB RAM it will pretty consistently crash. I have sent the test case to a half dozen other users inside my company and they can all reproduce it. I marked it has happens sometimes because it is not 100%, however on some systems it close to 100%.
Expected Results:
No crash, just a blank page.
I built FF 2.0.0.7 Mac locally and traced some of what's happening with XCode. This is an ad hoc analysis (I'm not a Firefox expert), not a thorough one. I was debugging a problem with crash-on-close of Yahoo Mail. The crash does not happen consistently with Yahoo Mail (Beta) because the page is not as heavy as the test case, but in the right configuration of features, hardware, etc. individual users can see it frequently.
Once I traced a few times through the crash, I noticed that:
1. Firebug was responding to onStateChange, I believe for the new incoming document (URL was "about:blank")
2. in response to this, it calls back into Firefox with jsdService::EnumerateScripts
3. the items being enumerated include script objects from the page being destroyed (I was seeing Yahoo Mail script objects go by in the enumerator)
4. some time during the iteration one of the script objects goes stale with bad pointers
Based on mostly a gut feeling I suspected that the weight of the page was causing the page tear-down process inside Firefox to overlap with the page-attach process inside Firebug. (This is still just a guess, again I'm not an expert on this.) So I constructed a test case with 20 iframes (each of which contains a non-trivial document) and hundreds of script functions. When this document is navigated to "about:blank" with Firebug installed, it crashes pretty regularly. I'll be attaching this and some stack traces shortly.
Reporter | ||
Comment 1•17 years ago
|
||
Reporter | ||
Comment 2•17 years ago
|
||
Obtained while running on a local build of Firefox 2.0.0.7 and Firebug 1.05.
Reporter | ||
Comment 3•17 years ago
|
||
This page exhibits the crash on Firefox 1.5/Firebug 1.05 as well, though I did not examine it as closely. The crash does not appear to happen with Gran Paradiso alpha 9, based on a few tests.
Reporter | ||
Comment 4•17 years ago
|
||
I did not find an identical existing bug, but I found a couple similar ones:
bug 351422 - Crash closing Gmail tab (Firebug extension) [@ block_getProperty]
(currently worksforme)
bug 383127 - Crash if follow the link; Crash if close tab; Crash if change to another link (address or search bars)
(currently unconfirmed)
Comment 5•17 years ago
|
||
bonecho winxp crashed with firebug but not without. minefield didn't crash without firebug which is incompatible with the trunk. sensitive for now due to the deleted memory. moving to js engine for now.
+ cx 0x035261d8 {links={...} interpLevel=5 stackLimit=718320 ...} JSContext *
+ hook {mRawPtr=0x0b38f150 } nsCOMPtr<jsdIScriptHook>
+ ds 0x075e9348 {links={...} jsdc=0xdddddddd script=0xdddddddd } DeadScript *
> jsd3250.dll!jsds_NotifyPendingDeadScripts(JSContext * cx=0x035261d8) Line 501 + 0xb bytes C++
jsd3250.dll!jsds_GCCallbackProc(JSContext * cx=0x035261d8, JSGCStatus status=JSGC_END) Line 519 + 0x9 bytes C++
gklayout.dll!DOMGCCallback(JSContext * cx=0x035261d8, JSGCStatus status=JSGC_END) Line 2269 + 0x17 bytes C++
js3250.dll!js_GC(JSContext * cx=0x035261d8, int gckind=0) Line 3173 + 0xf bytes C
js3250.dll!JS_GC(JSContext * cx=0x035261d8) Line 1873 + 0xb bytes C
js3250.dll!JS_MaybeGC(JSContext * cx=0x035261d8) Line 1945 + 0x9 bytes C
gklayout.dll!nsJSContext::ScriptEvaluated(int aTerminated=0) Line 2135 + 0xd bytes C++
gklayout.dll!nsJSContext::ScriptExecuted() Line 2213 C++
xpc3250.dll!AutoScriptEvaluate::~AutoScriptEvaluate() Line 107 C++
xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x0b15a998, unsigned short methodIndex=3, const nsXPTMethodInfo * info=0x033f75e0, nsXPTCMiniVariant * nativeParams=0x001289ac) Line 1702 + 0x2f bytes C++
xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const nsXPTMethodInfo * info=0x033f75e0, nsXPTCMiniVariant * params=0x001289ac) Line 468 C++
xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x0b15a998, unsigned int methodIndex=3, unsigned int * args=0x00128a5c, unsigned int * stackBytesToPop=0x00128a4c) Line 117 + 0x1f bytes C++
xpcom_core.dll!SharedStub() Line 147 C++
jsd3250.dll!jsdService::EnumerateScripts(jsdIScriptEnumerator * enumerator=0x0b15a998) Line 2685 + 0x15 bytes C++
Assignee: nobody → general
Group: security
Status: UNCONFIRMED → NEW
Component: Extension Compatibility → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: extension.compatibility → general
Version: unspecified → 1.8 Branch
Comment 6•17 years ago
|
||
Igor, could you please take a look at this?
Assignee | ||
Comment 7•17 years ago
|
||
The bug looks like a GC hazard, i will look at it.
Assignee: general → igor
Comment 8•17 years ago
|
||
This is nr 14 in the list of topcrashers for FF2007.
Flags: blocking1.8.1.9?
Updated•17 years ago
|
Comment 9•17 years ago
|
||
See also bug 282660, another crash @ jsds_NotifyPendingDeadScripts when using Firebug.
Keywords: crash
Summary: Closing a "heavy" page (lots of iframes and script) with Firebug installed can crash Firefox → Closing a "heavy" page (lots of iframes and script) with Firebug installed can crash [@ jsds_NotifyPendingDeadScripts]
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Updated•17 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?] 1.8-branch
Comment 10•17 years ago
|
||
Guess we're not getting this one
Flags: blocking1.8.1.12+ → blocking1.8.1.13+
Priority: -- → P3
Updated•17 years ago
|
Whiteboard: [sg:critical?] 1.8-branch → [sg:critical?][needs patch] 1.8-branch
Comment 11•17 years ago
|
||
(In reply to comment #10)
> Guess we're not getting this one
Ditto.
Igor, did your looking turn up anything?
Flags: blocking1.8.1.14+
Flags: blocking1.8.1.13-
Flags: blocking1.8.1.13+
Assignee | ||
Comment 12•17 years ago
|
||
(In reply to comment #11)
> Igor, did your looking turn up anything?
No.
Comment 13•17 years ago
|
||
I think the dependency on bug 422137 is bogus.
Comment 14•17 years ago
|
||
This WFM with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/2008060203 BonEcho/2.0.0.15pre and Firebug 1.05. This seems to have been fixed or masked by something else.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Updated•17 years ago
|
Flags: blocking1.8.1.15+
Keywords: fixed1.8.1.15
Updated•14 years ago
|
Crash Signature: [@ jsds_NotifyPendingDeadScripts]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•