Closed Bug 424609 Opened 16 years ago Closed 16 years ago

Crash due to max recursion [@ JS_GetReservedSlot] [@ MarkSharpObjects]

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking


VERIFIED DUPLICATE of bug 419661

People

(Reporter: whimboo, Unassigned)

References


Details

(Keywords: crash)

Crash Data

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5pre) Gecko/2008031804 Minefield/3.0b5pre ID:2008031923

Firefox crashed after a hang of about 1 minute with the following stack:
bp-ecfb38cf-f878-11dc-ae08-001a4bd46e84

Steps to reproduce:
1. Open the given website: http://www.lexus.com/models/GSh/
2. Quickly click on "Photo Gallery" while the page is loading
=> Hang and crash (perhaps doesn't occur each time)


Running my debug build and stopping it in the meantime also shows a stack with thousands of frames in MarkSharpObjects. Here are the first 20 frames:

#0  0x010cbc1a in js_InitTokenStream (cx=0x2949210, ts=0xbffd1cf0, base=0x479abb40, length=94, fp=0x0, filename=0x3582ad64 "XPCSafeJSObjectWrapper.cpp", lineno=445) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsscan.c:233
#1  0x010ac6be in js_InitParseContext (cx=0x2949210, pc=0xbffd1cf0, principals=0x39e52e74, base=0x479abb40, length=94, fp=0x0, filename=0x3582ad64 "XPCSafeJSObjectWrapper.cpp", lineno=445) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsparse.c:164
#2  0x010ae310 in js_CompileFunctionBody (cx=0x2949210, fun=0x40d29768, principals=0x39e52e74, chars=0x479abb40, length=94, filename=0x3582ad64 "XPCSafeJSObjectWrapper.cpp", lineno=445) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsparse.c:903
#3  0x0101f0f8 in JS_CompileUCFunctionForPrincipals (cx=0x2949210, obj=0x38d7b1c0, principals=0x39e52e74, name=0x0, nargs=0, argnames=0x0, chars=0x479abb40, length=94, filename=0x3582ad64 "XPCSafeJSObjectWrapper.cpp", lineno=445) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsapi.c:4759
#4  0x0101edfc in JS_CompileFunctionForPrincipals (cx=0x2949210, obj=0x38d7b1c0, principals=0x39e52e74, name=0x0, nargs=0, argnames=0x0, bytes=0x3582ae84 "if (arguments.length == 1) return this[arguments[0]];return this[arguments[0]] = arguments[1];", length=94, filename=0x3582ad64 "XPCSafeJSObjectWrapper.cpp", lineno=445) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsapi.c:4699
#5  0x35813797 in GetScriptedFunction (cx=0x2949210, obj=0x3e7433e0, unsafeObj=0x3b1b61e0, slotIndex=1, funScript=@0xbffd1f8c, scriptedFunVal=0xbffd1f88) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp:445
#6  0x3581484d in XPC_SJOW_GetOrSetProperty (cx=0x2949210, obj=0x3e7433e0, id=986641212, vp=0xbffd2124, aIsSet=0) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp:570
#7  0x3581494e in XPC_SJOW_GetProperty (cx=0x2949210, obj=0x3e7433e0, id=986641212, vp=0xbffd2124) at /Users/henrik/Projects/mozilla/source/mozilla/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp:594
#8  0x01094668 in js_NativeGet (cx=0x2949210, obj=0x3e7433e0, pobj=0x3e7433e0, sprop=0x3e9aa270, vp=0xbffd2124) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:3529
#9  0x01095443 in js_GetPropertyHelper (cx=0x2949210, obj=0x3e7433e0, id=986641212, vp=0xbffd2124, entryp=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:3679
#10 0x010954f0 in js_GetProperty (cx=0x2949210, obj=0x3e7433e0, id=986641212, vp=0xbffd2124) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:3693
#11 0x0108bc81 in MarkSharpObjects (cx=0x2949210, obj=0x3e7433e0, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:401
#12 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e73e4c0, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410
#13 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e737660, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410
#14 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e7307a0, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410
#15 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e722820, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410
#16 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e71b880, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410
#17 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e7149e0, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410
#18 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e705ac0, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410
#19 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e4f7aa0, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410
#20 0x0108bce8 in MarkSharpObjects (cx=0x2949210, obj=0x3e430b80, idap=0x0) at /Users/Shared/Projects/mozilla/source/mozilla/js/src/jsobj.c:410

Source:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jsobj.c&rev=3.455&mark=410-414&#404

Brendan and Blake, do you need any further information I have to fetch from gdb?
Flags: blocking1.9?
Ideally, you'll do what vlad did with some advice from me, in bug 419661 (I hope this is not a dup -- it could be). See also bug 423443.

/be
This may well be a dup -- the tail end of the call stack is

1108  js_EnterSharpObject  mozilla/js/src/jsobj.c:467
1109  obj_toSource         mozilla/js/src/jsobj.c:636
1110  js_Interpret         mozilla/js/src/jsinterp.c:4819
1111  js_Invoke            mozilla/js/src/jsinvoke.c:1303
1112  nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*)

... so toSource again :(
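The toSource recursion discussed in this bug, as an added JavaScript example that is not Mozilla code: a sharp-object marking pass (the job MarkSharpObjects does before toSource emits #n= / #n# references) written first recursively and then iteratively with a depth cap, showing that a deep or cyclic object graph overflows the native stack in the first form and is reported as a bounded result in the second. The function names, the depth cap and the constructed chain input are assumptions.

```javascript
// Added example (not Mozilla code): sharp-object marking as done for toSource,
// recursive vs. iterative. Objects reached more than once (shared or cyclic) are
// the "sharp" objects that need a #n= label; the walk itself must survive deep graphs.

// Recursive walk: each nested object costs one native stack frame, which is the
// shape of the thousands of MarkSharpObjects frames in the report above.
function markSharpRecursive(obj, seen = new Map()) {
  const count = (seen.get(obj) || 0) + 1;
  seen.set(obj, count);
  if (count > 1) return seen;           // already visited: a sharp object
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (v !== null && typeof v === "object") markSharpRecursive(v, seen);
  }
  return seen;
}

// Iterative walk: explicit work stack, so native stack use stays constant, plus a
// depth cap (assumed value) that turns a pathological graph into an error result.
function markSharpIterative(root, maxDepth = 1e6) {
  const seen = new Map();   // object -> visit count
  const sharp = new Map();  // object -> sharp id (#n)
  const work = [[root, 0]];
  let deepest = 0;
  while (work.length) {
    const [obj, depth] = work.pop();
    if (depth > maxDepth) return { ok: false, reason: "depth cap exceeded", deepest };
    deepest = Math.max(deepest, depth);
    const count = (seen.get(obj) || 0) + 1;
    seen.set(obj, count);
    if (count > 1) { if (!sharp.has(obj)) sharp.set(obj, sharp.size + 1); continue; }
    for (const key of Object.keys(obj)) {
      const v = obj[key];
      if (v !== null && typeof v === "object") work.push([v, depth + 1]);
    }
  }
  return { ok: true, sharpCount: sharp.size, deepest };
}

// Constructed input: a linked chain {next: {next: ...}} n levels deep.
function makeChain(n) {
  let head = {};
  for (let i = 0; i < n; i++) head = { next: head };
  return head;
}

// True when the recursive walk dies with a stack overflow (RangeError in V8).
function recursiveOverflows(n) {
  try { markSharpRecursive(makeChain(n)); return false; }
  catch (e) { return e instanceof RangeError; }
}
```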
Yes, looks like it. Calling DumpJSStack() gives the following output:

(gdb) p DumpJSStack()
0 [native frame]
1 sss_saveState(aUpdateAll = undefined) ["file:///Users/Shared/Projects/mozilla/source/obj/browser-i386-apple-darwin8.11.1/dist/MinefieldDebug.app/Contents/MacOS/components/nsSessionStore.js":1896]
    oState = [object Object]
    this = [object Object]
2 sss_observe(aData = null, aTopic = "timer-callback", aSubject = [xpconnect wrapped nsITimer @ 0x3bc25d60 (native @ 0x3bc263e0)]) ["file:///Users/Shared/Projects/mozilla/source/obj/browser-i386-apple-darwin8.11.1/dist/MinefieldDebug.app/Contents/MacOS/components/nsSessionStore.js":360]
    ix = undefined
    win = undefined
    _this = [object Object]
    this = [object Object]
$1 = void
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Crash Signature: [@ JS_GetReservedSlot] [@ MarkSharpObjects]