Closed
Bug 434673
Opened 16 years ago
Closed 16 years ago
Using a webmail client with LinkedIn's toolbar extension causes RC1 to crash [@ xpc_CloneJSFunction - XPCWrapper::GetOrSetNativeProperty]
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
VERIFIED
FIXED
People
(Reporter: mr_wgee, Unassigned)
References
()
Details
(Keywords: crash, Whiteboard: [RC2?])
Crash Data
Attachments
(6 files, 1 obsolete file)
107.78 KB,
image/pjpeg
|
Details | |
155.39 KB,
image/pjpeg
|
Details | |
3.25 KB,
application/x-zip-compressed
|
Details | |
7.49 KB,
text/plain
|
Details | |
837 bytes,
text/plain
|
Details | |
2.62 KB,
patch
|
brendan
:
review+
brendan
:
superreview+
shaver
:
approval1.9+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MSN Optimized;US) Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9) Gecko/2008051202 Firefox/3.0 RC1 crashes when using the AJAX version of Yahoo webmail with the LinkedIn toolbar installed. Reproducible: Always Steps to Reproduce: 1. Install the pre-release version of the LinkedIn toolbar (I will try to attach it to this bug report) 2. Open up a Yahoo Inbox using the AJAX (non-classic) version Actual Results: RC1 crashes Expected Results: Yahoo (AJAX) Inbox shows up Also crashes WinXP version of RC1, but not always. Crash IDs: a07afd0c-261c-11dd-a477-0013211cbf8a (Max) 3ded0db3-261d-11dd-b6fa-001cc45a2ce4 (WinXP) This bug is similar to bug #428418 reported earlier this year except that bug crashed beta5 when using any webmail.
Reporter | ||
Comment 1•16 years ago
|
||
Signature @0x1557bff5 UUID a07afd0c-261c-11dd-a477-0013211cbf8a Time 2008-05-19 20:26:11-07:00 Uptime 13950 Product Firefox Version 3.0 Build ID 2008051202 OS Mac OS X OS Version 10.5.2 9C7010 CPU x86 CPU Info GenuineIntel family 6 model 7 stepping 6 Crash Reason EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE Crash Address 0x1557bff5 Comments Crashing Thread Frame Module Signature Source 0 @0x1557bff5 1 XUL xpc_CloneJSFunction mozilla/js/src/xpconnect/src/xpcwrappednativeinfo.cpp:76 2 XUL XPCWrapper::GetOrSetNativeProperty mozilla/js/src/xpconnect/src/XPCWrapper.cpp:1399 3 XUL XPC_NW_GetOrSetProperty mozilla/js/src/xpconnect/src/XPCNativeWrapper.cpp:528 4 libmozjs.dylib js_NativeGet mozilla/js/src/jsobj.c:3561 5 libmozjs.dylib js_Interpret mozilla/js/src/jsinterp.c:4160 6 libmozjs.dylib js_Invoke mozilla/js/src/jsinvoke.c:1312 7 XUL nsXPCWrappedJSClass::CallMethod mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1523 8 XUL nsXPCWrappedJS::CallMethod mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:559 9 XUL PrepareAndDispatch mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 10 XUL nsXPTCStubBase::Stub3 mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:1 11 XUL nsEventListenerManager::HandleEventSubType mozilla/content/events/src/nsEventListenerManager.cpp:1080
Component: Extension Compatibility → XPConnect
Keywords: crash
Product: Firefox → Core
QA Contact: extension.compatibility → xpconnect
Summary: Using a webmail client with LinkedIn's toolbar extension causes RC1 to crash → Using a webmail client with LinkedIn's toolbar extension causes RC1 to crash [@ xpc_CloneJSFunction - XPCWrapper::GetOrSetNativeProperty]
Whiteboard: DUPEME
Version: unspecified → Trunk
Reporter | ||
Comment 3•16 years ago
|
||
Reporter | ||
Comment 4•16 years ago
|
||
Reporter | ||
Comment 5•16 years ago
|
||
This bug also crashes RC1 with the AOL webmail client. The attached XPI does not crash FF2.0.0.14. Screen shots attached to show what pages I was trying to reach when the crashes occur.
Comment 6•16 years ago
|
||
Warren a reduced testcase (e.g. a block of javascript/c++ code), a set of crash reports, and a nightly build at which this stopped working would be most helpful in understanding the issue.
Comment 7•16 years ago
|
||
note that i'm not able to install this pre-release for testing because: Signing could not be verified. -260 Signature Verification Error: the signature on this .jar archive is invalid because the certificate used to sign this file has an unrecognized issuer.
Reporter | ||
Comment 8•16 years ago
|
||
Yeah, I forgot that the XPI was signed with developer certs. Sorry. I will put together a reduced test case, create some crash reports and check the nightlies.
Reporter | ||
Comment 9•16 years ago
|
||
I've been testing with the AOL webmail on Windows because it seems to be less stable than Yahoo webmail. The first nightly that failed is 2008-01-21-04. I've narrowed it down to a block of code, not sure if this is the direct or indirect cause of the crash: var urltype = ""; for (var i = 0; i < searchREs.length; i += 2) { var regexp = searchREs[i]; if (regexp.test(url)) { urltype = "site=" + searchREs[i + 1] + "&page=search"; break; } } searchREs contains alternating sequences of regexp patterns and strings. If this code block executes then FF will crash eventually. FF seems to run fine if you insert a 'return' at the top of the block. I'll do some more digging tomorrow.
Reporter | ||
Comment 10•16 years ago
|
||
Unzip and install into your extension folder under the name "{e2337727-f9c9-411b-929e-287584341d1a}"
Attachment #321713 -
Attachment is obsolete: true
Reporter | ||
Comment 11•16 years ago
|
||
We noticed that there's an easier way to reproduce this bug by visiting the home page of the Canadian Monster site. Reproducible: about 50% of the time on WinXP Steps to Reproduce: 1. Install FF3RC1 2. Install the attachment {e2337727-f9c9-411b-929e-287584341d1a}.zip by unzipping it into your extensions folder 3. Start FF 4. Visit "monster.ca" Actual Results: RC1 crashes Expected Results: Home page of Canadian Monster comes up. Crash IDs: c82cebc0-289d-11dd-8fe3-0013211cbf8a a5d8b0cc-289d-11dd-bae7-0013211cbf8a 750b8487-289d-11dd-a6df-0013211cbf8a Crashes Nightly Build: 2008-01-21-04-trunk, crash IDs: abecef91-28a1-11dd-bfb5-001cc45a2ce4 85b0a423-28a1-11dd-a325-001321b13766 Does NOT crash: 2008-01-20-04-trunk (I tried more than 10 times)
Comment 12•16 years ago
|
||
Warren that additional information is very useful there are a number of changes in that range that could be useful: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=mozilla%2Fjs&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-20+00%3A00%3A00&maxdate=2008-01-21+00%3A00%3A00&cvsroot=%2Fcvsroot Peter, JST, or Igor you have any thoughts?
Comment 13•16 years ago
|
||
Is there more to reproducing this than installing the extension? I did that, and it did install, but no crash. Tested on both Vista and Linux :( I also loaded monster.ca on both systems and saw no crash :(
Reporter | ||
Comment 14•16 years ago
|
||
Mike, thanks for the info. I'll take a peek if I have the time but I'm not used to digging into 2 million + lines of code? Johnny, having the extension installed alone does not cause a crash, it's having it installed AND visiting "monster.ca" that will trigger the crash. I had one of our QA guys try the extension on his machine running VMWare Fusion (MAC). It crashed RC1 on Vista, XP, and Mac. We don't have linux onsite so I don't know what would happen. Vista Ultimate SP1: 023ab730-290b-11dd-9262-0013211cbf8a 4e9c05e3-290a-11dd-96b3-001cc45a2c28 Win XP Pro SP2: 683e6707-290f-11dd-81d5-001cc45a2c28 02dc7526-290f-11dd-aaea-0013211cbf8a Mac OS X (10.5.2) 91868cd7-2911-11dd-bc12-001a4bd46e84 6b459c80-2911-11dd-b113-001cc45a2ce4 Please try: clearing your cache; make sure you have no 3rd party extensions; there's no leftover baggage from an existing profile like bookmarks (clean install of RC1); etc. You might also try setting your home page to the blank page. Restart your browser and enter "monster.ca" into the address bar. If that doesn't work try restarting FF instead of reloading the page. In general, I'd say it crashes about 50% of the time on Windows. Our Mac tests crashed most frequently--7 out of 8 tries.
Comment 15•16 years ago
|
||
I tried that too, several times, even created an account on monster.ca and logged in, still no luck :( Ben said he'd give it a try too...
Reporter | ||
Comment 16•16 years ago
|
||
You just need to land on the home page to trigger the crash. That page has about 18 frames and will cause FF to execute the JS extension code that will directly or indirectly cause the crash.
The optimizer or breakpad really messed up the stack trace that I got from RC1 so I got this trace from my debug build. Of note 'funobj' in frame 2 has been deleted (map has amazingly large refcount, dslots is 0xdadadada).
(In reply to comment #17) > Of note 'funobj' in frame 2 I meant frame 1 :(
Updated•16 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter | ||
Comment 19•16 years ago
|
||
I heard a rumor that FF3 might be officially launched on June 3rd. Since this bug will affect all LinkedIn toolbar users can anybody give me an idea of what is going to happen to this bug (when will it be fixed) and when is the actual release of FF3? We need to know to plan accordingly. Thanks.
We do not have a release date for FF3. It is unlikely that this will be fixed in the 3.0 release unless we get a very small patch, very very soon. Ben: can you get the JS stack at that point, so that LinkedIn can investigate workarounds? Based on the stack, my suspicion is that bug 408301 is involved. jst?
Here's the JS that's dying, in case anyone can work around this bug.
Bug 435502 may be a duplicate of this one.
The stacks make me think that this can't be worked around.
Comment 24•16 years ago
|
||
There's a GC hazard hiding in XPCNativeMember::NewFunctionObject() (which is inline and thus doesn't tend to show up in stacks from optimized builds). Normally when that function is called the member is one that's already resolved and defined on a wrapper or its prototype, and thus won't be collected, but in this case we're manually resolving the member in the XPCWrapper code (XOW/XPCNW/SJOW), and thus it's never seen by the GC, so the GC collects it. In this case we come in to xpc_CloneJSFunction() (from NewFunctionObject()) with a live function object to clone, we clone it but then JS_SetPrototype() GCs and the funobj we cloned can be dead.
Attachment #322704 -
Flags: superreview?(brendan)
Attachment #322704 -
Flags: review?(brendan)
Flags: blocking1.9?
Whiteboard: DUPEME → [RC2?]
Comment 25•16 years ago
|
||
Brendan, even with the debug code in JS_SetPrototype() that does a GC commented out I still see GC happening inside of xpc_CloneFunctionObject(), the GC is coming from JS_CloneFunctionObject(), with this stack: js_GC() js_NewGCThing() js_NewObjectWithGivenProto() js_NewObject() js_CloneFunctionObject() JS_CloneFunctionObject() xpc_CloneJSFunction() XPCNativeMember::NewFunctionObject() I still stand by this patch being correct, the XPCNativeMember itself never actually dies here (until later), it's held alive by the interface it came from (XPCNativeInterface), which comes from the wrapper in question here, and that's all guarded against GC. It's just the value (mValue, and possibly its name) in the member that's dying, everything else is properly guarded against here it seems.
Comment 26•16 years ago
|
||
Comment on attachment 322704 [details] [diff] [review] Fix. Oh, sure -- the allocator itself hitting last ditch. It still seems like xpconnect should protect mVal in a consolidated fashion, but this will do for now. Followup bug on mVal rooting/tracing? /be
Attachment #322704 -
Flags: superreview?(brendan)
Attachment #322704 -
Flags: superreview+
Attachment #322704 -
Flags: review?(brendan)
Attachment #322704 -
Flags: review+
Reporter | ||
Comment 27•16 years ago
|
||
It looks like Johnny is confident that he's checked in a fix for this bug. I'll test the nightly tomorrow morning (Wed) and see if it's stable with our extension. Since the release builds are pulled off the nightlies is it safe to assume that the fix will go out when the next release of FF is pulled? My workaround for now is to lose some functionality (in exchange for a stable browser) by commenting out the offending code in our extension. That doesn't seem to be enough. Our tests with the workaround indicate the FF is a lot more stable but will still cause non-repeatable (non-reproducible) crashes in Gmail. I am beginning to suspect that the bug involves doing RegExp() calls. Does this sound reasonable? I'm having trouble following this thread because I'm not heavy into the FF source code. At this point in time I'm trying to determine if there's a core issue (no workaround) or a second bug that affects only Gmail. Let me know if there's anything else I can do to help.
This patch hasn't been committed yet, but it should be shortly I hope. It also fixes vlad's mystery crashes from bug 435502.
Comment on attachment 322704 [details] [diff] [review] Fix. a=shaver, please land on CVS trunk with all due haste. Thanks a ton!
Attachment #322704 -
Flags: approval1.9+
Comment 30•16 years ago
|
||
Fix checked in. This *should* be included in Wednesday's nightly builds now. What's likely to trigger this is if a page does a lot of JS allocation heavy work (I'd imagine heavy regexp usage could be enough) *and* there's code involved that makes *function calls* from chrome into content (property access shouldn't be enough), or calls through a cross origin wrapper (i.e. cross window/frame communication). The key here is that a JS garbage collection has to happen while the XPCWrapper code is cloning a function object.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 36•16 years ago
|
||
is bug 401097 another instance or is this bug limited to trunk?
OS: Mac OS X → All
Hardware: Macintosh → All
Comment 37•16 years ago
|
||
Warren this fix will be included in Firefox 3 RC2 and thus FF3 final. Thank you very much for your help here - much appreciate.
Updated•16 years ago
|
Flags: blocking1.9? → blocking1.9+
Reporter | ||
Comment 38•16 years ago
|
||
Mike, no problem. Thanks to you and your team for staying on top of this and getting it resolved. I was sweating bullets all this past week--cutting it close there. I found out about today's code freeze of RC2 just last night. We'll QA the nightly later today. Thanks again.
We only found out about RC2's code freeze Tuesday afternoon, so don't feel too bad. :)
Reporter | ||
Comment 40•16 years ago
|
||
I'd blog this but I need a quick answer. Our QA team has tested the nightly build dated 05-28-08. They've concluded that FF no longer crashes on our troubled sites: AOL mail, Yahoo AJAX mail, Gmail, monster.ca, etc. Now, however, several key features of our extension no longer work. They were working with the RC1 release. My understanding is that the release builds are pulled from the nightlies so are there any reasons beside new bugs getting into RC2 that would cause us to lose functionality? I'll trouble-shoot in the mean time to figure out what's wrong. Hopefully it's minor.
That's correct, nightlies are the release stream. The set of things in RC2 is quite small, and we had hoped very safe, fwiw.
Comment 42•16 years ago
|
||
Warren, can you please let us know what worked before and no longer works? It's crucial that we find out quickly (i.e. now :) for there to be any hope of us fixing it for RC2. Please file new bugs on new issues and cc me etc.
Reporter | ||
Comment 43•16 years ago
|
||
Sorry, didn't mean to leave you guys in suspense. :) Everything is fine. Our extension is not Minefield-compatible. We rely on finding "Firefox" in the user-agent but found "Minefield" and choked. Some of our JS code has to be IE-compatible. Our extension is now Minefield-friendly, all functionality is available and we had no crashes all day with 2 QA engineers testing.
Comment 44•16 years ago
|
||
Awesome, thanks for the update! I'm glad it was nothing more than that :)
Comment 46•16 years ago
|
||
I verified this with RC2 as well using the attached extension. No crashing. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052912 Firefox/3.0
Status: RESOLVED → VERIFIED
Assignee | ||
Updated•13 years ago
|
Crash Signature: [@ xpc_CloneJSFunction - XPCWrapper::GetOrSetNativeProperty]
You need to log in
before you can comment on or make changes to this bug.
Description
•