Closed Bug 482809 Opened 11 years ago Closed 11 years ago

Crash [@ jsds_SyncFilter(FilterRecord*, jsdIFilter*) ] when appendFilter() called with Console2 installed


(Other Applications Graveyard :: Venkman JS Debugger, defect, critical)

Windows XP
Not set


(Not tracked)



(Reporter: morac, Assigned: timeless)



(Keywords: crash, regression)

Crash Data


(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090311 Minefield/3.2a1pre

I installed Firebug 1.4X.0a12 and ChromeBug 0.5.0a1 in the 20090311 nightly of Minefield 3.2a1pre that had Console2 0.3.10 installed and found that I could only run Minefield once after that.  Any subsequent attempts to run would result in a crash.

I tracked the problem down to a number of calls to jsd.appendFilter().

I managed to reproduce the crash even after disabling Firebug and ChromeBug by calling appendFilter(), but if I disabled Console2 the crash went away.  I tried Console2 and 0.3.11a with the same results.  I looked at Console2 and I don't see why it would make a difference if it was installed or not, but it shouldn't cause a browser crash either way. 

Reproducible: Always

Steps to Reproduce:
1. Install Console2 add-on from or
2. Enter the following line into the error console and click evaluate (sometimes you need to click it more than once):

    var passDebuggerHalter = {
      globalObject: null,
      flags: Components.interfaces.jsdIFilter.FLAG_ENABLED |
             Components.interfaces.jsdIFilter.FLAG_PASS,
      urlPattern: "*/debuggerHalter.js",
      startLine: 0,
      endLine: 0
    };
    Components.classes[";1"]
      .getService(Components.interfaces["jsdIDebuggerService"])
      .appendFilter(passDebuggerHalter);

Actual Results:  

Expected Results:  
No crash
Version: unspecified → Trunk
Uhh, so I suck at debugging crash stacks, but it sure looks to me like something called JSD on "something-other-than-the-main-thread". Which, unless something changed since this dogma was imbued on me, is bound to cause trouble. Timeless, got opinions?
Oh I forgot to mention that the crash does not occur in "Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2".
(In reply to comment #2)
> Oh I forgot to mention that the crash does not occur in "Mozilla/5.0 (Windows;
> U; Windows NT 5.1; en-US; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2".

I don't suppose we could convince you to do a binary search for the crash? :-)

Historic trunk builds can be found at:

That'd be very useful!
I should be able to do so, though it might take a while.

I looked at the revision for js/jsd/jsd_xpc.cpp and there haven't been many changes, so I guess I can start there.
Turns out it took less time than I thought it would.  It broke in the 20090108 nightly.

So the following did not crash:

And the following did crash:

That would seem to imply that the fix for bug 136292 caused it.

1. Minefield in safe mode crashes as well.
2. I disabled Console2 in the Addons Manager and used the ExecuteJS extension to run the STR in Comment 0 and Minefield crashed again.
Ever confirmed: true
0|0|xul.dll|jsds_SyncFilter(FilterRecord *,jsdIFilter *)||322|0x4
0|1|xul.dll|jsdService::AppendFilter(jsdIFilter *)||2770|0x6
0|3|xul.dll|XPCWrappedNative::CallMethod(XPCCallContext &,XPCWrappedNative::CallMode)||2424|0x21

The crash is on thread 0 (main).

I suspect the reason for the partial backtrace is that JIT was on and is about to be off (enabling the debugger should terminate JIT); however, last I checked, JIT didn't provide enough info for stack backtraces to work.

(offtopic) the threadsafe stuff is addressed iirc in:


is the line that's crashing...

given that the line before it is:
    if (rec->filterObject != filter) {

rec isn't null. which means that filterObject is garbage.

This is odd...
2768     FilterRecord *rec = new FilterRecord;
2770     if (!jsds_SyncFilter (rec, filter)) {

AFAICT, we're using an uninitialized field.

This is from 36f4da6e262a; it looks like unrelated changes leaked in.
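The comment above pins the crash on a FilterRecord that is allocated with plain `new` (no zero-fill) and then handed to jsds_SyncFilter, which reads `rec->filterObject` before anything has been stored there. The following C program is an added example, not Mozilla's code: it models a FilterRecord and a sync routine with the same shape as the one quoted in the comment, allocates the record once with a constructed "reused heap" pattern (standing in for `new FilterRecord`) and once zero-filled (standing in for PR_NEWZAP), and shows that only the zeroed record survives the `filterObject != filter` branch. The struct fields, the `live[]` registry and the `filter_release` check are constructed for the demonstration; the real code simply dereferences the garbage pointer and crashes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a jsd filter object with a refcount (not the real jsdIFilter). */
typedef struct Filter {
    int refcnt;
    const char *urlPattern;
} Filter;

/* Constructed model of jsd's FilterRecord: filterObject is the field that
 * jsds_SyncFilter compares before it has ever been initialised. */
typedef struct FilterRecord {
    Filter *filterObject;
    int startLine;
    int endLine;
    struct FilterRecord *next;
} FilterRecord;

/* Registry of live Filter objects, so that a stale pointer can be detected
 * instead of dereferenced. The real code has no such check and crashes. */
#define MAX_LIVE 8
static Filter *live[MAX_LIVE];

static int is_live(const Filter *f) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == f) return 1;
    return 0;
}

Filter *filter_create(const char *pattern) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) {
            Filter *f = malloc(sizeof *f);
            if (!f) return NULL;
            f->refcnt = 1;
            f->urlPattern = pattern;
            live[i] = f;
            return f;
        }
    }
    return NULL;  /* registry full */
}

/* Returns -1 when asked to release a pointer that is not a live Filter:
 * that is the moment the real jsds_SyncFilter would dereference garbage. */
int filter_release(Filter *f) {
    if (!is_live(f)) return -1;
    if (--f->refcnt == 0) {
        for (int i = 0; i < MAX_LIVE; i++)
            if (live[i] == f) live[i] = NULL;
        free(f);
    }
    return 0;
}

/* Same control flow as the snippet quoted in the bug: if the record does not
 * already point at this filter, drop the old reference and take the new one. */
int sync_filter(FilterRecord *rec, Filter *filter) {
    if (rec->filterObject != filter) {
        if (rec->filterObject != NULL && filter_release(rec->filterObject) != 0)
            return -1;  /* garbage filterObject: the crash site in the real code */
        filter->refcnt++;
        rec->filterObject = filter;
    }
    rec->startLine = 0;
    rec->endLine = 0;
    return 0;
}

/* Model of |new FilterRecord| on a reused heap block: the bytes keep whatever
 * was there before. A fixed 0xAB pattern is used (constructed) so the demo is
 * deterministic instead of relying on real undefined behaviour. */
FilterRecord *record_new_uninit(void) {
    FilterRecord *rec = malloc(sizeof *rec);
    if (rec) memset(rec, 0xAB, sizeof *rec);
    return rec;
}

/* Model of PR_NEWZAP: zero-filled, so filterObject starts out NULL. */
FilterRecord *record_new_zap(void) {
    return calloc(1, sizeof(FilterRecord));
}

/* Mirrors jsdService::AppendFilter: allocate a record, then sync it.
 * Returns 0 on success; -1 (and *out == NULL) where the real code would crash. */
int append_filter(FilterRecord *(*alloc)(void), Filter *filter, FilterRecord **out) {
    *out = NULL;
    FilterRecord *rec = alloc();
    if (!rec) return -1;
    if (sync_filter(rec, filter) != 0) {
        free(rec);
        return -1;
    }
    *out = rec;
    return 0;
}

int main(void) {
    Filter *f = filter_create("*/debuggerHalter.js");
    FilterRecord *rec;
    printf("new FilterRecord (uninitialised): %s\n",
           append_filter(record_new_uninit, f, &rec) == 0 ? "ok" : "would crash");
    printf("PR_NEWZAP (zero-filled):          %s\n",
           append_filter(record_new_zap, f, &rec) == 0 ? "ok" : "would crash");
    return 0;
}
```

The only difference between the two paths is the allocator; the sync logic is identical. That is why the attached patch reverts `new` to PR_NEWZAP rather than touching jsds_SyncFilter: with a zero-filled record the `filterObject` comparison sees NULL, skips the release, and takes a fresh reference as intended.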
Assignee: rginda → timeless
Depends on: 136292
Attachment #367001 - Flags: superreview?(roc)
Attachment #367001 - Flags: review?(roc)
Comment on attachment 367001 [details] [diff] [review]
revert |new| to PR_NEWZAP

Attachment #367001 - Flags: superreview?(roc)
Attachment #367001 - Flags: superreview+
Attachment #367001 - Flags: review?(roc)
Attachment #367001 - Flags: review+
Closed: 11 years ago
Resolution: --- → FIXED
I can confirm that it's no longer crashing in the 20090312 nightly load.
Crash Signature: [@ jsds_SyncFilter(FilterRecord*, jsdIFilter*) ]
Product: Other Applications → Other Applications Graveyard