Closed Bug 536074 Opened 12 years ago Closed 3 years ago

Crash [@ JS_ResumeRequest ]

Categories

(Core :: XPConnect, defect)

defect
Not set
critical

RESOLVED INACTIVE

People

(Reporter: chofmann, Unassigned)

Details

(Keywords: crash, Whiteboard: [mobile-crash])

Crash Data

#57 top crash in early 3.6b5 data
#108 in 3.5.6

consistently about 200 crashes per day across all post 3.5 releases.

checking --- 20091219-crashdata.csv JS_ResumeRequest
release  total-crashes  JS_ResumeRequest crashes  pct.
all      208220         210                       0.00100855
3.0.15   8049                                     0
3.0.16   28224                                    0
3.5.5    21966          25                        0.00113812
3.5.6    97104          124                       0.00127698
3.6b5    14558          29                        0.00199203
3.6b4    7097           16                        0.00225447
3.6b3    701            2                         0.00285307
3.6b2    752                                      0
3.6b1    2016           1                         0.000496032

stack looks like
http://crash-stats.mozilla.com/report/index/6d8a7094-caa0-4a8f-bb53-234e52091220

Frame 	Module 	Signature 	Source
0 	js3250.dll 	JS_ResumeRequest 	js/src/jsapi.cpp:1020
1 	xul.dll 	nsXPConnect::Pop 	js/src/xpconnect/src/nsXPConnect.cpp:2567
2 	xul.dll 	nsJSContext::ClearScope 	dom/base/nsJSEnvironment.cpp:3419
3 	xul.dll 	nsGlobalWindow::SetNewDocument 	dom/base/nsGlobalWindow.cpp:1748
4 	xul.dll 	nsGlobalWindow::SetNewDocument 	dom/base/nsGlobalWindow.cpp:1566
5 	xul.dll 	DocumentViewerImpl::InitInternal 	layout/base/nsDocumentViewer.cpp:958
6 	xul.dll 	DocumentViewerImpl::Init 	layout/base/nsDocumentViewer.cpp:698
7 	xul.dll 	nsGenericElement::BindToTree 	content/base/src/nsGenericElement.cpp:2661
8 	xul.dll 	nsContentUtils::RemoveScriptBlocker 	content/base/src/nsContentUtils.cpp:4474
9 	mozcrt19.dll 	malloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:5790
10 	mozcrt19.dll 	operator new 	obj-firefox/memory/jemalloc/crtsrc/new.cpp:54
11 	xul.dll 	nsACString_internal::Assign 	xpcom/string/src/nsTSubstring.cpp:362
12 	xul.dll 	nsSimpleURI::Internal::QueryInterface 	netwerk/base/src/nsSimpleURI.cpp:73
13 	xul.dll 	nsACString_internal::Assign 	xpcom/string/src/nsTSubstring.cpp:422
14 	xul.dll 	nsDocument::SetDocumentCharacterSet 	content/base/src/nsDocument.cpp:2802
15 	xul.dll 	nsCOMPtr_base::~nsCOMPtr_base 	obj-firefox/xpcom/build/nsCOMPtr.cpp:81
16 	xul.dll 	DocumentViewerImpl::SyncParentSubDocMap 	layout/base/nsDocumentViewer.cpp:660

more reports at http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=JS_ResumeRequest&version=Firefox%3A3.6b5
Keywords: crash
Looks like this is mostly another RelevantKnowledge issue, but some other plugins are probably doing bad stuff too:

  JS_ResumeRequest|EXCEPTION_ACCESS_VIOLATION (36 crashes)
     67% (24/36) vs.   2% (329/13600) {6E19037A-12E3-4295-8915-ED48BC341614} (*xg.dll (RelevantKnowledge), http://www.relevantknowledge.com/)
     25% (9/36) vs.   1% (115/13600) {8141440E-08F0-4339-9959-5C31C6A69F23}
     25% (9/36) vs.   1% (128/13600) {E889F097-B0BE-471B-89AD-B86B6F04B506}
     25% (9/36) vs.   1% (133/13600) {E63605FC-D583-4C81-867F-9457BDB3EA1B}
     17% (6/36) vs.   0% (17/13600) coc@ble.pl (NEW Glasser by SzymekPL, https://addons.mozilla.org/addon/12951)
     42% (15/36) vs.  29% (3955/13600) jqs@sun.com (Java Quick Starter, http://java.sun.com/javase/downloads/)
     14% (5/36) vs.   5% (694/13600) {3f963a5b-e555-4543-90e2-c3908898db71}
     19% (7/36) vs.  11% (1481/13600) mozilla_cc@internetdownloadmanager.com (IDM CC, https://addons.mozilla.org/addon/6973)
      8% (3/36) vs.   0% (26/13600) {40f1eb95-4de4-4f36-a826-054ee36bb905}
     14% (5/36) vs.   6% (868/13600) {3112ca9c-de6d-4884-a869-9855de68056c} (Google Toolbar, https://addons.mozilla.org/addon/6249)
From the minidump: 

- The proximate cause of the crash is that JS_ResumeRequest is called with a NULL cx argument.

- It turns out JS_ResumeRequest is being called with garbage arguments: cx is NULL and saveDepth is 1699388956. The caller of JS_ResumeRequest is XPCJSContextStack::Pop, which gets those arguments from the struct instance at the top of its mStack member. 

So, I'm guessing that some bad plugins pop the XPCJSContextStack too many times (however they do it--resuming or ending requests?) and crash that way.
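The failure mode guessed at in the comment above (an unbalanced pop that hands a bogus `cx`/`saveDepth` pair to the resume call), shown as an added example that is not Mozilla code or part of the original comment. `Context`, `StackEntry`, `CheckedContextStack` and `ScopedPush` are hypothetical names in a simplified model; the real XPCJSContextStack logic is not reproduced here.

```cpp
// Added illustration: a simplified model, not Mozilla's XPCJSContextStack.
#include <cstddef>
#include <cstdint>
#include <vector>

struct Context { std::uint32_t requestDepth = 0; };  // hypothetical stand-in for JSContext

struct StackEntry {                                   // models the (cx, saveDepth) pair on the stack
    Context* cx;
    std::uint32_t saveDepth;
};

enum class PopResult { Ok, Underflow, NullContext };

class CheckedContextStack {
    std::vector<StackEntry> entries_;
public:
    // Suspend the context's request and remember its depth.
    void Push(Context* cx) {
        std::uint32_t saved = cx ? cx->requestDepth : 0;
        if (cx) cx->requestDepth = 0;
        entries_.push_back({cx, saved});
    }
    // Resume only from an entry that really exists and carries a context.
    PopResult Pop() {
        if (entries_.empty()) return PopResult::Underflow;   // unbalanced pop: refuse
        StackEntry top = entries_.back();
        entries_.pop_back();
        if (!top.cx) return PopResult::NullContext;          // nothing to resume
        top.cx->requestDepth = top.saveDepth;
        return PopResult::Ok;
    }
    std::size_t Depth() const { return entries_.size(); }
};

// RAII guard: every Push gets exactly one Pop, even on early return.
class ScopedPush {
    CheckedContextStack& stack_;
public:
    ScopedPush(CheckedContextStack& s, Context* cx) : stack_(s) { stack_.Push(cx); }
    ~ScopedPush() { stack_.Pop(); }
    ScopedPush(const ScopedPush&) = delete;
    ScopedPush& operator=(const ScopedPush&) = delete;
};

int main() {
    CheckedContextStack s;
    Context cx; cx.requestDepth = 2;
    { ScopedPush guard(s, &cx); }                 // balanced push/pop restores depth 2
    return (s.Pop() == PopResult::Underflow && cx.requestDepth == 2) ? 0 : 1;
}
```

An extra `Pop()` here reports `Underflow` instead of reading whatever lies past the top of the stack, and a null context is rejected before any resume is attempted.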
Crash Signature: [@ JS_ResumeRequest ]
Severity: normal → critical
occurs in mobile as well.  see bug 698349
Whiteboard: [mobile-crash]
This crash occurred on the latest Nightly build (Native Fennec): https://crash-stats.mozilla.com/report/index/bp-f4f9632d-53b2-4e8b-b65d-0318c2111117

I'll provide more info about this crash when I find the steps to reproduce it.
It affects all platforms, but the stacks vary.
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
OS: Windows XP → All
QA Contact: general → xpconnect
Hardware: x86 → All
The stack on Mac looks like:
Frame 	Module 	Signature 	Source
0 	XUL 	JS_ResumeRequest 	js/src/jscntxt.h:980
1 	XUL 	XPCJSContextStack::Pop 	js/xpconnect/src/XPCThreadContext.cpp:107
2 	XUL 	nsCxPusher::Pop 	content/base/src/nsContentUtils.cpp:2686
3 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:289
4 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:402
5 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:681
6 	XUL 	nsEventDispatcher::DispatchDOMEvent 	content/events/src/nsEventDispatcher.cpp:744
7 	XUL 	nsGlobalWindow::DispatchEvent 	dom/base/nsGlobalWindow.cpp:7396
8 	XUL 	nsGlobalWindow::DispatchEvent 	dom/base/nsGlobalWindow.cpp:7379
9 	XUL 	nsContentUtils::DispatchTrustedEvent 	content/base/src/nsContentUtils.cpp:3065
10 	XUL 	nsFocusManager::WindowRaised 	dom/base/nsFocusManager.cpp:713
11 	XUL 	nsWebShellWindow::HandleEvent 	xpfe/appshell/src/nsWebShellWindow.cpp:447
12 	XUL 	nsCocoaWindow::DispatchEvent 	widget/src/cocoa/nsCocoaWindow.mm:1348
13 	XUL 	-[WindowDelegate sendFocusEvent:] 	widget/src/cocoa/nsCocoaWindow.mm:1920
14 	XUL 	-[WindowDelegate sendToplevelActivateEvents] 	widget/src/cocoa/nsCocoaWindow.mm:1955
15 	XUL 	+[TopLevelWindowData activateInWindow:] 	widget/src/cocoa/nsWindowMap.mm:221
16 	Foundation 	_nsnote_callback 	

Comments say:
"Disconnecting from a server while playing Quake Live"
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INACTIVE