Bug 674776 - (CVE-2011-3650) SIGSEGV while profiling page with many functions (JS debugging)
Status: RESOLVED FIXED
Whiteboard: [sg:critical?] exposed through Firebu...
Product: Core
Classification: Components
Component: JavaScript Engine
Version: unspecified
Platform: All Mac OS X
Importance: -- normal
Target Milestone: mozilla9
Assigned To: Bill McCloskey (:billm)
Reported: 2011-07-27 17:04 PDT by Marc Schoenefeld
Modified: 2014-06-26 09:49 PDT
Flags: rforbes: sec-bounty+
Tracking flags: - wontfix; - wontfix; + fixed; + fixed; fixed; .24+; .24-fixed

Attachments:
  Generator for reproducer (311 bytes, text/plain), 2011-07-27 17:04 PDT, Marc Schoenefeld, no flags
  reproducer (833.83 KB, application/octet-stream), 2011-07-27 17:10 PDT, Marc Schoenefeld, no flags
  Simplified testcase (zipped for resource constraints) (1010.83 KB, application/octet-stream), 2011-09-02 03:44 PDT, Marc Schoenefeld, no flags
  fix (3.50 KB, patch), 2011-09-02 12:39 PDT, Bill McCloskey (:billm); flags: jorendorff: review+, asa: approval-mozilla-aurora+, asa: approval-mozilla-beta+, christian: approval1.9.2.24+

Description Marc Schoenefeld 2011-07-27 17:04:44 PDT
Created attachment 548978
Generator for reproducer

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

Steps to reproduce:

1) open many66000.html
2) open firebug
3) do while not crash (and press continue on long running script)
3a) press "OK" (in hello box)
3b) press "profile"

Actual results:

Process:         firefox-bin [6702]
Path:            /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier:      org.mozilla.firefox
Version:         5.0.1 (5.0.1)
Code Type:       X86-64 (Native)
Parent Process:  launchd [185]

Date/Time:       2011-07-27 11:38:37.194 +0200
OS Version:      Mac OS X 10.6.8 (10K540)
Report Version:  6

Interval Since Last Report:          949111 sec
Crashes Since Last Report:           962
Per-App Interval Since Last Report:  12453 sec
Per-App Crashes Since Last Report:   9
Anonymous UUID:                      A20874EC-7280-445C-9882-755000F0127C

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000127a631ae
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib             	0x00007fff826d7514 tiny_free_list_add_ptr + 124
1   libSystem.B.dylib             	0x00007fff826d4c27 tiny_malloc_from_free_list + 1196
2   libSystem.B.dylib             	0x00007fff826d3abd szone_malloc_should_clear + 242
3   libSystem.B.dylib             	0x00007fff826d398a malloc_zone_malloc + 82
4   libSystem.B.dylib             	0x00007fff826d1c88 malloc + 44
5   libmozalloc.dylib             	0x0000000101ab39ac moz_xmalloc + 12
6   XUL                           	0x00000001009af604 xpc_LocalizeContext(JSContext*) + 75748
7   XUL                           	0x0000000100992f67 DumpJSValue + 81591
8   XUL                           	0x0000000100993826 DumpJSValue + 83830
9   XUL                           	0x00000001009a7639 xpc_LocalizeContext(JSContext*) + 43033
10  XUL                           	0x00000001009a1489 xpc_LocalizeContext(JSContext*) + 18025
11  XUL                           	0x0000000100e3c9c5 nsXPTCStubBase::Stub249() + 533
12  XUL                           	0x0000000100e3b84b NS_InvokeByIndex_P + 955
13  XUL                           	0x0000000100bc52bf JSD_DebuggerOnForUser + 49567
14  ???                           	0x0000000135b72a10 0 + 5196163600
15  ???                           	0x00000001279e5fb0 0 + 4959657904
16  ???                           	0x000000011dfc5a58 0 + 4798044760
17  ???                           	0x000000011fd464a0 0 + 4828980384
18  ???                           	0x000000011da79580 0 + 4792489344
19  ???                           	0x00000001029497d0 0 + 4338259920
20  ???                           	0x000000011fd59540 0 + 4829058368
21  ???                           	0x00000001029a58d0 0 + 4338637008
22  ???                           	0x00000001029a3d20 0 + 4338629920
23  ???                           	0x000000011fd68f10 0 + 4829122320
24  ???                           	0x000000011fd75b70 0 + 4829174640
25  ???                           	0x000000011fd7c6d0 0 + 4829202128
26  ???                           	0x000000011fd84390 0 + 4829234064
27  ???                           	0x000000011fd87550 0 + 4829246800
28  ???                           	0x000000011fd893e0 0 + 4829254624
29  ???                           	0x000000011fd8cee0 0 + 4829269728
30  ???                           	0x000000011fd91780 0 + 4829288320
31  ???                           	0x000000011fdcf590 0 + 4829541776
32  ???                           	0x000000011fdd3060 0 + 4829556832
33  ???                           	0x000000011fdd32f0 0 + 4829557488
34  ???                           	0x000000011fdd38b0 0 + 4829558960
35  ???                           	0x000000011fdd3930 0 + 4829559088
36  ???                           	0x000000011fdd39f0 0 + 4829559280
37  ???                           	0x000000011fdd3c90 0 + 4829559952
38  ???                           	0x000000011fdd3e50 0 + 4829560400
39  ???                           	0x000000011fdd41a0 0 + 4829561248
40  ???                           	0x000000011fdd4260 0 + 4829561440
41  ???                           	0x000000011fdd43a0 0 + 4829561760
42  ???                           	0x000000011fdd46f0 0 + 4829562608
43  ???                           	0x000000011fdd4af0 0 + 4829563632
44  ???                           	0x000000011fdd4d10 0 + 4829564176
45  ???                           	0x000000011fdc42a0 0 + 4829495968
46  ???                           	0x000000011fdd4ff0 0 + 4829564912
47  ???                           	0x000000011fdd5390 0 + 4829565840
48  ???                           	0x000000011fdd5450 0 + 4829566032
49  ???                           	0x000000011fdd57a0 0 + 4829566880
50  ???                           	0x000000011fdd5880 0 + 4829567104
51  ???                           	0x000000011fdd6290 0 + 4829569680
52  ???                           	0x000000011fdd60f0 0 + 4829569264
53  ???                           	0x000000011fdd61d0 0 + 4829569488
54  ???                           	0x000000011fdd6a70 0 + 4829571696
55  ???                           	0x000000011fdd6d20 0 + 4829572384
56  ???                           	0x000000011fdd7580 0 + 4829574528
57  ???                           	0x000000011fdd73f0 0 + 4829574128
58  ???                           	0x000000011fdd74f0 0 + 4829574384
59  ???                           	0x000000011fdd79a0 0 + 4829575584
60  ???                           	0x000000011fdd7d40 0 + 4829576512
61  ???                           	0x000000011fdd7e50 0 + 4829576784
62  ???                           	0x000000011fdd8090 0 + 4829577360
63  ???                           	0x000000011fdd83c0 0 + 4829578176
64  ???                           	0x000000011fdd8540 0 + 4829578560
65  ???                           	0x000000011fdd8670 0 + 4829578864
66  ???                           	0x000000011fdd8860 0 + 4829579360
67  ???                           	0x000000011fdd8f80 0 + 4829581184
68  ???                           	0x000000011fdd9420 0 + 4829582368
69  ???                           	0x000000011fdd8de0 0 + 4829580768
70  ???                           	0x000000011fdd93a0 0 + 4829582240
71  ???                           	0x000000011fdd9d90 0 + 4829584784
72  ???                           	0x000000011fdd9df0 0 + 4829584880
73  ???                           	0x000000011fdd9ed0 0 + 4829585104
74  ???                           	0x000000011fdd9f50 0 + 4829585232
75  ???                           	0x000000011fdda1f0 0 + 4829585904
76  ???                           	0x000000011fdda2d0 0 + 4829586128
77  ???                           	0x000000011fdda620 0 + 4829586976
78  ???                           	0x000000011fdda710 0 + 4829587216
79  ???                           	0x000000011fdda930 0 + 4829587760
80  ???                           	0x000000011fddabc0 0 + 4829588416
81  ???                           	0x000000011fddaf50 0 + 4829589328
82  ???                           	0x000000011fddb060 0 + 4829589600
83  ???                           	0x000000011fddb2b0 0 + 4829590192
84  ???                           	0x000000011fddb570 0 + 4829590896
85  ???                           	0x000000011fddbac0 0 + 4829592256
86  ???                           	0x000000011fddbb60 0 + 4829592416
87  ???                           	0x000000011fddbd60 0 + 4829592928
88  ???                           	0x000000011fddc0e0 0 + 4829593824
89  ???                           	0x000000011fddc370 0 + 4829594480
90  ???                           	0x000000011fddc410 0 + 4829594640
91  ???                           	0x000000011fddca80 0 + 4829596288
92  ???                           	0x000000011fddc830 0 + 4829595696
93  ???                           	0x000000011fddcd00 0 + 4829596928
94  ???                           	0x000000011fddcd60 0 + 4829597024
95  ???                           	0x000000011fddcf00 0 + 4829597440
96  ???                           	0x000000011fddd170 0 + 4829598064
97  ???                           	0x000000011fddda10 0 + 4829600272
98  ???                           	0x000000011fdddae0 0 + 4829600480
99  ???                           	0x000000011fddde00 0 + 4829601280
100 ???                           	0x000000011fdddef0 0 + 4829601520
101 ???                           	0x000000011fdde1c0 0 + 4829602240
102 ???                           	0x000000011fdde380 0 + 4829602688
103 ???                           	0x000000011fdde8b0 0 + 4829604016
104 ???                           	0x000000011fdded90 0 + 4829605264
105 ???                           	0x000000011fddee80 0 + 4829605504
106 ???                           	0x000000011fddf0d0 0 + 4829606096
107 ???                           	0x000000011fddf4c0 0 + 4829607104
108 ???                           	0x000000011fddfc00 0 + 4829608960
109 ???                           	0x000000011fddfd80 0 + 4829609344
110 ???                           	0x000000011fde00f0 0 + 4829610224
111 ???                           	0x000000011fde0200 0 + 4829610496
112 ???                           	0x000000011fde0500 0 + 4829611264
113 ???                           	0x000000011fde0760 0 + 4829611872
114 ???                           	0x000000011fde0a30 0 + 4829612592
115 ???                           	0x000000011fde0af0 0 + 4829612784
116 ???                           	0x0000000102964730 0 + 4338370352
117 ???                           	0x00000001029647d0 0 + 4338370512
118 ???                           	0x000000011fde15b0 0 + 4829615536
119 ???                           	0x000000011fde11a0 0 + 4829614496
120 ???                           	0x000000011e657710 0 + 4804933392
121 ???                           	0x000000011e644630 0 + 4804855344
122 ???                           	0x000000011e37fc30 0 + 4801952816
123 ???                           	0x000000011e39e240 0 + 4802077248
124 ???                           	0x000000011e397090 0 + 4802048144
125 ???                           	0x000000011ea80710 0 + 4809295632
126 ???                           	0x000000011eabb1a0 0 + 4809535904
127 ???                           	0x000000011e1c1c80 0 + 4800126080
128 ???                           	0x000000011e36a480 0 + 4801864832
129 ???                           	0x000000011e358fb0 0 + 4801793968
130 ???                           	0x000000011e359010 0 + 4801794064
131 ???                           	0x000000011e35bd90 0 + 4801805712
132 ???                           	0x000000011e35bdf0 0 + 4801805808
133 ???                           	0x000000011e35c4f0 0 + 4801807600
134 ???                           	0x000000011e35c550 0 + 4801807696
135 ???                           	0x000000011e35c8e0 0 + 4801808608
136 ???                           	0x000000011e35f3f0 0 + 4801819632
137 ???                           	0x000000011e3a0b10 0 + 4802087696
138 ???                           	0x000000011e351160 0 + 4801761632
139 ???                           	0x000000011e3511c0 0 + 4801761728
140 ???                           	0x000000011e352f50 0 + 4801769296
141 ???                           	0x000000011e353fa0 0 + 4801773472
142 ???                           	0x000000011e354050 0 + 4801773648
143 ???                           	0x000000011e356c70 0 + 4801784944
144 ???                           	0x000000011e3440a0 0 + 4801708192
145 ???                           	0x000000011e344140 0 + 4801708352
146 ???                           	0x000000011e3457b0 0 + 4801714096
147 ???                           	0x000000011e345810 0 + 4801714192
148 ???                           	0x000000011e346830 0 + 4801718320
149 ???                           	0x000000011e34d390 0 + 4801745808
150 ???                           	0x000000011e34d440 0 + 4801745984
151 ???                           	0x000000011e34e6a0 0 + 4801750688
152 ???                           	0x000000011e34f220 0 + 4801753632
153 ???                           	0x000000011e3501b0 0 + 4801757616
154 ???                           	0x000000011e6b6620 0 + 4805322272
155 ???                           	0x000000011e6b6680 0 + 4805322368
156 ???                           	0x0000000101e8f080 0 + 4327010432
157 ???                           	0x000000011e3ab570 0 + 4802131312
158 ???                           	0x000000011e68a5b0 0 + 4805141936
159 ???                           	0x000000011e68a610 0 + 4805142032
160 ???                           	0x000000011e3ab1c0 0 + 4802130368
161 ???                           	0x000000011e3b77e0 0 + 4802181088
162 ???                           	0x000000011e3a8430 0 + 4802118704
163 ???                           	0x000000011e3a8380 0 + 4802118528
164 ???                           	0x000000011e3b9730 0 + 4802189104
165 ???                           	0x000000011e3b6d50 0 + 4802178384
166 ???                           	0x000000011e3b65e0 0 + 4802176480
167 ???                           	0x000000011e3b6640 0 + 4802176576
168 ???                           	0x000000011e3b5d60 0 + 4802174304
169 ???                           	0x000000011e3b5dc0 0 + 4802174400
170 ???                           	0x000000011e3b6110 0 + 4802175248
171 ???                           	0x000000011e3b6170 0 + 4802175344
172 ???                           	0x000000011e3ae6d0 0 + 4802143952
173 ???                           	0x000000011e3be590 0 + 4802209168
174 ???                           	0x000000011e3bdb50 0 + 4802206544
175 ???                           	0x000000011e3bdaa0 0 + 4802206368
176 ???                           	0x000000011e3be4e0 0 + 4802208992
177 ???                           	0x000000011e622b50 0 + 4804717392
178 ???                           	0x000000011e622040 0 + 4804714560
179 ???                           	0x000000011e6220d0 0 + 4804714704
180 ???                           	0x000000011e61fac0 0 + 4804704960
181 ???                           	0x000000011e61f6e0 0 + 4804703968
182 ???                           	0x000000011e61f740 0 + 4804704064
183 ???                           	0x000000011e61ebd0 0 + 4804701136
184 ???                           	0x000000011e61ec60 0 + 4804701280
185 ???                           	0x000000011e61dd40 0 + 4804697408
186 ???                           	0x000000011e61dda0 0 + 4804697504
187 ???                           	0x000000011e61d9c0 0 + 4804696512
188 ???                           	0x000000011e62d660 0 + 4804761184
189 ???                           	0x000000011e62d6e0 0 + 4804761312
190 ???                           	0x000000011e62ba10 0 + 4804753936
191 ???                           	0x000000011e628700 0 + 4804740864
192 ???                           	0x000000011e628790 0 + 4804741008
193 ???                           	0x000000011e627fa0 0 + 4804738976
194 ???                           	0x000000011e625f20 0 + 4804730656
195 ???                           	0x000000011e625f80 0 + 4804730752
196 ???                           	0x000000011e6247b0 0 + 4804724656
197 ???                           	0x000000011e624850 0 + 4804724816
198 ???                           	0x000000011e63e490 0 + 4804830352
199 ???                           	0x000000011e63e520 0 + 4804830496
200 ???                           	0x000000011e650f80 0 + 4804906880
201 ???                           	0x000000011e6507f0 0 + 4804904944
202 ???                           	0x000000011e650850 0 + 4804905040
203 ???                           	0x000000011e64f560 0 + 4804900192
204 ???                           	0x000000011e64f5e0 0 + 4804900320
205 ???                           	0x000000011e64d070 0 + 4804890736
206 ???                           	0x000000011e64c270 0 + 4804887152
207 ???                           	0x000000011e64be80 0 + 4804886144
208 ???                           	0x000000011e64bf30 0 + 4804886320
209 ???                           	0x000000011e64b880 0 + 4804884608
210 ???                           	0x000000011e64a970 0 + 4804880752
211 ???                           	0x000000011e64aa00 0 + 4804880896
212 ???                           	0x000000011e659200 0 + 4804940288
213 ???                           	0x000000011e659290 0 + 4804940432
214 ???                           	0x000000011e658360 0 + 4804936544
215 ???                           	0x000000011e656ed0 0 + 4804931280
216 ???                           	0x000000011e656350 0 + 4804928336
217 ???                           	0x000000011e654c60 0 + 4804922464
218 ???                           	0x000000011e653270 0 + 4804915824
219 ???                           	0x000000011e653300 0 + 4804915968
220 ???                           	0x000000011e65ce30 0 + 4804955696
221 ???                           	0x000000011e65ca80 0 + 4804954752
222 ???                           	0x000000011e65cb10 0 + 4804954896
223 ???                           	0x000000011e65b6d0 0 + 4804949712
224 ???                           	0x000000011e65b2e0 0 + 4804948704
225 ???                           	0x000000011e65a7a0 0 + 4804945824
226 ???                           	0x000000011e65a800 0 + 4804945920
227 ???                           	0x000000011e659fc0 0 + 4804943808
228 ???                           	0x000000011e65a050 0 + 4804943952
229 ???                           	0x000000011e663e90 0 + 4804984464
230 ???                           	0x000000011e662090 0 + 4804976784
231 ???                           	0x000000011e6620f0 0 + 4804976880
232 ???                           	0x000000011e660cd0 0 + 4804971728
233 ???                           	0x000000011e6608f0 0 + 4804970736
234 ???                           	0x000000011e660950 0 + 4804970832
235 ???                           	0x000000011e660540 0 + 4804969792
236 ???                           	0x000000011e6605d0 0 + 4804969936
237 ???                           	0x000000011e6601c0 0 + 4804968896
238 ???                           	0x000000011e65f790 0 + 4804966288
239 ???                           	0x000000011e65f820 0 + 4804966432
240 ???                           	0x000000011e65e390 0 + 4804961168
241 ???                           	0x000000011e65dfe0 0 + 4804960224
242 ???                           	0x000000011e65e040 0 + 4804960320
243 ???                           	0x000000011e668ea0 0 + 4805004960
244 ???                           	0x000000011e668f00 0 + 4805005056
245 ???                           	0x000000011e6680f0 0 + 4805001456
246 ???                           	0x000000011e668180 0 + 4805001600
247 ???                           	0x000000011e667740 0 + 4804998976
248 ???                           	0x000000011e666be0 0 + 4804996064
249 ???                           	0x000000011e666c90 0 + 4804996240
250 ???                           	0x000000011e6668a0 0 + 4804995232
251 ???                           	0x000000011e665640 0 + 4804990528
252 ???                           	0x000000011e665260 0 + 4804989536
253 ???                           	0x000000011e665300 0 + 4804989696
254 ???                           	0x000000011e66e730 0 + 4805027632
255 ???                           	0x000000011e66dd40 0 + 4805025088
256 ???                           	0x000000011e66d300 0 + 4805022464
257 ???                           	0x000000011e66c8d0 0 + 4805019856
258 ???                           	0x000000011e66c930 0 + 4805019952
259 ???                           	0x000000011e66ba50 0 + 4805016144
260 ???                           	0x000000011e66b6e0 0 + 4805015264
261 ???                           	0x000000011e66af40 0 + 4805013312
262 ???                           	0x000000011e66b2b0 0 + 4805014192
263 ???                           	0x000000011e6733b0 0 + 4805047216
264 ???                           	0x000000011e672c50 0 + 4805045328
265 ???                           	0x000000011e672cb0 0 + 4805045424
266 ???                           	0x000000011e670ea0 0 + 4805037728
267 ???                           	0x000000011e66ea80 0 + 4805028480
268 ???                           	0x000000011e66eae0 0 + 4805028576
269 ???                           	0x000000011e66fcf0 0 + 4805033200
270 ???                           	0x000000011e6790e0 0 + 4805071072
271 ???                           	0x000000011e676bf0 0 + 4805061616
272 ???                           	0x000000011e676f60 0 + 4805062496
273 ???                           	0x000000011e676fc0 0 + 4805062592
274 ???                           	0x000000011e678d60 0 + 4805070176
275 ???                           	0x000000011e6786e0 0 + 4805068512
276 ???                           	0x000000011e678790 0 + 4805068688
277 ???                           	0x000000011e6767f0 0 + 4805060592
278 ???                           	0x000000011e675e20 0 + 4805058080
279 ???                           	0x000000011e674620 0 + 4805051936
280 ???                           	0x000000011e6746a0 0 + 4805052064
281 ???                           	0x000000011e673b70 0 + 4805049200
282 ???                           	0x000000011e67d9b0 0 + 4805089712
283 ???                           	0x000000011e67da10 0 + 4805089808
284 ???                           	0x000000011e67b640 0 + 4805080640
285 ???                           	0x000000011e67b290 0 + 4805079696
286 ???                           	0x000000011e67b2f0 0 + 4805079792
287 ???                           	0x000000011e6c2040 0 + 4805369920
288 ???                           	0x000000011ea3cc10 0 + 4809018384
289 ???                           	0x000000011ea3cc70 0 + 4809018480
290 ???                           	0x000000011e34acd0 0 + 4801735888
291 ???                           	0x000000011e36db40 0 + 4801878848
292 ???                           	0x000000011e3a7a50 0 + 4802116176
293 ???                           	0x000000011e3a7ae0 0 + 4802116320
294 ???                           	0x000000011e3f5fa0 0 + 4802437024
295 ???                           	0x000000011e3f6060 0 + 4802437216
296 ???                           	0x000000011e629890 0 + 4804745360
297 ???                           	0x000000011e64a5b0 0 + 4804879792
298 ???                           	0x000000011e35a090 0 + 4801798288
299 ???                           	0x000000011e64fed0 0 + 4804902608
300 ???                           	0x000000011e6847c0 0 + 4805117888
301 ???                           	0x000000011ea1bd40 0 + 4808883520
302 ???                           	0x000000011ea1bdf0 0 + 4808883696
303 ???                           	0x000000011e3555d0 0 + 4801779152
304 ???                           	0x000000011e3dba20 0 + 4802329120
305 ???                           	0x000000011e3dbab0 0 + 4802329264
306 ???                           	0x000000011e3dbd00 0 + 4802329856
307 ???                           	0x000000011e688970 0 + 4805134704
308 ???                           	0x000000011e6889d0 0 + 4805134800
309 ???                           	0x000000011e6c2900 0 + 4805372160
310 ???                           	0x000000011ea0dec0 0 + 4808826560
311 ???                           	0x000000011ea0df80 0 + 4808826752
312 ???                           	0x000000011e3629b0 0 + 4801833392
313 ???                           	0x000000011e364350 0 + 4801839952
314 ???                           	0x000000011e364420 0 + 4801840160
315 ???                           	0x000000011e369410 0 + 4801860624
316 ???                           	0x000000011e3739f0 0 + 4801903088
317 ???                           	0x000000011e372780 0 + 4801898368
318 ???                           	0x000000011e372810 0 + 4801898512
319 ???                           	0x000000011e377160 0 + 4801917280
320 ???                           	0x000000011e3771e0 0 + 4801917408
321 ???                           	0x000000011e3758f0 0 + 4801911024
322 ???                           	0x000000011e34b500 0 + 4801737984
323 ???                           	0x000000011e37d890 0 + 4801943696
324 ???                           	0x000000011e34b560 0 + 4801738080
325 ???                           	0x000000011e381fe0 0 + 4801961952
326 ???                           	0x000000011e3a4700 0 + 4802103040
327 ???                           	0x000000011e3aabb0 0 + 4802128816
328 ???                           	0x000000011e3aac10 0 + 4802128912
329 ???                           	0x000000011e3aac70 0 + 4802129008
330 ???                           	0x000000011e3c7020 0 + 4802244640
331 ???                           	0x000000011e3d8b40 0 + 4802317120
332 ???                           	0x000000011e3e4880 0 + 4802365568
333 ???                           	0x000000011e3e48e0 0 + 4802365664
334 ???                           	0x000000011e3f52d0 0 + 4802433744
335 ???                           	0x000000011e3f5330 0 + 4802433840
336 ???                           	0x000000011e604ae0 0 + 4804594400
337 ???                           	0x000000011e62bd60 0 + 4804754784
338 ???                           	0x000000011e62bdc0 0 + 4804754880
339 ???                           	0x000000011e634ae0 0 + 4804791008
340 ???                           	0x000000011e634bb0 0 + 4804791216
341 ???                           	0x000000011e63a430 0 + 4804813872
342 ???                           	0x000000011e64ba60 0 + 4804885088
343 ???                           	0x000000011e64ad70 0 + 4804881776
344 ???                           	0x000000011e64f1b0 0 + 4804899248
345 ???                           	0x000000011e64f210 0 + 4804899344
346 ???                           	0x000000011e6566f0 0 + 4804929264
347 ???                           	0x000000011e66a000 0 + 4805009408
348 ???                           	0x000000011e6663c0 0 + 4804993984
349 ???                           	0x000000011e666460 0 + 4804994144
350 ???                           	0x000000011e6742b0 0 + 4805051056
351 ???                           	0x000000011e67af30 0 + 4805078832
352 ???                           	0x000000011e67af90 0 + 4805078928
353 ???                           	0x000000011e38c210 0 + 4802003472
354 ???                           	0x000000011ea9b290 0 + 4809405072
355 ???                           	0x000000011ea9b2f0 0 + 4809405168
356 ???                           	0x000000011ea6e1e0 0 + 4809220576
357 ???                           	0x000000011e6788b0 0 + 4805068976
358 ???                           	0x000000011e3482b0 0 + 4801725104
359 ???                           	0x000000011e34e420 0 + 4801750048
360 ???                           	0x000000011e360fd0 0 + 4801826768
361 ???                           	0x000000011e348310 0 + 4801725200
362 ???                           	0x000000011ea59bf0 0 + 4809137136
363 ???                           	0x000000011e3dbff0 0 + 4802330608
364 ???                           	0x000000011ea9a330 0 + 4809401136
365 ???                           	0x000000011ea59b40 0 + 4809136960
366 ???                           	0x000000011ea9a250 0 + 4809400912
367 ???                           	0x0000000122169630 0 + 4866872880
368 ???                           	0x00000001221694e0 0 + 4866872544
369 ???                           	0x0000000122169590 0 + 4866872720
370 ???                           	0x0000000122169d70 0 + 4866874736
371 ???                           	0x0000000122169e40 0 + 4866874944
372 ???                           	0x000000012216a100 0 + 4866875648
373 ???                           	0x0000000122169fe0 0 + 4866875360
374 ???                           	0x000000012216a090 0 + 4866875536
375 ???                           	0x000000012216a550 0 + 4866876752
376 ???                           	0x000000012216a6a0 0 + 4866877088
377 ???                           	0x000000012216a750 0 + 4866877264
378 ???                           	0x000000012216a8d0 0 + 4866877648
379 ???                           	0x000000012216aa20 0 + 4866877984
380 ???                           	0x000000012216aba0 0 + 4866878368
381 ???                           	0x000000012216ad80 0 + 4866878848
382 ???                           	0x000000012216b1c0 0 + 4866879936
383 ???                           	0x000000012216b620 0 + 4866881056
384 ???                           	0x000000012216b680 0 + 4866881152
385 ???                           	0x000000012216b7a0 0 + 4866881440
386 ???                           	0x000000012216b970 0 + 4866881904
387 ???                           	0x000000012216ba20 0 + 4866882080
388 ???                           	0x000000012216c0c0 0 + 4866883776
389 ???                           	0x000000012216bfc0 0 + 4866883520
390 ???                           	0x000000012216c240 0 + 4866884160
391 ???                           	0x000000012216c370 0 + 4866884464
392 ???                           	0x000000012216c460 0 + 4866884704
393 ???                           	0x000000012216c9e0 0 + 4866886112
394 ???                           	0x000000012216cad0 0 + 4866886352
395 ???                           	0x000000012216cca0 0 + 4866886816
396 ???                           	0x000000012216d1a0 0 + 4866888096
397 ???                           	0x000000012216d600 0 + 4866889216
398 ???                           	0x000000012200a5b0 0 + 4865435056
399 ???                           	0x0000000122008850 0 + 4865427536
400 ???                           	0x000000012200aaf0 0 + 4865436400
401 ???                           	0x000000012200ab50 0 + 4865436496
402 ???                           	0x000000012200b4c0 0 + 4865438912
403 ???                           	0x000000012200b710 0 + 4865439504
404 ???                           	0x000000012200a970 0 + 4865436016
405 ???                           	0x000000012200aa50 0 + 4865436240
406 ???                           	0x000000012200a900 0 + 4865435904
407 ???                           	0x000000012200c360 0 + 4865442656
408 ???                           	0x000000012200c580 0 + 4865443200
409 ???                           	0x000000012200c880 0 + 4865443968
410 ???                           	0x000000012200c630 0 + 4865443376
411 ???                           	0x000000012200be00 0 + 4865441280
412 ???                           	0x000000012200d5c0 0 + 4865447360
413 ???                           	0x000000012200d710 0 + 4865447696
414 ???                           	0x000000012200d870 0 + 4865448048
415 ???                           	0x000000012200da20 0 + 4865448480
416 ???                           	0x000000012200dbd0 0 + 4865448912
417 ???                           	0x000000012200dd80 0 + 4865449344
418 ???                           	0x000000012200df30 0 + 4865449776
419 ???                           	0x000000012200e0a0 0 + 4865450144
420 ???                           	0x000000012200e210 0 + 4865450512
421 ???                           	0x000000012200e380 0 + 4865450880
422 ???                           	0x000000012200e4f0 0 + 4865451248
423 ???                           	0x000000012200e680 0 + 4865451648
424 ???                           	0x000000012200e860 0 + 4865452128
425 ???                           	0x000000012200ea70 0 + 4865452656
426 ???                           	0x000000012200edc0 0 + 4865453504
427 ???                           	0x000000012200f040 0 + 4865454144
428 ???                           	0x000000012200f250 0 + 4865454672
429 ???                           	0x000000012200f420 0 + 4865455136
430 ???                           	0x000000012200f590 0 + 4865455504
431 ???                           	0x000000012200f700 0 + 4865455872
432 ???                           	0x000000012200f870 0 + 4865456240
433 ???                           	0x000000012200f9e0 0 + 4865456608
434 ???                           	0x000000012200fb50 0 + 4865456976
435 ???                           	0x000000012200fcc0 0 + 4865457344
436 ???                           	0x000000012200fe30 0 + 4865457712
437 ???                           	0x0000000122038880 0 + 4865624192
438 ???                           	0x00000001220394b0 0 + 4865627312
439 ???                           	0x000000012202e430 0 + 4865582128
440 ???                           	0x000000012202ecf0 0 + 4865584368
441 ???                           	0x000000012202e810 0 + 4865583120
442 ???                           	0x000000012202efa0 0 + 4865585056
443 ???                           	0x000000012202f060 0 + 4865585248
444 ???                           	0x000000012202d7f0 0 + 4865578992
445 ???                           	0x000000012202d5b0 0 + 4865578416
446 ???                           	0x000000012202f790 0 + 4865587088
447 ???                           	0x000000012202f3d0 0 + 4865586128
448 ???                           	0x000000012202e060 0 + 4865581152
449 ???                           	0x000000012202df70 0 + 4865580912
450 ???                           	0x0000000122039430 0 + 4865627184
451 ???                           	0x000000012202f980 0 + 4865587584
452 ???                           	0x000000012202fa50 0 + 4865587792
453 ???                           	0x000000012202fb10 0 + 4865587984
454 ???                           	0x000000012202fbe0 0 + 4865588192
455 ???                           	0x000000012202fca0 0 + 4865588384
456 ???                           	0x000000012202fd50 0 + 4865588560
457 ???                           	0x000000012201c420 0 + 4865508384
458 ???                           	0x000000012203dcc0 0 + 4865645760
459 ???                           	0x000000012203ec80 0 + 4865649792
460 ???                           	0x00000001220400a0 0 + 4865654944
461 ???                           	0x00000001220350d0 0 + 4865609936
462 ???                           	0x00000001220351a0 0 + 4865610144
463 ???                           	0x0000000122035230 0 + 4865610288
464 ???                           	0x00000001220410c0 0 + 4865659072
465 ???                           	0x0000000122035650 0 + 4865611344
466 ???                           	0x00000001220412a0 0 + 4865659552
467 ???                           	0x0000000122041120 0 + 4865659168
468 ???                           	0x00000001220411d0 0 + 4865659344
469 ???                           	0x0000000122045930 0 + 4865677616
470 ???                           	0x00000001220540e0 0 + 4865736928
471 ???                           	0x00000001220541b0 0 + 4865737136
472 ???                           	0x000000011dfb10d0 0 + 4797960400
473 ???                           	0x000000011dfb1130 0 + 4797960496
474 ???                           	0x000000011fdf1030 0 + 4829679664
475 ???                           	0x000000011dfb6f90 0 + 4797984656
476 ???                           	0x000000011dfb6ff0 0 + 4797984752
477 ???                           	0x000000011fdec450 0 + 4829660240
478 ???                           	0x000000011fdf0fd0 0 + 4829679568
479 ???                           	0x000000011fded920 0 + 4829665568
480 ???                           	0x000000011dfbac10 0 + 4798000144
481 ???                           	0x000000011dfae290 0 + 4797948560
482 ???                           	0x000000011fded8b0 0 + 4829665456
483 ???                           	0x000000011fdf49e0 0 + 4829694432
484 ???                           	0x000000011fdf4c20 0 + 4829695008
485 ???                           	0x000000011dfbca90 0 + 4798007952
486 ???                           	0x000000011dfbc9e0 0 + 4798007776
487 ???                           	0x000000011fdefab0 0 + 4829674160
488 ???                           	0x000000011fdefc30 0 + 4829674544
489 ???                           	0x000000011dfadea0 0 + 4797947552
490 ???                           	0x000000011dfae030 0 + 4797947952
491 ???                           	0x000000011dfae1c0 0 + 4797948352
492 ???                           	0x0000000122054f90 0 + 4865740688
493 ???                           	0x000000011fdef280 0 + 4829672064
494 ???                           	0x0000000122055270 0 + 4865741424
495 ???                           	0x0000000122055330 0 + 4865741616
496 ???                           	0x000000011fdef1d0 0 + 4829671888
497 ???                           	0x000000011dfba720 0 + 4797998880
498 ???                           	0x000000011dfbab50 0 + 4797999952
499 ???                           	0x000000011dfba900 0 + 4797999360
500 ???                           	0x000000011fdf0140 0 + 4829675840
501 ???                           	0x000000011fdf0320 0 + 4829676320
502 ???                           	0x000000011fdf5070 0 + 4829696112
503 ???                           	0x000000011fdf4e20 0 + 4829695520
504 ???                           	0x000000011fdf4ee0 0 + 4829695712
505 ???                           	0x000000011fdf0010 0 + 4829675536
506 ???                           	0x000000011fdefec0 0 + 4829675200
507 ???                           	0x000000011dfbb0d0 0 + 4798001360
508 ???                           	0x000000011dfbb1c0 0 + 4798001600
509 ???                           	0x000000011dfbb330 0 + 4798001968
510 ???                           	0x000000011dfbb580 0 + 4798002560
511 ???                           	0x000000011dfbb4b0 0 + 4798002352



Process:         firefox-bin [6579]
Path:            /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier:      org.mozilla.firefox
Version:         5.0.1 (5.0.1)
Code Type:       X86-64 (Native)
Parent Process:  launchd [185]

Date/Time:       2011-07-27 11:16:49.075 +0200
OS Version:      Mac OS X 10.6.8 (10K540)
Report Version:  6

Interval Since Last Report:          947802 sec
Crashes Since Last Report:           961
Per-App Interval Since Last Report:  11232 sec
Per-App Crashes Since Last Report:   8
Anonymous UUID:                      A20874EC-7280-445C-9882-755000F0127C

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Application Specific Information:
*** error for object 0x13f935ec0: incorrect checksum for freed object - object was probably modified after being freed.
 

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib             	0x00007fff8271e0b6 __kill + 10
1   libSystem.B.dylib             	0x00007fff827be9f6 abort + 83
2   libSystem.B.dylib             	0x00007fff827ad62d szone_error + 519
3   libSystem.B.dylib             	0x00007fff826d9723 tiny_free_list_remove_ptr + 251
4   libSystem.B.dylib             	0x00007fff826d7e35 szone_realloc + 637
5   libSystem.B.dylib             	0x00007fff826d7b7b malloc_zone_realloc + 92
6   libSystem.B.dylib             	0x00007fff826e3c16 realloc + 169
7   libmozalloc.dylib             	0x0000000101ab3b7f moz_xrealloc + 31
8   XUL                           	0x0000000100043fda catch_exception_raise + 116282
9   XUL                           	0x00000001001ec6eb mozilla::layers::LayerUserData::~LayerUserData() + 221755
10  XUL                           	0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
11  XUL                           	0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
12  XUL                           	0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
13  XUL                           	0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
14  XUL                           	0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
15  XUL                           	0x0000000100201769 mozilla::layers::LayerUserData::~LayerUserData() + 307897
16  XUL                           	0x0000000100201d15 mozilla::layers::LayerUserData::~LayerUserData() + 309349
17  XUL                           	0x000000010021da6d mozilla::layers::LayerUserData::~LayerUserData() + 423357
18  XUL                           	0x0000000100604e66 mozilla::layers::ReadbackSink::~ReadbackSink() + 3566006
19  XUL                           	0x00000001005ff541 mozilla::layers::ReadbackSink::~ReadbackSink() + 3543185
20  XUL                           	0x0000000100ca07f5 JSD_DebuggerOnForUser + 947925
21  XUL                           	0x0000000100c9a852 JSD_DebuggerOnForUser + 923442
22  XUL                           	0x0000000100ca9c5d JSD_DebuggerOnForUser + 985917
23  com.apple.AppKit              	0x00007fff887380c7 -[NSWindow sendEvent:] + 8769
24  XUL                           	0x0000000100c933b2 JSD_DebuggerOnForUser + 893586
25  com.apple.AppKit              	0x00007fff8866c8f1 -[NSApplication sendEvent:] + 4198
26  com.apple.AppKit              	0x00007fff886036de -[NSApplication run] + 474
27  XUL                           	0x0000000100c907ad JSD_DebuggerOnForUser + 882317
28  XUL                           	0x0000000100b010b4 js::JSProxyHandler::isOuterWindow() + 609284
29  XUL                           	0x0000000100016940 XRE_main + 11984
30  org.mozilla.firefox           	0x0000000100000af7 start + 471
31  org.mozilla.firefox           	0x0000000100000954 start + 52

Process:         firefox-bin [7802]
Path:            /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier:      org.mozilla.firefox
Version:         5.0.1 (5.0.1)
Code Type:       X86-64 (Native)
Parent Process:  launchd [185]

Date/Time:       2011-07-28 01:50:35.346 +0200
OS Version:      Mac OS X 10.6.8 (10K540)
Report Version:  6

Interval Since Last Report:          962749 sec
Crashes Since Last Report:           966
Per-App Interval Since Last Report:  13694 sec
Per-App Crashes Since Last Report:   10
Anonymous UUID:                      A20874EC-7280-445C-9882-755000F0127C

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000972b81dd8
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   XUL                           	0x0000000101142f09 js_fgets(char*, int, __sFILE*) + 61177
1   XUL                           	0x0000000100bbbc93 JSD_DebuggerOnForUser + 11123
2   XUL                           	0x0000000100bc1ff4 JSD_DebuggerOnForUser + 36564
3   XUL                           	0x0000000100bc69b3 JSD_DebuggerOnForUser + 55443
4   XUL                           	0x0000000100bba2d7 JSD_DebuggerOnForUser + 4535
5   XUL                           	0x0000000101051467 JS_HandleTrap + 135
6   XUL                           	0x00000001010951aa JS_HashTableRemove + 20282
7   XUL                           	0x00000001010ac7bf JS_HashTableRemove + 116047
8   XUL                           	0x00000001010b0b74 JS_HashTableRemove + 133380
9   XUL                           	0x0000000101020826 JS_CallFunction + 294
10  XUL                           	0x00000001010209d9 JS_EvaluateUCScriptForPrincipalsVersion + 105
11  XUL                           	0x0000000100614998 mozilla::layers::ReadbackSink::~ReadbackSink() + 3630312
12  XUL                           	0x000000010044f153 mozilla::layers::ReadbackSink::~ReadbackSink() + 1772707
13  XUL                           	0x000000010044fdbf mozilla::layers::ReadbackSink::~ReadbackSink() + 1775887



Expected results:

non-crashing OOM message and safe garbage-collection
Comment 1 Marc Schoenefeld 2011-07-27 17:10:06 PDT
Created attachment 548979 [details]
reproducer

reproducer created with "python manyvars.py 66000 >many66000.html"

Note: gzipped to fly under size-check radar
Comment 2 Daniel Veditz [:dveditz] 2011-08-17 16:30:31 PDT
Is there a way to expose the JSD interfaces with a stock Firefox (e.g. do the new dev tools do anything like that?)? Is it possible Firebug is abusing the interfaces, or just exposing a bug in core code?
Comment 3 Johnny Stenback (:jst, jst@mozilla.com) 2011-08-18 13:06:55 PDT
David, who should own this sg:critical bug?
Comment 4 Rob Campbell [:rc] (:robcee) 2011-08-19 12:23:07 PDT
(In reply to Daniel Veditz from comment #2)
> Is there a way to expose the JSD interfaces with a stock Firefox (e.g. do
> the new dev tools do anything like that?)? Is it possible Firebug is abusing
> the interfaces, or just exposing a bug in core code?

not currently, no. We've just landed the first pieces of JSD2 but they're currently inaccessible from XPCOM.

It's possible Firebug is doing something funky in its profiler, but we'd need to investigate. CCing dcamp and honza.
Comment 5 Jan Honza Odvarko [:Honza] 2011-08-22 10:34:55 PDT
I was able to crash Firefox once:
https://crash-stats.mozilla.com/report/index/bp-810f9385-48f3-4568-a56b-1671f2110822

The second time: I repeated the scenario from comment #0 10-15 times -> no crash.

I am always seeing "no activity to profile" in Firebug Console panels since no function on the page is actually executed.

> Is it possible Firebug is abusing the interfaces, or just exposing
> a bug in core code?
I don't understand how I should test this. Are there any symptoms I could observe?

Honza
Comment 6 Marc Schoenefeld 2011-08-25 15:09:07 PDT
Hmm, 

it's crashing all the time, this time on Windows.

eax=646e6130 ebx=01e371a0 ecx=00000000 edx=3c6dc47c esi=3c7aa679 edi=3c600000
eip=0057612b esp=0012cafc ebp=0012cb38 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mozilla Firefox\mozjs.dll - 
mozjs!js_CallNewScriptHook+0x1cb:
0057612b 8b483c          mov     ecx,dword ptr [eax+3Ch] ds:0023:646e616c=????????
0:000> kp
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mozilla Firefox\xul.dll - 
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012cb38 106b0670 mozjs!js_CallNewScriptHook+0x1cb
0012cbb4 10994f2b xul!gfxFontTestItem::gfxFontTestItem+0x134c
0012cbe4 10567273 xul!XRE_LockProfileDirectory+0xd6a7
0012cc0c 105c09c7 xul!gfxUnknownSurface::operator=+0x3abb
0012cc38 0050219e xul!mozilla::layers::SwapChainD3D9::Release+0x2f84
0012cc68 0052a741 mozjs!JS_HandleTrap+0xae
0012cd08 0055cd91 mozjs!JS_CompareValues+0x8341
0012cd20 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd38 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd50 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd68 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd80 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd98 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd9c 00000000 mozjs!js::ParseJSONWithReviver+0x16fc1


AdapterDeviceID: 95c4
AdapterVendorID: 1002
Add-ons: firebug@software.joehewitt.com:1.8.1,{972ce4c6-7e08-4474-a285-3208198ce6fd}:6.0
AvailableVirtualMemory: 1277558784
BuildID: 20110811165603
CrashTime: 1314309151
EMCheckCompatibility: true
FramePoisonBase: 00000000f0de0000
FramePoisonSize: 65536
InstallTime: 1314308451
Notes: AdapterVendorID: 1002, AdapterDeviceID: 95c4, AdapterDriverVersion: 8.771.0.0
D3D10 Layers? D3D10 Layers-
D3D9 Layers? D3D9 Layers+

ProductName: Firefox
ReleaseChannel: release
StartupTime: 1314309020
SystemMemoryUsePercentage: 92
Theme: classic/1.0
Throttleable: 1
TotalVirtualMemory: 2147352576
URL: file:///C:/Documents%20and%20Settings/xxxxx/My%20Documents/Downloads/many80000.html
Vendor: Mozilla
Version: 6.0
Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 1 : %SystemRoot%\system32\mswsock.dll 
 MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll 
 MSAFD Tcpip [RAW/IP] : 2 : 3 : %SystemRoot%\system32\mswsock.dll 
 RSVP UDP Service Provider : 6 : 2 : %SystemRoot%\system32\rsvpsp.dll 
 RSVP TCP Service Provider : 6 : 1 : %SystemRoot%\system32\rsvpsp.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{B8F9EEE1-6314-47EE-911C-9348CA08F7DD}] SEQPACKET 5 : 2 : 5 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{B8F9EEE1-6314-47EE-911C-9348CA08F7DD}] DATAGRAM 5 : 2 : 2 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{C9261A52-2EFF-42D1-8D4B-8912983EBA20}] SEQPACKET 4 : 2 : 5 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{C9261A52-2EFF-42D1-8D4B-8912983EBA20}] DATAGRAM 4 : 2 : 2 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{4F8D2818-151D-4D7E-9C92-D837C14F66EF}] SEQPACKET 3 : 2 : 5 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{4F8D2818-151D-4D7E-9C92-D837C14F66EF}] DATAGRAM 3 : 2 : 2 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{5F3968C3-09FB-41D7-9F74-9A4EC98A8B50}] SEQPACKET 0 : 2 : 5 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{5F3968C3-09FB-41D7-9F74-9A4EC98A8B50}] DATAGRAM 0 : 2 : 2 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{7DA11467-4540-4F3D-AB9B-215F637FE578}] SEQPACKET 1 : 2 : 5 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{7DA11467-4540-4F3D-AB9B-215F637FE578}] DATAGRAM 1 : 2 : 2 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{24670179-8EFE-4C09-B51E-C22D48656518}] SEQPACKET 2 : 2 : 5 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{24670179-8EFE-4C09-B51E-C22D48656518}] DATAGRAM 2 : 2 : 2 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{6758F470-A2D1-480B-BAEE-40EE0E56D338}] SEQPACKET 6 : 2 : 5 : %SystemRoot%\system32\mswsock.dll 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{6758F470-A2D1-480B-BAEE-40EE0E56D338}] DATAGRAM 6 : 2 : 2 : %SystemRoot%\system32\mswsock.dll

This report also contains technical information about the state of the application when it crashed.
Comment 7 Marc Schoenefeld 2011-08-25 15:53:28 PDT
And crashing on Linux (Firefox 6 from mozilla bz2 distro on Fedora 14): 

Program received signal SIGSEGV, Segmentation fault.
0x01b1045b in ?? () from /home/schonef/Downloads/firefox/libxul.so

(gdb) disass $pc,$pc+1
Dump of assembler code from 0x1b1045b to 0x1b1045c:
=> 0x01b1045b:	mov    (%edi,%eax,4),%esi
End of assembler dump.
(gdb) i r 
eax            0xff7e0000	-8519680
ecx            0x3	3
edx            0x0	0
ebx            0x1f299c4	32676292
esp            0xbfadf220	0xbfadf220
ebp            0x86100000	0x86100000
esi            0xaafec920	-1426142944
edi            0x861dc47c	-2044869508
eip            0x1b1045b	0x1b1045b
eflags         0x210282	[ SF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) bt
#0  0x01b1045b in ?? () from /home/schonef/Downloads/firefox/libxul.so
#1  0x880ed920 in ?? ()
#2  0x86100000 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Comment 8 David Mandelin [:dmandelin] 2011-08-25 15:57:38 PDT
(In reply to Marc Schoenefeld from comment #6)
> Hmm, 
> 
> it's crashing all the time, this time on windows. 

By 'crashing all the time', do you mean even when you don't do something in Firebug?

I was poking at this briefly the other day, and it crashed for me on Windows without Firebug. I had it down to an NPE. I was waiting for the chance to check out the Firebug angle before posting, because if that was an NPE too, then it's not sg:critical.
Comment 9 David Mandelin [:dmandelin] 2011-09-01 14:08:01 PDT
Bill, were you able to reproduce this?
Comment 10 Bill McCloskey (:billm) 2011-09-01 14:10:06 PDT
No. I tried it on Windows with Firefox 6 and Firebug, but it didn't crash.
Comment 11 Marc Schoenefeld 2011-09-02 03:38:20 PDT
You did follow this procedure? 

1) open many66000.html (depending on your setup it may be necessary to generate  a reproducer with more functions)
2) open firebug 
3) do while not crash (and press continue on long running script) 
3a) press "OK"   (in hello box) 
3b) press "profile" 


How many times did you try to loop the "profile" steps 3a and 3b? In my experiments it often took only 1-3 times to crash.
Comment 12 Marc Schoenefeld 2011-09-02 03:44:05 PDT
Created attachment 557794 [details]
Simplified testcase (zipped for resource constraints)

Simplified testcase (MacBook Air 4GB, OSX 10.6.7, Ffx6) 

i) get firebug installed
ii) open -a "Firefox" many80000.html
iii) get crash, without any clicks


Process:         firefox-bin [4053]
Path:            /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier:      org.mozilla.firefox
Version:         6.0 (6.0)
Code Type:       X86-64 (Native)
Parent Process:  launchd [187]

Date/Time:       2011-09-02 12:40:21.914 +0200
OS Version:      Mac OS X 10.6.8 (10K549)
Report Version:  6

Interval Since Last Report:          920607 sec
Crashes Since Last Report:           282
Per-App Interval Since Last Report:  179952 sec
Per-App Crashes Since Last Report:   5
Anonymous UUID:                      A20874EC-7280-445C-9882-755000F0127C

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000093d9b88d8
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   XUL                           	0x0000000101179b19 js_fgets(char*, int, __sFILE*) + 56889
1   XUL                           	0x0000000100bde113 JSD_DebuggerOnForUser + 11123
2   XUL                           	0x0000000100be4474 JSD_DebuggerOnForUser + 36564
3   XUL                           	0x0000000100be8e33 JSD_DebuggerOnForUser + 55443
4   XUL                           	0x0000000100bdc757 JSD_DebuggerOnForUser + 4535
5   XUL                           	0x000000010108fa37 JS_HandleTrap + 135
6   XUL                           	0x00000001010d423a JS_HashTableRemove + 29466
7   XUL                           	0x00000001010ed5ef JS_HashTableRemove + 132815
8   XUL                           	0x00000001010ed923 JS_HashTableRemove + 133635
9   XUL                           	0x0000000101064f16 JS_CallFunction + 294
10  XUL                           	0x00000001010650d9 JS_EvaluateUCScriptForPrincipalsVersion + 105
11  XUL                           	0x0000000100631888 mozilla::layers::ReadbackSink::~ReadbackSink() + 3659704
12  XUL                           	0x000000010046a643 mozilla::layers::ReadbackSink::~ReadbackSink() + 1795443
13  XUL                           	0x000000010046b2af mozilla::layers::ReadbackSink::~ReadbackSink() + 1798623
14  XUL                           	0x000000010046c475 mozilla::layers::ReadbackSink::~ReadbackSink() + 1803173
15  XUL                           	0x0000000100469111 mozilla::layers::ReadbackSink::~ReadbackSink() + 1790017
16  XUL                           	0x0000000100554565 mozilla::layers::ReadbackSink::~ReadbackSink() + 2753685
17  XUL                           	0x00000001005533a3 mozilla::layers::ReadbackSink::~ReadbackSink() + 2749139
18  XUL                           	0x0000000100754419 mozilla::layers::ReadbackSink::~ReadbackSink() + 4850505
19  XUL                           	0x0000000100756265 mozilla::layers::ReadbackSink::~ReadbackSink() + 4858261
20  XUL                           	0x000000010075989d mozilla::layers::ReadbackSink::~ReadbackSink() + 4872141
21  XUL                           	0x0000000100e5a2a3 XRE_AddStaticComponent + 27043
22  XUL                           	0x0000000100e1642e mac_plugin_interposing_child_OnSetCursor + 678126
23  XUL                           	0x0000000100ced5dd JSD_DebuggerOnForUser + 1122365
24  XUL                           	0x0000000100cb7207 JSD_DebuggerOnForUser + 900199
25  com.apple.CoreFoundation      	0x00007fff83644401 __CFRunLoopDoSources0 + 1361
26  com.apple.CoreFoundation      	0x00007fff836425f9 __CFRunLoopRun + 873
27  com.apple.CoreFoundation      	0x00007fff83641dbf CFRunLoopRunSpecific + 575
28  com.apple.HIToolbox           	0x00007fff8379c7ee RunCurrentEventLoopInMode + 333
29  com.apple.HIToolbox           	0x00007fff8379c5f3 ReceiveNextEventCommon + 310
30  com.apple.HIToolbox           	0x00007fff8379c4ac BlockUntilNextEventMatchingListInMode + 59
31  com.apple.AppKit              	0x00007fff8849beb2 _DPSNextEvent + 708
32  com.apple.AppKit              	0x00007fff8849b801 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
33  com.apple.AppKit              	0x00007fff8846168f -[NSApplication run] + 395
34  XUL                           	0x0000000100cb6b9d JSD_DebuggerOnForUser + 898557
35  XUL                           	0x0000000100b23164 js::JSProxyHandler::isOuterWindow() + 602612
36  XUL                           	0x00000001000169ef XRE_main + 12015
37  org.mozilla.firefox           	0x0000000100000af7 start + 471
38  org.mozilla.firefox           	0x0000000100000954 start + 52
Comment 13 Bill McCloskey (:billm) 2011-09-02 12:39:41 PDT
Created attachment 557918 [details] [diff] [review]
fix

This should fix it. It was one of those trap things. I added a few more js_GetOpcode calls to take care of it. I have a 2MB testcase that triggers every time in the shell and the patch fixes it. I'll check the testcase in along with the patch. I'm guessing it's too big to attach here.
Comment 15 Bill McCloskey (:billm) 2011-09-21 08:41:20 PDT
https://hg.mozilla.org/mozilla-central/rev/c207eea54777
Comment 16 Bill McCloskey (:billm) 2011-09-22 10:26:06 PDT
This is to convert the big test case into a smaller one that generates the code and then calls evaluate. Suggested by jorendorff.

https://hg.mozilla.org/integration/mozilla-inbound/rev/267250a4595e
Comment 17 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-09-22 18:01:32 PDT
https://hg.mozilla.org/mozilla-central/rev/267250a4595e
Comment 18 Johnny Stenback (:jst, jst@mozilla.com) 2011-09-29 13:19:29 PDT
Is this fix good for aurora and beta? If so, please request approval, if not, can this fix be backported w/o tons of work?
Comment 19 Bill McCloskey (:billm) 2011-09-30 15:32:05 PDT
Comment on attachment 557918 [details] [diff] [review]
fix

I don't think any of this code has changed in a while, so the patch should apply to aurora and beta. I think the risk should be pretty low, and it avoids a crash.
Comment 20 Asa Dotzler [:asa] 2011-10-03 14:40:25 PDT
billm, thanks for the preliminary risk analysis. Could you tell us what could go wrong or what to look out for if something did go wrong?
Comment 21 Bill McCloskey (:billm) 2011-10-05 14:41:40 PDT
I'm not sure how likely it is that this will be hit by accident. It requires a really huge JS script. I'm mainly worried about security. The bug causes a bad JS object pointer to be created (since it's basically an array-out-of-bounds error). From there, you can do lots of bad things. I think sg:crit is the right designation.
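The mechanism behind comments 13 and 21, as an added model in C that is not SpiderMonkey code and not part of this bug's patch: in SpiderMonkey of that era, JS_SetTrap overwrote the opcode byte at the trapped pc with JSOP_TRAP and kept the original opcode in a trap table, and js_GetOpcode returned that original opcode. Any bytecode walker that read the raw byte instead saw a one-byte JSOP_TRAP, advanced one byte, and resynchronised inside the operand bytes of the real instruction, so operand bytes got decoded as opcodes and indexes. The model below shows that failure with a raw-byte walker beside a trap-aware one, plus a bounds check on the decoded index; the opcode numbers, the 16-bit operand layout and the per-script object table are assumptions made for this example, not the engine's real layouts.

```c
/* Added illustrative model (not SpiderMonkey code).  Opcode numbers,
 * operand layout and the object table are assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { OP_NOP = 0, OP_GETOBJ = 1, OP_RET = 2, OP_TRAP = 3 };
#define MAX_TRAPS 8

typedef struct {
    uint8_t code[32];
    size_t  length;
    size_t  nobjects;          /* entries in the per-script object table */
} Script;

typedef struct { size_t pc; uint8_t orig_op; } Trap;
typedef struct { Trap entries[MAX_TRAPS]; size_t count; } TrapTable;

/* Bytes each instruction occupies.  OP_TRAP is a one-byte placeholder,
 * like JSOP_TRAP, so a walker that takes it at face value advances by 1
 * and lands inside the operand bytes of the instruction it replaced. */
static size_t op_length(uint8_t op) { return op == OP_GETOBJ ? 3 : 1; }

/* Install a trap: remember the original opcode, overwrite it in place. */
static int set_trap(Script *s, TrapTable *t, size_t pc) {
    if (pc >= s->length || t->count >= MAX_TRAPS) return -1;
    t->entries[t->count].pc = pc;
    t->entries[t->count].orig_op = s->code[pc];
    t->count++;
    s->code[pc] = OP_TRAP;
    return 0;
}

/* Counterpart of js_GetOpcode: the opcode the instruction really is. */
static uint8_t get_opcode(const Script *s, const TrapTable *t, size_t pc) {
    uint8_t raw = s->code[pc];
    if (raw == OP_TRAP)
        for (size_t i = 0; i < t->count; i++)
            if (t->entries[i].pc == pc) return t->entries[i].orig_op;
    return raw;
}

/* Collect every object-table index named by OP_GETOBJ.  honor_traps == 0
 * reproduces the defect: the raw byte is used, so after a trapped
 * OP_GETOBJ the walk continues inside that instruction's operand bytes. */
static size_t collect_object_indices(const Script *s, const TrapTable *t,
                                     int honor_traps, uint16_t *out,
                                     size_t max_out) {
    size_t n = 0, pc = 0;
    while (pc < s->length) {
        uint8_t op = honor_traps ? get_opcode(s, t, pc) : s->code[pc];
        if (op == OP_GETOBJ) {
            if (pc + 2 >= s->length) break;           /* truncated operand */
            uint16_t idx = (uint16_t)((s->code[pc + 1] << 8) | s->code[pc + 2]);
            if (n < max_out) out[n++] = idx;
        } else if (op == OP_RET) {
            break;
        }
        pc += op_length(op);
    }
    return n;
}

/* Defense in depth: never index the object table with an unchecked value.
 * Returns the first out-of-range index, or -1 if all are in range. */
static long first_out_of_range(const Script *s, const uint16_t *idx, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (idx[i] >= s->nobjects) return (long)idx[i];
    return -1;
}

/* Constructed sample: GETOBJ 1; GETOBJ 0; RET, with a 2-entry object table
 * and a debugger trap on the first instruction. */
static size_t demo_indices(int honor_traps, Script *s, uint16_t *idx, size_t max) {
    const uint8_t code[] = { OP_GETOBJ, 0x00, 0x01, OP_GETOBJ, 0x00, 0x00, OP_RET };
    TrapTable t;
    memset(s, 0, sizeof *s);
    memset(&t, 0, sizeof t);
    memcpy(s->code, code, sizeof code);
    s->length = sizeof code;
    s->nobjects = 2;
    set_trap(s, &t, 0);
    return collect_object_indices(s, &t, honor_traps, idx, max);
}

static size_t demo_index_count(int honor_traps) {
    Script s; uint16_t idx[8];
    return demo_indices(honor_traps, &s, idx, 8);
}

static long demo_first_oob(int honor_traps) {
    Script s; uint16_t idx[8];
    size_t n = demo_indices(honor_traps, &s, idx, 8);
    return first_out_of_range(&s, idx, n);
}

int main(void) {
    printf("raw-byte walker:   %zu index(es), first out of range: %ld\n",
           demo_index_count(0), demo_first_oob(0));
    printf("trap-aware walker: %zu index(es), first out of range: %ld\n",
           demo_index_count(1), demo_first_oob(1));
    return 0;
}
```

With the trap installed, the raw-byte walker reads the operand bytes 0x00 0x01 as NOP and GETOBJ, then takes the next instruction's opcode and first operand byte as a 16-bit index of 256, far past a two-entry table; the trap-aware walker recovers the intended indices 1 and 0. The larger the script, the more operand bytes there are to misread, which is why the page-with-many-functions reproducer makes this class of bug easy to hit.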
Comment 22 christian 2011-10-06 14:25:03 PDT
Sorry, we meant risk of regressions / way this patch can go wrong if we do take it.
Comment 23 Bill McCloskey (:billm) 2011-10-06 14:33:54 PDT
This patch won't alter behavior aside from fixing the bug. There's a chance that the patch itself is buggy, but it's pretty small so that doesn't seem too likely.
Comment 24 Bill McCloskey (:billm) 2011-10-10 16:17:05 PDT
https://hg.mozilla.org/releases/mozilla-beta/rev/9844fb4852ee

I forgot that this already went to Aurora in the last merge, so I only had to land it on beta.
Comment 25 Johnny Stenback (:jst, jst@mozilla.com) 2011-10-10 17:03:31 PDT
I verified that this got merged to aurora already, so marking this fixed for 8 and 9 (and 10 too, while I'm at it)!
Comment 26 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-10-13 10:43:45 PDT
qa+ for verification with the testcase in comment 0.
Comment 27 Daniel Veditz [:dveditz] 2011-10-19 17:17:00 PDT
Does this affect 3.6.x?
Comment 28 Bill McCloskey (:billm) 2011-10-26 18:57:51 PDT
Comment on attachment 557918 [details] [diff] [review]
fix

This applies to 1.9.2. I don't see any reason not to take it. This code hasn't changed much.
Comment 29 christian 2011-10-27 09:58:03 PDT
Comment on attachment 557918 [details] [diff] [review]
fix

Approved for 1.9.2.24. Please land on releases/mozilla-1.9.2 on the default branch ASAP.
Comment 30 Bill McCloskey (:billm) 2011-10-27 15:16:14 PDT
https://hg.mozilla.org/releases/mozilla-1.9.2/rev/60d2c636b778
Comment 31 Al Billings [:abillings] 2011-11-01 12:42:56 PDT
I can't reproduce the crash with Firebug 1.7.3, Firefox 3.6.23, and Windows XP. I've been unable to verify the fix in 3.6.24 because of that.
Comment 32 Huzaifa Sidhpurwala 2011-11-07 20:23:13 PST
Does this issue get a CVE id?
Comment 34 Henrik Skupin (:whimboo) 2011-12-06 02:47:34 PST
With Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111204 Firefox/11.0a1 and Firebug 1.9.0b3 installed the browser totally freezes when using the testcase from comment 12. Why don't we abort the script execution? Should this be filed as a new bug?

Bill, can you please give us a response so we can continue to verify this patch? Thanks.
Comment 35 Bill McCloskey (:billm) 2011-12-12 11:00:12 PST
(In reply to Henrik Skupin (:whimboo) from comment #34)
> With Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111204
> Firefox/11.0a1 and Firebug 1.9.0b3 installed the browser totally freezes
> when using the testcase from comment 12. Why don't we abort the script
> execution? Should this be filed as a new bug?
> 
> Bill, can you please give us a response so we can continue to verity this
> patch? Thanks.

I loaded the page from comment 12. It freezes for about a second for me. Is that what you're talking about? This isn't really unexpected, since we have to parse 5.6MB of JS code, and parsing happens atomically. We have future plans to make parsing be resumable, but I don't think that's relevant to this bug. As long as it doesn't crash, this bug is not being triggered.
Comment 36 Raymond Forbes[:rforbes] 2013-07-19 18:12:45 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719
