Infinite recursion loop crashes Firefox when Firebug is installed

RESOLVED WONTFIX

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Opened: 7 years ago
Modified: 9 months ago
Reporter: Sebastian Zartner
Assignee: Unassigned
Version: 9 Branch
Platform: x86, Windows 7
Keywords: crash
Whiteboard: js-triage-needed, crash signature
Attachments: 1 attachment

(Reporter)

Description

7 years ago
See https://crash-stats.mozilla.com/report/index/bp-911001c0-b0b5-4703-a737-0299a2110829

I used Firebug's Command Editor to execute the following lines of code:

function test() {
  return test();
}

test();

Stack overflow, this could be a dupe
Assignee: nobody → general
Severity: normal → critical
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
(Reporter)

Comment 2

7 years ago
> this could be a dupe
Probably yes. I don't think I am the only one that experienced that problem, because it's that easy to reproduce.

Btw., since Bugzilla changed its issue report system, the "Report this Crash" link doesn't prefill the issue title anymore. I think that was possible before, though I have only posted one or two bugs for crash reports so far.

This works in general, no (in that recursion protection kicks in).  What's special about the Firebug command editor?
(Reporter)

Comment 4

7 years ago
Well, I just tested this on another PC and just used the new Scratchpad of Firefox.
Result: Firefox doesn't crash, but it gets completely unresponsive. The message for unresponsive scripts appears after a while (~3 minutes). Clicking "Stop script" doesn't stop it. Instead I get the message again after waiting a bit longer.

The Firebug Command Editor works by eval()ing the entered code. Honza can surely explain this in more detail.

(In reply to Boris Zbarsky (:bz) from comment #3)
> This works in general, no (in that recursion protection kicks in).  What's
> special about the Firebug command editor?

Not an answer, but: bug 643360 showed that there are ways to trigger infinite recursion "underneath" the JS engine, within JSD. In fact, that patch never landed, but the details of this bug and the stack make it sound dissimilar.
(Reporter)

Comment 6

7 years ago
I can't reproduce the test case of bug 643360 with FF 6.0 + FB 1.8.1 and FF 9.0a1 + FB 1.9.0a1 under Windows 7.
Whiteboard: js-triage-needed

(In reply to Sebastian Zartner from comment #4)
> The Firebug Command Editor works by eval()ing the entered code. Honza can
> surely explain this in more detail.

0) The user executes an expression on Firebug's command line.
1) Firebug uses win.document.setUserData to pass the expression into the page.
2) Firebug sends an event to the page (using win.document.dispatchEvent)
3) The page catches the event, gets the expression and calls: window.eval(expr)

Honza
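
The behaviour comment 3 calls "recursion protection", shown for the comment 0 test case when it is passed as a string to eval() as in step 3 above. This is an added example, not part of the bug report or Firebug's code; `TEST_CASE`, `evalGuarded` and `probeDepth` are hypothetical names, and it runs in any standalone JS engine (no JSD involved).

```javascript
// Test case from comment 0, kept as a string because the command line
// hands the user's expression to eval() as text.
const TEST_CASE = 'function test() { return test(); } test();';

// Evaluate an expression in global scope (indirect eval) and report
// whether the engine's recursion guard stopped it with a catchable error.
function evalGuarded(expr) {
  const globalEval = eval; // calling through an alias makes the eval indirect
  try {
    return { ok: true, value: globalEval(expr) };
  } catch (e) {
    // SpiderMonkey throws InternalError "too much recursion";
    // V8 throws RangeError "Maximum call stack size exceeded".
    const guard = e instanceof RangeError ||
      Boolean(e && e.name === 'InternalError');
    return { ok: false, guard, name: e && e.name, message: String(e && e.message) };
  }
}

// Count how many frames fit before the guard fires. The number depends on
// the engine, the stack size and the frame size, so treat it as a probe only.
function probeDepth() {
  let depth = 0;
  function dive() { depth++; dive(); }
  try { dive(); } catch (e) { /* guard fired, stack has unwound */ }
  return depth;
}

const result = evalGuarded(TEST_CASE);
console.log('guard fired:', result.guard, '(' + result.name + ')');
console.log('frames before guard:', probeDepth());
// The engine is still usable after the overflow was caught.
console.log('follow-up eval:', evalGuarded('1 + 1').value);
```

With the guard working, the overflow surfaces as an ordinary exception and the next evaluation succeeds; the crash and freeze reported in this bug are the cases where that did not happen.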

Updated

7 years ago
Crash Signature: [@ XPCJSStackFrame::Release() ]

Created attachment 576126
Simple debugger - test extension

(In reply to Boris Zbarsky (:bz) from comment #3)
> This works in general, no (in that recursion protection kicks in).  What's
> special about the Firebug command editor?
I think that the special thing is that JSD is activated 

STR:
1) Install the attached extension (activates JSD and hooks jsd.debugHook, jsd.errorHook)
2) load following page (the timeout is probably not necessary, just helpful for me when debugging):

<html><body>
<script type="application/javascript;version=1.8">
    setTimeout(function()
    {
        function hello() { hello(); }
        hello();
    }, 5000);
</script>
</body></html>

3) Wait for Firefox crash

Honza

Mozilla/5.0 (Windows NT 6.1; rv:11.0a1) Gecko/20111127 Firefox/11.0a1

I have run the tests from comment #8 and comment #9 and no crash occurred. Firebug is not compatible with Firefox 11 (Nightly).

Sebastian, Jan - are you able to reproduce the crash on latest Nightly, with a clean profile?

Thank you!
(Reporter)

Comment 11

7 years ago
I didn't run the test of comment 8, but of comment 0 and comment 9 using FF 11.0a1 + FB 1.9.0b2 (SVN) and Firefox doesn't crash anymore.
That's the good news. The bad one is, that it still freezes (without showing the Unresponsive Script message).

Sebastian

So is this basically a duplicate of bug 643360?  I guess this one has better str (e.g. a test extension).
Blocks: 643360
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Infinite recursion loop crashes Firefox → Infinite recursion loop crashes Firefox when Firebug is installed
Duplicate of this bug: 715080
Duplicate of this bug: 723844
(Reporter)

Comment 15

6 years ago
I'm unsure, if both issues are caused by the same problem.
I can still reproduce the crash of bug 643360 (see https://crash-stats.mozilla.com/report/index/bp-c4a6f554-43e3-44e3-ad1a-c529c2120228 and https://crash-stats.mozilla.com/report/index/a6826e2a-c7e1-40de-920a-227532120228).
Though trying the test case here causes Firefox to freeze (no unresponsive script message, no crash reporter).
This issue seems more like a duplicate of bug 647636.

Sebastian

Another test:

http://users.skumleren.net/cers/test/mrjones.html

I think it is JSD since using the Firefox native debugger doesn't have the same effect, and I'm guessing it uses JSD2.

Updated

6 years ago
Depends on: 749981
(Assignee)

Updated

4 years ago
Assignee: general → nobody

Updated

3 years ago
Crash Signature: [@ XPCJSStackFrame::Release() ] → [@ XPCJSStackFrame::Release() ] [@ XPCJSStackFrame::Release ]

Firebug is going away, so closing this.

Sebastian
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → WONTFIX