Crash in JS_ReportError caused by unbounded recursion

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Version: 13 Branch
Keywords: crash, regression, reproducible
Reporter: jrmuizel
Assignee: dmandelin
Firefox Tracking Flags: Not tracked

(Reporter)

Description

6 years ago
Caused by this page:
http://people.mozilla.org/~jmuizelaar/cnn.html

Started with today's nightly. Was fine yesterday.

#21839 0x0000000102292e89 in InitExnPrivate ()
#21840 0x000000010229381e in js_ErrorToException ()
#21841 0x00000001022763c4 in ReportError ()
#21842 0x00000001022768ac in js_ReportErrorVA ()
#21843 0x0000000102247960 in JS_ReportError ()
#21844 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl ()
#21845 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess ()
#21846 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess ()
#21847 0x0000000102292e89 in InitExnPrivate ()
#21848 0x000000010229381e in js_ErrorToException ()
#21849 0x00000001022763c4 in ReportError ()
#21850 0x00000001022768ac in js_ReportErrorVA ()
#21851 0x0000000102247960 in JS_ReportError ()
#21852 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl ()
#21853 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess ()
#21854 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess ()
#21855 0x0000000102292e89 in InitExnPrivate ()
#21856 0x000000010229381e in js_ErrorToException ()
#21857 0x00000001022763c4 in ReportError ()
#21858 0x00000001022768ac in js_ReportErrorVA ()
#21859 0x0000000102247960 in JS_ReportError ()
#21860 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl ()
#21861 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess ()
#21862 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess ()
#21863 0x0000000102292e89 in InitExnPrivate ()
#21864 0x000000010229381e in js_ErrorToException ()
#21865 0x00000001022763c4 in ReportError ()
#21866 0x00000001022768ac in js_ReportErrorVA ()
#21867 0x0000000102247960 in JS_ReportError ()
#21868 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl ()
#21869 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess ()
#21870 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess ()
#21871 0x0000000102292e89 in InitExnPrivate ()
#21872 0x000000010229381e in js_ErrorToException ()
#21873 0x00000001022763c4 in ReportError ()
#21874 0x00000001022768ac in js_ReportErrorVA ()
#21875 0x0000000102247960 in JS_ReportError ()
#21876 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl ()
#21877 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess ()
#21878 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess ()
#21879 0x0000000102292e89 in InitExnPrivate ()
#21880 0x000000010229381e in js_ErrorToException ()
#21881 0x00000001022763c4 in ReportError ()
#21882 0x00000001022768ac in js_ReportErrorVA ()
#21883 0x0000000102247960 in JS_ReportError ()
#21884 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl ()
#21885 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess ()
#21886 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess ()
#21887 0x0000000102292e89 in InitExnPrivate ()
#21888 0x000000010229381e in js_ErrorToException ()
#21889 0x00000001022763c4 in ReportError ()
#21890 0x0000000102278685 in js_ReportErrorNumberVA ()
#21891 0x0000000102247695 in JS_ReportErrorNumber ()
#21892 0x00000001022e13f6 in js::Interpret ()
#21893 0x00000001022e1775 in js::RunScript ()
#21894 0x00000001022e1dd2 in js::InvokeKernel ()
#21895 0x00000001022e23a4 in js::Invoke ()
#21896 0x00000001022567b2 in JS_CallFunctionValue ()
#21897 0x00000001016f686f in nsJSContext::CallEventHandler ()
#21898 0x0000000101762850 in nsJSEventListener::HandleEvent ()
#21899 0x0000000101566d95 in nsEventListenerManager::HandleEventInternal ()
#21900 0x0000000101586b93 in nsEventTargetChainItem::HandleEventTargetChain ()
#21901 0x00000001015878bf in nsEventDispatcher::Dispatch ()
#21902 0x000000010122d83c in DocumentViewerImpl::LoadComplete ()
#21903 0x0000000101b5f676 in nsDocShell::EndPageLoad ()
#21904 0x0000000101b633f8 in nsDocShell::OnStateChange ()
#21905 0x0000000101b7879a in nsDocLoader::DoFireOnStateChange ()
#21906 0x0000000101b79688 in nsDocLoader::doStopDocumentLoad ()
#21907 0x0000000101b7afd1 in nsDocLoader::DocLoaderIsEmpty ()
#21908 0x0000000101b7b357 in nsDocLoader::OnStopRequest ()
#21909 0x0000000101049670 in nsLoadGroup::RemoveRequest ()
#21910 0x000000010147fdd5 in nsDocument::DoUnblockOnload ()
#21911 0x000000010158590d in nsLoadBlockingAsyncDOMEvent::~nsLoadBlockingAsyncDOMEvent ()
#21912 0x0000000101f09e2e in nsRunnable::Release ()
#21913 0x0000000101f49bb6 in nsThread::ProcessNextEvent ()
#21914 0x000000010100af0d in NS_ProcessNextEvent_P ()
#21915 0x00000001014f97c7 in nsXMLHttpRequest::Send ()
#21916 0x0000000101b07cc1 in nsIXMLHttpRequest_Send ()
#21917 0x00000001022e1d9d in js::InvokeKernel ()
#21918 0x00000001022d4166 in js::Interpret ()
#21919 0x00000001022e1775 in js::RunScript ()
#21920 0x00000001022e1939 in js::ExecuteKernel ()
#21921 0x00000001022e1b48 in js::Execute ()
#21922 0x0000000102256b67 in EvaluateUCScriptForPrincipalsCommon ()
#21923 0x0000000102256c81 in JS_EvaluateUCScriptForPrincipalsVersionOrigin ()
#21924 0x00000001016f5acb in nsJSContext::EvaluateString ()
#21925 0x00000001014d741f in nsScriptLoader::EvaluateScript ()
#21926 0x00000001014d8984 in nsScriptLoader::ProcessRequest ()
#21927 0x00000001014da44e in nsScriptLoader::ProcessPendingRequests ()
#21928 0x00000001014da816 in nsScriptLoader::OnStreamComplete ()
#21929 0x00000001010649ba in nsStreamLoader::OnStopRequest ()
#21930 0x0000000101064442 in nsStreamListenerTee::OnStopRequest ()
#21931 0x00000001010e354c in nsHttpChannel::OnStopRequest ()
#21932 0x0000000101042ff0 in nsInputStreamPump::OnStateStop ()
#21933 0x0000000101043a18 in nsInputStreamPump::OnInputStreamReady ()
#21934 0x0000000101f35854 in nsInputStreamReadyEvent::Run ()
#21935 0x0000000101f49bab in nsThread::ProcessNextEvent ()
#21936 0x0000000101f0a02e in NS_ProcessPendingEvents_P ()
#21937 0x0000000101db5d2b in nsBaseAppShell::NativeEventCallback ()
#21938 0x0000000101d7c715 in nsAppShell::ProcessGeckoEvents ()
#21939 0x00007fff80ef6401 in __CFRunLoopDoSources0 ()
#21940 0x00007fff80ef45f9 in __CFRunLoopRun ()
#21941 0x00007fff80ef3dbf in CFRunLoopRunSpecific ()
#21942 0x00007fff8553a74e in RunCurrentEventLoopInMode ()
#21943 0x00007fff8553a553 in ReceiveNextEventCommon ()
#21944 0x00007fff8553a40c in BlockUntilNextEventMatchingListInMode ()
#21945 0x00007fff837f5eb2 in _DPSNextEvent ()
#21946 0x00007fff837f5801 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#21947 0x0000000101d7bb21 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#21948 0x00007fff837bb68f in -[NSApplication run] ()
#21949 0x0000000101d7bf3d in nsAppShell::Run ()
#21950 0x0000000101bdc2a4 in nsAppStartup::Run ()
#21951 0x00000001010190f0 in XRE_main ()
#21952 0x0000000100001e13 in main ()
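
The backtrace above repeats one eight-frame sequence, from InitExnPrivate through nsScriptSecurityManager::CheckObjectAccess and back into InitExnPrivate. As an added triage example (not part of the original report and not Mozilla code), this Python sketch finds such a repeating cycle in a gdb-style backtrace. The helper names `parse_frames`, `find_recursion_cycle` and `build_sample` are hypothetical, and the sample trace is constructed from frame names in the report with placeholder addresses.

```python
import re

# gdb "bt" line as shown in the report: "#21839 0x0000000102292e89 in InitExnPrivate ()"
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+\(\)$")

def parse_frames(text):
    """Return the function names of a backtrace, innermost frame first."""
    names = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            names.append(m.group(2))
    return names

def find_recursion_cycle(names, min_repeats=3, max_period=32):
    """Return (start_index, cycle, repeats) for the back-to-back repeat covering
    the most frames, or None if nothing repeats min_repeats times."""
    best = None
    for period in range(1, max_period + 1):
        i = 0
        while i + period * min_repeats <= len(names):
            unit = names[i:i + period]
            reps = 1
            while names[i + reps * period:i + (reps + 1) * period] == unit:
                reps += 1
            if reps >= min_repeats:
                # Strictly greater coverage only, so shorter cycles win ties.
                if best is None or reps * period > best[2] * len(best[1]):
                    best = (i, unit, reps)
                i += reps * period  # skip past the run just measured
            else:
                i += 1
    return best

# Constructed sample: frame names come from the report, addresses are placeholders.
CYCLE = ["InitExnPrivate", "js_ErrorToException", "ReportError", "js_ReportErrorVA",
         "JS_ReportError", "nsScriptSecurityManager::CheckPropertyAccessImpl",
         "nsScriptSecurityManager::CheckPropertyAccess",
         "nsScriptSecurityManager::CheckObjectAccess"]
TAIL = ["InitExnPrivate", "js_ErrorToException", "ReportError", "js_ReportErrorNumberVA",
        "JS_ReportErrorNumber", "js::Interpret", "js::RunScript", "main"]

def build_sample(repeats=6):
    frames = CYCLE * repeats + TAIL
    return "\n".join(f"#{n} 0x{0x1000 + n:016x} in {name} ()" for n, name in enumerate(frames))

if __name__ == "__main__":
    print(find_recursion_cycle(parse_frames(build_sample())))
```

The reported cycle names the frames to inspect for a missing re-entrancy guard: here, an access check that reports an error while the exception object for a previous error is still being initialized.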
(Reporter)

Comment 1

6 years ago
Regression window:
http://hg.mozilla.org/projects/profiling/pushloghtml?fromchange=826a3a489c1c&tochange=289d9f1e6ca6
(Reporter)

Comment 2

6 years ago
Wild guessing at bug 734167

Updated

6 years ago
Severity: normal → critical
Crash Signature: ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)] [@ nsStandardURL::GetScheme(nsACString_internal&)] [@ NS_SecurityCompareURIs(nsIURI*, nsIURI*, bool)] [@ dosprintf] void**)] [@ nsScriptSecurityManager::CheckPropertyAccessImpl(…
tracking-firefox13: --- → ?
Keywords: crash, regression, reproducible, topcrash
OS: Mac OS X → All
Hardware: x86 → All
Version: unspecified → 13 Branch

Comment 3

6 years ago
(In reply to Jeff Muizelaar [:jrmuizel] from comment #1)
> Regression window:
> http://hg.mozilla.org/projects/profiling/pushloghtml?fromchange=826a3a489c1c&tochange=289d9f1e6ca6
I'd say bug 704259.
Blocks: 704259
Crash Signature: ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)] [@ nsStandardURL::GetScheme(nsACString_internal&)] [@ NS_SecurityCompareURIs(nsIURI*, nsIURI*, bool)] [@ dosprintf] void**)] [@ nsScriptSecurityManager::CheckPropertyAccessImpl(… → nsIURI*, bool)] [@ dosprintf] SecurityLevel*)] [@ PL_DHashTableOperate | nsScriptSecurityManager::LookupPolicy(nsIPrincipal*, ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)] [@ nsStandardURL::GetScheme(nsACString_internal&)] …

Updated

6 years ago
Duplicate of this bug: 734428
(Assignee)

Updated

6 years ago
Assignee: general → dmandelin

Updated

6 years ago
Crash Signature: ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)] [@ nsScriptSecurityManager::LookupPolicy(nsIPrincipal*, ClassInfoData&, __int64, unsigned int, ClassPolicy** nsIURI*, bool)] [@ dosprintf] SecurityLevel*)] [@ PL_DHashTableOperat… → ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)] [@ nsScriptSecurityManager::LookupPolicy(nsIPrincipal*, ClassInfoData&, __int64, unsigned int, ClassPolicy** nsIURI*, bool)] [@ dosprintf] [@ choose_arena] [@ JS_FrameIterator] …

Comment 5

6 years ago
Based on crash stats and the test case in comment 0, it seems to be fixed in 13.0a1/20120309. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2f6368ca605e&tochange=08809a43e082
It's fixed by the backout of the first patch in bug 704259.
tracking-firefox13: ? → ---
Keywords: topcrash
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED