Closed Bug 734167 Opened 14 years ago Closed 14 years ago

Crash in JS_ReportError caused by unbounded recursion

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
13 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jrmuizel, Assigned: dmandelin)

References

(
URL
)

Details

(Keywords: crash, regression, reproducible)

Crash Data

Caused by this page: http://people.mozilla.org/~jmuizelaar/cnn.html Started with today's nightly. Was fine yesterday. #21839 0x0000000102292e89 in InitExnPrivate () #21840 0x000000010229381e in js_ErrorToException () #21841 0x00000001022763c4 in ReportError () #21842 0x00000001022768ac in js_ReportErrorVA () #21843 0x0000000102247960 in JS_ReportError () #21844 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl () #21845 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess () #21846 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess () #21847 0x0000000102292e89 in InitExnPrivate () #21848 0x000000010229381e in js_ErrorToException () #21849 0x00000001022763c4 in ReportError () #21850 0x00000001022768ac in js_ReportErrorVA () #21851 0x0000000102247960 in JS_ReportError () #21852 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl () #21853 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess () #21854 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess () #21855 0x0000000102292e89 in InitExnPrivate () #21856 0x000000010229381e in js_ErrorToException () #21857 0x00000001022763c4 in ReportError () #21858 0x00000001022768ac in js_ReportErrorVA () #21859 0x0000000102247960 in JS_ReportError () #21860 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl () #21861 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess () #21862 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess () #21863 0x0000000102292e89 in InitExnPrivate () #21864 0x000000010229381e in js_ErrorToException () #21865 0x00000001022763c4 in ReportError () #21866 0x00000001022768ac in js_ReportErrorVA () #21867 0x0000000102247960 in JS_ReportError () #21868 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl () #21869 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess () #21870 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess () #21871 0x0000000102292e89 in InitExnPrivate () #21872 0x000000010229381e in js_ErrorToException () #21873 0x00000001022763c4 in ReportError () #21874 0x00000001022768ac in js_ReportErrorVA () #21875 0x0000000102247960 in JS_ReportError () #21876 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl () #21877 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess () #21878 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess () #21879 0x0000000102292e89 in InitExnPrivate () #21880 0x000000010229381e in js_ErrorToException () #21881 0x00000001022763c4 in ReportError () #21882 0x00000001022768ac in js_ReportErrorVA () #21883 0x0000000102247960 in JS_ReportError () #21884 0x00000001018645d2 in nsScriptSecurityManager::CheckPropertyAccessImpl () #21885 0x0000000101864862 in nsScriptSecurityManager::CheckPropertyAccess () #21886 0x000000010185e5c6 in nsScriptSecurityManager::CheckObjectAccess () #21887 0x0000000102292e89 in InitExnPrivate () #21888 0x000000010229381e in js_ErrorToException () #21889 0x00000001022763c4 in ReportError () #21890 0x0000000102278685 in js_ReportErrorNumberVA () #21891 0x0000000102247695 in JS_ReportErrorNumber () #21892 0x00000001022e13f6 in js::Interpret () #21893 0x00000001022e1775 in js::RunScript () #21894 0x00000001022e1dd2 in js::InvokeKernel () #21895 0x00000001022e23a4 in js::Invoke () #21896 0x00000001022567b2 in JS_CallFunctionValue () #21897 0x00000001016f686f in nsJSContext::CallEventHandler () #21898 0x0000000101762850 in nsJSEventListener::HandleEvent () #21899 0x0000000101566d95 in nsEventListenerManager::HandleEventInternal () #21900 0x0000000101586b93 in nsEventTargetChainItem::HandleEventTargetChain () #21901 0x00000001015878bf in nsEventDispatcher::Dispatch () #21902 0x000000010122d83c in DocumentViewerImpl::LoadComplete () #21903 0x0000000101b5f676 in nsDocShell::EndPageLoad () #21904 0x0000000101b633f8 in nsDocShell::OnStateChange () #21905 0x0000000101b7879a in nsDocLoader::DoFireOnStateChange () #21906 0x0000000101b79688 in nsDocLoader::doStopDocumentLoad () #21907 0x0000000101b7afd1 in nsDocLoader::DocLoaderIsEmpty () #21908 0x0000000101b7b357 in nsDocLoader::OnStopRequest () #21909 0x0000000101049670 in nsLoadGroup::RemoveRequest () #21910 0x000000010147fdd5 in nsDocument::DoUnblockOnload () #21911 0x000000010158590d in nsLoadBlockingAsyncDOMEvent::~nsLoadBlockingAsyncDOMEvent () #21912 0x0000000101f09e2e in nsRunnable::Release () #21913 0x0000000101f49bb6 in nsThread::ProcessNextEvent () #21914 0x000000010100af0d in NS_ProcessNextEvent_P () #21915 0x00000001014f97c7 in nsXMLHttpRequest::Send () #21916 0x0000000101b07cc1 in nsIXMLHttpRequest_Send () #21917 0x00000001022e1d9d in js::InvokeKernel () #21918 0x00000001022d4166 in js::Interpret () #21919 0x00000001022e1775 in js::RunScript () #21920 0x00000001022e1939 in js::ExecuteKernel () #21921 0x00000001022e1b48 in js::Execute () #21922 0x0000000102256b67 in EvaluateUCScriptForPrincipalsCommon () #21923 0x0000000102256c81 in JS_EvaluateUCScriptForPrincipalsVersionOrigin () #21924 0x00000001016f5acb in nsJSContext::EvaluateString () #21925 0x00000001014d741f in nsScriptLoader::EvaluateScript () #21926 0x00000001014d8984 in nsScriptLoader::ProcessRequest () #21927 0x00000001014da44e in nsScriptLoader::ProcessPendingRequests () #21928 0x00000001014da816 in nsScriptLoader::OnStreamComplete () #21929 0x00000001010649ba in nsStreamLoader::OnStopRequest () #21930 0x0000000101064442 in nsStreamListenerTee::OnStopRequest () #21931 0x00000001010e354c in nsHttpChannel::OnStopRequest () #21932 0x0000000101042ff0 in nsInputStreamPump::OnStateStop () #21933 0x0000000101043a18 in nsInputStreamPump::OnInputStreamReady () #21934 0x0000000101f35854 in nsInputStreamReadyEvent::Run () #21935 0x0000000101f49bab in nsThread::ProcessNextEvent () #21936 0x0000000101f0a02e in NS_ProcessPendingEvents_P () #21937 0x0000000101db5d2b in nsBaseAppShell::NativeEventCallback () #21938 0x0000000101d7c715 in nsAppShell::ProcessGeckoEvents () #21939 0x00007fff80ef6401 in __CFRunLoopDoSources0 () #21940 0x00007fff80ef45f9 in __CFRunLoopRun () #21941 0x00007fff80ef3dbf in CFRunLoopRunSpecific () #21942 0x00007fff8553a74e in RunCurrentEventLoopInMode () #21943 0x00007fff8553a553 in ReceiveNextEventCommon () #21944 0x00007fff8553a40c in BlockUntilNextEventMatchingListInMode () #21945 0x00007fff837f5eb2 in _DPSNextEvent () #21946 0x00007fff837f5801 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #21947 0x0000000101d7bb21 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #21948 0x00007fff837bb68f in -[NSApplication run] () #21949 0x0000000101d7bf3d in nsAppShell::Run () #21950 0x0000000101bdc2a4 in nsAppStartup::Run () #21951 0x00000001010190f0 in XRE_main () #21952 0x0000000100001e13 in main ()
Wild guessing at bug 734167
Severity: normal → critical
Crash Signature: ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)] [@ nsStandardURL::GetScheme(nsACString_internal&)] [@ NS_SecurityCompareURIs(nsIURI*, nsIURI*, bool)] [@ dosprintf] void**)] [@ nsScriptSecurityManager::CheckPropertyAccessImpl(unsigne…
tracking-firefox13: --- → ?
Keywords: crash, regression, reproducible, topcrash
OS: Mac OS X → All
Hardware: x86 → All
Version: unspecified → 13 Branch
(In reply to Jeff Muizelaar [:jrmuizel] from comment #1) > Regression window: > http://hg.mozilla.org/projects/profiling/ > pushloghtml?fromchange=826a3a489c1c&tochange=289d9f1e6ca6 I'd say bug 704259.
Blocks: 704259
Crash Signature: ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)] [@ nsStandardURL::GetScheme(nsACString_internal&)] [@ NS_SecurityCompareURIs(nsIURI*, nsIURI*, bool)] [@ dosprintf] → nsIURI*, bool)] [@ dosprintf] SecurityLevel*)] [@ PL_DHashTableOperate | nsScriptSecurityManager::LookupPolicy(nsIPrincipal*, ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)] [@ nsStandardURL::GetScheme(nsACString_internal&)] [@ NS_S…
Assignee: general → dmandelin
Crash Signature: nsIURI*, bool)] [@ dosprintf] → nsIURI*, bool)] [@ dosprintf] [@ choose_arena] [@ JS_FrameIterator]
Based on crash stats and the test case in comment 0, it seems to be fixed in 13.0a1/20120309. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2f6368ca605e&tochange=08809a43e082 It's fixed by the backout of the first patch in bug 704259.
tracking-firefox13: ? → ---
Keywords: topcrash
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.