crash in nsJSContext::ExecuteScript @ JS_ExecuteScript mainly with Free Download Manager

NEW
Unassigned

Status


Core
JavaScript Engine
--
critical
6 years ago
4 years ago

People

(Reporter: nhirata, Unassigned)

Tracking

({crash})

Trunk
All
Windows 7
crash
Points:
---

Firefox Tracking Flags

(firefox18 affected, firefox19- affected, firefox20 unaffected, firefox21 unaffected, fennec-)

Details

(Whiteboard: [js:t][startupcrash], crash signature)

This bug was filed from the Socorro interface and is report bp-b7ea8f86-4a04-4432-96ec-1e8692120610.
============================================================= 
Frame 	Module 	Signature 	Source
0 	libxul.so 	JS_ExecuteScript 	js/src/jsapi.cpp:5298
1 	libxul.so 	nsFrameScriptExecutor::LoadFrameScriptInternal 	content/base/src/nsFrameMessageManager.cpp:732
2 	libxul.so 	nsInProcessTabChildGlobal::LoadFrameScript 	content/base/src/nsInProcessTabChildGlobal.cpp:326
3 	libxul.so 	LoadScript 	content/base/src/nsFrameLoader.cpp:2035
4 	libxul.so 	nsFrameMessageManager::LoadFrameScript 	content/base/src/nsFrameMessageManager.cpp:142
5 	libxul.so 	nsFrameMessageManager::LoadFrameScript 	content/base/src/nsFrameMessageManager.cpp:151
6 	libxul.so 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
7 	libxul.so 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:3107
8 	libxul.so 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1500
9 	libxul.so 	js::InvokeKernel 	js/src/jscntxtinlines.h:395
10 	libxul.so 	js::Interpret 	js/src/jsinterp.cpp:2456
11 	libxul.so 	js::RunScript 	js/src/jsinterp.cpp:267
12 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:322
13 	libxul.so 	JS_CallFunctionValue 	js/src/jsapi.cpp:5481
14 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1474
15 	libxul.so 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:579
16 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
17 	libxul.so 	libxul.so@0xa6edd7 	
18 	libxul.so 	nsObserverList::NotifyObservers 	xpcom/ds/nsObserverList.cpp:99
19 	libxul.so 	nsObserverService::NotifyObservers 	xpcom/ds/nsObserverService.cpp:149
20 	libxul.so 	nsGlobalWindow::DispatchDOMWindowCreated 	dom/base/nsGlobalWindow.cpp:2139
21 	libxul.so 	nsRunnableMethodImpl<void , true>::Run 	nsThreadUtils.h:313
22 	libxul.so 	nsContentUtils::RemoveScriptBlocker 	content/base/src/nsContentUtils.cpp:4883
23 	libxul.so 	DocumentViewerImpl::InitInternal 	nsContentUtils.h:2189
24 	libxul.so 	DocumentViewerImpl::Init 	layout/base/nsDocumentViewer.cpp:676
25 	libxul.so 	nsDocShell::SetupNewViewer 	docshell/base/nsDocShell.cpp:7801
26 	libxul.so 	nsDocShell::Embed 	docshell/base/nsDocShell.cpp:5880
27 	libxul.so 	nsDocShell::CreateAboutBlankContentViewer 	docshell/base/nsDocShell.cpp:6615
28 	libxul.so 	nsDocShell::EnsureContentViewer 	docshell/base/nsDocShell.cpp:6508
29 	libxul.so 	nsDocShell::GetInterface 	docshell/base/nsDocShell.cpp:941
30 	libxul.so 	nsGetInterface::operator 	obj-firefox/xpcom/build/nsIInterfaceRequestorUtils.cpp:19
31 	libxul.so 	nsCOMPtr_base::assign_from_helper 	obj-firefox/xpcom/build/nsCOMPtr.cpp:117
32 	libxul.so 	nsGlobalWindow::GetDocument 	nsCOMPtr.h:598
33 	libxul.so 	nsGlobalWindow::WrapObject 	dom/base/nsPIDOMWindow.h:325
34 	libxul.so 	XPCConvert::NativeInterface2JSObject 	js/xpconnect/src/XPCConvert.cpp:875
35 	libxul.so 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:323
36 	libxul.so 	XPCWrappedNative::CallMethod 	js/xpconnect/src/xpcprivate.h:3247
37 	libxul.so 	XPC_WN_GetterSetter 	js/xpconnect/src/xpcprivate.h:2754
38 	libxul.so 	js::InvokeGetterOrSetter 	js/src/jscntxtinlines.h:395
39 	libxul.so 	js_NativeGet 	js/src/jsscopeinlines.h:274
40 	libxul.so 	js::NativeGet 	js/src/jsinterpinlines.h:135
41 	libxul.so 	js::Interpret 	js/src/jsinterpinlines.h:374
42 	libxul.so 	js::RunScript 	js/src/jsinterp.cpp:267
43 	libxul.so 	js::Execute 	js/src/jsinterp.cpp:455
44 	libxul.so 	JS_ExecuteScript 	js/src/jsapi.cpp:5320
45 	libxul.so 	nsFrameScriptExecutor::LoadFrameScriptInternal 	content/base/src/nsFrameMessageManager.cpp:732
46 	libxul.so 	nsInProcessTabChildGlobal::LoadFrameScript 	content/base/src/nsInProcessTabChildGlobal.cpp:326
47 	libxul.so 	nsAsyncScriptLoad::Run 	content/base/src/nsInProcessTabChildGlobal.cpp:306
48 	libxul.so 	nsContentUtils::RemoveScriptBlocker 	content/base/src/nsContentUtils.cpp:4883
49 	libxul.so 	nsDocument::EndUpdate 	content/base/src/nsDocument.cpp:3994
50 	libxul.so 	nsXULDocument::EndUpdate 	content/xul/document/src/nsXULDocument.cpp:3303
51 	libxul.so 	mozAutoDocUpdate::~mozAutoDocUpdate 	content/base/src/mozAutoDocUpdate.h:35
52 	libxul.so 	nsINode::ReplaceOrInsertBefore 	content/base/src/nsGenericElement.cpp:4352
53 	libxul.so 	nsINode::ReplaceOrInsertBefore 	nsINode.h:1438
54 	libxul.so 	nsIDOMNode_AppendChild 	nsINode.h:476
55 	libxul.so 	js::InvokeKernel 	js/src/jscntxtinlines.h:395
56 	libxul.so 	js::Interpret 	js/src/jsinterp.cpp:2456
57 	libxul.so 	js::RunScript 	js/src/jsinterp.cpp:267
58 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:322
59 	libxul.so 	JS_CallFunctionValue 	js/src/jsapi.cpp:5481
60 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1474
61 	libxul.so 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:579
62 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
63 	libxul.so 	libxul.so@0xa6edd7 	
64 	libxul.so 	nsObserverList::NotifyObservers 	xpcom/ds/nsObserverList.cpp:99
65 	libxul.so 	nsObserverService::NotifyObservers 	xpcom/ds/nsObserverService.cpp:149
66 	libxul.so 	nsAppShell::ProcessNextNativeEvent 	widget/android/nsAppShell.cpp:493
67 	libxul.so 	nsBaseAppShell::DoProcessNextNativeEvent 	widget/xpwidgets/nsBaseAppShell.cpp:139
68 	libxul.so 	nsBaseAppShell::OnProcessNextEvent 	widget/xpwidgets/nsBaseAppShell.cpp:280
69 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:586
70 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:213
71 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
72 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
73 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
74 	libxul.so 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
75 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:256
76 	libxul.so 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3781
77 	libxul.so 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3858
78 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3934
79 	libxul.so 	GeckoStart 	toolkit/xre/nsAndroidStartup.cpp:73
80 	libmozglue.so 	libmozglue.so@0x10899 	
81 	dalvik-LinearAlloc (deleted) 	dalvik-LinearAlloc @0x28c3f6 	
82 	libdvm.so 	libdvm.so@0x1ec72 	
83 	dalvik-heap (deleted) 	dalvik-heap @0xe1d6de 	
84 	libdvm.so 	libdvm.so@0x5906b 	
85 	data@app@org.mozilla.fennec-1.apk@classes.dex 	data@app@org.mozilla.fennec-1.apk@classes.dex@0x11fa05 	
86 	libmozglue.so 	libmozglue.so@0x10847 	
87 	data@app@org.mozilla.fennec-1.apk@classes.dex 	data@app@org.mozilla.fennec-1.apk@classes.dex@0x1097ba 	
88 	libc.so 	libc.so@0x14a13 	
89 	libdvm.so 	libdvm.so@0x98f4d 	
90 	libc.so 	libc.so@0x15877 	
91 	libmozglue.so 	libmozglue.so@0x10847 	
92 	data@app@org.mozilla.fennec-1.apk@classes.dex 	data@app@org.mozilla.fennec-1.apk@classes.dex@0x1097ba 	
93 	libc.so 	libc.so@0x15877 	
94 	libmozglue.so 	libmozglue.so@0x10847 	
95 	data@app@org.mozilla.fennec-1.apk@classes.dex 	data@app@org.mozilla.fennec-1.apk@classes.dex@0x1097ba 	
96 	libc.so 	libc.so@0x15ed9 	
97 	libdvm.so 	libdvm.so@0x5b009 	
98 	core.odex 	core.odex@0x1e46b6 	
99 	dalvik-LinearAlloc (deleted) 	dalvik-LinearAlloc @0x347e 	
100 	dalvik-mark-stack (deleted) 	dalvik-mark-stack @0x36009c2 	
133 	libdvm.so 	libdvm.so@0x5fb3f 	
134 	libdvm.so 	libdvm.so@0x6cabb 	
135 	libdvm.so 	libdvm.so@0xb7c56 	
136 	libdvm.so 	libdvm.so@0x5fb3f 	
137 	libdvm.so 	libdvm.so@0xb2f8e 	
138 	libdvm.so 	libdvm.so@0x5fbef 	
139 	dalvik-mark-stack (deleted) 	dalvik-mark-stack @0x36009c2 	
140 	libdvm.so 	libdvm.so@0x5fb3f 	
141 	libc.so 	libc.so@0x12c1e 	
142 	libc.so 	libc.so@0x12772


Only 1 URL listed : about:blank

Note: not listing this as a top crash because of the sheer number of duplicates among the crash reports. See the signature listings for more details:
https://crash-stats.mozilla.com/report/list?range_value=3&range_unit=days&date=2012-06-12&signature=JS_ExecuteScript&version=FennecAndroid%3A16.0a1
The crash in question happens on a line added in bug 746036, so CC'ing dmandelin.

Updated

6 years ago
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Fennec Native → Core
QA Contact: general → general
Whiteboard: [native-crash], startupcrash → [native-crash][startupcrash]
Version: Firefox 16 → Trunk
This is the #3 topcrash for Fennec 16, but does not appear in Fennec 14 or 15 crash stats.
tracking-fennec: --- → ?
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected

Comment 4

6 years ago
(In reply to Naoki Hirata :nhirata from comment #3)
> Placing in as topcrash
with only 2 users that hit this crash?
Whiteboard: [native-crash][startupcrash] → [js:t][native-crash][startupcrash]

Updated

6 years ago
Keywords: topcrash
tracking-fennec: ? → +

Updated

6 years ago
OS: All → Windows 7
Summary: crash in [@ JS_ExecuteScript] → crash in nsJSContext::ExecuteScript @ JS_ExecuteScript
Whiteboard: [js:t][native-crash][startupcrash] → [js:t][startupcrash]

Updated

6 years ago
tracking-fennec: + → ?
status-firefox14: unaffected → ---
status-firefox15: unaffected → ---
status-firefox16: affected → ---
I don't see this crash in any of the top crash lists. Not tracking.
tracking-fennec: ? → -

Comment 6

5 years ago
The stack trace now looks like:
Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JS_ExecuteScript 	js/src/jsapi.cpp:5531
1 	xul.dll 	nsJSContext::ExecuteScript 	dom/base/nsJSEnvironment.cpp:1661
2 	xul.dll 	nsXULDocument::ExecuteScript 	content/xul/document/src/nsXULDocument.cpp:3552
3 	xul.dll 	nsXULDocument::ExecuteScript 	content/xul/document/src/nsXULDocument.cpp:3572
4 	xul.dll 	nsXULDocument::OnStreamComplete 	content/xul/document/src/nsXULDocument.cpp:3451
5 	xul.dll 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:101
6 	xul.dll 	nsStreamListenerWrapper::OnStopRequest 	obj-firefox/dist/include/nsStreamListenerWrapper.h:25
7 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
8 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2400
9 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
10 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:369
11 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2338
12 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:326
13 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:381
14 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:414
15 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5771
16 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1432

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JS_ExecuteScript
https://crash-stats.mozilla.com/report/list?signature=JS_ExecuteScript%28JSContext*%2C+JSObject*%2C+JSScript*%2C+JS%3A%3AValue*%29
Crash Signature: [@ JS_ExecuteScript] → [@ JS_ExecuteScript] [@ JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*)]
status-firefox18: --- → affected
status-firefox19: --- → affected

Comment 7

5 years ago
It's the #18 top browser crasher in 19.0b5.
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
tracking-firefox19: --- → ?
Keywords: topcrash

Comment 8

5 years ago
It's correlated to Free Download Manager 1.5.7.6 and above:
* 18.0.2:
     92% (196/212) vs.   0% (668/137733) fdm_ffext@freedownloadmanager.org
          0% (1/212) vs.   0% (7/137733) 1.5.5
          0% (0/212) vs.   0% (1/137733) 1.5.7.4
         34% (72/212) vs.   0% (290/137733) 1.5.7.6
          2% (4/212) vs.   0% (7/137733) 1.5.7.7
         56% (119/212) vs.   0% (363/137733) 1.5.7.9
* 19.0 Beta:
     88% (123/139) vs.   0% (409/87231) fdm_ffext@freedownloadmanager.org
          0% (0/139) vs.   0% (1/87231) 1.5.5
          0% (0/139) vs.   0% (3/87231) 1.5.7.4
         32% (45/139) vs.   0% (128/87231) 1.5.7.6
          0% (0/139) vs.   0% (5/87231) 1.5.7.7
         56% (78/139) vs.   0% (272/87231) 1.5.7.9
Summary: crash in nsJSContext::ExecuteScript @ JS_ExecuteScript → crash in nsJSContext::ExecuteScript @ JS_ExecuteScript mainly with Free Download Manager

Updated

5 years ago
tracking-firefox19: ? → +

Comment 9

5 years ago
CC'ing somebody from FDM (blind guess), and also leaving them a note at http://www.freedownloadmanager.org/support.htm
This is now #55, so dropping it off the tracking list.
tracking-firefox19: + → -

Updated

5 years ago
Keywords: topcrash

Comment 11

5 years ago
I don't think there is something to do with FDM here.

Comment 12

5 years ago
(In reply to Alervd from comment #11)
> I don't think there is something to do with FDM here.
It's a startup crash in 19.0 correlated to FDM:
     95% (254/266) vs.   0% (906/192123) fdm_ffext@freedownloadmanager.org
         30% (79/266) vs.   0% (398/192123) 1.5.7.6
         66% (175/266) vs.   0% (498/192123) 1.5.7.9
I don't know how easily it can be reproduced.

Comment 13

5 years ago
OK, why don't I see the code related to FDM in the stack trace then?
I'll try to explain. It seems that the FDM extension's JS code uses Firefox objects in some incorrect way. Maybe. But it's the Firefox component that must behave correctly when given incorrect input.

The only suspicion I have is about this code:

fdm_brcache.js.


// Registers freeDldMgr_brCacheListener for the three http-on-* observer
// topics and hooks window unload so the registration can be torn down.
// The observers are added with ownsWeak=false, i.e. the observer service
// holds a strong reference; freeDldMgr_brCache_unload is defined elsewhere
// and presumably removes them — verify against that function.
function freeDldMgr_brCacheRegisterObserver ()
{
  var topics = [
    "http-on-modify-request",
    "http-on-examine-response",
    "http-on-examine-cached-response"
    // "http-on-examine-merged-response" is intentionally not registered
  ];
  var observerService = Components.classes["@mozilla.org/observer-service;1"]
              .getService(Components.interfaces.nsIObserverService);
  for (var i = 0; i < topics.length; i++)
    observerService.addObserver(freeDldMgr_brCacheListener, topics[i], false);
  window.addEventListener("unload", freeDldMgr_brCache_unload, false);
}


THEN:

var freeDldMgr_brCacheListener = { 
 // Observer callback for the http-on-* topics registered in
 // freeDldMgr_brCacheRegisterObserver. Non-HTTP subjects are ignored.
 // For http-on-modify-request the request is only reported; for the two
 // examine-response topics a freeDldMgr_TracingListener is spliced into the
 // channel's listener chain through nsITraceableChannel.setNewListener.
 observe: function (subject, topic, data) {
   if (!(subject instanceof Components.interfaces.nsIHttpChannel))
     return;
   subject.QueryInterface(Components.interfaces.nsIHttpChannel);
   var channelUrl = freeDldMgr_ExtractUrlFromHttpChannel (subject);

   if (topic == "http-on-modify-request")
   {
     freeDldMgr_FDM1.onHttpActivity (channelUrl);
     var srcWindow = freeDldMgr_findChannelWindow (subject);
     if (srcWindow)
     {
       var topWindow = srcWindow.top;
       if (topWindow)
         freeDldMgr_FDM1.OnNewHttpRequest (channelUrl, topWindow.location.href);
     }
     return;
   }

   // Any other topic is an examine-response notification: wrap the channel's
   // listener. Only cached responses get their body copied (bJustNotify false).
   var onlyNotify = (topic != "http-on-examine-cached-response");
   var tracer = new freeDldMgr_TracingListener();
   tracer.Url = channelUrl;
   tracer.bJustNotify = onlyNotify;
   if (onlyNotify)
     freeDldMgr_FDM1.onHttpActivity (channelUrl);

   var headers = freeDldMgr_ExtractHttpHeadersFromHttpChannel (subject);
   if (!onlyNotify)
     tracer.httpDlgUID = freeDldMgr_CacheMon.OnNewHttpDialog (channelUrl, headers.reqH, headers.respH);
   // setNewListener returns the listener we displace; the tracer forwards to it.
   subject.QueryInterface(Components.interfaces.nsITraceableChannel);
   tracer.originalListener = subject.setNewListener(tracer);
 },

etc...


AND THE MAIN THING IS HERE (MAYBE):

// Constructor for the nsIStreamListener shim spliced into a traced channel.
// Deliberately empty: every field has a default on the prototype and the
// caller (observe) fills in Url, bJustNotify, httpDlgUID and originalListener.
function freeDldMgr_TracingListener() { }

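// nsIStreamListener shim that freeDldMgr_brCacheListener.observe splices into a
// traced HTTP channel. Each callback forwards to originalListener (the listener
// displaced by nsITraceableChannel.setNewListener). When bJustNotify is false
// the response body is additionally copied to freeDldMgr_CacheMon as it arrives.
//
// Change from the original: failures inside the FDM-side reporting calls
// (onHttpActivity, OnDataReceived, OnDialogClosed) are now contained so they
// can no longer prevent the displaced listener from receiving its data and its
// onStopRequest. Previously a throw from onHttpActivity in the notify-only
// branch set bDontCallOriginalListener even though the displaced listener had
// not thrown, and a throw from OnDialogClosed skipped onStopRequest entirely,
// leaving the channel's listener chain unterminated.
freeDldMgr_TracingListener.prototype =
{
    originalListener: null,            // listener we displaced; set by observe
    httpDlgUID : 0,                    // id returned by freeDldMgr_CacheMon.OnNewHttpDialog
    bJustNotify : false,               // true: pass data straight through, only report activity
    Url : "",
    bDontCallOriginalListener : false, // set once originalListener itself has thrown

    // Forward onStartRequest. If the displaced listener throws, stop handing it
    // data; onStopRequest is still delivered so the chain terminates.
    onStartRequest: function(request, context) {
        try {
            this.originalListener.onStartRequest(request, context);
        } catch (e) {
            this.bDontCallOriginalListener = true;
        }
    },

    onDataAvailable: function(request, context, inputStream, offset, count)
    {
        if (!this.bJustNotify)
        {
            // fix for firebug error: Firebug may define Cc/Ci/CCIN/CCSV globally.
            // Because `var` is function-scoped, the locals below shadow any such
            // globals inside this function, so the typeof checks for Cc and Ci
            // always succeed here. NOTE(review): function declarations inside
            // if-blocks are non-standard pre-ES6 and engine-dependent; kept as
            // in the original extension code.
            if (typeof Cc == "undefined") {
                var Cc = Components.classes;
            }
            if (typeof Ci == "undefined") {
                var Ci = Components.interfaces;
            }
            if (typeof CCIN == "undefined") {
                function CCIN(cName, ifaceName){
                    return Cc[cName].createInstance(Ci[ifaceName]);
                }
            }
            if (typeof CCSV == "undefined") {
                function CCSV(cName, ifaceName){
                    if (Cc[cName])
                        // if fbs fails to load, the error can be _CC[cName] has no properties
                        return Cc[cName].getService(Ci[ifaceName]);
                    else
                        // dumpError is not defined anywhere in the quoted code
                        dumpError("CCSV fails for cName:" + cName);
                }
            }

            var binaryInputStream = CCIN("@mozilla.org/binaryinputstream;1",
                "nsIBinaryInputStream");
            var storageStream = CCIN("@mozilla.org/storagestream;1", "nsIStorageStream");
            var binaryOutputStream = CCIN("@mozilla.org/binaryoutputstream;1","nsIBinaryOutputStream");

            binaryInputStream.setInputStream(inputStream);
            storageStream.init(8192, count, null);
            binaryOutputStream.setOutputStream(storageStream.getOutputStream(0));

            // Copy received data as they come. readByteArray drains the channel's
            // stream, so the displaced listener must be handed a new stream over
            // the copy (storageStream) rather than the original inputStream.
            var data = binaryInputStream.readByteArray (count);

            // Reporting to the cache monitor must not starve the real listener.
            try {
                freeDldMgr_CacheMon.OnDataReceived (this.httpDlgUID, count, data);
            } catch (e) {
                // swallowed deliberately: the displaced listener still gets its data
            }

            binaryOutputStream.writeByteArray(data, count);

            if (!this.bDontCallOriginalListener)
                this.originalListener.onDataAvailable (request, context,
                    storageStream.newInputStream(0), offset, count);
        }
        else // bJustNotify is true
        {
            try {
                freeDldMgr_FDM1.onHttpActivity (this.Url);
            } catch (e) {
                // swallowed deliberately: activity reporting is best-effort
            }
            if (!this.bDontCallOriginalListener) {
                try {
                    this.originalListener.onDataAvailable (request, context, inputStream, offset, count);
                } catch (e) {
                    this.bDontCallOriginalListener = true;
                }
            }
        }
    },

    // Always deliver onStopRequest to the displaced listener so the channel's
    // listener chain terminates, even if closing the dialog on the FDM side throws.
    onStopRequest: function(request, context, statusCode)
    {
        if (!this.bJustNotify) {
            try {
                freeDldMgr_CacheMon.OnDialogClosed (this.httpDlgUID);
            } catch (e) {
                // swallowed deliberately: the original listener must still be stopped
            }
        }
        this.originalListener.onStopRequest(request, context, statusCode);
    },

    QueryInterface: function (aIID) {
        if (aIID.equals(Components.interfaces.nsIStreamListener) || aIID.equals(Components.interfaces.nsISupports))
        {
            return this;
        }
        throw Components.results.NS_NOINTERFACE;
    }
};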

P.S. Sorry, I don't know how to use formatting (if it's available here).

Comment 14

5 years ago
Maybe somebody from Firefox dev team could check this code....

Comment 15

5 years ago
(In reply to Alervd from comment #14)
> Maybe somebody from Firefox dev team could check this code....
Firefox 20 and above are unaffected, so it's already fixed.
(Assignee)

Updated

4 years ago
Assignee: general → nobody