Closed Bug 763912 Opened 13 years ago Closed 6 years ago

crash in nsJSContext::ExecuteScript @ JS_ExecuteScript mainly with Free Download Manager

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox18 --- affected
firefox19 - affected
firefox20 --- unaffected
firefox21 --- unaffected
fennec - ---

People

(Reporter: nhirata, Unassigned)

Details

(Keywords: crash, Whiteboard: [js:t][startupcrash])

Crash Data

This bug was filed from the Socorro interface and is report bp-b7ea8f86-4a04-4432-96ec-1e8692120610 . ============================================================= Frame Module Signature Source 0 libxul.so JS_ExecuteScript js/src/jsapi.cpp:5298 1 libxul.so nsFrameScriptExecutor::LoadFrameScriptInternal content/base/src/nsFrameMessageManager.cpp:732 2 libxul.so nsInProcessTabChildGlobal::LoadFrameScript content/base/src/nsInProcessTabChildGlobal.cpp:326 3 libxul.so LoadScript content/base/src/nsFrameLoader.cpp:2035 4 libxul.so nsFrameMessageManager::LoadFrameScript content/base/src/nsFrameMessageManager.cpp:142 5 libxul.so nsFrameMessageManager::LoadFrameScript content/base/src/nsFrameMessageManager.cpp:151 6 libxul.so NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160 7 libxul.so XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:3107 8 libxul.so XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1500 9 libxul.so js::InvokeKernel js/src/jscntxtinlines.h:395 10 libxul.so js::Interpret js/src/jsinterp.cpp:2456 11 libxul.so js::RunScript js/src/jsinterp.cpp:267 12 libxul.so js::Invoke js/src/jsinterp.cpp:322 13 libxul.so JS_CallFunctionValue js/src/jsapi.cpp:5481 14 libxul.so nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1474 15 libxul.so nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:579 16 libxul.so PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105 17 libxul.so libxul.so@0xa6edd7 18 libxul.so nsObserverList::NotifyObservers xpcom/ds/nsObserverList.cpp:99 19 libxul.so nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:149 20 libxul.so nsGlobalWindow::DispatchDOMWindowCreated dom/base/nsGlobalWindow.cpp:2139 21 libxul.so nsRunnableMethodImpl<void , true>::Run nsThreadUtils.h:313 22 libxul.so nsContentUtils::RemoveScriptBlocker content/base/src/nsContentUtils.cpp:4883 23 libxul.so DocumentViewerImpl::InitInternal nsContentUtils.h:2189 24 libxul.so DocumentViewerImpl::Init layout/base/nsDocumentViewer.cpp:676 25 libxul.so nsDocShell::SetupNewViewer docshell/base/nsDocShell.cpp:7801 26 libxul.so nsDocShell::Embed docshell/base/nsDocShell.cpp:5880 27 libxul.so nsDocShell::CreateAboutBlankContentViewer docshell/base/nsDocShell.cpp:6615 28 libxul.so nsDocShell::EnsureContentViewer docshell/base/nsDocShell.cpp:6508 29 libxul.so nsDocShell::GetInterface docshell/base/nsDocShell.cpp:941 30 libxul.so nsGetInterface::operator obj-firefox/xpcom/build/nsIInterfaceRequestorUtils.cpp:19 31 libxul.so nsCOMPtr_base::assign_from_helper obj-firefox/xpcom/build/nsCOMPtr.cpp:117 32 libxul.so nsGlobalWindow::GetDocument nsCOMPtr.h:598 33 libxul.so nsGlobalWindow::WrapObject dom/base/nsPIDOMWindow.h:325 34 libxul.so XPCConvert::NativeInterface2JSObject js/xpconnect/src/XPCConvert.cpp:875 35 libxul.so XPCConvert::NativeData2JS js/xpconnect/src/XPCConvert.cpp:323 36 libxul.so XPCWrappedNative::CallMethod js/xpconnect/src/xpcprivate.h:3247 37 libxul.so XPC_WN_GetterSetter js/xpconnect/src/xpcprivate.h:2754 38 libxul.so js::InvokeGetterOrSetter js/src/jscntxtinlines.h:395 39 libxul.so js_NativeGet js/src/jsscopeinlines.h:274 40 libxul.so js::NativeGet js/src/jsinterpinlines.h:135 41 libxul.so js::Interpret js/src/jsinterpinlines.h:374 42 libxul.so js::RunScript js/src/jsinterp.cpp:267 43 libxul.so js::Execute js/src/jsinterp.cpp:455 44 libxul.so JS_ExecuteScript js/src/jsapi.cpp:5320 45 libxul.so nsFrameScriptExecutor::LoadFrameScriptInternal content/base/src/nsFrameMessageManager.cpp:732 46 libxul.so nsInProcessTabChildGlobal::LoadFrameScript content/base/src/nsInProcessTabChildGlobal.cpp:326 47 libxul.so nsAsyncScriptLoad::Run content/base/src/nsInProcessTabChildGlobal.cpp:306 48 libxul.so nsContentUtils::RemoveScriptBlocker content/base/src/nsContentUtils.cpp:4883 49 libxul.so nsDocument::EndUpdate content/base/src/nsDocument.cpp:3994 50 libxul.so nsXULDocument::EndUpdate content/xul/document/src/nsXULDocument.cpp:3303 51 libxul.so mozAutoDocUpdate::~mozAutoDocUpdate content/base/src/mozAutoDocUpdate.h:35 52 libxul.so nsINode::ReplaceOrInsertBefore content/base/src/nsGenericElement.cpp:4352 53 libxul.so nsINode::ReplaceOrInsertBefore nsINode.h:1438 54 libxul.so nsIDOMNode_AppendChild nsINode.h:476 55 libxul.so js::InvokeKernel js/src/jscntxtinlines.h:395 56 libxul.so js::Interpret js/src/jsinterp.cpp:2456 57 libxul.so js::RunScript js/src/jsinterp.cpp:267 58 libxul.so js::Invoke js/src/jsinterp.cpp:322 59 libxul.so JS_CallFunctionValue js/src/jsapi.cpp:5481 60 libxul.so nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1474 61 libxul.so nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:579 62 libxul.so PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105 63 libxul.so libxul.so@0xa6edd7 64 libxul.so nsObserverList::NotifyObservers xpcom/ds/nsObserverList.cpp:99 65 libxul.so nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:149 66 libxul.so nsAppShell::ProcessNextNativeEvent widget/android/nsAppShell.cpp:493 67 libxul.so nsBaseAppShell::DoProcessNextNativeEvent widget/xpwidgets/nsBaseAppShell.cpp:139 68 libxul.so nsBaseAppShell::OnProcessNextEvent widget/xpwidgets/nsBaseAppShell.cpp:280 69 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:586 70 libxul.so NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:213 71 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:82 72 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:208 73 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:201 74 libxul.so nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:163 75 libxul.so nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:256 76 libxul.so XREMain::XRE_mainRun toolkit/xre/nsAppRunner.cpp:3781 77 libxul.so XREMain::XRE_main toolkit/xre/nsAppRunner.cpp:3858 78 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp:3934 79 libxul.so GeckoStart toolkit/xre/nsAndroidStartup.cpp:73 80 libmozglue.so libmozglue.so@0x10899 81 dalvik-LinearAlloc (deleted) dalvik-LinearAlloc @0x28c3f6 82 libdvm.so libdvm.so@0x1ec72 83 dalvik-heap (deleted) dalvik-heap @0xe1d6de 84 libdvm.so libdvm.so@0x5906b 85 data@app@org.mozilla.fennec-1.apk@classes.dex data@app@org.mozilla.fennec-1.apk@classes.dex@0x11fa05 86 libmozglue.so libmozglue.so@0x10847 87 data@app@org.mozilla.fennec-1.apk@classes.dex data@app@org.mozilla.fennec-1.apk@classes.dex@0x1097ba 88 libc.so libc.so@0x14a13 89 libdvm.so libdvm.so@0x98f4d 90 libc.so libc.so@0x15877 91 libmozglue.so libmozglue.so@0x10847 92 data@app@org.mozilla.fennec-1.apk@classes.dex data@app@org.mozilla.fennec-1.apk@classes.dex@0x1097ba 93 libc.so libc.so@0x15877 94 libmozglue.so libmozglue.so@0x10847 95 data@app@org.mozilla.fennec-1.apk@classes.dex data@app@org.mozilla.fennec-1.apk@classes.dex@0x1097ba 96 libc.so libc.so@0x15ed9 97 libdvm.so libdvm.so@0x5b009 98 core.odex core.odex@0x1e46b6 99 dalvik-LinearAlloc (deleted) dalvik-LinearAlloc @0x347e 100 dalvik-mark-stack (deleted) dalvik-mark-stack @0x36009c2 133 libdvm.so libdvm.so@0x5fb3f 134 libdvm.so libdvm.so@0x6cabb 135 libdvm.so libdvm.so@0xb7c56 136 libdvm.so libdvm.so@0x5fb3f 137 libdvm.so libdvm.so@0xb2f8e 138 libdvm.so libdvm.so@0x5fbef 139 dalvik-mark-stack (deleted) dalvik-mark-stack @0x36009c2 140 libdvm.so libdvm.so@0x5fb3f 141 libc.so libc.so@0x12c1e 142 libc.so libc.so@0x12772 Only 1 URL listed : about:blank Note: not listing as a top crash because of the sheer amount of dups in the crash. See signature listings for more details : https://crash-stats.mozilla.com/report/list?range_value=3&range_unit=days&date=2012-06-12&signature=JS_ExecuteScript&version=FennecAndroid%3A16.0a1
The crash in question happens on a line added in bug 746036, so CC'ing dmandelin.
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Fennec Native → Core
QA Contact: general → general
Whiteboard: [native-crash], startupcrash → [native-crash][startupcrash]
Version: Firefox 16 → Trunk
This is the #3 topcrash for Fennec 16, but does not appear in Fennec 14 or 15 crash stats.
tracking-fennec: --- → ?
(In reply to Naoki Hirata :nhirata from comment #3) > Placing in as topcrash with only 2 users that hit this crash?
Whiteboard: [native-crash][startupcrash] → [js:t][native-crash][startupcrash]
Keywords: topcrash
tracking-fennec: ? → +
OS: All → Windows 7
Summary: crash in [@ JS_ExecuteScript] → crash in nsJSContext::ExecuteScript @ JS_ExecuteScript
Whiteboard: [js:t][native-crash][startupcrash] → [js:t][startupcrash]
tracking-fennec: + → ?
status-firefox14: unaffected → ---
status-firefox15: unaffected → ---
status-firefox16: affected → ---
I don't see this crash in any of the top crash lists. Not tracking.
tracking-fennec: ? → -
The stack trace now looks like: Frame Module Signature Source 0 mozjs.dll JS_ExecuteScript js/src/jsapi.cpp:5531 1 xul.dll nsJSContext::ExecuteScript dom/base/nsJSEnvironment.cpp:1661 2 xul.dll nsXULDocument::ExecuteScript content/xul/document/src/nsXULDocument.cpp:3552 3 xul.dll nsXULDocument::ExecuteScript content/xul/document/src/nsXULDocument.cpp:3572 4 xul.dll nsXULDocument::OnStreamComplete content/xul/document/src/nsXULDocument.cpp:3451 5 xul.dll nsStreamLoader::OnStopRequest netwerk/base/src/nsStreamLoader.cpp:101 6 xul.dll nsStreamListenerWrapper::OnStopRequest obj-firefox/dist/include/nsStreamListenerWrapper.h:25 7 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70 8 xul.dll XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:2400 9 xul.dll XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488 10 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:369 11 mozjs.dll js::Interpret js/src/jsinterp.cpp:2338 12 mozjs.dll js::RunScript js/src/jsinterp.cpp:326 13 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:381 14 mozjs.dll js::Invoke js/src/jsinterp.cpp:414 15 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5771 16 xul.dll nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1432 More reports at: https://crash-stats.mozilla.com/report/list?signature=JS_ExecuteScript https://crash-stats.mozilla.com/report/list?signature=JS_ExecuteScript%28JSContext*%2C+JSObject*%2C+JSScript*%2C+JS%3A%3AValue*%29
Crash Signature: [@ JS_ExecuteScript] → [@ JS_ExecuteScript] [@ JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*)]
status-firefox18: --- → affected
status-firefox19: --- → affected
It's #18 top browser crasher in 19.0b5.
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
tracking-firefox19: --- → ?
Keywords: topcrash
It's correlated to Free Download Manager 1.5.7.6 and above: * 18.0.2: 92% (196/212) vs. 0% (668/137733) fdm_ffext@freedownloadmanager.org 0% (1/212) vs. 0% (7/137733) 1.5.5 0% (0/212) vs. 0% (1/137733) 1.5.7.4 34% (72/212) vs. 0% (290/137733) 1.5.7.6 2% (4/212) vs. 0% (7/137733) 1.5.7.7 56% (119/212) vs. 0% (363/137733) 1.5.7.9 * 19.0 Beta: 88% (123/139) vs. 0% (409/87231) fdm_ffext@freedownloadmanager.org 0% (0/139) vs. 0% (1/87231) 1.5.5 0% (0/139) vs. 0% (3/87231) 1.5.7.4 32% (45/139) vs. 0% (128/87231) 1.5.7.6 0% (0/139) vs. 0% (5/87231) 1.5.7.7 56% (78/139) vs. 0% (272/87231) 1.5.7.9
Summary: crash in nsJSContext::ExecuteScript @ JS_ExecuteScript → crash in nsJSContext::ExecuteScript @ JS_ExecuteScript mainly with Free Download Manager
CC'ing somebody from FDM (blind guess), and also leaving them a note at http://www.freedownloadmanager.org/support.htm
This is now #55, so dropping it off the tracking list.
tracking-firefox19: +-
Keywords: topcrash
I don't think there is something to do with FDM here.
(In reply to Alervd from comment #11) > I don't think there is something to do with FDM here. It's a startup crash in 19.0 correlated to FDM: 95% (254/266) vs. 0% (906/192123) fdm_ffext@freedownloadmanager.org 30% (79/266) vs. 0% (398/192123) 1.5.7.6 66% (175/266) vs. 0% (498/192123) 1.5.7.9 I don't know how easy it's reproducible.
OK, why don't I see the code related to FDM in the stack trace then? I'll try to explain. It seems - FDM extension's js code uses Firefox objects by some incorrect way. Maybe. But it's Firefox component which must correctly behave on incorrect things. The only suspicion I have is on this code: fdm_brcache.js. function freeDldMgr_brCacheRegisterObserver () { var observerService = Components.classes["@mozilla.org/observer-service;1"] .getService(Components.interfaces.nsIObserverService); observerService.addObserver(freeDldMgr_brCacheListener, "http-on-modify-request", false); observerService.addObserver(freeDldMgr_brCacheListener, "http-on-examine-response", false); observerService.addObserver(freeDldMgr_brCacheListener, "http-on-examine-cached-response", false); //observerService.addObserver(freeDldMgr_brCacheListener, "http-on-examine-merged-response", false); window.addEventListener("unload", freeDldMgr_brCache_unload, false); } THEN: var freeDldMgr_brCacheListener = { observe: function (subject, topic, data) { if (false == (subject instanceof Components.interfaces.nsIHttpChannel)) return; subject.QueryInterface(Components.interfaces.nsIHttpChannel); var url = freeDldMgr_ExtractUrlFromHttpChannel (subject); if (topic == "http-on-modify-request") { freeDldMgr_FDM1.onHttpActivity (url); var wndSrc = freeDldMgr_findChannelWindow (subject); if (wndSrc) { wndSrc = wndSrc.top; if (wndSrc) freeDldMgr_FDM1.OnNewHttpRequest (url, wndSrc.location.href); } return; } var newListener = new freeDldMgr_TracingListener(); newListener.Url = url; newListener.bJustNotify = topic != "http-on-examine-cached-response"; if (newListener.bJustNotify) freeDldMgr_FDM1.onHttpActivity (url); var hdrs = freeDldMgr_ExtractHttpHeadersFromHttpChannel (subject); if (!newListener.bJustNotify) newListener.httpDlgUID = freeDldMgr_CacheMon.OnNewHttpDialog (url, hdrs.reqH, hdrs.respH); subject.QueryInterface(Components.interfaces.nsITraceableChannel); newListener.originalListener = subject.setNewListener(newListener); }, etc... AND THE MAIN THING IS HERE (MAYBE): function freeDldMgr_TracingListener() { } freeDldMgr_TracingListener.prototype = { originalListener: null, httpDlgUID : 0, bJustNotify : false, Url : "", bDontCallOriginalListener : false, onStartRequest: function(request, context) { try{ this.originalListener.onStartRequest(request, context); }catch(e){this.bDontCallOriginalListener = true;} }, onDataAvailable: function(request, context, inputStream, offset, count) { if (!this.bJustNotify) { //fix for firebug error if (typeof Cc == "undefined") { var Cc = Components.classes; } if (typeof Ci == "undefined") { var Ci = Components.interfaces; } if (typeof CCIN == "undefined") { function CCIN(cName, ifaceName){ return Cc[cName].createInstance(Ci[ifaceName]); } } if (typeof CCSV == "undefined") { function CCSV(cName, ifaceName){ if (Cc[cName]) // if fbs fails to load, the error can be _CC[cName] has no properties return Cc[cName].getService(Ci[ifaceName]); else dumpError("CCSV fails for cName:" + cName); } } var binaryInputStream = CCIN("@mozilla.org/binaryinputstream;1", "nsIBinaryInputStream"); var storageStream = CCIN("@mozilla.org/storagestream;1", "nsIStorageStream"); var binaryOutputStream = CCIN("@mozilla.org/binaryoutputstream;1","nsIBinaryOutputStream"); binaryInputStream.setInputStream(inputStream); storageStream.init(8192, count, null); binaryOutputStream.setOutputStream(storageStream.getOutputStream(0)); // Copy received data as they come. var data = binaryInputStream.readByteArray (count); freeDldMgr_CacheMon.OnDataReceived (this.httpDlgUID, count, data); binaryOutputStream.writeByteArray(data, count); if (!this.bDontCallOriginalListener) this.originalListener.onDataAvailable (request, context, storageStream.newInputStream(0), offset, count); } else // bJustNotify is true { try { freeDldMgr_FDM1.onHttpActivity (this.Url); if (!this.bDontCallOriginalListener) this.originalListener.onDataAvailable (request, context, inputStream, offset, count); }catch(e){this.bDontCallOriginalListener = true;} } }, onStopRequest: function(request, context, statusCode) { if (!this.bJustNotify) freeDldMgr_CacheMon.OnDialogClosed (this.httpDlgUID); this.originalListener.onStopRequest(request, context, statusCode); }, QueryInterface: function (aIID) { if (aIID.equals(Components.interfaces.nsIStreamListener) || aIID.equals(Components.interfaces.nsISupports)) { return this; } throw Components.results.NS_NOINTERFACE; } }; P.S. Sorry, I don't know how to use formatting (if it's available here).
Maybe somebody from Firefox dev team could check this code....
(In reply to Alervd from comment #14) > Maybe somebody from Firefox dev team could check this code.... Firefox 20 and above are unaffected so it's already fixed.
Assignee: general → nobody
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Closing because no crashes reported for 12 weeks.
You need to log in before you can comment on or make changes to this bug.