Closed Bug 799830 Opened 12 years ago Closed 9 years ago

crash in js::PropertyCache::fullTest (Correlation to Norton Confidential Toolbar)

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox16 + ---
firefox17 - ---

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash, reproducible)

Crash Data

This bug was filed from the Socorro interface and is report bp-45531e71-ae32-4d60-99de-371522121009.
=============================================================

Seen while looking at crash stats. This is not a huge volume crash, but has a 100% correlation to Norton Confidential Toolbar 2.3.1r14 and there are some early crashes in Firefox 16. It affects Mac and Linux. There have been previous bugs filed about Firefox 15.0.1 not supporting Norton Confidential.

Reports are here: https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fullTest

Frame 	Module 	Signature 	Source
0 	XUL 	js::PropertyCache::fullTest 	js/src/vm/String.h:828
1 	XUL 	js::Interpret 	js/src/jspropertycacheinlines.h:58
2 	XUL 	js::RunScript 	js/src/jsinterp.cpp:301
3 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:355
4 	XUL 	js::Invoke 	js/src/jsinterp.h:119
5 	XUL 	JS_CallFunctionName 	js/src/jsapi.cpp:5591
6 	libnortonconfidential16.dylib 	libnortonconfidential16.dylib@0x263a3 	
7 	libnortonconfidential16.dylib 	libnortonconfidential16.dylib@0xfd5c 	
8 	XUL 	nsDocLoader::FireOnLocationChange 	uriloader/base/nsDocLoader.cpp:1391
9 	XUL 	nsDocLoader::FireOnLocationChange 	uriloader/base/nsDocLoader.cpp:1398
10 	XUL 	nsDocLoader::FireOnLocationChange 	uriloader/base/nsDocLoader.cpp:1398
11 	XUL 	nsDocShell::SetCurrentURI 	docshell/base/nsDocShell.cpp:1887
12 	XUL 	nsDocShell::OnNewURI 	docshell/base/nsDocShell.cpp:9698
13 	XUL 	nsDocShell::InternalLoad 	docshell/base/nsDocShell.cpp:8598
14 	XUL 	nsDocShell::LoadURI 	docshell/base/nsDocShell.cpp:1520
15 	XUL 	nsLocation::SetURI 	dom/base/nsLocation.cpp:336
16 	XUL 	nsLocation::SetHrefWithBase 	dom/base/nsLocation.cpp:618
17 	XUL 	nsLocation::SetHrefWithContext 	dom/base/nsLocation.cpp:565
18 	XUL 	nsLocation::SetHref 	dom/base/nsLocation.cpp:534
19 	XUL 	XUL@0x125dd9f 	
20 	XUL 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:3118
21 	XUL 	XPC_WN_GetterSetter 	js/xpconnect/src/xpcprivate.h:2819
22 	XUL 	js::InvokeKernel 	js/src/jscntxtinlines.h:382
23 	XUL 	js::Invoke 	js/src/jsinterp.h:119
24 	XUL 	js::InvokeGetterOrSetter 	js/src/jsinterp.cpp:460
25 	XUL 	js::BaseProxyHandler::set 	js/src/jscntxtinlines.h:450
26 	XUL 	xpc::XrayWrapper<js::SecurityWrapper<js::CrossCompartmentWrapper>,xpc::XPCWrappe 	js/xpconnect/wrappers/XrayWrapper.cpp:1507
27 	XUL 	proxy_SetGeneric 	js/src/jsproxy.cpp:1119
28 	XUL 	JSObject::nonNativeSetProperty 	js/src/jsobj.cpp:2723
29 	XUL 	js::Interpret 	js/src/jsobjinlines.h:98
30 	XUL 	js::RunScript 	js/src/jsinterp.cpp:301
31 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:355
32 	XUL 	js_fun_call 	js/src/jsinterp.h:119
33 	XUL 	js::InvokeKernel 	js/src/jscntxtinlines.h:382
34 	XUL 	js::Interpret 	js/src/jsinterp.cpp:2442
35 	XUL 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:327
36 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:410
37 	XUL 	js::mjit::CallCompiler::update 	js/src/methodjit/MonoIC.cpp:934
38 	XUL 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:996
39 		@0x98f374f 	
40 		@0x98f2873 	
41 	libmozglue.dylib 	double_conversion::BignumDtoa 	mfbt/double-conversion/bignum-dtoa.cc:493
42 	Foundation 	Foundation@0xbf1fc 	
43 	CoreFoundation 	CoreFoundation@0x33082 	
44 	XUL 	nsDisplayBackground::nsDisplayBackground 	layout/base/nsDisplayList.cpp:966
45 		@0x7a1fff4f 	
46 	XUL 	XUL@0x167579f 	
47 	XUL 	js::RunScript 	js/src/jsinterp.cpp:301
48 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:355
49 	XUL 	js::mjit::stubs::SlowCall 	js/src/methodjit/InvokeHelpers.cpp:133
50 	XUL 	SlowCallFromIC 	js/src/methodjit/MonoIC.cpp:379
51 		@0xb2f5f81 	
52 		@0xb2f556b 	
53 	libmozglue.dylib 	double_conversion::BignumDtoa 	mfbt/double-conversion/bignum-dtoa.cc:493
54 		@0x8000fffe 	
55 	XUL 	nsHttpsHandler::QueryInterface 	netwerk/protocol/http/nsHttpHandler.cpp:1659
56 	XUL 	nsComponentManagerImpl::GetServiceByContractID 	
57 	XUL 	CallGetService 	obj-firefox/i386/xpcom/build/nsComponentManagerUtils.cpp:62
58 	XUL 	nsIOService::GetProtocolHandler 	nsCOMPtr.h:408
59 	XUL 	NS_SecurityCompareURIs 	
60 	XUL 	NS_IsMainThread_P 	obj-firefox/i386/xpcom/build/nsThreadUtils.cpp:113
It's #2 top browser crasher on Mac in 16.0.
Crash Signature: [@ js::PropertyCache::fullTest] → [@ js::PropertyCache::fullTest ]
Marcia - can you try to reproduce with Norton Confidential Toolbar? Jorge has reached out to people at Norton to get their eyes on as well.
QA Contact: mozillamarcia.knous
I can reproduce this crash easily using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:16.0) Gecko/20100101 Firefox/16.0

STR:
1. Install Norton Security Suite for Mac
2. Allow the installation of the Norton Identity Toolbar Version 2.3.1r14
3. Load your Gmail account
4. After selecting some messages to read and deleting some others, I generated a crash.

https://crash-stats.mozilla.com/report/index/bp-9ea15f71-5f0e-471f-a60a-0b72b2121011
Benjamin can you help figure out next steps here now that we have STR?
Assignee: nobody → benjamin
fwiw, there's no sign of this crashing in 17.0b1 (yet) so if someone can try to reproduce on 17 and later that will help us determine if this is still needing to be tracked.
Keywords: qawanted
(In reply to Scoobidiver from comment #1)
> It's #2 top browser crasher on Mac in 16.0.
It's now #34 on Mac in 16.0.1.
From the stack it appears that libnortonconfidential16.dylib is calling directly into the JSAPI, which is incredibly fragile. I'd be willing to blame the crash on that fact alone...
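
The observation above (a third-party library sitting directly beneath a JSAPI entry point) can be checked mechanically when triaging stacks like this one. The following is an added example, not part of the original bug comments or of Mozilla's tooling; the trusted-module set and the `JS_` prefix heuristic are assumptions, and the sample rows are copied from the stack in this report.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "index module signature source")

# Assumption: modules that ship with Firefox, taken from this stack's module column.
FIREFOX_MODULES = {"XUL", "libmozglue.dylib"}

# Constructed sample: a few rows copied from the stack above (tab-separated).
SAMPLE = "\n".join([
    "Frame \tModule \tSignature \tSource",
    "4 \tXUL \tjs::Invoke \tjs/src/jsinterp.h:119",
    "5 \tXUL \tJS_CallFunctionName \tjs/src/jsapi.cpp:5591",
    "6 \tlibnortonconfidential16.dylib \tlibnortonconfidential16.dylib@0x263a3 \t",
    "7 \tlibnortonconfidential16.dylib \tlibnortonconfidential16.dylib@0xfd5c \t",
    "8 \tXUL \tnsDocLoader::FireOnLocationChange \turiloader/base/nsDocLoader.cpp:1391",
    "39 \t\t@0x98f374f \t",
])

def parse_frames(text):
    """Parse Frame/Module/Signature/Source rows; header and malformed rows are skipped."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) < 3 or not cols[0].isdigit():
            continue
        frames.append(Frame(int(cols[0]), cols[1], cols[2], cols[3] if len(cols) > 3 else ""))
    return frames

def foreign_jsapi_callers(frames, trusted=FIREFOX_MODULES):
    """Find non-Firefox modules that directly call a JSAPI entry point.

    Heuristic (assumption): public JSAPI functions carry the 'JS_' prefix.
    The innermost frame is listed first, so frame i is called by frame i+1.
    """
    hits = []
    for callee, caller in zip(frames, frames[1:]):
        if caller.index != callee.index + 1:      # gap in the excerpt, not a real call edge
            continue
        if not callee.signature.startswith("JS_"):
            continue
        # An empty module column is JIT or unsymbolicated code, not a third-party binary.
        if caller.module and caller.module not in trusted:
            hits.append((callee.signature, caller.module, caller.index))
    return hits

if __name__ == "__main__":
    for api, module, idx in foreign_jsapi_callers(parse_frames(SAMPLE)):
        print(f"frame {idx}: {module} calls {api} directly")
```
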
Those exact signatures seem to not be present in 17 or higher.
Crash Signature: [@ js::PropertyCache::fullTest ] → [@ js::PropertyCache::fullTest ] [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ]
According to email from Benjamin: "This appears to be entirely a bug in Norton using the JSAPI and is not something we can fix in-browser."

Untracking for 17 as due to the low volume it's not something we'd spend a lot of resources reaching out to Norton on.
Assignee: benjamin → nobody
I can reproduce this on Linux, without the Norton toolbar. See crash report (and correlations): https://crash-stats.mozilla.com/report/index/bp-fa5b4754-603a-4fb8-b56f-ab2412130212

Usually, when this happens, I'm editing the wiki page for XPIDL. But, it doesn't happen every time. Roughly, here are STR:

1) Load https://developer.mozilla.org/en-US/docs/XPIDL
2) Click "Edit".
3) Make some edits and wait for crash.

Usually, the crash happens in about 2 or 3 minutes, but it's not consistent. Sometimes I can edit the page for quite a while before it crashes, but it will eventually crash.
Assignee: nobody → general
Component: Extension Compatibility → JavaScript Engine
OS: Mac OS X → Linux
Product: Firefox → Core
Version: 16 Branch → Trunk
I could not reproduce the crash following the STR from Comment 3 on Mac 10.8 with Firefox 22 (the first version of Firefox the toolbar is compatible with) having the Norton Identity Toolbar for Firefox 2.5.2f4 installed.

I also tried to reproduce the issue on Ubuntu 13.10 following the STR from Comment 10 or playing with other text editors but I didn't have any luck.

I'm removing the qawanted keyword since QA can't reproduce this locally. Please re-add it if you have more details about how the crash can be reproduced.
Keywords: qawanted
Assignee: general → nobody
Per Comment 11
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME