94127 - applescript causes crash

Status: VERIFIED FIXED

(SeaMonkey :: UI Design, defect, P3)

Description

[Bill McGonigle (not currently reading bugmail; please contact directly)]

tested on 2001080613

example:

--
tell application "Mozilla"
     get name
end tell
--

Date/Time: 2001-08-07 12:49:13 -0400

PID:       490
Command:   Mozilla

Exception: EXC_BAD_ACCESS (0x0001)
Codes:     KERN_PROTECTION_FAILURE (0x0002) at 0x000aaa1a

Thread 0:
 #0   0x7000ab10 in _bcopy ()
 #1   0xbffff188 in 0xbffff188 ()
 #2   0x00094ed4 in CopyPascalString ()
 #3   0x00094ff8 in GetShortVersionString ()
 #4   0x0009dd34 in
GetDataFromObject__18AEApplicationClassFPC6AEDescP6AEDescP6AED ()
 #5   0x000a2f68 in
GetDataFromListOrObject__14AEGenericClassFPC6AEDescP6AEDescP6A ()
 #6   0x000a23d0 in HandleGetData__14AEGenericClassFP6AEDescPC6AEDescP6AEDesc ()
 #7   0x000a1d4c in DispatchEvent__14AEGenericClassFP6AEDescPC6AEDescP6AEDesc ()
 #8   0x0009b6c4 in DispatchEvent__17AEDispatchHandlerFP6AEDescPC6AEDescP6AEDesc ()
 #9   0x00099db8 in HandleCoreSuiteEvent__11AECoreClassFPC6AEDescP6AEDesc ()
 #10  0x0009a528 in CoreSuiteHandler__11AECoreClassFPC6AEDescP6AEDescUl ()
 #11  0x73f2452c in _InvokeAEEventHandlerUPP ()
 #12  0x73f24744 in _TryEventTable ()
 #13  0x73f24578 in _AEMDispatcher ()
 #14  0x73f2452c in _InvokeAEEventHandlerUPP ()
 #15  0x73f241c0 in _aeResumeTheCurrentEvent ()
 #16  0x73f22010 in _aeReallyProcessAppleEvent ()
 #17  0x73f21ae8 in _aeProcessAppleEvent ()
 #18  0x737dd600 in _AEProcessAppleEvent ()
 #19  0x01b3dee8 in DispatchEvent__16nsMacMessagePumpFiP11EventRecord ()
 #20  0x01b3d858 in DoMessagePump__16nsMacMessagePumpFv ()
 #21  0x01b3d0e8 in Run__10nsAppShellFv ()
 #22  0x018cf1f4 in Run__17nsAppShellServiceFv ()
 #23  0x00091dfc in main1__FiPPcP11nsISupports ()
 #24  0x00092b6c in main ()

Thread 1:
 #0   0x7000424c in _syscall ()
 #1   0x706584b8 in _ProcessReadyEvent ()
 #2   0x706582b0 in _CarbonSelectThreadFunc ()
 #3   0x70014f04 in __pthread_body ()

Thread 2:
 #0   0x70059b68 in _semaphore_wait_signal_trap ()
 #1   0x70016110 in _semaphore_wait_signal ()
 #2   0x70015f78 in __pthread_cond_wait ()
 #3   0x70015d18 in _pthread_cond_wait ()
 #4   0x70653be0 in _BSD_pthread_cond_wait ()
 #5   0x70653bc0 in _CarbonConditionWait ()
 #6   0x7065557c in _CarbonOperationThreadFunc ()
 #7   0x70014f04 in __pthread_body ()

Thread 3:
 #0   0x70059b48 in _semaphore_timedwait_signal_trap ()
 #1   0x7003f7f8 in _semaphore_timedwait_signal ()
 #2   0x70015f68 in __pthread_cond_wait ()
 #3   0x7003f7c4 in _pthread_cond_timedwait_relative_np ()
 #4   0x7029b590 in _TSWaitOnConditionTimedRelative ()
 #5   0x7029cdac in _TSWaitOnSemaphoreCommon ()
 #6   0x702e5f98 in _TSWaitOnSemaphoreRelative ()
 #7   0x702e7208 in _TimerThread ()
 #8   0x70014f04 in __pthread_body ()

Thread 4:
 #0   0x70059b68 in _semaphore_wait_signal_trap ()
 #1   0x70016110 in _semaphore_wait_signal ()
 #2   0x70015f78 in __pthread_cond_wait ()
 #3   0x70015d18 in _pthread_cond_wait ()
 #4   0x7029b550 in _TSWaitOnCondition ()
 #5   0x7029cd94 in _TSWaitOnSemaphoreCommon ()
 #6   0x7029cce4 in _TSWaitOnSemaphore ()
 #7   0x7029cba8 in _AsyncFileThread ()
 #8   0x70014f04 in __pthread_body ()

Thread 5:
 #0   0x70059b68 in _semaphore_wait_signal_trap ()
 #1   0x70016110 in _semaphore_wait_signal ()
 #2   0x70015f78 in __pthread_cond_wait ()
 #3   0x70015d18 in _pthread_cond_wait ()
 #4   0x70653be0 in _BSD_pthread_cond_wait ()
 #5   0x70653bc0 in _CarbonConditionWait ()
 #6   0x70653ab4 in _CarbonInetOperThreadFunc ()
 #7   0x70014f04 in __pthread_body ()

PPC Thread State:
  srr0: 0x7000ab10 srr1: 0x0000f030                vrsave: 0x00000000
   xer: 0x00000014   lr: 0x702620d8  ctr: 0x7000a940   mq: 0x00000000
    r0: 0x00000000   r1: 0xbfffe8d0   r2: 0x70268e14   r3: 0xbfffeaa8
    r4: 0x000aaa1a   r5: 0x00000002   r6: 0xbfffeaaa   r7: 0x000001c2
    r8: 0x00000001   r9: 0x400abf72  r10: 0x00000000  r11: 0x00000000
   r12: 0x400abf72  r13: 0x00000000  r14: 0x00000000  r15: 0x00000000
   r16: 0x00000000  r17: 0x00000000  r18: 0x00000000  r19: 0x002bbf64
   r20: 0x00000000  r21: 0x00000000  r22: 0x00000000  r23: 0x00000001
   r24: 0x00000001  r25: 0xbffff188  r26: 0x0170a6d0  r27: 0xbfffeee0
   r28: 0xbfffed4c  r29: 0xbfffeaa8  r30: 0xffffff40  r31: 0x00000000

**********

Comment 1

[Bill McGonigle (not currently reading bugmail; please contact directly)]

My bad on the original summary line of "bad applescripts causes crash" - I
wasn't as senile as I thought with the above example.  I do get the proper
return value ("Mozilla"), then it crashes.

Comment 2

[Simon Fraser [no longer active]]

Does this crash on Mac OS 9 in a non-carbon build?

Comment 3

[hirata masakazu]

The script caused crash with my trunk build (2001080608) for MacOS9.
This can be a browser crasher?

Comment 4

[Greg K.]

Works for me under Mac/2001080214 (0.9.3) on 9.1

Comment 5

[Greg K.]

Confirmed under Fizzilla/2001080316 on Mac OS X 10.0.4. Testcase AppleScript was executed 
and "Mozilla" returned, but Mozilla "unexpectedly quit."

The message, "CFM failed to set the stack limit because requested limit is lower than current" 
was displayed on the Console.

Comment 6

[Steve Dagley]

the stack limit message is just a warning, not an error

Comment 7

[Paul Chen]

nav triage team:

marking p3, mozilla1.0.1 and nsbeta1+, it's either some apple bug or bug in our
appleevent code with os x

Comment 8

[Simon Fraser [no longer active]]

The code that is crashing is:

  versionH = (VersRecHndl)Get1Resource('vers', 2);		
  if (versionH) {
    CopyPascalString(version, (**versionH).shortVersion);

so maybe this resource has a different format on X.

This will fix the crash, but probaby result in garbage being returned by the 
event:

Index: mozilla/xpfe/bootstrap/appleevents/nsMacUtils.cpp
===================================================================
RCS file: /cvsroot/mozilla/xpfe/bootstrap/appleevents/nsMacUtils.cpp,v
retrieving revision 1.1
diff -b -u -2 -r1.1 nsMacUtils.cpp
--- nsMacUtils.cpp	2000/02/11 22:05:59	1.1
+++ nsMacUtils.cpp	2001/08/08 22:08:28
@@ -101,5 +101,8 @@
 void CopyPascalString (StringPtr to, const StringPtr from)
 {
-	BlockMoveData(from, to, *from+1);
+	short		len = from[0] + 1;
+	if (len > 256)
+		len = 256;
+	BlockMoveData(from, to, len);
 }
 

Comment 9

[Tim Jarrett]

For what it's worth, calling GetURL seems to function fine--Mozilla opens a new
browser window.  But trying anything more advanced (see below)seems to crash
_and restart_ the browser.  Testing on Mac OS X 10.1.1, build 2001111405.

--working example--
tell application "Mozilla"
        getURL "http://jarretthousenorth.editthispage.com"
end tell

--crashing example--
tell application "Mozilla"
	try
		set theURL to the URL of window 1
		
		set theSelection to the selection
		set error_msg to ""
	on error error_message
		set error_msg to error_message
		return
	end try
	
end tell

if error_msg is not "" then
	display dialog error_msg
	return
end if

display dialog theURL & return & return & theSelection
--

Comment 10

[Bill McGonigle (not currently reading bugmail; please contact directly)]

The restart is almost certainly called by Applescript being persistent and
launching Mozilla so that it can continue to feed it AppleEvents.  Sending an
AppleEvent to a non-running app (like a crashed mozilla) does an implicit open.

Comment 11

[Simon Fraser [no longer active]]

Mine.

Comment 12

[Simon Fraser [no longer active]]

The "crashing" apple script above does not crash for me in a current build.

Comment 13

[Bill McGonigle (not currently reading bugmail; please contact directly)]

I downloaded today's trunk-latest and tried my original example and get a crash
very similar to the one I submitted way back when:

Date/Time:  2001-11-16 16:02:31 -0500
OS Version: 10.1 (Build 5L17b)

Command:    Mozilla
PID:        1025

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x004d3072

Thread 0:
 #0   0x7000456c in memcpy
 #1   0x70244fe8 in BlockMoveData
 #2   0x004be588 in CopyPascalString
 #3   0x004be6ac in GetShortVersionString
 #4   0x004c76d8 in GetDataFromObject__18AEApplicationClassFPC6AEDescP6AEDescP6AED
 #5   0x004cc90c in GetDataFromListOrObject__14AEGenericClassFPC6AEDescP6AEDescP6A
 #6   0x004cbd74 in AEGenericClass::HandleGetData(AEDesc *, AEDesc const *,
AEDesc *)
 #7   0x004cb6f0 in AEGenericClass::DispatchEvent(AEDesc *, AEDesc const *,
AEDesc *)
 #8   0x004c5068 in AEDispatchHandler::DispatchEvent(AEDesc *, AEDesc const *,
AEDesc *)
 #9   0x004c375c in AECoreClass::HandleCoreSuiteEvent(AEDesc const *, AEDesc *)
 #10  0x004c3ecc in AECoreClass::CoreSuiteHandler(AEDesc const *, AEDesc *,
unsigned long)
 #11  0x735fbe74 in TryEventTable
 #12  0x735f1e2c in AEMDispatcher
 #13  0x735f2fec in aeResumeTheCurrentEvent
 #14  0x735fbbb0 in aeReallyProcessAppleEvent
 #15  0x735f5fe8 in aeProcessAppleEvent
 #16  0x01da98b0 in nsMacMessagePump::DispatchEvent(int, EventRecord *)
 #17  0x01da94cc in nsMacMessagePump::DoMessagePump(void)
 #18  0x01da8e28 in nsAppShell::Run(void)
 #19  0x01b63354 in nsAppShellService::Run(void)
 #20  0x004bb510 in main1(int, char **, nsISupports *)
 #21  0x004bc0b8 in main

Thread 1:
 #0   0x7000530c in syscall
 #1   0x70557590 in BSD_waitevent
 #2   0x70554a30 in CarbonSelectThreadFunc
 #3   0x70020efc in _pthread_body

Thread 2:
 #0   0x7003fe48 in semaphore_wait_signal_trap
 #1   0x7003fc48 in _pthread_cond_wait
 #2   0x705594ac in CarbonOperationThreadFunc
 #3   0x70020efc in _pthread_body

Thread 3:
 #0   0x70043988 in semaphore_timedwait_signal_trap
 #1   0x70043968 in semaphore_timedwait_signal
 #2   0x7003fc38 in _pthread_cond_wait
 #3   0x7028366c in TSWaitOnConditionTimedRelative
 #4   0x7027cf10 in TSWaitOnSemaphoreCommon
 #5   0x702c14c8 in TimerThread
 #6   0x70020efc in _pthread_body

Thread 4:
 #0   0x7003fe48 in semaphore_wait_signal_trap
 #1   0x7003fc48 in _pthread_cond_wait
 #2   0x702505cc in TSWaitOnCondition
 #3   0x7027cef8 in TSWaitOnSemaphoreCommon
 #4   0x7024386c in AsyncFileThread
 #5   0x70020efc in _pthread_body

Thread 5:
 #0   0x70001308 in mach_msg_overwrite_trap
 #1   0x70006394 in mach_msg
 #2   0x700273dc in _pthread_become_available
 #3   0x700270d4 in pthread_exit
 #4   0x70020f00 in _pthread_body


PPC Thread State:
  srr0: 0x7000456c srr1: 0x0200f030                vrsave: 0x00000000
   xer: 0x2000001c   lr: 0x70244fe8  ctr: 0x70004384   mq: 0x00000000
    r0: 0x00000000   r1: 0xbfffeaf0   r2: 0x004d3072   r3: 0x004d3072
    r4: 0xbfffecc9   r5: 0x00000000   r6: 0x00000000   r7: 0xffffffff
    r8: 0x00ab0e1e   r9: 0x8023f950  r10: 0x00000012  r11: 0x80241528
   r12: 0x70004384  r13: 0x00000000  r14: 0x00000036  r15: 0xbfffee58
   r16: 0xbfffee70  r17: 0x00000001  r18: 0x000597e8  r19: 0x00000e07
   r20: 0x00000000  r21: 0x0000001c  r22: 0x70004bc4  r23: 0x70004c58
   r24: 0x00000001  r25: 0x000006eb  r26: 0x8081ab5c  r27: 0x0005e0d0
   r28: 0x00000000  r29: 0xbfffef00  r30: 0x8081d1cc  r31: 0x00000001

**********

Comment 14

[Steve Dagley]

Bill/Simon, any current word on this?

Comment 15

[Simon Fraser [no longer active]]

Attachment: Fix parameter order to avoid crashing

Note that it only crashes when we fail to get a 'vers' resource handle, which
probably happens because our resource chain is messed up.

Comment 16

[Mike Pinkerton (not reading bugmail)]

Comment on attachment 70121 [details] [diff] [review]
Fix parameter order to avoid crashing

yup, i'd see this before. it actually causes gcc to barf.

r=pink.

Comment 17

[Mike Pinkerton (not reading bugmail)]

Comment on attachment 70121 [details] [diff] [review]
Fix parameter order to avoid crashing

yup, i'd see this before. it actually causes gcc to barf.

r=pink.

Comment 18

[Blake Ross]

Comment on attachment 70121 [details] [diff] [review]
Fix parameter order to avoid crashing

sr=blake

Comment 19

[Simon Fraser [no longer active]]

Patch checked in.

Comment 20

[Bill McGonigle (not currently reading bugmail; please contact directly)]

Verifying fixed on Mozilla 1.0 for OSX, OSX 10.1.5.

tell application "Mozilla"
	get name
		--> "Mozilla"
end tell