Closed Bug 682793 Opened 13 years ago Closed 7 years ago

Infinite recursion loop crashes Firefox when Firebug is installed

Categories

(Core :: JavaScript Engine, defect)

9 Branch
x86
Windows 7
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: sebo, Unassigned)

Details

(Keywords: crash, Whiteboard: js-triage-needed)

Attachments

(1 file)

See https://crash-stats.mozilla.com/report/index/bp-911001c0-b0b5-4703-a737-0299a2110829

I used Firebug's Command Editor to execute the following lines of code:

function test() {
  return test();
}

test();
Stack overflow, this could be a dupe
Assignee: nobody → general
Severity: normal → critical
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
> this could be a dupe
Probably yes. I don't think I am the only one that experienced that problem, because it's that easy to reproduce.

Btw. since Bugzilla changed its issue report system the "Report this Crash" link doesn't prefill the issue title anymore. I think that was possible before, though I have only posted one or two bugs for crash reports so far.
This works in general, no (in that recursion protection kicks in).  What's special about the Firebug command editor?
Well, I just tested this on another PC and just used the new Scratchpad of Firefox.
Result: Firefox doesn't crash, but it gets completely unresponsive. The message for unresponsive scripts appears after a while (~3 minutes). Clicking "Stop script" doesn't stop it. Instead I get the message again after waiting a bit longer.

The Firebug Command Editor works by eval()ing the entered code. Honza can surely explain this in more detail.
(In reply to Boris Zbarsky (:bz) from comment #3)
> This works in general, no (in that recursion protection kicks in).  What's
> special about the Firebug command editor?

Not an answer, but: bug 643360 showed that there are ways to trigger infinite recursion "underneath" the JS engine, within JSD. In fact, that patch never landed, but the details of this bug and the stack make it sound dissimilar.
I can't reproduce the test case of bug 643360 with FF 6.0 + FB 1.8.1 and FF 9.0a1 + FB 1.9.0a1 under Windows 7.
Whiteboard: js-triage-needed
(In reply to Sebastian Zartner from comment #4)
> The Firebug Command Editor works by eval()ing the entered code. Honza can
> surely explain this in more detail.

0) The user executes an expression on Firebug's command line.
1) Firebug uses win.document.setUserData to pass the expression into the page.
2) Firebug sends an event to the page (using win.document.dispatchEvent)
3) The page catches the event, gets the expression and calls: window.eval(expr)

Honza
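
The flow in steps 0 to 3 above, as an added example that is not part of the original comment or Firebug's code: it runs the test case from comment 0 through an event-driven indirect eval and shows the engine's recursion protection surfacing as a catchable exception. The names `userData`, `commandLineEval` and `evaluateInPage` are assumptions; a `Map` stands in for `document.setUserData` and a plain `EventTarget` for the page document, so it runs outside a browser and without JSD active.

```javascript
// Added illustration. All names here are hypothetical stand-ins:
// userData replaces document.setUserData, pageDocument replaces win.document.
const pageDocument = new EventTarget();
const userData = new Map();

// Page side (step 3): catch the event, get the expression, eval it globally.
pageDocument.addEventListener("commandLineEval", () => {
  const expr = userData.get("expr");
  let outcome;
  try {
    // Indirect eval runs in global scope, like window.eval(expr).
    outcome = { ok: true, value: (0, eval)(expr) };
  } catch (e) {
    // Recursion protection arrives here as an ordinary exception:
    // RangeError in V8, InternalError ("too much recursion") in SpiderMonkey.
    outcome = { ok: false, error: e.name, message: String(e.message) };
  }
  userData.set("result", outcome);
});

// Extension side (steps 1 and 2): store the expression, then signal the page.
function evaluateInPage(expr) {
  userData.set("expr", expr);
  pageDocument.dispatchEvent(new Event("commandLineEval"));
  // dispatchEvent is synchronous, so the result is already stored.
  return userData.get("result");
}

// The test case from comment 0, embedded as a string.
const RECURSIVE_TEST = "function test() {\n  return test();\n}\n\ntest();";

console.log(evaluateInPage("1 + 2"));
console.log(evaluateInPage(RECURSIVE_TEST));
```
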
Crash Signature: [@ XPCJSStackFrame::Release() ]
(In reply to Boris Zbarsky (:bz) from comment #3)
> This works in general, no (in that recursion protection kicks in).  What's
> special about the Firebug command editor?
I think that the special thing is that JSD is activated.

STR:
1) Install the attached extension (activates JSD and hooks jsd.debugHook, jsd.errorHook)
2) Load the following page (the timeout is probably not necessary, just helpful for me when debugging):

<html><body>
<script type="application/javascript;version=1.8">
    setTimeout(function()
    {
        function hello() { hello(); }
        hello();
    }, 5000);
</script>
</body></html><h2></h2>

3) Wait for Firefox crash

Honza
Mozilla/5.0 (Windows NT 6.1; rv:11.0a1) Gecko/20111127 Firefox/11.0a1

I have run the tests from comment #8 and comment #9 and no crash occurred. Firebug is not compatible with Firefox 11 (Nightly).

Sebastian, Jan - are you able to reproduce the crash on latest Nightly, with a clean profile?

Thank you!
I didn't run the test of comment 8, but of comment 0 and comment 9 using FF 11.0a1 + FB 1.9.0b2 (SVN) and Firefox doesn't crash anymore.
That's the good news. The bad one is that it still freezes (without showing the Unresponsive Script message).

Sebastian
So is this basically a duplicate of bug 643360?  I guess this one has better str (e.g. a test extension).
Blocks: 643360
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Infinite recursion loop crashes Firefox → Infinite recursion loop crashes Firefox when Firebug is installed
I'm unsure if both issues are caused by the same problem.
I can still reproduce the crash of bug 643360 (see https://crash-stats.mozilla.com/report/index/bp-c4a6f554-43e3-44e3-ad1a-c529c2120228 and https://crash-stats.mozilla.com/report/index/a6826e2a-c7e1-40de-920a-227532120228).
Though trying the test case here causes Firefox to freeze (no unresponsive script message, no crash reporter).
This issue seems more like a duplicate of bug 647636.

Sebastian
Another test:

http://users.skumleren.net/cers/test/mrjones.html

I think it is JSD since using the Firefox native debugger doesn't have the same effect, and I'm guessing it uses JSD2.
Depends on: 749981
Blocks: 975611
Assignee: general → nobody
Crash Signature: [@ XPCJSStackFrame::Release() ] → [@ XPCJSStackFrame::Release() ] [@ XPCJSStackFrame::Release ]
Firebug is going away, so closing this.

Sebastian
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX