[Greasemonkey] GM_xmlhttpRequest-induced Firefox crash

Mihai Parparita mihai.parparita at gmail.com
Sun Apr 24 22:52:07 EDT 2005


I'm able to make Firefox crash consistently when using
GM_xmlhttpRequest with an onerror handler on a URL that Firefox thinks
needs downloading (in my case http://perversiontracker.com/index.rdf).

I've attached a test case; to invoke it, install the user script and
then run javascript:window.crasher() from the location bar. The
attached stack trace shows where the stacktrace occurs.

My guess is that GM is trying to fill out the response object, but
since the HTTP request is in some zombie state (if a user had clicked
on the URL, a "what do you want to do with this file" dialog would be
presented) it can't get the character set and other data. Note that
this only happens if an onerror handler is present, while the onload
handler never gets called.

You may say, "don't do that" (use GM_xmlhttpRequest with URIs that
Firefox tries to download), but in my particular case, I don't have
complete control over the URIs that I request.

Mihai
-------------- next part --------------
A non-text attachment was scrubbed...
Name: crasher.user.js
Type: application/x-javascript
Size: 482 bytes
Desc: not available
Url : http://mozdev.org/pipermail/greasemonkey/attachments/20050424/97f79caa/crasher.user.js
-------------- next part --------------
Date/Time:      2005-04-24 21:45:31 -0700
OS Version:     10.3.9 (Build 7W98)
Report Version: 2

Command: firefox-bin
Path:    /Applications/Internet/firefox.app/Contents/MacOS/firefox-bin
Version: 1.0 (1.0)
PID:     3263
Thread:  0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   org.mozilla.firefox 	0x007abcb4 nsXMLHttpRequest::DetectCharset(nsACString&) + 0xb4
1   org.mozilla.firefox 	0x007abcb0 nsXMLHttpRequest::DetectCharset(nsACString&) + 0xb0
2   org.mozilla.firefox 	0x007abea4 nsXMLHttpRequest::ConvertBodyToText(nsAString&) + 0xe4
3   org.mozilla.firefox 	0x007ac234 nsXMLHttpRequest::GetResponseText(nsAString&) + 0x44
4   libxpcom.dylib      	0xefd1d09c _XPTC_InvokeByIndex + 0xd8
5   org.mozilla.firefox 	0x00033fc0 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 0xa10
6   org.mozilla.firefox 	0x00027964 XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned int, long*, long*) + 0x160
7   libmozjs.dylib      	0xeff30218 js_Invoke + 0x860
8   libmozjs.dylib      	0xeff304dc js_InternalInvoke + 0xe0
9   libmozjs.dylib      	0xeff3a338 js_InternalGetOrSet + 0x160
10  libmozjs.dylib      	0xeff427d0 js_GetProperty + 0x418
11  libmozjs.dylib      	0xeff3692c js_Interpret + 0x5e04
12  libmozjs.dylib      	0xeff30258 js_Invoke + 0x8a0
13  libmozjs.dylib      	0xeff304dc js_InternalInvoke + 0xe0
14  libmozjs.dylib      	0xefef7950 JS_CallFunctionValue + 0x2c
15  org.mozilla.firefox 	0x00473a84 nsJSContext::CallEventHandler(JSObject*, JSObject*, unsigned int, long*, long*) + 0x188
16  org.mozilla.firefox 	0x00341814 GlobalWindowImpl::RunTimeout(nsTimeoutImpl*) + 0x394
17  org.mozilla.firefox 	0x00342034 GlobalWindowImpl::TimerCallback(nsITimer*, void*) + 0x2c
18  libxpcom.dylib      	0xefd066e0 nsTimerImpl::Fire() + 0xbc
19  libxpcom.dylib      	0xefd06834 handleTimerEvent(TimerEventType*) + 0x90
20  libxpcom.dylib      	0xefd01b90 PL_HandleEvent + 0x2c
21  libxpcom.dylib      	0xefd01ad0 PL_ProcessPendingEvents + 0x84
22  libxpcom.dylib      	0xefd026f0 PL_IsQueueNative + 0x394
23  com.apple.HIToolbox 	0x92881fa0 DispatchEventToHandlers + 0x150
24  com.apple.HIToolbox 	0x92882214 SendEventToEventTargetInternal + 0x174
25  com.apple.HIToolbox 	0x92886694 SendEventToEventTargetWithOptions + 0x28
26  com.apple.HIToolbox 	0x92892d2c ToolboxEventDispatcherHandler(OpaqueEventHandlerCallRef*, OpaqueEventRef*, void*) + 0x2b8
27  com.apple.HIToolbox 	0x9288205c DispatchEventToHandlers + 0x20c
28  com.apple.HIToolbox 	0x92882214 SendEventToEventTargetInternal + 0x174
29  com.apple.HIToolbox 	0x928946bc SendEventToEventTarget + 0x28
30  com.apple.HIToolbox 	0x928985d8 ToolboxEventDispatcher + 0x5c
31  com.apple.HIToolbox 	0x928a8718 TryEventDispatcher + 0x6c
32  com.apple.HIToolbox 	0x92888d88 GetOrPeekEvent + 0x134
33  com.apple.HIToolbox 	0x92889064 GetNextEventMatchingMask + 0x1c8
34  com.apple.HIToolbox 	0x9289c9f0 WNEInternal + 0xa0
35  com.apple.HIToolbox 	0x928ad708 WaitNextEvent + 0x4c
36  org.mozilla.firefox 	0x00203c90 nsMacMessagePump::GetEvent(EventRecord&) + 0x7c
37  org.mozilla.firefox 	0x00203b6c nsMacMessagePump::DoMessagePump() + 0x30
38  org.mozilla.firefox 	0x001e93a4 nsAppShell::Run() + 0x38
39  org.mozilla.firefox 	0x0089f6ac xre_main(int, char**, nsXREAppData const*) + 0xff0
40  org.mozilla.firefox 	0x0000f54c start + 0x1b0
41  org.mozilla.firefox 	0x0000f3cc start + 0x30
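
Added example (not part of the original post or of Greasemonkey): a small JavaScript triage of the crash report above, reading the exception code and fault address and picking out the crashing function and the XPCOM method reached from script. The names `triage` and `parseFrames`, the first-page null-dereference heuristic, and the abridged `SAMPLE` (header fields plus frames 0-5 of the report) are assumptions of this example.

```javascript
// SAMPLE: abridged copy of the report above (header fields and frames 0-5).
const SAMPLE = [
  "Exception:  EXC_BAD_ACCESS (0x0001)",
  "Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000",
  "",
  "Thread 0 Crashed:",
  "0   org.mozilla.firefox \t0x007abcb4 nsXMLHttpRequest::DetectCharset(nsACString&) + 0xb4",
  "1   org.mozilla.firefox \t0x007abcb0 nsXMLHttpRequest::DetectCharset(nsACString&) + 0xb0",
  "2   org.mozilla.firefox \t0x007abea4 nsXMLHttpRequest::ConvertBodyToText(nsAString&) + 0xe4",
  "3   org.mozilla.firefox \t0x007ac234 nsXMLHttpRequest::GetResponseText(nsAString&) + 0x44",
  "4   libxpcom.dylib      \t0xefd1d09c _XPTC_InvokeByIndex + 0xd8",
  "5   org.mozilla.firefox \t0x00033fc0 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 0xa10",
].join("\n");

// index, module, address, symbol (may contain spaces), "+ offset"
const FRAME = /^(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.+?)\s+\+\s+(0x[0-9a-f]+)$/i;

// Collect the frames of the crashed thread only.
function parseFrames(text) {
  const frames = [];
  let inCrashed = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (/^Thread \d+ Crashed:/.test(line)) { inCrashed = true; continue; }
    if (!inCrashed) continue;
    const m = FRAME.exec(line);
    if (!m) { if (frames.length) break; continue; } // blank line ends the thread
    frames.push({ index: Number(m[1]), module: m[2], symbol: m[4] });
  }
  return frames;
}

function triage(text) {
  const exception = (/^Exception:\s+(\S+)/m.exec(text) || [])[1] || null;
  const codes = /^Codes:\s+(\S+)\s+\(0x[0-9a-f]+\)\s+at\s+(0x[0-9a-f]+)/im.exec(text);
  const faultAddress = codes ? parseInt(codes[2], 16) : null;
  const frames = parseFrames(text);
  // Heuristic: the frame called by the xptcall dispatcher (one index lower)
  // is the XPCOM method that script reached through XPConnect.
  const dispatch = frames.findIndex(f => f.symbol === "_XPTC_InvokeByIndex");
  return {
    exception,
    code: codes ? codes[1] : null,
    faultAddress,
    // Heuristic: a fault inside the first page is treated as a null dereference.
    likelyNullDeref: faultAddress !== null && faultAddress < 0x1000,
    crashingSymbol: frames.length ? frames[0].symbol : null,
    scriptEntry: dispatch > 0 ? frames[dispatch - 1].symbol : null,
  };
}
```

On the report above this flags a likely null dereference in `DetectCharset`, entered from script through the `responseText` getter (`GetResponseText`).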

