Closed Bug 103087 Opened 23 years ago Closed 23 years ago

The RegExps MarkupSPE, XML_SPE in the demo crash Mozilla

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
normal

Tracking

()

VERIFIED FIXED

People

(Reporter: bedney, Assigned: rogerl)

Details

(Keywords: crash, js1.5, Whiteboard: [Does Rhino need same fix?])

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
BuildID: 2001091303

This page has multiple RegExps used for XML parsing. By selecting the MarkupSPE RegExp and parsing some XML text, when the browser window is closed the browser crashes.

Reproducible: Always

Steps to Reproduce:
1. Go to the URL, select the MarkupSPE RegExp and paste in some XML text. I have included what I used below, but I've tried it on a number of XML texts, and always get the same results.
2. Click the "Match!" button to get the first match in the parsed text.
3. Click the "Next!" button to get the next match.
4. Close the browser window.

Actual Results: Bye bye Mozilla.

Expected Results: Stayed running.

This bug also occurs in Navigator 4.76, so I have a feeling it's been around a while ;-).

Also, here is the XML text I used. Note that it is extracted from XML In A Nutshell, by O'Reilly & Associates:

<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xlink="http://www.w3.org/XML/XLink/0.9">
  <head><title>Three Namespaces</title></head>
  <body>
    <h1 align="center">An Ellipse and a Rectangle</h1>
    <svg xmlns="http://www.w3.org/Graphics/SVG/SVG-19991203.dtd"
         width="12cm" height="10cm">
      <ellipse rx="110" ry="130" />
      <rect x="4cm" y="1cm" width="3cm" height="6cm" />
    </svg>
    <p xlink:type="simple" xlink:href="ellipses.html">
      More about ellipses
    </p>
    <p xlink:type="simple" xlink:href="rectangles.html">
      More about rectangles
    </p>
    <hr/>
    <p>Last Modified February 13, 2000</p>
  </body>
</html>

I was unable to reproduce the crash on Windows 95 with build 2001100403. The regex test worked fine, and there was no crash when I closed the browser.
Using Mozilla trunk binaries 20011004xx on WinNT, Linux, and Mac 9.1. Confirming crash on Mac 9.1 exactly as the reporter describes. And with the Linux binary, I crash as soon as I hit the "Match" button (with the MarkupSPE RegExp and the given XML text above). I don't have to hit the "Next" button and close the browser, I crash right away on Linux. Compare: with the WinNT binary, I cannot crash no matter what I do -
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Testcase added to JS testsuite -

mozilla/js/tests/ecma_3/RegExp/regress-103087.js

Currently crashing on my Linux box, but not my WinNT box or Mac 9.1.
Linux stack trace of testcase crash:

#0 0x4008eee9 in ?? () from /lib/libc.so.6
#1 0x4008f8a5 in ?? () from /lib/libc.so.6
#2 0x4008f344 in ?? () from /lib/libc.so.6
#3 0x804fbfe in JS_realloc (cx=0x80d72b0, p=0x80fddb0, nbytes=160) at jsapi.c:1420
#4 0x80abaf2 in js_ExecuteRegExp (cx=0x80d72b0, re=0x80fd1f0, str=0x80d9940, indexp=0xbfffe368, test=0, rval=0xbfffe460) at jsregexp.c:2181
#5 0x80acb11 in regexp_exec_sub (cx=0x80d72b0, obj=0x80d9d80, argc=1, argv=0x80e0bf4, test=0, rval=0xbfffe460) at jsregexp.c:2750
#6 0x80acb80 in regexp_exec (cx=0x80d72b0, obj=0x80d9d80, argc=1, argv=0x80e0bf4, rval=0xbfffe460) at jsregexp.c:2764
#7 0x8079bd6 in js_Invoke (cx=0x80d72b0, argc=1, flags=0) at jsinterp.c:807
#8 0x8085679 in js_Interpret (cx=0x80d72b0, result=0xbfffe750) at jsinterp.c:2719
#9 0x807a203 in js_Execute (cx=0x80d72b0, chain=0x80d8b40, script=0x80ed750, down=0x0, special=0, result=0xbfffe750) at jsinterp.c:989
#10 0x80535a6 in JS_ExecuteScript (cx=0x80d72b0, obj=0x80d8b40, script=0x80ed750, rval=0xbfffe750) at jsapi.c:3229
#11 0x8049f95 in Load (cx=0x80d72b0, obj=0x80d8b40, argc=1, argv=0x80e0b2c, rval=0xbfffe820) at js.c:637
#12 0x8079bd6 in js_Invoke (cx=0x80d72b0, argc=1, flags=0) at jsinterp.c:807
#13 0x8085679 in js_Interpret (cx=0x80d72b0, result=0xbffffb28) at jsinterp.c:2719
#14 0x807a203 in js_Execute (cx=0x80d72b0, chain=0x80d8b40, script=0x80de388, down=0x0, special=0, result=0xbffffb28) at jsinterp.c:989
#15 0x80535a6 in JS_ExecuteScript (cx=0x80d72b0, obj=0x80d8b40, script=0x80de388, rval=0xbffffb28) at jsapi.c:3229
#16 0x80496bb in Process (cx=0x80d72b0, obj=0x80d8b40, filename=0x0) at js.c:371
#17 0x8049bc4 in ProcessArgs (cx=0x80d72b0, obj=0x80d8b40, argv=0xbffffc08, argc=0) at js.c:529
#18 0x804c3b5 in main (argc=0, argv=0xbffffc08) at js.c:2108

Easier-to-read version, with top three frames resolved:

#0 0x4008eee9 in chunk_free () at malloc.c:3047
#1 0x4008f8a5 in chunk_realloc () at malloc.c:3351
#2 0x4008f344 in __libc_realloc () at malloc.c:3190
#3 0x804fbfe in JS_realloc () at jsapi.c:1420
#4 0x80abaf2 in js_ExecuteRegExp () at jsregexp.c:2181
#5 0x80acb11 in regexp_exec_sub () at jsregexp.c:2750
#6 0x80acb80 in regexp_exec () at jsregexp.c:2764
#7 0x8079bd6 in js_Invoke () at jsinterp.c:807
#8 0x8085679 in js_Interpret () at jsinterp.c:2719
#9 0x807a203 in js_Execute () at jsinterp.c:989
#10 0x80535a6 in JS_ExecuteScript () at jsapi.c:3229
#11 0x8049f95 in Load () at js.c:637
#12 0x8079bd6 in js_Invoke () at jsinterp.c:807
#13 0x8085679 in js_Interpret () at jsinterp.c:2719
#14 0x807a203 in js_Execute () at jsinterp.c:989
#15 0x80535a6 in JS_ExecuteScript () at jsapi.c:3229
#16 0x80496bb in Process () at js.c:371
#17 0x8049bc4 in ProcessArgs () at js.c:529
#18 0x804c3b5 in main () at js.c:2108

Note: at the given URL, I am also crashing on another regexp: "XML_SPE". This is the last choice in the RegExp combobox. Again, on my Linux box I crash as soon as I hit the "Match" button. On Mac 9.1, I crash after hitting "Match", "Next", then quitting Mozilla. On my WinNT box I do not crash at all.
I find the same to be true in the JS shell testcase crash on Linux. The problem regexps seem to be "MarkupSPE" and "XML_SPE". These are very large patterns, involving lots of subexpressions -
Keywords: crash, js1.5
Summary: The RegExp MarkupSPE in the demo crashes Mozilla → The RegExps MarkupSPE, XML_SPE in the demo crash Mozilla
Whiteboard: [Does Rhino need same fix?]
Note that Markup_SPE is part of XML_SPE. I messed around with it long enough to determine that it was the Markup_SPE part of XML_SPE that was causing the crash.
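An added example, not the project's regress-103087.js testcase and not the demo page's MarkupSPE/XML_SPE source: a regression harness for the scenario in this thread, where a large pattern with many subexpressions embeds a markup pattern and is driven by repeated exec() calls ("Match!", then "Next!"). The sub-patterns, the abbreviated sample and the names tokenize, tilesInput and regress are all constructed for illustration.

```javascript
// Constructed sub-patterns (assumption: NOT the demo page's actual MarkupSPE/XML_SPE).
const NAME = "[A-Za-z_:][A-Za-z0-9_:.-]*";
const ATTR = "\\s+" + NAME + "\\s*=\\s*(?:\"[^\"]*\"|'[^']*')";
const MARKUP = [
  "(<!--(?:[^-]|-[^-])*-->)",                 // comment
  "(<\\?[\\s\\S]*?\\?>)",                     // processing instruction
  "(</" + NAME + "\\s*>)",                    // end tag
  "(<" + NAME + "(?:" + ATTR + ")*\\s*/?>)",  // start or empty-element tag
].join("|");
// The larger pattern embeds the markup pattern as one of its alternatives.
const XML_TOKEN = "([^<]+)|" + MARKUP;
const KINDS = ["text", "comment", "pi", "end", "start"]; // capture group order

// Constructed sample, abbreviated from the XML text in the report.
const SAMPLE = [
  '<html xmlns="http://www.w3.org/1999/xhtml">',
  "<head><title>Three Namespaces</title></head>",
  '<body><h1 align="center">An Ellipse and a Rectangle</h1>',
  '<ellipse rx="110" ry="130" /><hr/>',
  "<p>Last Modified February 13, 2000</p></body></html>",
].join("\n");

// "Match!" then "Next!" until exhausted: repeated exec() on one global RegExp.
function tokenize(input) {
  const re = new RegExp(XML_TOKEN, "g");
  const tokens = [];
  let m;
  while ((m = re.exec(input)) !== null) {
    if (m[0] === "") { re.lastIndex++; continue; } // never stall on an empty match
    const kind = KINDS[m.slice(1).findIndex((g) => g !== undefined)];
    tokens.push({ index: m.index, text: m[0], kind });
  }
  return tokens;
}

// Stronger than "did not crash": the tokens must cover the input with no gaps.
function tilesInput(tokens, input) {
  let pos = 0;
  for (const t of tokens) {
    if (t.index !== pos) return false; // engine skipped or mis-placed a match
    pos += t.text.length;
  }
  return pos === input.length;
}

// Regression check: many match iterations over a long input, then verify coverage.
function regress(repeat) {
  const input = SAMPLE.repeat(repeat);
  const tokens = tokenize(input);
  return { count: tokens.length, ok: tilesInput(tokens, input) };
}
```

Running regress() with a large repeat count under a memory-checking build of the engine exercises the per-match allocation path many times, and the coverage check catches silent mis-matches as well as crashes.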
Blocks: 149801
Phil, how do these testcases do with the regexp rewrite that brings back the bytecoded NFA of old JSRef, plus rogerl's sweet heap-based backtrack stack? /be
The testcase passes in the JS shell with Roger's patch applied. But something seems to have already fixed this. When I run the test in the JS shell without the patch applied, the testcase also passes.

Using Mozilla trunk binary 20020701xx on Linux, Mac9, I have no problems whatsoever at the given URL. I used to crash on Linux on the regexps "MarkupSPE" and "XML_SPE" as soon as I hit "Match". On Mac9 I used to crash on exit. I no longer crash, and I exit the site cleanly.

So I'm going to mark this as Fixed.

bedney@technicalpursuit.com: could you confirm this for me? If an up-to-date build works for you now, could you mark this bug "Verified"? If not, please reopen this bug; thanks -
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Works great now fellas! Thanks! - Bill
Status: RESOLVED → VERIFIED