Bug 243174 - browser crashes when searching at de.selfhtml.org [@ FreeArenaList ]
Status: Closed, VERIFIED FIXED
Opened 21 years ago; Closed 21 years ago
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla1.7final
People: Reporter: stefan.brandner, Assigned: brendan
Details: 4 keywords, Whiteboard: fixed-aviary1.0
Attachments: 7 files
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040421
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040421
Go to the page http://de.selfhtml.org/
Press the link "SELFHTML Suche"
At the top left the search input appears.
Enter the word browser and press "Suchen"
A JavaScript window pops up with an OK button.
After pressing ok the browser crashes.
Reproducible: Always
Steps to Reproduce:
1. Go to the page http://de.selfhtml.org/ and press the link "SELFHTML Suche"
2. Enter the word browser at the search input
3. After pressing "Suchen" a JavaScript window pops up
4. When pressing OK the browser crashes
Actual Results:
Browser crash.
Expected Results:
Should show the search results instead.
program error:
mozilla.exe has generated errors and will be closed by Windows.
You will need to restart the program.
An error log is being created.
Confirming with Mozilla trunk build 2004050907 on WinNT4.
Crash happens, access violation at c0000005. I cannot provide TB IDs because my installer build doesn't contain TB -- once again.
Please add the keyword crash.
Comment 2•21 years ago
Also crashing on Linux using FF 20040510, but Talkback doesn't pop up.
(Starting mozilla.org Firefox in GDB probably gives a corrupt stack so it's not relevant, crashes in nsMUTF7ToUnicode::nsMUTF7ToUnicode... I mention it in case others see this too)
Keywords: crash, stackwanted
OS: Windows 2000 → All
free_dbg_lk(void * 0x03bc2ff8, int 1) line 1066 + 60 bytes
_free_dbg(void * 0x03bc2ff8, int 1) line 1001 + 13 bytes
free(void * 0x03bc2ff8) line 956 + 11 bytes
FreeArenaList(JSArenaPool * 0x0012c76c, JSArena * 0x0012c76c, int 1) line 331 +
10 bytes
JS_FinishArenaPool(JSArenaPool * 0x0012c76c) line 437 + 15 bytes
js_ExecuteRegExp(JSContext * 0x02c5dc00, JSRegExp * 0x03bcb4b0, JSString *
0x03b96678, unsigned int * 0x0012c800, int 1, long * 0x0012c95c) line 3028 + 9 bytes
match_or_replace(JSContext * 0x02c5dc00, JSObject * 0x03b96680, unsigned int 1,
long * 0x03a7728c, int (JSContext *, long, GlobData *)* 0x010cafa0
match_glob(JSContext *, long, GlobData *), GlobData * 0x0012c848, long *
0x0012c95c) line 1152 + 27 bytes
str_match(JSContext * 0x02c5dc00, JSObject * 0x03b96680, unsigned int 1, long *
0x03a7728c, long * 0x0012c95c) line 1244 + 34 bytes
js_Invoke(JSContext * 0x02c5dc00, unsigned int 1, unsigned int 0) line 1281 + 23
bytes
js_Interpret(JSContext * 0x02c5dc00, long * 0x0012d930) line 3366 + 15 bytes
js_Invoke(JSContext * 0x02c5dc00, unsigned int 1, unsigned int 0) line 1301 + 13
bytes
js_Interpret(JSContext * 0x02c5dc00, long * 0x0012e8b4) line 3366 + 15 bytes
js_Invoke(JSContext * 0x02c5dc00, unsigned int 1, unsigned int 2) line 1301 + 13
bytes
js_InternalInvoke(JSContext * 0x02c5dc00, JSObject * 0x034fb9b8, long 55556544,
unsigned int 0, unsigned int 1, long * 0x0012eb14, long * 0x0012eb10) line 1378
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x02c5dc00, JSObject * 0x034fb9b8, long
55556544, unsigned int 1, long * 0x0012eb14, long * 0x0012eb10) line 3618 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x034fb9b8, JSObject * 0x034fb9c0,
unsigned int 1, long * 0x0012eb14, long * 0x0012eb10) line 1292 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03a82738, nsIDOMEvent
* 0x03a562d0) line 174 + 51 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03a827f8,
nsIDOMEvent * 0x03a562d0, nsIDOMEventTarget * 0x03a7b478, unsigned int 4,
unsigned int 7) line 1434 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03a83210,
nsIPresContext * 0x03a54af0, nsEvent * 0x0012f1b0, nsIDOMEvent * * 0x0012ee9c,
nsIDOMEventTarget * 0x03a7b478, unsigned int 7, nsEventStatus * 0x0012f698) line
1529
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x03a54af0, nsEvent *
0x0012f1b0, nsIDOMEvent * * 0x0012ee9c, unsigned int 7, nsEventStatus *
0x0012f698) line 1959
nsHTMLInputElement::HandleDOMEvent(nsIPresContext * 0x03a54af0, nsEvent *
0x0012f1b0, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus *
0x0012f698) line 1395 + 31 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f1b0, nsIView * 0x00000000,
unsigned int 1, nsEventStatus * 0x0012f698) line 6025 + 44 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x031ba978, nsEvent *
0x0012f1b0, nsIFrame * 0x03a57bfc, nsIContent * 0x03a830d8, unsigned int 1,
nsEventStatus * 0x0012f698) line 5980 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x03a54af0,
nsMouseEvent * 0x0012f8b8, nsEventStatus * 0x0012f698) line 2958 + 66 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x02bbf6d0,
nsIPresContext * 0x03a54af0, nsEvent * 0x0012f8b8, nsIFrame * 0x03a57bfc,
nsEventStatus * 0x0012f698, nsIView * 0x03a8ffe8) line 1979 + 23 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f8b8, nsIView * 0x03a8ffe8,
unsigned int 1, nsEventStatus * 0x0012f698) line 6077 + 52 bytes
PresShell::HandleEvent(PresShell * const 0x031ba9ec, nsIView * 0x03a8ffe8,
nsGUIEvent * 0x0012f8b8, nsEventStatus * 0x0012f698, int 0, int & 1) line 5918 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x03a8c4a0, nsGUIEvent * 0x0012f8b8, int 0)
line 2233
nsViewManager::DispatchEvent(nsViewManager * const 0x00f6ca00, nsGUIEvent *
0x0012f8b8, nsEventStatus * 0x0012f790) line 1973 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f8b8) line 79
nsWindow::DispatchEvent(nsWindow * const 0x03a8fdf4, nsGUIEvent * 0x0012f8b8,
nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f8b8) line 1088
nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5189 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5444
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 1310982, long *
0x0012fd7c) line 3975 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x006b0540, unsigned int 514, unsigned int 0, long
1310982) line 1349 + 27 bytes
USER32! 77d13a50()
USER32! 77d13b1f()
USER32! 77d13d79()
USER32! 77d14374()
CWinThread::Run() line 487 + 11 bytes
CWinApp::Run() line 400
AfxWinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00000000, char *
0x00142388, int 10) line 49 + 11 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00000000, char * 0x00142388,
int 10) line 30
WinMainCRTStartup() line 330 + 54 bytes
KERNEL32! 77e614c7()
Comment 5•21 years ago
Confirmed using 2004050609 Nightly on Windows 2000. Talkback ID: TB43435X
Please change status to: NEW
Now crashed with Mozilla trunk build 2004051108 on WinNT4.
TB-ID: TB47150Y
Comment 7•21 years ago
Updated•21 years ago
Assignee: general → general
Component: Browser-General → JavaScript Engine
Keywords: stackwanted
QA Contact: general → pschwartau
Summary: browser crashes when searching at de.selfhtml.org → browser crashes when searching at de.selfhtml.org [@ FreeArenaList ]
Comment 8•21 years ago
testcase:
javascript:alert("-+16-+59-+66-+67-+80-+82-+143-+170-+176-+189-+308-+363-+364-+365-+377-+393-+404-+405-+419-+430-+641-+732-+754-+783-+786-+972-+977-+980-+982-+1010-+1011-+1027-+1028-+1039-+1040-+1074-+1084-+1086-+1098-+1267-+1296-+1305-+1367-+1371-+1379-+1480-+1481-+1482-+1484-+1510-+1526-+1565-+1568-+1574-+1577-+1604-+1632-+1638-+1643-+1657-+1708-+1722-+1941-+1948-+1955-+1965-+1966-+2027-+2039-+2040-+2041-+2048-+2054-+2059-+2090-+2091-+2092-+2105-+2118-+".match(eval("/\\+(3|4|7|21|47|49|53|54|56|57|58|59|60|61|62|64|67|69|72|73|74|76|78|80|84|91|95|96|99|118|120|141|142|145|147|148|149|151|152|160|164|169|170|171|173|174|175|176|181|183|185|186|188|189|190|191|193|200|201|202|204|205|207|208|209|211|214|216|221|223|226|229|230|231|233|237|239|249|250|252|255|258|260|261|267|269|270|278|280|281|290|291|293|294|295|296|297|298|299|300|301|302|303|306|307|308|309|311|313|317|319|321|322|328|329|338|342|343|345|347|349|352|359|360|364|366|367|368|370|373|376|377|378|379|380|381|384|385|386|387|388|389|390|393|394|396|397|398|399|400|402|403|416|418|419|420|423|424|425|428|429|430|432|440|442|444|445|446|448|449|629|643|646|647|649|652|658|668|680|681|682|683|684|703|706|720|722|731|733|736|737|738|741|744|745|749|752|753|754|755|763|786|803|806|807|808|812|829|831|843|844|845|846|847|848|849|851|854|855|856|858|859|860|861|863|866|867|868|869|870|871|875|876|877|878|879|881|882|883|884|885|886|888|889|890|891|892|893|894|895|896|897|898|900|901|903|904|906|908|910|911|912|913|914|915|916|918|919|921|970|971|972|973|980|986|987|988|991|998|1009|1011|1015|1016|1031|1037|1038|1039|1040|1045|1046|1051|1052|1053|1054|1057|1058|1060|1064|1069|1070|1071|1074|1075|1085|1089|1090|1091|1093|1094|1095|1096|1097|1101|1103|1107|1109|1110|1112|1115|1116|1117|1171|1172|1175|1183|1184|1233|1289|1296|1300|1307|1315|1317|1327|1367|1374|1384|1392|1393|1408|1409|1412|1428|1479|1480|1481|1482|1483|1484|1485|1486|1487|1488|1490|1491|1492|1493|1497|1510|1522|1524|1565|1566|1567|1568|1573|1574|1576|1582|1584|1586|1588|1591|1592|1593|1596|1599|1600|1604|1606|1615|1616|1617|1621|1625|1631|1632|1633|1636|1640|1643|1644|1645|1646|1648|1650|1652|1655|1656|1657|1658|1660|1661|1663|1669|1670|1671|1672|1673|1675|1676|1677|1679|1680|1683|1684|1685|1686|1687|1688|1689|1695|1697|1702|1703|1704|1705|1706|1711|1712|1713|1714|1716|1722|1725|1726|1731|1738|1744|1747|1748|1749|1750|1753|1757|1761|1762|1763|1764|1765|1766|1767|1769|1771|1772|1773|1774|1775|1776|1777|1778|1779|1780|1781|1782|1783|1784|1785|1786|1788|1789|1790|1791|1792|1793|1794|1796|1797|1798|1799|1801|1802|1803|1804|1805|1806|1807|1808|1809|1810|1811|1812|1815|1816|1817|1818|1821|1822|1823|1824|1825|1827|1828|1831|1835|1840|1844|1845|1849|1850|1852|1853|1854|1855|1856|1857|1858|1859|1860|1862|1866|1867|1874|1885|1886|1887|1890|1894|1897|1898|1903|1912|1913|1917|1923|1933|1940|1941|1944|1945|1946|1947|1948|1949|1950|1963|1964|1965|1967|1971|1972|1973|1974|1978|1983|1988|1990|1991|2001|2003|2013|2015|2020|2025|2026|2027|2029|2034|2039|2040|2041|2047|2048|2049|2050|2053|2054|2055|2057|2058|2059|2060|2061|2064|2067|2070|2073|2076|2079|2082|2085|2088|2090|2092|2093|2094|2095|2096|2098|2099|2100|2101|2102|2103|2105|2114|2119|2121|2122|2124|2128|2131|2132|21|170|177|190|191|291|982|1038|1655|1978|2090|2133|1983|783|1582|2102|6|14|53|65|66|67|68|72|85|88|95|96|97|121|126|145|148|154|160|184|188|219|220|258|267|277|289|292|295|297|304|317|318|322|332|342|343|353|354|367|373|378|381|384|398|402|418|419|425|428|438|643|662|665|673|675|705|706|803|876|973|988|1013|1015|1020|1047|1091|1171|1184|1317|1400|1401|1486|1572|1590|1591|1593|1600|1621|1632|1633|1635|1636|1638|1640|1648|1657|1958|1966|1969|1973|1983|2048|2061|2064|2067|2070|2073|2076|2079|2082|2085|2088|2091|2126|2127|2128|1063|986|16|59|66|67|80|82|143|170|176|189|308|363|364|365|377|393|404|405|419|430|641|732|754|783|786|972|977|980|982|1010|1011|1027|1028|1039|1040|1074|1084|1086|1098|1267|1296|1305|1367|1371|1379|1480|1481|1482|1484|1510|1526|1565|1568|1574|1577|1604|1632|1638|1643|1657|1708|1722|1941|1948|1955|1965|1966|2027|2039|2040|2041|2048|2054|2059|2090|2091|2092|2105|2118|1300|971|2047|2050|986|1632|2049|1184|2047)-/g")));
This is crashing Windows 2003 1.7 branch 20040515 for me: TB48397M
Updated•21 years ago (Assignee)
Assignee: general → brendan
Flags: blocking1.7? → blocking1.7+
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.7final
Updated•21 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 9•21 years ago (Assignee)
Another jsregexp.c bug, looks like. Can someone show that this regressed when I landed rogerl's big rewrite (2003/10/22)? I'd appreciate any purify or valgrind help, too, although this is easily reproduced. Must fix for 1.7, in any event.
/be
Comment 10•21 years ago
I found the following two windows versions in archive.mozilla.org:
WFM: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
Crash: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a) Gecko/20031028
Maybe someone could narrow this time window with the Linux nightlies.
Comment 11•21 years ago (Assignee)
Naturally, I can't get valgrind working on FC1.
Timeless, anyone: purify or valgrind help?
/be
Comment 12•21 years ago
This is the only output I get from valgrind running the testcase in the JS shell.
Invalid read of size 4
at 0x804F962: JS_malloc (jsapi.c:1448)
by 0x80C249B: js_InflateString (jsstr.c:2786)
by 0x8052907: JS_BufferIsCompilableUnit (jsapi.c:3106)
by 0x8049526: Process (js.c:378)
by 0x317C3637: ???
Address 0x7C32334E is not stack'd, malloc'd or (recently) free'd
Comment 13•21 years ago
No crash: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031021
Crash: 20031022
Comment 14•21 years ago
This is a (more useful) log from invoking the testcase from the command line rather than pasting it into an interactive session.
Comment 15•21 years ago
Assertion failure: a->base <= a->avail && a->avail <= a->limit, at jsarena.c:345
+ a 0x018a74d8 {next=0xcdcdcdcd {next=??? base=??? limit=??? ...}
base=0xcdcdcdcd limit=0x00000001 ...} JSArena *
a->avail 0xcdcdcdcd unsigned long
a->base 0xcdcdcdcd unsigned long
a->limit 0x00000001 unsigned long
ntdll.dll!DbgBreakPoint()
PURERT.DLL!_x_checks_timed_fn_entry() + 0x16a3f3
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!JS_Assert(const
char * s=0x5116116c, const char * file=0x51161160, int ln=0x00000159) Line 149
+ 0x19 C
> JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!FreeArenaList
(JSArenaPool * pool=0x0013cd48, JSArena * head=0x0013cd48, int
reallyFree=0x00000001) Line 345 + 0x8f C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!JS_FinishArenaPool
(JSArenaPool * pool=0x0013cd48) Line 480 + 0x39 C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!js_ExecuteRegExp
(JSContext * cx=0x003681b8, JSRegExp * re=0x01734930, JSString *
str=0x00369bb0, unsigned int * indexp=0x0013cdd4, int test=0x00000001, long *
rval=0x0013cea0) Line 3107 + 0x1b C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!match_or_replace
(JSContext * cx=0x003681b8, JSObject * obj=0x00369bc8, unsigned int
argc=0x00000001, long * argv=0x0170842c, int (JSContext *, long, GlobData *)*
glob=0x5113e8b6, GlobData * data=0x0013ce08, long * rval=0x0013cea0) Line 1152
+ 0x5d C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!str_match
(JSContext * cx=0x003681b8, JSObject * obj=0x00369bc8, unsigned int
argc=0x00000001, long * argv=0x0170842c, long * rval=0x0013cea0) Line 1244 +
0x7c C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!js_Invoke
(JSContext * cx=0x003681b8, unsigned int argc=0x00000001, unsigned int
flags=0x00000000) Line 1281 + 0x62 C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!js_Interpret
(JSContext * cx=0x003681b8, long * result=0x0013d7b4) Line 3370 + 0x39 C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!js_Execute
(JSContext * cx=0x003681b8, JSObject * chain=0x00369748, JSScript *
script=0x0170d858, JSStackFrame * down=0x00000000, unsigned int
flags=0x00000000, long * result=0x0013d7b4) Line 1507 + 0x2b C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!JS_ExecuteScript
(JSContext * cx=0x003681b8, JSObject * obj=0x00369748, JSScript *
script=0x0170d858, long * rval=0x0013d7b4) Line 3473 + 0x4f C
js$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.exe!Load(JSContext *
cx=0x003681b8, JSObject * obj=0x00369748, unsigned int argc=0x00000001, long *
argv=0x017083fc, long * rval=0x0013d84c) Line 679 + 0x16 C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!js_Invoke
(JSContext * cx=0x003681b8, unsigned int argc=0x00000001, unsigned int
flags=0x00000000) Line 1281 + 0x62 C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!js_Interpret
(JSContext * cx=0x003681b8, long * result=0x0013f168) Line 3370 + 0x39 C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!js_Execute
(JSContext * cx=0x003681b8, JSObject * chain=0x00369748, JSScript *
script=0x01708340, JSStackFrame * down=0x00000000, unsigned int
flags=0x00000000, long * result=0x0013f168) Line 1507 + 0x2b C
JS32$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.DLL!JS_ExecuteScript
(JSContext * cx=0x003681b8, JSObject * obj=0x00369748, JSScript *
script=0x01708340, long * rval=0x0013f168) Line 3473 + 0x4f C
js$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.exe!Process(JSContext *
cx=0x003681b8, JSObject * obj=0x00369748, char * filename=0x00000000) Line 390
+ 0x16 C
js$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.exe!ProcessArgs
(JSContext * cx=0x003681b8, JSObject * obj=0x00369748, char * *
argv=0x0036510c, int argc=0x00000000) Line 568 + 0x11 C
js$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.exe!main(int
argc=0x00000000, char * * argv=0x0036510c, char * * envp=0x003631f0) Line 2426
+ 0x15 C
js$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.exe!mainCRTStartup()
Line 400 + 0xe C
PURERT.DLL!_x_checks_timed_fn_entry() + 0x1eb5
js$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.exe!00408059()
js$Purify_R_mozilla_js_src_WINNT5_@1__DBG_@OBJ.exe!0040804a()
kernel32.dll!GetCurrentDirectoryW() + 0x44
ntdll.dll!RtlGetFullPathName_U() + 0x1ee
Comment 16•21 years ago
FWIW 0xcdcdcdcd is CRT "clean land" (new, uninit'd objects).
So the first assert was:
JS_ASSERT(a->base <= a->avail && a->avail <= a->limit);
Then one line executed:
a->avail = a->base;
Then another assert:
Assertion failure: (a)->avail <= (a)->limit, at jsarena.c:347
JS_CLEAR_UNUSED(a);
Comment 17•21 years ago
Note that the JS_Asserts correspond to [I] Starting thread 0xe30
Attachment #148783 - Attachment is patch: false
Comment 18•21 years ago
Just the ABW for people who don't like reading long purify logs:
[E] ABW: Array bounds write in memcpy {1 occurrence}
Writing 16060 bytes to 0x018a3644 (81 bytes at 0x018a74af illegal)
Address 0x018a3644 is 44 bytes into a 16023 byte block at 0x018a3618
Address 0x018a3644 points to a HeapAlloc'd block in heap 0x00360000
Thread ID: 0x3c8
Error location
memcpy+0xc [R:\mozilla\js\src\WINNT5.1_DBG.OBJ\js32.dll ip=0x511547cf]
PushBackTrackState+0x350 [r:\mozilla\js\src\jsregexp.c:1766 ip=0x511166cf]
        result = (REBackTrackData *) ((char *)gData->backTrackStack + offset);
    }
    gData->backTrackSP = result;
    result->sz = gData->cursz;
    gData->cursz = sz;
    result->backtrack_op = op;
    result->backtrack_pc = target;
    result->cp = cp;
    result->parenCount = parenCount;
    result->precedingStateTop = gData->stateStackTop;
    JS_ASSERT(gData->stateStackTop);
    memcpy(result + 1, gData->stateStack,
=>         sizeof(REProgState) * result->precedingStateTop);
    if (parenCount != -1) {
        result->parenIndex = parenIndex;
        memcpy((char *)(result + 1) +
               sizeof(REProgState) * result->precedingStateTop,
               &x->parens[parenIndex],
               sizeof(RECapture) * parenCount);
        for (i = 0; i < parenCount; i++)
            x->parens[parenIndex + i].index = -1;
    }
    return result;
}
ExecuteREBytecode+0xafe [r:\mozilla\js\src\jsregexp.c:2450 ip=0x51113e76]
MatchRegExp+0x146 [r:\mozilla\js\src\jsregexp.c:2832 ip=0x51113296]
js_ExecuteRegExp+0x3ff [r:\mozilla\js\src\jsregexp.c:2931 ip=0x51112097]
match_or_replace+0x7c6 [r:\mozilla\js\src\jsstr.c:1152 ip=0x5113e2d0]
str_match+0xe1 [r:\mozilla\js\src\jsstr.c:1244 ip=0x5113da84]
js_Invoke+0x19f7 [r:\mozilla\js\src\jsinterp.c:1281 ip=0x5108eb08]
js_Interpret+0x1d5a3 [r:\mozilla\js\src\jsinterp.c:3370 ip=0x510ae6d8]
js_Execute+0x7b8 [r:\mozilla\js\src\jsinterp.c:1507 ip=0x510907fe]
JS_ExecuteScript+0x5e [r:\mozilla\js\src\jsapi.c:3473 ip=0x51017e80]
Load+0xec [r:\mozilla\js\src\js.c:679 ip=0x00401341]
js_Invoke+0x19f7 [r:\mozilla\js\src\jsinterp.c:1281 ip=0x5108eb08]
js_Interpret+0x1d5a3 [r:\mozilla\js\src\jsinterp.c:3370 ip=0x510ae6d8]
js_Execute+0x7b8 [r:\mozilla\js\src\jsinterp.c:1507 ip=0x510907fe]
JS_ExecuteScript+0x5e [r:\mozilla\js\src\jsapi.c:3473 ip=0x51017e80]
Process+0x2a1 [r:\mozilla\js\src\js.c:390 ip=0x00403f5e]
ProcessArgs+0x42b [r:\mozilla\js\src\js.c:568 ip=0x00403c35]
main+0x1eb [r:\mozilla\js\src\js.c:2426 ip=0x004037dd]
mainCRTStartup+0x143 [f:\vs70builds\9466\vc\crtbld\crt\src\crtexe.c:400 ip=0x00404367]
_except_list+0x59 [R:\mozilla\js\src\WINNT5.1_DBG.OBJ\js.exe ip=0x00408059]
Comment 19•21 years ago
My tree is mostly current,
File: jsregexp.c Status: Needs Patch
Working revision: 3.82
is one rev out of date (a patch brendan made recently); the diffs attached don't affect program control (it's essentially #if 0), but they do affect line numbers (sorry). My jsconfig.h also defines a 151 version which is basically 150 + JS_HAS_XDR_FREEZE_THAW. This jsshell was built with that version. It should not affect anything.
Comment 20•21 years ago
From the ABW:
- gData->stateStack 0x018a74ec {continue_pc=0xcdcdcdcd <Bad Ptr>
continue_op=0xcd 'Í' index=0xcdcd ...} REProgState *
|+ continue_pc 0xcdcdcdcd <Bad Ptr> unsigned char *
| continue_op 0xcd 'Í' unsigned char
| index 0xcdcd unsigned short
| parenSoFar 0x00000001 unsigned int
\- u {quantifier={min=0xcdcd max=0xcdcd } assertion={top=0xcdcdcdcd
sz=0xcdcdcdcd } } __unnamed
|+ quantifier {min=0xcdcd max=0xcdcd } __unnamed
\+ assertion {top=0xcdcdcdcd sz=0xcdcdcdcd } __unnamed
- gData 0x0013cd14 {cx=0x003681b8 {links={next=0x00365380
{next=0x003681b8 prev=0x003681b8 } prev=0x00365380 {next=0x003681b8
prev=0x003681b8 } } interpLevel=0x00000002 stackLimit=0x00000000 ...}
regexp=0x01734930 {nrefs=0x00000001 flags=0x0002 cloneIndex=0x0000 ...}
ok=0x00000001 ...} REGlobalData *
|+ cx 0x003681b8 {links={next=0x00365380 {next=0x003681b8
{next=0x00365380 prev=0x00365380 } prev=0x003681b8 {next=0x00365380
prev=0x00365380 } } prev=0x00365380 {next=0x003681b8 {next=0x00365380
prev=0x00365380 } prev=0x003681b8 {next=0x00365380 prev=0x00365380 } } }
interpLevel=0x00000002 stackLimit=0x00000000 ...} JSContext *
|+ regexp 0x01734930 {nrefs=0x00000001 flags=0x0002 cloneIndex=0x0000 ...}
JSRegExp *
| ok 0x00000001 int
| start 0x0000015e unsigned int
| skipped 0x00000000 int
|+ cpbegin 0x0170c2d0 "-+16-+59-+66-+67-+80-+82-+143-+170-+176-+189-+308-
+363-+364-+365-+377-+393-+404-+405-+419-+430-+641-+732-+754-+783-+786-+972-+977-
+980-+982-+1010-+1011-+1027-+1028-+1039-+1040-+1074-+1084-+1086-+1098-+1267-
+1296-+1305-+1367-+1371-+1379-+1480-+1481-+1482-+1484-+1510-+1526-+1565-+1568-
+1574-+1577-+1604-+1632-+1638-+1643-+1657-+1708-+1722-+1941-+1948-+1955-+1965-
+1966-+2027-+2039-+2040-+2041-+2048-+2054-+2059-+2090-+2091-+2092-+2105-+2118-+"
const unsigned short *
|+ cpend 0x0170c642 "" const unsigned short *
|+ stateStack 0x018a74ec {continue_pc=0xcdcdcdcd <Bad Ptr>
continue_op=0xcd 'Í' index=0xcdcd ...} REProgState *
| stateStackTop 0x0323 unsigned short
| maxStateStack 0x0640 unsigned short
|+ backTrackStack 0x018a362c {sz=0x00000000 backtrack_pc=0x01736bbf ""
backtrack_op=0x01 '␁' ...} REBackTrackData *
|+ backTrackSP 0x018a362c {sz=0x00000000 backtrack_pc=0x01736bbf ""
backtrack_op=0x01 '␁' ...} REBackTrackData *
| maxBackTrack 0x00003e80 unsigned int
| cursz 0x00003ed4 unsigned int
\+ pool {first={next=0x0189d678 {next=0x0189f658 {next=0x018a1638
base=0x0189f668 limit=0x018a160b ...} base=0x0189d688 limit=0x0189f62b ...}
base=0x0013cd58 limit=0x0013cd58 ...} current=0x018a3618 {next=0x00000000
{next=??? base=??? limit=??? ...} base=0x018a362c limit=0x018a74af ...}
arenasize=0x00001fa0 ...} JSArenaPool
Comment 21•21 years ago (Assignee)
This code is ugly, with misnomers and cybercrud names all over.
The essential fix is to avoid assuming in PushBackTrackState that doubling the backtrack stack size will suffice to hold the new result.
/be
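The growth assumption described in comment 21 is easy to see in a small model. The following C program is added illustration for this page, not code from jsregexp.c or from the attached patch: it models the backtrack stack as a byte buffer, pushes one record the way PushBackTrackState does, and compares a grow-once policy with a grow-until-it-fits policy. The sizes are assumptions taken from the logs above (a 20-byte REProgState, a 24-byte REBackTrackData header, stateStackTop = 0x323, and a stack that had just doubled from 8000 bytes to the 16000 bytes seen as maxBackTrack in comment 20); with them the record size comes out at 16084 bytes, matching cursz = 0x3ed4. Because the model ignores the arena header, it reports 84 out-of-bounds bytes where Purify reported 81.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the regexp engine's backtrack stack. This is added
 * illustration code, not jsregexp.c. The byte sizes are assumptions chosen to
 * match the Purify log in comment 18: a 20-byte REProgState and a 24-byte
 * REBackTrackData header (0x018a3644 - 0x018a362c). */
enum { STATE_SIZE = 20, HEADER_SIZE = 24 };

typedef struct {
    unsigned char *stack;   /* backTrackStack: the growable buffer         */
    size_t sp;              /* bytes in use (backTrackSP - backTrackStack) */
    size_t cap;             /* maxBackTrack: capacity in bytes             */
} BackTrack;

/* Growth policy: given the current capacity, the bytes in use and the size of
 * the record about to be pushed, return the new capacity. */
typedef size_t (*GrowFn)(size_t cap, size_t sp, size_t needed);

/* The flawed assumption: one doubling always suffices. A record that carries
 * more saved state than the whole current stack can hold still does not fit. */
static size_t grow_once(size_t cap, size_t sp, size_t needed)
{
    (void)sp; (void)needed;
    return cap * 2;
}

/* The fix: derive the new capacity from the record size, growing until it fits. */
static size_t grow_until_fits(size_t cap, size_t sp, size_t needed)
{
    while (sp + needed > cap)
        cap *= 2;
    return cap;
}

static void bt_init(BackTrack *bt, size_t cap)
{
    bt->stack = malloc(cap);
    bt->sp = 0;
    bt->cap = cap;
}

static void bt_free(BackTrack *bt)
{
    free(bt->stack);
    bt->stack = NULL;
}

/* Push a backtrack record that saves 'nstates' REProgState entries.
 * Returns the number of bytes the copy would have written past the end of the
 * buffer (0 means the push was safe). Unlike the original, the out-of-bounds
 * write is detected and refused instead of corrupting the heap. */
static size_t push_backtrack(BackTrack *bt, size_t nstates, GrowFn grow)
{
    size_t needed = HEADER_SIZE + nstates * STATE_SIZE;

    if (bt->sp + needed > bt->cap) {
        size_t newcap = grow(bt->cap, bt->sp, needed);
        unsigned char *p = realloc(bt->stack, newcap);
        if (p == NULL)
            return (size_t)-1;
        bt->stack = p;
        bt->cap = newcap;
    }

    /* This is the bounds check the original memcpy lacked. */
    if (bt->sp + needed > bt->cap)
        return bt->sp + needed - bt->cap;

    memset(bt->stack + bt->sp, 0xAA, needed); /* stands in for the memcpy of header + states */
    bt->sp += needed;
    return 0;
}

/* Replay the numbers from comment 20 under a given growth policy: an empty
 * 8000-byte stack (half of the 16000-byte maxBackTrack in the log) and a
 * record saving stateStackTop = 0x323 (803) states. */
size_t overflow_bytes(GrowFn grow)
{
    BackTrack bt;
    size_t over;

    bt_init(&bt, 8000);
    over = push_backtrack(&bt, 0x323, grow);
    bt_free(&bt);
    return over;
}

int main(void)
{
    printf("record size : %zu bytes\n", (size_t)(HEADER_SIZE + 0x323 * STATE_SIZE));
    printf("double once : %zu bytes written out of bounds\n", overflow_bytes(grow_once));
    printf("grow to fit : %zu bytes written out of bounds\n", overflow_bytes(grow_until_fits));
    return 0;
}
```

Compile with `cc -std=c99` and run: the second output line is the bug (16084 bytes pushed into a 16000-byte buffer), the third is the fix. The point the bounds check makes is that a growth policy has to be computed from the size of the record being pushed, not from the current capacity alone; a single record here is larger than the entire stack that existed before it.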
Comment 22•21 years ago (Assignee)
Comment on attachment 148787 [details] [diff] [review]
proposed fix (non-minimal)
Want to get this into 1.8a tonight.
/be
Attachment #148787 - Flags: review?(shaver)
Comment 23•21 years ago (Assignee)
Thanks to timeless for the ABW info in comment 20.
/be
Comment 24•21 years ago
Comment on attachment 148787 [details] [diff] [review]
proposed fix (non-minimal)
r=shaver
Attachment #148787 - Flags: review?(shaver) → review+
Comment 25•21 years ago (Assignee)
Comment on attachment 148787 [details] [diff] [review]
proposed fix (non-minimal)
This should go in for 1.7 also. I don't think it needs baking on the trunk; it passes the JS testsuite and this bug's regression test.
/be
Attachment #148787 - Flags: approval1.7?
Comment 26•21 years ago
Comment on attachment 148787 [details] [diff] [review]
proposed fix (non-minimal)
a=asa (on behalf of drivers) for checkin to 1.7
Attachment #148787 - Flags: approval1.7? → approval1.7+
Comment 27•21 years ago (Assignee)
Fixed on 1.7 branch and trunk. Yet another fix for the aviary branch to pick up.
/be
Updated•21 years ago
Whiteboard: fixed-aviary1.0
Comment 28•21 years ago
Verified as fixed on latest 1.7 branch Win 06-24, Mac 06-30 & Linux 06-29 builds.
Changing keywords from fixed1.7 to verified1.7.
Leave this bug status "as is" until this bug is verified on trunk again...
Keywords: fixed1.7 → verified1.7
Comment 29•20 years ago
Thanks to be.
Comment 30•20 years ago
js1_5/Regress/regress-243174.js checked in.
Updated•20 years ago
Flags: testcase+
Updated•14 years ago
Crash Signature: [@ FreeArenaList ]