Bug 288818: Crash at visiting dean edwards weblog [@ find_replen ]
Status: Closed, VERIFIED FIXED
Opened 19 years ago, closed 19 years ago
Categories: Core :: JavaScript Engine, defect, P1
Tracking: mozilla1.8beta2
People: Reporter: martijn.martijn, Assigned: brendan
Details: 5 keywords
Attachments (2 files):
7.32 KB, text/plain
3.04 KB, patch (shaver: review+, dbaron: superreview+, brendan: approval-aviary1.0.3+, brendan: approval1.7.7+)
When visiting that site, I get a crash with the 2005-04-02 trunk build. I don't get a crash with the 2005-04-01 trunk build. I think this happens because of the fix for bug 288688, see the backtrace that I'll attach shortly.
Comment 1•19 years ago (Reporter)
Backtrace from my debug build.
Updated•19 years ago (Assignee)
Comment 2•19 years ago (Assignee)
Comment on attachment 179442 [details]
Backtrace
Crap, no one read the whole lambda-replace code section in find_replen! It
needs cx->regExpStatics.moreParens from the outer match to be valid after the
code I added to stack regExpStatics, which nulls moreParens!
Patch immediately.
/be
Attachment #179442 -
Attachment description: Bactrace → Backtrace
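The ordering problem comment 2 describes, as an added C model that is not the attached patch or SpiderMonkey code. `Statics`, `get_paren`, `make_match` and both `push_args_*` functions are hypothetical names, and the layout of nine inline captures plus a `more_parens` overflow array is an assumption.

```c
#include <stddef.h>
#define FIXED_PARENS 9   /* captures stored inline; later ones live in more_parens */
typedef struct { const char *chars; size_t length; } SubString;
typedef struct {
    SubString  parens[FIXED_PARENS];
    SubString *more_parens;          /* heap array for captures 10 and up, or NULL */
    size_t     paren_count;
} Statics;                           /* hypothetical stand-in for cx->regExpStatics */

/* Copy capture i into *out; returns 0 where unchecked code would dereference NULL. */
static int get_paren(const Statics *s, size_t i, SubString *out) {
    if (i >= FIXED_PARENS && s->more_parens == NULL) return 0;
    *out = i < FIXED_PARENS ? s->parens[i] : s->more_parens[i - FIXED_PARENS];
    return 1;
}

/* Order from comment 2: stack the statics (nulling more_parens), then read the
 * outer match's captures. Returns captures read, or -1 at the first lost one. */
int push_args_stack_first(Statics *cur, Statics *save, SubString *argv) {
    *save = *cur;
    cur->more_parens = NULL;
    for (size_t i = 0; i < cur->paren_count; i++)
        if (!get_paren(cur, i, &argv[i])) return -1;
    return (int)cur->paren_count;
}

/* Safe order: read every capture while more_parens is still valid, then null
 * it as the stacking step requires. */
int push_args_read_first(Statics *cur, Statics *save, SubString *argv) {
    *save = *cur;
    for (size_t i = 0; i < cur->paren_count; i++)
        if (!get_paren(cur, i, &argv[i])) return -1;
    cur->more_parens = NULL;
    return (int)cur->paren_count;
}

/* Constructed sample: a match with n one-character captures (n <= 16). */
Statics make_match(SubString *extra, size_t n) {
    static const char text[] = "abcdefghijklmnop";
    Statics s = { .more_parens = n > FIXED_PARENS ? extra : NULL, .paren_count = n };
    for (size_t i = 0; i < n; i++) {
        SubString sub = { text + i, 1 };
        if (i < FIXED_PARENS) s.parens[i] = sub; else extra[i - FIXED_PARENS] = sub;
    }
    return s;
}
int main(void) {
    SubString extra[4], argv[12];
    Statics save, m = make_match(extra, 12);
    return push_args_read_first(&m, &save, argv) == 12 ? 0 : 1;
}
```

With nine or fewer captures both orders behave the same, which is why only a replace callback on a regexp with ten or more groups reaches the failing path in this model.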
Updated•19 years ago (Assignee)
Status: NEW → ASSIGNED
Flags: blocking1.7.7+
Flags: blocking-aviary1.0.3+
OS: Windows XP → All
Hardware: PC → All
Comment 3•19 years ago (Assignee)
Pre-approving. I'm likely to check this in now, so Chase can respin when he gets the bugmail or drivers mail. /be
Attachment #179443 - Flags: superreview?(dbaron)
Attachment #179443 - Flags: review?(shaver)
Attachment #179443 - Flags: approval1.7.7+
Attachment #179443 - Flags: approval-aviary1.0.3+
Comment 4•19 years ago (Assignee)
I checked into the trunk and the two branches. Respin when you can, test harder. Thanks to Martijn for finding the hard case -- Dean Edwards, my whatwg.org buddy! /be
Comment 5•19 years ago
I was able to crash with the 4/2 Aviary build - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050402 Firefox/1.0.3
Incident ID: 4802538
Stack Signature find_replen 7661dfe2
Email Address jay@mozilla.org
Product ID Firefox10
Build ID 2005040205
Trigger Time 2005-04-03 01:19:42.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (0003e099)
URL visited http://dean.edwards.name/weblog/
User Comments Bug 288818: Crash visiting dean edwards weblog (http://dean.edwards.name/weblog/)
Since Last Crash 1351 sec
Total Uptime 1351 sec
Trigger Reason Access violation
Source File, Line No. d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1432
Stack Trace
find_replen [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1432]
replace_glob [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1538]
match_or_replace [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1155]
str_replace [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1608]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 949]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
fun_apply [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1573]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 949]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
nsXPCWrappedJSClass::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1339]
nsXPCWrappedJS::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 450]
SharedStub [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147]
nsEventListenerManager::HandleEventSubType [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1436]
nsEventListenerManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1516]
GlobalWindowImpl::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 927]
DocumentViewerImpl::LoadComplete [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocumentViewer.cpp, line 917]
nsDocShell::EndPageLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4602]
nsWebShell::EndPageLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsWebShell.cpp, line 755]
nsDocShell::OnStateChange [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4536]
nsDocLoaderImpl::FireOnStateChange [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 1252]
nsDocLoaderImpl::doStopDocumentLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 873]
nsDocLoaderImpl::OnStopRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 701]
nsLoadGroup::RemoveRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 695]
nsHttpChannel::OnStopRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3695]
nsInputStreamPump::OnStateStop [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 499]
Resolving fixed for now since Brendan has checked in the patch everywhere. I'll retest with tomorrow's builds to verify.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 6•19 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050403 Firefox/1.0+
This fix is causing extreme memory use and makes FF grind to a halt (no response, but no crash)
Comment 7•19 years ago
Could this have caused bug 288831?
Comment 8•19 years ago
This crash occurred in Dean's javascript highlighting behaviors. I am still trying to come up with a minimal regular expression that will reproduce this crash, but on the off-hand that someone (be?) else knows how to simply reproduce this, please include it here so I can add it to the test library.
Summary: Crash at visitting dean edwards weblog → Crash at visiting dean edwards weblog
Comment 9•19 years ago (Assignee)
Wrong bug if this can't be reproduced with today's branch build. See comment 7. /be
Comment on attachment 179443 [details] [diff] [review]
fix
sr=dbaron, although I wonder whether you can move the whole thing to after the moreParens are pushed on the stack.
Attachment #179443 - Flags: superreview?(dbaron) → superreview+
Comment 11•19 years ago
Verified Fixed with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050403 Firefox/1.0.3
Status: RESOLVED → VERIFIED
Comment 12•19 years ago (Assignee)
dbaron: not without another lambda_out2: target and goto, and an inner block scope without hoisting the variables to an existing outer one. /be
Updated•19 years ago
Keywords: fixed-aviary1.0.3, fixed1.7.7
Summary: Crash at visiting dean edwards weblog → Crash at visiting dean edwards weblog [@ find_replen ]
Comment on attachment 179443 [details] [diff] [review]
fix
r=shaver
Attachment #179443 - Flags: review?(shaver) → review+
Comment 14•19 years ago
*** Bug 291667 has been marked as a duplicate of this bug. ***
Comment 15•19 years ago
*** Bug 295320 has been marked as a duplicate of this bug. ***
Updated•19 years ago
Flags: testcase-
Updated•13 years ago
Crash Signature: [@ find_replen ]