Bug 305884: crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]
Status: VERIFIED FIXED (opened 19 years ago, closed 19 years ago)
Categories: Core :: JavaScript Engine, defect
People: Reporter: bc, Assigned: mrbkap
Keywords: crash, verified1.8
Attachments (1 file): patch, 1.61 KB (mrbkap: review+, shaver: superreview+, asa: approval1.8b5+)
Not sure why I got two stacks at the same time for the same test. Probably exists on the trunk as well.

Stack Signature SimpleMatch 0f11009e
Email Address mozqa@mozilla.com
Product ID Firefox15
Build ID 2005082406
Trigger Time 2005-08-24 17:05:17.0
Platform Win32
Operating System Windows NT 5.2 build 3790
Module js3250.dll + (0003cc7d)
URL visited js1_5/Regress/regress-281606.js
User Comments
Since Last Crash 0 sec
Total Uptime 2548 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2345
Stack Trace
SimpleMatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2345]
ExecuteREBytecode [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2411]
MatchRegExp [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2868]
regexp_exec_sub [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 3705]
regexp_exec [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 3718]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1174]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3462]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1405]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3864]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1064]
nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 757]
nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 658]
nsScriptLoader::OnStreamComplete [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 1020]
nsStreamLoader::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 137]
nsStreamListenerTee::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 65]
nsInputStreamPump::OnStateStop [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 507]

Stack Signature SimpleMatch 39c0e058
Email Address mozqa@mozilla.com
Product ID Firefox15
Build ID 2005082406
Trigger Time 2005-08-24 17:05:17.0
Platform Win32
Operating System Windows NT 5.2 build 3790
Module js3250.dll + (0003cba1)
URL visited js1_5/Regress/regress-281606.js
User Comments
Since Last Crash 1 sec
Total Uptime 2548 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2306
Stack Trace
SimpleMatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2306]
ExecuteREBytecode [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2619]
MatchRegExp [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2868]
match_or_replace [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 1153]
str_search [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 1284]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1174]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3462]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1405]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3864]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1064]
nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 757]
nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 658]
nsScriptLoader::OnStreamComplete [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 1020]
nsStreamLoader::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 137]
nsStreamListenerTee::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 65]
nsInputStreamPump::OnStateStop [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 507]
Updated • 19 years ago
Summary: crash in js1_5/Regress/regress-281606.js → crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]
Comment 2 • 19 years ago (Assignee)
I can't reproduce in the shell (trunk and branch, even with TOO_MUCH_GC defined). I'll try again in the browser when my build finishes.
Comment 3 • 19 years ago (Assignee)
By hacking WAY_TOO_MUCH_GC to GC on every branch callback (in the shell, don't try this at home in your browser!) I've reproduced this to hit:
1040 JS_ASSERT(flags != GCF_FINAL);
I'll see what else I can dig up.
Comment 4 • 19 years ago (Assignee)
This is really Brendan's patch. The problem that we found was that cx->exception is only protected if cx->throwing is true. Since we were clearing cx->throwing before pushing the exception onto the stack (and thus preventing it from being GC'd), it was wide open to be GC'd in the time between the throw and the JSOP_EXCEPTION. Since we always emit a JSOP_EXCEPTION inside catch blocks, this patch won't cause us to leak the exception object. This already has r=mrbkap.
Attachment #195047 - Flags: superreview?(shaver)
Attachment #195047 - Flags: review+
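The window described in Comment 4, as an added example that is not part of the bug report or of the attached patch: a toy C model (every name in it is hypothetical, none of it is SpiderMonkey code) in which the exception slot is a GC root only while the throwing flag is set. It assumes the flag is cleared at the point where the exception is pushed onto the stack, which is how the JSOP_EXCEPTION remark reads.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy model, not SpiderMonkey code. */
typedef struct { bool marked, freed; } Obj;

typedef struct {
    bool throwing;     /* an exception is pending */
    Obj *exception;    /* scanned by the GC only while throwing is set */
    Obj *stack[4];     /* operand stack: always scanned */
    int  sp;
} Ctx;

/* Mark from the roots, then "free" whatever was not reached. */
static void toy_gc(Ctx *cx, Obj *heap, size_t n) {
    for (size_t i = 0; i < n; i++) heap[i].marked = false;
    if (cx->throwing && cx->exception) cx->exception->marked = true;
    for (int i = 0; i < cx->sp; i++) cx->stack[i]->marked = true;
    for (size_t i = 0; i < n; i++)
        if (!heap[i].marked) heap[i].freed = true;
}

/* Throw, enter the catch block, and let a GC run before and after the
 * exception is pushed. Returns true if the exception object is still
 * live when the catch body would use it. */
static bool exception_survives(bool clear_before_push) {
    Obj heap[1] = {{false, false}};
    Ctx cx = {0};

    cx.exception = &heap[0];
    cx.throwing = true;                         /* throw */
    if (clear_before_push) cx.throwing = false; /* order described as the bug */
    toy_gc(&cx, heap, 1);                       /* GC inside the window */
    cx.stack[cx.sp++] = cx.exception;           /* stand-in for JSOP_EXCEPTION */
    cx.throwing = false;                        /* safe: the stack roots it now */
    toy_gc(&cx, heap, 1);                       /* later GC, object on stack */
    return !heap[0].freed;
}

int main(void) {
    printf("clear before push: %s\n", exception_survives(true) ? "live" : "collected");
    printf("clear after push:  %s\n", exception_survives(false) ? "live" : "collected");
    return 0;
}
```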
Comment 5 • 19 years ago
Comment on attachment 195047: prevent cx->exception from being collected

>+ /* Don't clear cx->throwing so cx->exception isn't collected. */

The doubled negative hurts, how about "Don't clear cx->throwing yet, to protect cx->exception from the GC."

/be
Comment 6 • 19 years ago
We should get this fixed on the 1.8 branch in due course. /be
Assignee: general → mrbkap
Flags: blocking1.8b5+
Comment 7 • 19 years ago (Reporter)
mrbkap, I tried this out and it didn't cause any regression that I could see and I didn't see this crash in my test run. However I can not definitely say it fixed the crash I have been seeing in nightly builds since they were not reproducible in all runs.
Comment 8 • 19 years ago
Comment on attachment 195047: prevent cx->exception from being collected

sr=shaver
Attachment #195047 - Flags: superreview?(shaver) → superreview+
Comment 9 • 19 years ago (Assignee)
Fix checked into trunk. Marking this, optimistically, as fixed.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 10 • 19 years ago (Assignee)
Comment on attachment 195047: prevent cx->exception from being collected

This fixes potential crashes whenever someone uses a try/catch block.
Attachment #195047 - Flags: approval1.8b5?
Updated • 19 years ago
Attachment #195047 - Flags: approval1.8b5? → approval1.8b5+
Updated • 19 years ago (Reporter)
Flags: testcase+
Comment 12 • 19 years ago (Reporter)
no crash in firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8
Comment 13 • 18 years ago (Reporter)
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Updated • 13 years ago
Crash Signature: [@ SimpleMatch]