Closed Bug 305884 Opened 19 years ago Closed 19 years ago

crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]

Categories

(Core :: JavaScript Engine, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: bc, Assigned: mrbkap)

References

Details

(Keywords: crash, verified1.8)

Attachments

(1 file)

Not sure why I got two stacks at the same time for the same test. Probably
exists on the trunk as well.

Stack Signature	 SimpleMatch 0f11009e
Email Address	mozqa@mozilla.com
Product ID	Firefox15
Build ID	2005082406
Trigger Time	2005-08-24 17:05:17.0
Platform	Win32
Operating System	Windows NT 5.2 build 3790
Module	js3250.dll + (0003cc7d)
URL visited	js1_5/Regress/regress-281606.js
User Comments	
Since Last Crash	0 sec
Total Uptime	2548 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2345
Stack Trace
SimpleMatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2345]
ExecuteREBytecode [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2411]
MatchRegExp [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2868]
regexp_exec_sub [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 3705]
regexp_exec [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 3718]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1174]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3462]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1405]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3864]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1064]
nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 757]
nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 658]
nsScriptLoader::OnStreamComplete [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 1020]
nsStreamLoader::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 137]
nsStreamListenerTee::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 65]
nsInputStreamPump::OnStateStop [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 507]

Stack Signature	 SimpleMatch 39c0e058
Email Address	mozqa@mozilla.com
Product ID	Firefox15
Build ID	2005082406
Trigger Time	2005-08-24 17:05:17.0
Platform	Win32
Operating System	Windows NT 5.2 build 3790
Module	js3250.dll + (0003cba1)
URL visited	js1_5/Regress/regress-281606.js
User Comments	
Since Last Crash	1 sec
Total Uptime	2548 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2306
Stack Trace
SimpleMatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2306]
ExecuteREBytecode [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2619]
MatchRegExp [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2868]
match_or_replace [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 1153]
str_search [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 1284]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1174]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3462]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1405]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3864]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1064]
nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 757]
nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 658]
nsScriptLoader::OnStreamComplete [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 1020]
nsStreamLoader::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 137]
nsStreamListenerTee::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 65]
nsInputStreamPump::OnStateStop [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 507]
Summary: crash in js1_5/Regress/regress-281606.js → crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]
mrbkap, you have any thoughts here?

/be
I can't reproduce in the shell (trunk and branch, even with TOO_MUCH_GC
defined). I'll try again in the browser when my build finishes.
By hacking WAY_TOO_MUCH_GC to GC on every branch callback (in the shell, don't
try this at home in your browser!) I've reproduced this to hit:
1040        JS_ASSERT(flags != GCF_FINAL);

I'll see what else I can dig up.
This is really Brendan's patch. The problem that we found was that
cx->exception is only protected if cx->throwing is true. Since we were clearing
cx->throwing before pushing the exception onto the stack (and thus preventing
it from being GC'd), it was wide open to be GC'd in the time between the throw
and the JSOP_EXCEPTION. Since we always emit a JSOP_EXCEPTION inside catch
blocks, this patch won't cause us to leak the exception object.

This already has r=mrbkap.
Attachment #195047 - Flags: superreview?(shaver)
Attachment #195047 - Flags: review+
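The rooting window described in the comment above, modelled as an added example in C. This is not SpiderMonkey code and nothing in it is taken from attachment 195047: the Context, Obj, alloc_obj, gc and run_catch names and the toy mark/sweep heap are hypothetical, chosen only to show why cx->exception is unrooted once cx->throwing is cleared before the JSOP_EXCEPTION that pushes it onto the operand stack, and why the crash only shows up when a GC lands in that window.

```c
#include <stdbool.h>
#include <string.h>

#define HEAP_SLOTS  8
#define STACK_SLOTS 8

/* Hypothetical toy heap object (not SpiderMonkey's JSObject). */
typedef struct Obj {
    bool marked;
    bool live;      /* cleared by sweep; a dangling use shows up as live == false */
    int  payload;
} Obj;

/* Hypothetical stand-in for JSContext: only the fields the bug involves. */
typedef struct Context {
    Obj  heap[HEAP_SLOTS];    /* every object is allocated from this toy heap */
    Obj *stack[STACK_SLOTS];  /* operand stack: always a GC root */
    int  sp;
    bool throwing;            /* models cx->throwing */
    Obj *exception;           /* models cx->exception: a root only while throwing */
} Context;

static Obj *alloc_obj(Context *cx, int payload) {
    for (int i = 0; i < HEAP_SLOTS; i++) {
        if (!cx->heap[i].live) {
            cx->heap[i].live = true;
            cx->heap[i].marked = false;
            cx->heap[i].payload = payload;
            return &cx->heap[i];
        }
    }
    return NULL;              /* toy heap exhausted; not reached in this demo */
}

/* Mark/sweep: roots are the operand stack and, only while throwing, the
 * pending exception.  Swept objects are poisoned so misuse is visible. */
static void gc(Context *cx) {
    for (int i = 0; i < cx->sp; i++)
        cx->stack[i]->marked = true;
    if (cx->throwing && cx->exception)
        cx->exception->marked = true;
    for (int i = 0; i < HEAP_SLOTS; i++) {
        if (cx->heap[i].live && !cx->heap[i].marked) {
            cx->heap[i].live = false;
            cx->heap[i].payload = -1;
        }
        cx->heap[i].marked = false;
    }
}

/*
 * Throw an object, then run the catch prologue in one of two orders.
 *   clear_early = true : clear throwing first, then push (the pre-fix order)
 *   clear_early = false: push first, then clear throwing (the fixed order)
 * gc_in_window simulates a branch-callback GC landing between the throw and
 * the JSOP_EXCEPTION that pushes the exception onto the operand stack.
 * Returns the payload the catch block observes: 42 if the exception survived,
 * -1 if the collector swept it while it was unrooted.
 */
static int run_catch(bool clear_early, bool gc_in_window) {
    Context cx;
    memset(&cx, 0, sizeof cx);

    Obj *thrown = alloc_obj(&cx, 42);
    cx.exception = thrown;              /* throw: record the pending exception */
    cx.throwing  = true;

    if (clear_early)
        cx.throwing = false;            /* BUG: exception is now unrooted */
    if (gc_in_window)
        gc(&cx);                        /* the slot is still addressable in this toy heap */

    cx.stack[cx.sp++] = cx.exception;   /* JSOP_EXCEPTION: push onto the rooted stack */
    cx.exception = NULL;
    cx.throwing  = false;               /* safe to clear once the stack roots it */

    return cx.stack[cx.sp - 1]->payload;
}

int main(void) {
    /* Without a GC in the window both orders look fine, which is why the
     * crash was intermittent; with one, only the fixed order survives. */
    return (run_catch(true, false) == 42 &&
            run_catch(true, true)  == -1 &&
            run_catch(false, true) == 42) ? 0 : 1;
}
```

The point of the toy is the third case: the pre-fix order is only wrong when something triggers a collection inside the window, which is why the shell did not reproduce it until a GC was forced on every branch callback.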
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected

>+                /* Don't clear cx->throwing so cx->exception isn't collected. */
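Review bot: the comment says why cx->throwing is left set but not for how long; name the point at which it is finally cleared (the JSOP_EXCEPTION that pushes the exception onto the stack, per the description above) so the next reader can check the invariant instead of reconstructing it from the interpreter.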

The doubled negative hurts, how about "Don't clear cx->throwing yet, to protect
cx->exception from the GC."

/be
Blocks: 307312
We should get this fixed on the 1.8 branch in due course.

/be
Assignee: general → mrbkap
Flags: blocking1.8b5+
mrbkap, I tried this out and it didn't cause any regression that I could see, and
I didn't see this crash in my test run. However, I cannot definitely say it
fixed the crash I have been seeing in nightly builds, since they were not
reproducible in all runs.
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected

sr=shaver
Attachment #195047 - Flags: superreview?(shaver) → superreview+
Fix checked into trunk. Marking this, optimistically, as fixed.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected

This fixes potential crashes whenever someone uses a try/catch block.
Attachment #195047 - Flags: approval1.8b5?
Attachment #195047 - Flags: approval1.8b5? → approval1.8b5+
Fix checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
Flags: testcase+
no crash in firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ SimpleMatch]