Closed
Bug 748212
Opened 12 years ago
Closed 12 years ago
Crash [@ js::RegExpShared::execute] or "Assertion failure: isRegExp(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
People
(Reporter: gkw, Assigned: luke)
References
Details
(4 keywords, Whiteboard: [native-crash][js-triage-done])
Crash Data
Attachments
(2 files, 1 obsolete file)
|
7.57 KB,
text/plain
|
Details | |
|
1.03 KB,
patch
|
bholley
:
review+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
"".match(wrap(evalcx("/x/",newGlobal('new-compartment'))))
asserts js debug shell on m-c changeset 142fe408f5b4 without any CLI arguments at Assertion failure: isRegExp(), and crashes js opt shell at a weird memory address with js::RegExpShared::execute near the top of the stack.
s-s because a weird memory address 0x1501c49 is being accessed (see the $pc line)
autoBisecting now...
|
Reporter | |
Comment 1•12 years ago
|
||
Oops, forgot the debug stack.
Attachment #617765 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 2•12 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 86106:304182354c92 user: Luke Wagner date: Wed Feb 01 13:36:48 2012 -0800 summary: Bug 688069 - fix String.prototype.{replace,match,search,split} for transparently wrapped RegExp arguments (r=cdleary)
Blocks: 688069
|
|
Assignee | |
Comment 3•12 years ago
|
||
Ah... a wrapped wrapper. Not s-s since this depends on the shell function 'wrap' which has no analogue in web content.
Group: core-security
Whiteboard: js-triage-needed → js-triage-done
|
|
Assignee | |
Comment 4•12 years ago
|
||
I'm sure bholley has seen this type of thing before...
|
||
Updated•12 years ago
|
Attachment #617799 -
Flags: review?(bobbyholley+bmo) → review+
|
|
Assignee | |
Comment 5•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/adc258d17ecb
Target Milestone: --- → mozilla15
|
||
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/adc258d17ecb
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Comment 7•12 years ago
|
||
It's #22 top crasher in FennecAndroid 14.0b3.
blocking-fennec1.0: --- → ?
status-firefox13:
--- → affected
status-firefox14:
--- → affected
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: js-triage-done → [native-crash][js-triage-done]
Version: Trunk → 13 Branch
|
||
Comment 8•12 years ago
|
||
Luke, we probably want this for Fennec, and I imagine desktop will want it too - can you nom for aurora and beta?
blocking-fennec1.0: ? → soft
|
|
Assignee | |
Comment 9•12 years ago
|
||
Comment on attachment 617799 [details] [diff] [review] fix and test [Approval Request Comment] Bug caused by (feature/regressing bug #): 748212 User impact if declined: crashes Testing completed (on m-c, etc.): m-c Risk to taking this patch (and alternatives if risky): very low With the uplift today, this is fixed on aurora.
Attachment #617799 -
Flags: approval-mozilla-beta?
|
||
Comment 10•12 years ago
|
||
Comment on attachment 617799 [details] [diff] [review] fix and test [Triage Comment] Close to a top crasher in FN, and also a regression in FF13. Approved for Beta 14.
Attachment #617799 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
Assignee | |
Comment 11•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/2666d43c0d5d
|
|
Reporter | |
Updated•12 years ago
|
Flags: in-testsuite+
|
|
Reporter | |
Comment 12•12 years ago
|
||
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•