Closed
Bug 1013586
Opened 10 years ago
Closed 10 years ago
crash in js::RegExpShared::compile(JSContext*, bool, wchar_t const*, unsigned int)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla33
People
(Reporter: jbecerra, Assigned: bhackett1024)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
6.17 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-a854ef7c-f767-4fbf-acce-cfd682140518. ============================================================= Recent signature on nightly 32a1, most of them happening on Windows XP. Started appearing around 5/17, and currently in the top 20 crashers for nightly. It's also coming up in the list of explosive crashers for 32a1. There are no comments in the reports so far. More reports can be found here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3ARegExpShared%3A%3Acompile%28JSContext%2A%2C+bool%2C+wchar_t+const%2A%2C+unsigned+int%29 0 @0x9fd3d92 1 mozjs.dll js::RegExpShared::compile(JSContext *,bool,wchar_t const *,unsigned int) js/src/vm/RegExpObject.cpp 2 mozjs.dll js::RegExpShared::execute(JSContext *,wchar_t const *,unsigned int,unsigned int *,js::MatchPairs &) js/src/vm/RegExpObject.cpp 3 mozjs.dll ExecuteRegExpImpl js/src/builtin/RegExp.cpp 4 mozjs.dll js::ExecuteRegExp(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSString *>,js::MatchConduit &,js::RegExpStaticsUpdate) js/src/builtin/RegExp.cpp 5 mozjs.dll regexp_exec_impl js/src/builtin/RegExp.cpp 6 mozjs.dll regexp_exec_impl js/src/builtin/RegExp.cpp 7 mozjs.dll js::regexp_exec(JSContext *,unsigned int,JS::Value *) js/src/builtin/RegExp.cpp 8 mozjs.dll js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) js/src/vm/Interpreter.cpp 9 mozjs.dll Interpret js/src/vm/Interpreter.cpp 10 mozjs.dll js::RunScript(JSContext *,js::RunState &) js/src/vm/Interpreter.cpp 11 mozjs.dll js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) js/src/vm/Interpreter.cpp 12 mozjs.dll js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) js/src/vm/Interpreter.cpp 13 mozjs.dll Evaluate js/src/jsapi.cpp 14 mozjs.dll JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,JS::SourceBufferHolder &) js/src/jsapi.cpp 15 xul.dll nsJSUtils::EvaluateString(JSContext *,JS::SourceBufferHolder &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions const &,JS::MutableHandle<JS::Value>,void * *) dom/base/nsJSUtils.cpp 16 xul.dll nsJSUtils::EvaluateString(JSContext *,JS::SourceBufferHolder &,JS::Handle<JSObject *>,JS::CompileOptions &,void * *) dom/base/nsJSUtils.cpp 17 xul.dll nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,JS::SourceBufferHolder &,void * *) content/base/src/nsScriptLoader.cpp 18 xul.dll nsScriptLoader::ProcessRequest(nsScriptLoadRequest *,void * *) content/base/src/nsScriptLoader.cpp 19 xul.dll nsScriptLoader::ProcessPendingRequests() content/base/src/nsScriptLoader.cpp 20 xul.dll nsScriptLoader::OnStreamComplete(nsIStreamLoader *,nsISupports *,tag_nsresult,unsigned int,unsigned char const *) content/base/src/nsScriptLoader.cpp 21 xul.dll nsStreamLoader::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) netwerk/base/src/nsStreamLoader.cpp 22 xul.dll nsForceXMLListener::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) netwerk/streamconv/converters/nsHTTPCompressConv.cpp 23 xul.dll mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) netwerk/protocol/http/nsHttpChannel.cpp 24 xul.dll nsInputStreamPump::OnStateStop() netwerk/base/src/nsInputStreamPump.cpp 25 xul.dll nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *) netwerk/base/src/nsInputStreamPump.cpp 26 xul.dll nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp 27 xul.dll nsThread::ProcessNextEvent(bool,bool *) xpcom/threads/nsThread.cpp 28 xul.dll NS_ProcessNextEvent(nsIThread *,bool) xpcom/glue/nsThreadUtils.cpp 29 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) ipc/glue/MessagePump.cpp 30 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc 31 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 32 xul.dll nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp 33 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp 34 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp 35 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp 36 xul.dll XREMain::XRE_main(int,char * * const,nsXREAppData const *) toolkit/xre/nsAppRunner.cpp 37 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp 38 firefox.exe do_main browser/app/nsBrowserApp.cpp 39 firefox.exe NS_internal_main(int,char * *) browser/app/nsBrowserApp.cpp 40 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp 41 firefox.exe __tmainCRTStartup f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c:552 42 kernel32.dll BaseProcessStart
Comment 1•10 years ago
|
||
bhackett landed bug 976446 on 5/16, which switched our regexp engine from Yarr to irregexp, as this is a regexp crash appearing with the first irregexp build, I expect it to be connected. Brian, can you take a look?
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 3•10 years ago
|
||
This might be a dupe of bug 1012642, which landed on m-c this morning.
Flags: needinfo?(bhackett1024)
Comment 4•10 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #3) > This might be a dupe of bug 1012642, which landed on m-c this morning. I can't see that other bug, but it doesn't look like it, we still get reports from current builds.
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 5•10 years ago
|
||
OK, I thought bug 1017154 would help here, but it's landed and doesn't seem to be affecting these crashes. Bug 1018620 might help too. (Both of these are fixing latent issues with how RegExps interact with GC that were exposed by the irregexp landing).
Depends on: 1018620
Assignee | ||
Comment 6•10 years ago
|
||
Well, bug 1018620 didn't seem to help this, but it's still hard to say that a similar issue (cross compartment bug) isn't the problem here. The attached diagnostic patch lets the RegExpShared know which compartment it is in and adds MOZ_CRASH'es to catch any place where there is a mismatch between the shared structure and the objects or RegExpCompartments they are stored in, or between the shared structure and its JitCode.
Attachment #8436581 -
Flags: review?(wmccloskey)
Attachment #8436581 -
Flags: review?(wmccloskey) → review+
Assignee | ||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/2679510e9371
Whiteboard: [leave open]
Comment 8•10 years ago
|
||
Looks like it worked! Backed out for Android jsreftest crashes. https://hg.mozilla.org/integration/mozilla-inbound/rev/4d0a7ec4a19b https://tbpl.mozilla.org/php/getParsedLog.php?id=41391628&tree=Mozilla-Inbound
Assignee | ||
Comment 9•10 years ago
|
||
The stack in that crash isn't related to the MOZ_CRASH'es added in this patch and after repushing to try I didn't get any further failures in android 4.0, so trying again. https://tbpl.mozilla.org/?tree=Try&rev=19346c6e3b41 https://hg.mozilla.org/integration/mozilla-inbound/rev/2e9bcf014247
Comment 10•10 years ago
|
||
Not sure how much it'll matter, but note that the crash this was backed out for yesterday was a *jsreftest* crash, not reftest. So all those retriggers on your Try run were for the wrong tests :(
Comment 12•10 years ago
|
||
FWIW: bp-fb8378ea-bf80-439c-9fe4-e88cf2140611 Happens (~100% of the time; i.e. reproducible) going into Amazon Account (using new Minefield profile). Does not happen running in "safe mode" (not sure if 'js::RegExpShared::compile' code is turned off in "safe-mode"). Is there a 'diagnostic patched' Nightly version for Windows XP, that I can use to help catch more information for this bug?
Assignee | ||
Comment 13•10 years ago
|
||
I think tomorrow's nightly will have the diagnostic patch.
Comment 14•10 years ago
|
||
If I am reading the pushlog correctly it does look like the latest nightly has this patch (cset: 2e9bcf014247). So I hope this dump helps: bp-f311e5f1-b68d-46e0-9f37-dbd922140612
Assignee | ||
Comment 15•10 years ago
|
||
(In reply to Ken from comment #14) > If I am reading the pushlog correctly it does look like the latest nightly > has this patch (cset: 2e9bcf014247). > So I hope this dump helps: bp-f311e5f1-b68d-46e0-9f37-dbd922140612 Thanks. Jan looked at some of the dumps for these crashes and they are crashing at an instruction which we always emit but isn't supported on older CPUs. Filed bug 1024678 for that.
Comment 16•10 years ago
|
||
Brian: can we close this irregexp crash bug now that xmm register bug 1024678 has been fixed? Does your diagnostic patch need to be backed out?
Keywords: regression
Assignee | ||
Comment 17•10 years ago
|
||
(In reply to Chris Peterson (:cpeterson) from comment #16) > Brian: can we close this irregexp crash bug now that xmm register bug > 1024678 has been fixed? Does your diagnostic patch need to be backed out? Yeah, it looks like this and bug 1013589 were fixed by bug 1024678. I'll back out the diagnostic patch.
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 18•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/850dc2171ec7
Comment 19•10 years ago
|
||
It looks like this has stopped happening in 33.0a1 after the 20140612030349 build, I'm not finding it in builds from 6/13 or later (it still exists on Aurora 32, though). That would confirm that bug 1024678 fixes this.
Comment 21•10 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #17) > Yeah, it looks like this and bug 1013589 were fixed by bug 1024678. Can we mark this bug fixed based on that?
Updated•10 years ago
|
Assignee: nobody → bhackett1024
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [leave open]
Updated•10 years ago
|
status-firefox33:
--- → fixed
Target Milestone: --- → mozilla33
You need to log in
before you can comment on or make changes to this bug.
Description
•