Closed Bug 1013586 Opened 11 years ago Closed 11 years ago

crash in js::RegExpShared::compile(JSContext*, bool, wchar_t const*, unsigned int)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
32 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla33
Tracking Flags:
Tracking Status
firefox32 --- affected
firefox33 --- fixed

People

(Reporter: jbecerra, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

diagnostic patch
6.17 KB, patch
billm
: review+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-a854ef7c-f767-4fbf-acce-cfd682140518. ============================================================= Recent signature on nightly 32a1, most of them happening on Windows XP. Started appearing around 5/17, and currently in the top 20 crashers for nightly. It's also coming up in the list of explosive crashers for 32a1. There are no comments in the reports so far. More reports can be found here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3ARegExpShared%3A%3Acompile%28JSContext%2A%2C+bool%2C+wchar_t+const%2A%2C+unsigned+int%29 0 @0x9fd3d92 1 mozjs.dll js::RegExpShared::compile(JSContext *,bool,wchar_t const *,unsigned int) js/src/vm/RegExpObject.cpp 2 mozjs.dll js::RegExpShared::execute(JSContext *,wchar_t const *,unsigned int,unsigned int *,js::MatchPairs &) js/src/vm/RegExpObject.cpp 3 mozjs.dll ExecuteRegExpImpl js/src/builtin/RegExp.cpp 4 mozjs.dll js::ExecuteRegExp(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSString *>,js::MatchConduit &,js::RegExpStaticsUpdate) js/src/builtin/RegExp.cpp 5 mozjs.dll regexp_exec_impl js/src/builtin/RegExp.cpp 6 mozjs.dll regexp_exec_impl js/src/builtin/RegExp.cpp 7 mozjs.dll js::regexp_exec(JSContext *,unsigned int,JS::Value *) js/src/builtin/RegExp.cpp 8 mozjs.dll js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) js/src/vm/Interpreter.cpp 9 mozjs.dll Interpret js/src/vm/Interpreter.cpp 10 mozjs.dll js::RunScript(JSContext *,js::RunState &) js/src/vm/Interpreter.cpp 11 mozjs.dll js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) js/src/vm/Interpreter.cpp 12 mozjs.dll js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) js/src/vm/Interpreter.cpp 13 mozjs.dll Evaluate js/src/jsapi.cpp 14 mozjs.dll JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,JS::SourceBufferHolder &) js/src/jsapi.cpp 15 xul.dll nsJSUtils::EvaluateString(JSContext *,JS::SourceBufferHolder &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions const &,JS::MutableHandle<JS::Value>,void * *) dom/base/nsJSUtils.cpp 16 xul.dll nsJSUtils::EvaluateString(JSContext *,JS::SourceBufferHolder &,JS::Handle<JSObject *>,JS::CompileOptions &,void * *) dom/base/nsJSUtils.cpp 17 xul.dll nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,JS::SourceBufferHolder &,void * *) content/base/src/nsScriptLoader.cpp 18 xul.dll nsScriptLoader::ProcessRequest(nsScriptLoadRequest *,void * *) content/base/src/nsScriptLoader.cpp 19 xul.dll nsScriptLoader::ProcessPendingRequests() content/base/src/nsScriptLoader.cpp 20 xul.dll nsScriptLoader::OnStreamComplete(nsIStreamLoader *,nsISupports *,tag_nsresult,unsigned int,unsigned char const *) content/base/src/nsScriptLoader.cpp 21 xul.dll nsStreamLoader::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) netwerk/base/src/nsStreamLoader.cpp 22 xul.dll nsForceXMLListener::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) netwerk/streamconv/converters/nsHTTPCompressConv.cpp 23 xul.dll mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) netwerk/protocol/http/nsHttpChannel.cpp 24 xul.dll nsInputStreamPump::OnStateStop() netwerk/base/src/nsInputStreamPump.cpp 25 xul.dll nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *) netwerk/base/src/nsInputStreamPump.cpp 26 xul.dll nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp 27 xul.dll nsThread::ProcessNextEvent(bool,bool *) xpcom/threads/nsThread.cpp 28 xul.dll NS_ProcessNextEvent(nsIThread *,bool) xpcom/glue/nsThreadUtils.cpp 29 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) ipc/glue/MessagePump.cpp 30 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc 31 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 32 xul.dll nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp 33 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp 34 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp 35 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp 36 xul.dll XREMain::XRE_main(int,char * * const,nsXREAppData const *) toolkit/xre/nsAppRunner.cpp 37 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp 38 firefox.exe do_main browser/app/nsBrowserApp.cpp 39 firefox.exe NS_internal_main(int,char * *) browser/app/nsBrowserApp.cpp 40 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp 41 firefox.exe __tmainCRTStartup f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c:552 42 kernel32.dll BaseProcessStart
bhackett landed bug 976446 on 5/16, which switched our regexp engine from Yarr to irregexp, as this is a regexp crash appearing with the first irregexp build, I expect it to be connected. Brian, can you take a look?
Flags: needinfo?(bhackett1024)
This might be a dupe of bug 1012642, which landed on m-c this morning.
Flags: needinfo?(bhackett1024)
(In reply to Brian Hackett (:bhackett) from comment #3) > This might be a dupe of bug 1012642, which landed on m-c this morning. I can't see that other bug, but it doesn't look like it, we still get reports from current builds.
Flags: needinfo?(bhackett1024)
Depends on: 1017154
OK, I thought bug 1017154 would help here, but it's landed and doesn't seem to be affecting these crashes. Bug 1018620 might help too. (Both of these are fixing latent issues with how RegExps interact with GC that were exposed by the irregexp landing).
Depends on: 1018620
Attached patch diagnostic patchSplinter Review
Well, bug 1018620 didn't seem to help this, but it's still hard to say that a similar issue (cross compartment bug) isn't the problem here. The attached diagnostic patch lets the RegExpShared know which compartment it is in and adds MOZ_CRASH'es to catch any place where there is a mismatch between the shared structure and the objects or RegExpCompartments they are stored in, or between the shared structure and its JitCode.
Attachment #8436581 - Flags: review?(wmccloskey)
Attachment #8436581 - Flags: review?(wmccloskey) → review+
The stack in that crash isn't related to the MOZ_CRASH'es added in this patch and after repushing to try I didn't get any further failures in android 4.0, so trying again. https://tbpl.mozilla.org/?tree=Try&rev=19346c6e3b41 https://hg.mozilla.org/integration/mozilla-inbound/rev/2e9bcf014247
Not sure how much it'll matter, but note that the crash this was backed out for yesterday was a *jsreftest* crash, not reftest. So all those retriggers on your Try run were for the wrong tests :(
FWIW: bp-fb8378ea-bf80-439c-9fe4-e88cf2140611 Happens (~100% of the time; i.e. reproducible) going into Amazon Account (using new Minefield profile). Does not happen running in "safe mode" (not sure if 'js::RegExpShared::compile' code is turned off in "safe-mode"). Is there a 'diagnostic patched' Nightly version for Windows XP, that I can use to help catch more information for this bug?
I think tomorrow's nightly will have the diagnostic patch.
Blocks: 1024038
If I am reading the pushlog correctly it does look like the latest nightly has this patch (cset: 2e9bcf014247). So I hope this dump helps: bp-f311e5f1-b68d-46e0-9f37-dbd922140612
Depends on: 1024678
(In reply to Ken from comment #14) > If I am reading the pushlog correctly it does look like the latest nightly > has this patch (cset: 2e9bcf014247). > So I hope this dump helps: bp-f311e5f1-b68d-46e0-9f37-dbd922140612 Thanks. Jan looked at some of the dumps for these crashes and they are crashing at an instruction which we always emit but isn't supported on older CPUs. Filed bug 1024678 for that.
Brian: can we close this irregexp crash bug now that xmm register bug 1024678 has been fixed? Does your diagnostic patch need to be backed out?
Keywords: regression
(In reply to Chris Peterson (:cpeterson) from comment #16) > Brian: can we close this irregexp crash bug now that xmm register bug > 1024678 has been fixed? Does your diagnostic patch need to be backed out? Yeah, it looks like this and bug 1013589 were fixed by bug 1024678. I'll back out the diagnostic patch.
Flags: needinfo?(bhackett1024)
It looks like this has stopped happening in 33.0a1 after the 20140612030349 build, I'm not finding it in builds from 6/13 or later (it still exists on Aurora 32, though). That would confirm that bug 1024678 fixes this.
(In reply to Brian Hackett (:bhackett) from comment #17) > Yeah, it looks like this and bug 1013589 were fixed by bug 1024678. Can we mark this bug fixed based on that?
See Also: → 1027941
Assignee: nobody → bhackett1024
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [leave open]
status-firefox33: --- → fixed
Target Milestone: --- → mozilla33
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: