Closed Bug 1013586 Opened 10 years ago Closed 10 years ago

crash in js::RegExpShared::compile(JSContext*, bool, wchar_t const*, unsigned int)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
32 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla33
Tracking Flags:
Tracking Status
firefox32 --- affected
firefox33 --- fixed

People

(Reporter: jbecerra, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

diagnostic patch
6.17 KB, patch
billm
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-a854ef7c-f767-4fbf-acce-cfd682140518.
=============================================================

Recent signature on nightly 32a1, most of them happening on Windows XP. Started appearing around 5/17, and currently in the top 20 crashers for nightly. It's also coming up in the list of explosive crashers for 32a1. There are no comments in the reports so far. 

More reports can be found here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3ARegExpShared%3A%3Acompile%28JSContext%2A%2C+bool%2C+wchar_t+const%2A%2C+unsigned+int%29


0 		@0x9fd3d92 	
1 	mozjs.dll 	js::RegExpShared::compile(JSContext *,bool,wchar_t const *,unsigned int) 	js/src/vm/RegExpObject.cpp
2 	mozjs.dll 	js::RegExpShared::execute(JSContext *,wchar_t const *,unsigned int,unsigned int *,js::MatchPairs &) 	js/src/vm/RegExpObject.cpp
3 	mozjs.dll 	ExecuteRegExpImpl 	js/src/builtin/RegExp.cpp
4 	mozjs.dll 	js::ExecuteRegExp(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSString *>,js::MatchConduit &,js::RegExpStaticsUpdate) 	js/src/builtin/RegExp.cpp
5 	mozjs.dll 	regexp_exec_impl 	js/src/builtin/RegExp.cpp
6 	mozjs.dll 	regexp_exec_impl 	js/src/builtin/RegExp.cpp
7 	mozjs.dll 	js::regexp_exec(JSContext *,unsigned int,JS::Value *) 	js/src/builtin/RegExp.cpp
8 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
9 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
10 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
11 	mozjs.dll 	js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) 	js/src/vm/Interpreter.cpp
12 	mozjs.dll 	js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) 	js/src/vm/Interpreter.cpp
13 	mozjs.dll 	Evaluate 	js/src/jsapi.cpp
14 	mozjs.dll 	JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,JS::SourceBufferHolder &) 	js/src/jsapi.cpp
15 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,JS::SourceBufferHolder &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions const &,JS::MutableHandle<JS::Value>,void * *) 	dom/base/nsJSUtils.cpp
16 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,JS::SourceBufferHolder &,JS::Handle<JSObject *>,JS::CompileOptions &,void * *) 	dom/base/nsJSUtils.cpp
17 	xul.dll 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,JS::SourceBufferHolder &,void * *) 	content/base/src/nsScriptLoader.cpp
18 	xul.dll 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest *,void * *) 	content/base/src/nsScriptLoader.cpp
19 	xul.dll 	nsScriptLoader::ProcessPendingRequests() 	content/base/src/nsScriptLoader.cpp
20 	xul.dll 	nsScriptLoader::OnStreamComplete(nsIStreamLoader *,nsISupports *,tag_nsresult,unsigned int,unsigned char const *) 	content/base/src/nsScriptLoader.cpp
21 	xul.dll 	nsStreamLoader::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) 	netwerk/base/src/nsStreamLoader.cpp
22 	xul.dll 	nsForceXMLListener::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp
23 	xul.dll 	mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) 	netwerk/protocol/http/nsHttpChannel.cpp
24 	xul.dll 	nsInputStreamPump::OnStateStop() 	netwerk/base/src/nsInputStreamPump.cpp
25 	xul.dll 	nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *) 	netwerk/base/src/nsInputStreamPump.cpp
26 	xul.dll 	nsInputStreamReadyEvent::Run() 	xpcom/io/nsStreamUtils.cpp
27 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
28 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
29 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
30 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
31 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
32 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
33 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
34 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
35 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
36 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
37 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
38 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
39 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
40 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
41 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c:552
42 	kernel32.dll 	BaseProcessStart
bhackett landed bug 976446 on 5/16, which switched our regexp engine from Yarr to irregexp, as this is a regexp crash appearing with the first irregexp build, I expect it to be connected.

Brian, can you take a look?
Flags: needinfo?(bhackett1024)
This might be a dupe of bug 1012642, which landed on m-c this morning.
Flags: needinfo?(bhackett1024)
(In reply to Brian Hackett (:bhackett) from comment #3)
> This might be a dupe of bug 1012642, which landed on m-c this morning.

I can't see that other bug, but it doesn't look like it, we still get reports from current builds.
Flags: needinfo?(bhackett1024)
Depends on: 1017154
OK, I thought bug 1017154 would help here, but it's landed and doesn't seem to be affecting these crashes.  Bug 1018620 might help too.  (Both of these are fixing latent issues with how RegExps interact with GC that were exposed by the irregexp landing).
Depends on: 1018620
Attached patch diagnostic patchSplinter Review 
Well, bug 1018620 didn't seem to help this, but it's still hard to say that a similar issue (cross compartment bug) isn't the problem here.  The attached diagnostic patch lets the RegExpShared know which compartment it is in and adds MOZ_CRASH'es to catch any place where there is a mismatch between the shared structure and the objects or RegExpCompartments they are stored in, or between the shared structure and its JitCode.
Attachment #8436581 - Flags: review?(wmccloskey)
Attachment #8436581 - Flags: review?(wmccloskey) → review+
The stack in that crash isn't related to the MOZ_CRASH'es added in this patch and after repushing to try I didn't get any further failures in android 4.0, so trying again.

https://tbpl.mozilla.org/?tree=Try&rev=19346c6e3b41
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e9bcf014247
Not sure how much it'll matter, but note that the crash this was backed out for yesterday was a *jsreftest* crash, not reftest. So all those retriggers on your Try run were for the wrong tests :(
FWIW: bp-fb8378ea-bf80-439c-9fe4-e88cf2140611
Happens (~100% of the time; i.e. reproducible) going into Amazon Account (using new Minefield profile).

Does not happen running in "safe mode" (not sure if 'js::RegExpShared::compile' code is turned off in "safe-mode").

Is there a 'diagnostic patched' Nightly version for Windows XP, that I can use to help catch more information for this bug?
I think tomorrow's nightly will have the diagnostic patch.
Blocks: 1024038
If I am reading the pushlog correctly it does look like the latest nightly has this patch (cset: 2e9bcf014247).
So I hope this dump helps: bp-f311e5f1-b68d-46e0-9f37-dbd922140612
Depends on: 1024678
(In reply to Ken from comment #14)
> If I am reading the pushlog correctly it does look like the latest nightly
> has this patch (cset: 2e9bcf014247).
> So I hope this dump helps: bp-f311e5f1-b68d-46e0-9f37-dbd922140612

Thanks.  Jan looked at some of the dumps for these crashes and they are crashing at an instruction which we always emit but isn't supported on older CPUs.  Filed bug 1024678 for that.
Brian: can we close this irregexp crash bug now that xmm register bug 1024678 has been fixed? Does your diagnostic patch need to be backed out?
Keywords: regression
(In reply to Chris Peterson (:cpeterson) from comment #16)
> Brian: can we close this irregexp crash bug now that xmm register bug
> 1024678 has been fixed? Does your diagnostic patch need to be backed out?

Yeah, it looks like this and bug 1013589 were fixed by bug 1024678.  I'll back out the diagnostic patch.
Flags: needinfo?(bhackett1024)
It looks like this has stopped happening in 33.0a1 after the 20140612030349 build, I'm not finding it in builds from 6/13 or later (it still exists on Aurora 32, though). That would confirm that bug 1024678 fixes this.
(In reply to Brian Hackett (:bhackett) from comment #17)
> Yeah, it looks like this and bug 1013589 were fixed by bug 1024678.

Can we mark this bug fixed based on that?
See Also: → 1027941
Assignee: nobody → bhackett1024
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [leave open]
status-firefox33: --- → fixed
Target Milestone: --- → mozilla33
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: