Bug 1015766 - Crash [@ MarkInternal]
Opened 10 years ago, closed 10 years ago

Product / Component: Core :: JavaScript Engine (defect)
Platform: x86_64, macOS
Severity: critical
Status: RESOLVED WORKSFORME
Tracking Status: firefox31 --- unaffected; firefox32 + unaffected; firefox33 --- unaffected
Reporter: gkw (Unassigned)
Attachments: 1 file
Attached file stack
gczeal(8, 2)
try {
    [new String, y]
} catch (e) {}
r = /()/
"".replace(r, () => {
    []()
})

crashes js opt shell on m-c changeset e86a0d92d174 with --ion-eager --ion-parallel-compile=off at MarkInternal intermittently.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/32a1e7461250
user:        Brian Hackett
date:        Wed May 21 11:31:02 2014 -0700
summary:     Bug 1010441 - Keep RegExpShared and RegExp jitcode around when preserving jitcode in a compartment, r=billm.

Tentatively marking s-s and sec-critical because gc is on the stack, but feel free to change this as necessary.

Brian, is bug 1010441 a likely regressor?
Flags: needinfo?(bhackett1024)
I can't reproduce this.  A full stack might be helpful, along with knowing the address this is crashing at.
Flags: needinfo?(bhackett1024)
I need to look at this when I'm a little less busy.
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/184fd695b135
parent:      184725:b873c10c208d
user:        Jan de Mooij
date:        Fri May 23 20:45:52 2014 +0200
summary:     Bug 1014114 - Self-host string HTML extensions. r=till

Jan, is bug 1014114 a likely fix?
Flags: needinfo?(gary) → needinfo?(jdemooij)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> summary:     Bug 1014114 - Self-host string HTML extensions. r=till
> 
> Jan, is bug 1014114 a likely fix?

Pretty unlikely; the testcase in comment 0 doesn't use these HTML-related functions at all. It's possible it subtly affected GC/memory allocation somehow so that this no longer repros...
Flags: needinfo?(jdemooij)
Thanks for the explanation, Jan. In this case, I guess we can land the test and open this up eventually to prevent it from recurring again.

Al, is this a good way forward? Will the patch with the testcase need sec-approval?
Flags: needinfo?(abillings)
If this is only on Trunk right now, we can get everything in (including the test) with no approvals necessary.
Flags: needinfo?(abillings)
gkw: is this crash still reproducible or actionable? Or are you just waiting to land the test?
Flags: needinfo?(gary)
(In reply to Jan de Mooij [:jandem] from comment #4)
> Pretty unlikely; the testcase in comment 0 doesn't use these HTML-related
> functions at all. It's possible it subtly affected GC/memory allocation
> somehow so that this no longer repros...

(In reply to Al Billings [:abillings] from comment #6)
> If this is only on Trunk right now, we can get everything in (including the
> test) with no approvals necessary.

Jan, I know we're all busy, but do you mind landing the test when you have time?
Flags: needinfo?(gary) → needinfo?(jdemooij)
OK I'll land the test next time I push something.
Landed the testcase as requested:

https://hg.mozilla.org/integration/mozilla-inbound/rev/af615299658a
Flags: needinfo?(jdemooij)
This should now no longer happen with the landing of the test. Since the real fix is unknown (bug 1014114 is an unlikely fix), let's resolve this WFM.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Group: javascript-core-security
Group: core-security → core-security-release
Group: core-security-release
