Closed Bug 1052162 Opened 10 years ago Closed 10 years ago

Crash [@ js::jit::JitFrameIterator::script() const ]

Categories

(Core :: JavaScript Engine: JIT, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED INCOMPLETE
Tracking Status
firefox34 --- affected

People

(Reporter: kglazko, Unassigned)

Details

(Keywords: crash, reproducible)

bp-e0d66008-e6f7-4e5c-b0b3-b1ea72140811
bp-0b726b26-d6b4-4080-8843-345a82140811


STR: https://find.firefox.com

-In Sign In field, put a normal email address.
-In password field, copy and paste this text as many times as possible

Expected: Since there is no maximum password limit, I should be able to make my password arbitrarily large and there should be no crash.

Actual: Eventually, my browser crashed. Once, after I clicked Debug, the second time I did not click debug.
Flags: needinfo?(bhackett1024)
I'm on 32 Beta, and this is my config:
Build Machine

bld-lion-r5-008
Source

Built from https://hg.mozilla.org/releases/mozilla-beta/rev/7f45b3841df0
Build platform
target
x86_64-apple-darwin11.2.0
Keywords: crash, reproducible
Reproduced on 11 August nightly: bp-644543b4-3b77-4cdd-bc23-9b1732140811

Let's lock this until we know what's going on.

Basically I set a crazily large password field, hit "Debug script" when the slow script dialog came up, then randomly kept tapping on "Sign in" and the "X" (to exit dev tools), and after a few minutes Firefox just dies.
Group: core-security, javascript-core-security
Flags: needinfo?(bhackett1024)
Could not repro crash with flipping pref to false:  javascript.options.native_regexp , however, browser is still completely unresponsive after 5+ minutes.
(In reply to kglazko from comment #3)
> Could not repro crash with flipping pref to false: 
> javascript.options.native_regexp , however, browser is still completely
> unresponsive after 5+ minutes.

Me too, but for me, while my browser is also unresponsive for a few minutes, it trudgingly comes back to life shortly after (also a few more minutes).

This means after flipping the preference, neither kglazko nor I could reproduce this crash.

Brian, do you happen to know how we could move forward here?
Flags: needinfo?(bhackett1024)
Group: javascript-core-security
I can't reproduce this on nightly.  I never get a slow script dialog and near as I can tell some graphics code is bugging out trying to render that giant password field.  This crash doesn't really make sense to me since we never invoke the interrupt callback with regexp jitcode on the stack, so the native_regexp option shouldn't have an effect on stack iteration done under the interrupt callback.
Flags: needinfo?(bhackett1024)
Can't reproduce on Fx34 Nightly, debug ASan build. I get a good DoS, but no crash.


I do see the following assert:

[66469] ###!!! ASSERTION: bad width: 'metrics.Width() >= 0', file /Users/virtualmac/fx32/layout/generic/nsLineLayout.cpp, line 923



I also see this error:

System JS : ERROR (null):0 - too much recursion



And this warning:

[66469] WARNING: Overflowed nscoord_MAX in conversion to nscoord width: file ../../dist/include/nsRect.h, line 82
nsLineLayout: Text(0)"\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u"@625000c576e0 metrics=1844156160,1380!
(In reply to Matt Wobensmith from comment #6)
> [66469] ###!!! ASSERTION: bad width: 'metrics.Width() >= 0', file
> /Users/virtualmac/fx32/layout/generic/nsLineLayout.cpp, line 923

Bug 631922 and bug 703550?
We're not able to reproduce, closing for now. Keeping it hidden in the meantime.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.