Closed Bug 1486197 Opened 7 years ago Closed 6 years ago

Crash in js::irregexp::TextNode::TextEmitPass

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
Windows 10
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1502047
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix

People

(Reporter: calixte, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Crash Data

This bug was filed from the Socorro interface and is report bp-c4cefbf5-d588-45ca-842f-ba5550180824. ============================================================= Top 10 frames of crashing thread: 0 xul.dll js::irregexp::TextNode::TextEmitPass js/src/irregexp/RegExpEngine.cpp:3898 1 xul.dll js::irregexp::TextNode::Emit js/src/irregexp/RegExpEngine.cpp:3992 2 xul.dll js::irregexp::ChoiceNode::Emit js/src/irregexp/RegExpEngine.cpp:4470 3 xul.dll js::irregexp::ActionNode::Emit js/src/irregexp/RegExpEngine.cpp:4576 4 xul.dll js::irregexp::TextNode::Emit js/src/irregexp/RegExpEngine.cpp:4030 5 xul.dll js::irregexp::ChoiceNode::EmitOutOfLineContinuation js/src/irregexp/RegExpEngine.cpp:4530 6 xul.dll js::irregexp::ChoiceNode::Emit js/src/irregexp/RegExpEngine.cpp:4496 7 xul.dll js::irregexp::ActionNode::Emit js/src/irregexp/RegExpEngine.cpp:4576 8 xul.dll js::irregexp::TextNode::Emit js/src/irregexp/RegExpEngine.cpp:4030 9 xul.dll js::irregexp::ChoiceNode::Emit js/src/irregexp/RegExpEngine.cpp:4470 ============================================================= There are 7 crashes (from 6 installations) in nightly 63 with buildid 20180824100112. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1485615. [1] https://hg.mozilla.org/mozilla-central/rev?node=c70943a6b070
Flags: needinfo?(jcoppeard)
Flags: needinfo?(jcoppeard)
(In reply to Calixte Denizet (:calixte) from comment #0) > In analyzing the backtrace, the regression may have been > introduced by patch [1] to fix bug 1485615. It does seems suspicious but I think that's unlikely. Nothing in js/src/irregexp touches the data structure in question. 7/12 crashes for that builds are EXCEPTION_ILLEGAL_INSTRUCTION which is strange...
Component: JavaScript: GC → JavaScript Engine
Following the spike in 20180824100112, there have been no crashes in subsequent builds.
Crashes are a mix of illegal instructions, EXEC, READ/WRITE with random addresses -> sec-high Given the EXECs, one can make an argument for sec-crit
Group: core-security
status-firefox61: unaffectedaffected
status-firefox62: unaffected?
status-firefox-esr52: unaffected?
status-firefox-esr60: unaffected?
Keywords: csectype-wildptr, sec-high
Group: core-security → javascript-core-security
Keywords: testcase-wanted
Waldo, based on Randell's comments (Comment 3), would you be willing to do some quick analysis of this bug to determine if it is actionable or not? This should help us set the right priority. If your are the wrong person, could you help find the right person on our team to look at this.
Flags: needinfo?(jwalden+bmo)

This seems to being tracked in Bug 1502047 so closing this one.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jwalden)
Resolution: --- → DUPLICATE

Removing employee no longer with company from CC list of private bugs.

Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.