Crash in [@ v8::internal::(anonymous namespace)::RawMatch<T>]
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
People
(Reporter: fluffyemily, Unassigned)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/a6eb1f3c-672b-4bf3-a354-52ae80210311
Reason: SIGSEGV /SEGV_MAPERR
Top 6 frames of crashing thread:
0 libxul.so v8::internal::IrregexpInterpreter::Result v8::internal:: js/src/irregexp/imported/regexp-interpreter.cc:435
1 libxul.so v8::internal::IrregexpInterpreter::MatchForCallFromRuntime js/src/irregexp/imported/regexp-interpreter.cc:1129
2 libxul.so js::irregexp::Execute js/src/irregexp/RegExpAPI.cpp:728
3 libxul.so ExecuteRegExp js/src/builtin/RegExp.cpp:1007
4 libxul.so js::RegExpMatcherRaw js/src/builtin/RegExp.cpp:1083
5 @0x74815749ec
| Reporter | ||
Updated•5 years ago
|
Comment 1•5 years ago
|
||
This might be a duplicate of bug 1691184, especially since the majority of the release crashes are at the same near-null address. If so, it should be fixed in Firefox 88.
Updated•5 years ago
|
Comment 2•5 years ago
|
||
We do see one crash in 88.0b2, with a slightly different signature, coming from Interpret not execute.
We'll have to see if any more reports come in.
Comment 3•5 years ago
|
||
I took a look at that one crash. It appears to be a bitflip in the bytecode for the regexp interpreter. We are doing a jump (represented by loading an offset from the bytecode instruction and adding it to the base address of the bytecode, and the offset we load is 0x10000040, which was presumably 0x40 until the bit flipped.
Comment 4•5 years ago
|
||
So at this point I'm going to resolve this as a dupe of Bug 1691184, as it seems that resolved the crashes outside of bitflips.
Description
•