Closed Bug 1697825 Opened 5 years ago Closed 5 years ago

Crash in [@ v8::internal::(anonymous namespace)::RawMatch<T>]

Categories

(Core :: JavaScript Engine, defect, P3)

Unspecified
Android
defect

Tracking

()

RESOLVED DUPLICATE of bug 1691184

People

(Reporter: fluffyemily, Unassigned)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/a6eb1f3c-672b-4bf3-a354-52ae80210311

Reason: SIGSEGV /SEGV_MAPERR

Top 6 frames of crashing thread:

0 libxul.so v8::internal::IrregexpInterpreter::Result v8::internal:: js/src/irregexp/imported/regexp-interpreter.cc:435
1 libxul.so v8::internal::IrregexpInterpreter::MatchForCallFromRuntime js/src/irregexp/imported/regexp-interpreter.cc:1129
2 libxul.so js::irregexp::Execute js/src/irregexp/RegExpAPI.cpp:728
3 libxul.so ExecuteRegExp js/src/builtin/RegExp.cpp:1007
4 libxul.so js::RegExpMatcherRaw js/src/builtin/RegExp.cpp:1083
5  @0x74815749ec 
Component: General → JavaScript Engine
Flags: needinfo?(iireland)
Product: GeckoView → Core

This might be a duplicate of bug 1691184, especially since the majority of the release crashes are at the same near-null address. If so, it should be fixed in Firefox 88.

Flags: needinfo?(iireland)
Severity: -- → S4

We do see one crash in 88.0b2, with a slightly different signature, coming from Interpret not execute.

We'll have to see if any more reports come in.

Priority: -- → P3

I took a look at that one crash. It appears to be a bitflip in the bytecode for the regexp interpreter. We are doing a jump (represented by loading an offset from the bytecode instruction and adding it to the base address of the bytecode, and the offset we load is 0x10000040, which was presumably 0x40 until the bit flipped.

So at this point I'm going to resolve this as a dupe of Bug 1691184, as it seems that resolved the crashes outside of bitflips.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.