crash if particular JS RegExp search operation called

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 15 years ago
Modified: 14 years ago
Reporter: ji_bo
Assignee: rogerl (gone)
Keywords: crash
Version: Trunk
Hardware: x86
OS: All
Whiteboard: [QA: verify testcase interactively on Linux; segfault not caught by Perl]

Description

15 years ago
User-Agent:       Mozilla/4.0 (compatible; non MSIE 5.0;)
Build Identifier: 2002053012

The crash occurs when following is called from urlbar:
javascript: alert( 'ah.info'.search(/(\.(?!com|org)|\/)/) );

Reproducible: Always

Steps to Reproduce:
1. copy the expression to urlbar and press enter
Actual Results:  
crash

Expected Results:  
not to crash :-)

Comment 1

15 years ago
Reassigning to JS Engine. I crash on the following regexp
in the standalone JS shell:

js> var re = /(?!a|b)|c/;
js> re('');  <<<------------------------------ CRASH


STACK TRACE:
matchRENodes(MatchState * 0x0012e154, RENode * 0x00306300, RENode * 0x00306240, 
const unsigned short * 0x003051e0) line 1692 + 8 bytes
matchRENodes(MatchState * 0x0012e154, RENode * 0x003062e0, RENode * 0x00000000, 
const unsigned short * 0x003051e0) line 1818 + 27 bytes
matchRENodes(MatchState * 0x0012e154, RENode * 0x003062c0, RENode * 0x00000000, 
const unsigned short * 0x003051e0) line 1697 + 24 bytes
MatchRegExp(MatchState * 0x0012e154, RENode * 0x003062c0, const unsigned short * 
0x003051e0) line 2017 + 19 bytes
js_ExecuteRegExp(JSContext * 0x00301d60, JSRegExp * 0x00306220, JSString * 
0x002fb8b8, unsigned int * 0x0012e1e4, int 0, long * 0x0012e308) line 2086 + 20 
bytes
regexp_exec_sub(JSContext * 0x00301d60, JSObject * 0x002fb8b0, unsigned int 1, 
long * 0x0042106c, int 0, long * 0x0012e308) line 2736 + 29 bytes
regexp_exec(JSContext * 0x00301d60, JSObject * 0x002fb8b0, unsigned int 1, long 
* 0x0042106c, long * 0x0012e308) line 2749 + 27 bytes
regexp_call(JSContext * 0x00301d60, JSObject * 0x002fb340, unsigned int 1, long 
* 0x0042106c, long * 0x0012e308) line 2488 + 31 bytes
js_Call(JSContext * 0x00301d60, JSObject * 0x002fb340, unsigned int 1, long * 
0x0042106c, long * 0x0012e308) line 3199 + 26 bytes
js_Invoke(JSContext * 0x00301d60, unsigned int 1, unsigned int 0) line 839 + 23 
bytes
js_Interpret(JSContext * 0x00301d60, long * 0x0012fed8) line 2803 + 15 bytes
js_Execute(JSContext * 0x00301d60, JSObject * 0x002fb340, JSScript * 0x00306170, 
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 1020 + 13 
bytes
JS_ExecuteScript(JSContext * 0x00301d60, JSObject * 0x002fb340, JSScript * 
0x00306170, long * 0x0012fed8) line 3277 + 25 bytes
Process(JSContext * 0x00301d60, JSObject * 0x002fb340, char * 0x00000000) line 
369 + 22 bytes
ProcessArgs(JSContext * 0x00301d60, JSObject * 0x002fb340, char * * 0x00300014, 
int 0) line 508 + 17 bytes
main(int 0, char * * 0x00300014) line 2108 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1b9ea()


Note both the ? and ! symbols are necessary in order for me to crash.
I don't know if this will be fixed by the RegExp rewrite in bug 85721.

I would guess "Yes", since both the reporter's example and mine work
perfectly in Rhino, where the rewrite has already been committed:

[ ] java org.mozilla.javascript.tools.shell.Main
Rhino 1.5 release 4 0000 00 00 (in progress)

js> 'ah.info'.search(/(\.(?!com|org)|\/)/);
2

js> var re = /(!a|b)|c/;
js> re('');
null


I will let Roger decide whether this is a duplicate of bug 85721 -
Assignee: nboyd → rogerl
Component: Core → JavaScript Engine
Product: Rhino → Browser
Version: other → Trunk

Comment 2

15 years ago
QA note: there is test coverage for the ?! operator in the large files:

     mozilla/js/tests/ecma_3/RegExp/perlstress-001.js
     mozilla/js/tests/ecma_3/RegExp/regress-85721.js

Nevertheless, I will add the examples from this bug in a
new regression testcase -

Comment 3

15 years ago
Testcase added to JS testsuite:

      mozilla/js/tests/ecma_3/RegExp/regress-187133.js

Currently passing in Rhino, but crashing in SpiderMonkey
in both the debug and optimized shell.

Note the typo at the end of Comment #1 above: 

      /(!a|b)|c/    should be
      /(?!a|b)|c/   as at the beginning of the comment.
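A small regression-style check for the patterns in this bug, added here as an example (it is not regress-187133.js or any other code from the bug or the mozilla/js/tests suite): it runs the reporter's regexp and the minimal reproducer from Comment 1, plus the typo'd `(!a|b)` form that Comment 3 flags, and compares the results against what ECMAScript semantics require. Only the `search()` result of 2 is taken from the page; the other expected values are derived here. The check uses `exec()` because the shell's `re('')` relies on the old engine's callable-regexp extension (see `regexp_call` in the trace), which standard JavaScript does not have.

```javascript
// Added example (not from the bug or the JS testsuite): exercise the
// patterns from this bug and report which results differ from the
// expected ECMAScript behaviour. The old SpiderMonkey shell crashed
// inside matchRENodes on MINIMAL_RE instead of returning a match.

// The reporter's pattern: a '.' not followed by "com"/"org", or a '/'.
const REPORTER_RE = /(\.(?!com|org)|\/)/;
// The minimal reproducer from Comment 1: a negative lookahead that
// contains an alternation, used itself as one alternative.
const MINIMAL_RE = /(?!a|b)|c/;
// The typo'd form quoted later in Comment 1: '!' is a literal here,
// so there is no lookahead at all.
const TYPO_RE = /(!a|b)|c/;

// Run each case and return plain values so they can be compared.
function runRegress187133() {
  const minimal = MINIMAL_RE.exec('');
  const typo = TYPO_RE.exec('');
  return {
    // index of the first '.' not followed by com/org: "ah.info" -> 2
    searchIndex: 'ah.info'.search(REPORTER_RE),
    // "ah.com": the '.' is followed by "com" and there is no '/', so -1
    searchNoMatch: 'ah.com'.search(REPORTER_RE),
    // (?!a|b) succeeds at position 0 of '' (nothing ahead), giving an
    // empty match rather than null; this is the case that crashed
    minimalMatched: minimal !== null,
    minimalText: minimal === null ? null : minimal[0],
    // (!a|b) needs a literal '!' or 'b'; '' has neither, nor a 'c' -> null
    typoMatched: typo !== null,
  };
}

// Names of results that differ from the expected values (empty = pass).
function failuresFor(results) {
  const expected = {
    searchIndex: 2,
    searchNoMatch: -1,
    minimalMatched: true,
    minimalText: '',
    typoMatched: false,
  };
  return Object.keys(expected).filter((k) => results[k] !== expected[k]);
}

const failures = failuresFor(runRegress187133());
console.log(failures.length === 0 ? 'PASS' : 'FAIL: ' + failures.join(', '));
```

The `typoMatched` case shows why the Rhino transcript in Comment 1 printed `null`: that run used the typo'd pattern, which cannot match an empty string, while the real `(?!a|b)|c` yields an empty match.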

Updated

15 years ago
Keywords: crash
OS: Windows 98 → All

Comment 4

15 years ago
By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and
<http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss
bugs are of critical or possibly higher severity.  Only changing open bugs to
minimize unnecessary spam.  Keywords to trigger this would be crash, topcrash,
topcrash+, zt4newcrash, dataloss.
Severity: normal → critical

Comment 5

15 years ago
the rewrite from bug 85721 fixes this.
Depends on: 85721

Updated

15 years ago
Whiteboard: [QA: verify testcase interactively on Linux; segfault not caught by Perl]
Probably fixed with bug 85721.

/be
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → WORKSFORME