Closed
Bug 209067
Opened 22 years ago
Closed 21 years ago
Crash at matchRENodes [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1680]
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED
People: Reporter: doronr, Assigned: rogerl
Details: Keywords: crash, Whiteboard: [Fix needed in Rhino as well as SpiderMonkey]
Attachments: 1 file, 21.88 KB, text/plain
http://blatek.25.pl/test/viewSource/ is an example of doing viewsource in
JavaScript.
Copy the source code of cnn.com and insert it into the top input field. It will
then try to syntax highlight it using regexp and crash. IE and Opera don't crash.
Stack Signature matchRENodes f9fbafb7
Email Address doron@netscape.com
Product ID MozillaTrunk
Build ID 2003042808
Trigger Time 2003-06-11 10:37:31
Platform Win32
Operating System Windows NT 5.0 build 2195
Module js3250.dll
URL visited
User Comments
Trigger Reason Stack overflow
Source File Name c:/builds/seamonkey/mozilla/js/src/jsregexp.c
Trigger Line No. 1680
Stack Trace
matchRENodes [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1680]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1344]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
greedyRecurse [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1362]
Comment 1•22 years ago
Compare bug 187133, "crash if particular JS RegExp search operation called"
There, too, we had a stack ending in matchRENodes(), but no greedyRecurse()
calls as in the stacktrace here.
Bug 187133 is claimed to be fixed by the big RegExp rewrite in bug 85721.
We need to see if the current bug is fixed by that patch, as well -
Keywords: crash
Summary: Crash at matchRENodes [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1680] → Crash at matchRENodes [c:/builds/seamonkey/mozilla/js/src/jsregexp.c, line 1680]
Comment 2•22 years ago
Testcase added to JS testsuite:
mozilla/js/tests/ecma_3/RegExp/regress-209067.js
The testcase uses a complicated sequence of str.replace()'s
on a very large string (the source HTML for today's CNN page).
The current SpiderMonkey shell crashes on this with exactly the same
trace as Doron has reported above, due to stack overflow in jsregexp.c.
Also, we crash even with the latest patch for bug 85721 applied. No longer
due to stack overflow, however, but an access violation in jsstr.c:
MSVCRT! 7800168a()
do_replace(JSContext * 0x00301ca0, ReplaceData * 0x0012d598, unsigned short * 0x0044549c) line 1517 + 22 bytes
replace_glob(JSContext * 0x00301ca0, long 47, GlobData * 0x0012d598) line 1563 + 17 bytes
match_or_replace(JSContext * 0x00301ca0, JSObject * 0x00458120, unsigned int 2, long * 0x00420090, int (JSContext *, long, GlobData *)* 0x610752bf replace_glob(JSContext *, long, GlobData *), GlobData * 0x0012d598, long * 0x0012d690) line 1160 + 15 bytes
str_replace(JSContext * 0x00301ca0, JSObject * 0x00458120, unsigned int 2, long * 0x00420090, long * 0x0012d690) line 1616 + 34 bytes
js_Invoke(JSContext * 0x00301ca0, unsigned int 2, unsigned int 0) line 843 + 23 bytes
js_Interpret(JSContext * 0x00301ca0, long * 0x0012e2dc) line 2830 + 15 bytes
js_Invoke(JSContext * 0x00301ca0, unsigned int 1, unsigned int 0) line 860 + 13 bytes
js_Interpret(JSContext * 0x00301ca0, long * 0x0012fed8) line 2830 + 15 bytes
js_Execute(JSContext * 0x00301ca0, JSObject * 0x002fb340, JSScript * 0x0032bc60, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fed8) line 1038 + 13 bytes
JS_ExecuteScript(JSContext * 0x00301ca0, JSObject * 0x002fb340, JSScript * 0x0032bc60, long * 0x0012fed8) line 3373 + 25 bytes
Process(JSContext * 0x00301ca0, JSObject * 0x002fb340, char * 0x00301f3b) line 331 + 22 bytes
ProcessArgs(JSContext * 0x00301ca0, JSObject * 0x002fb340, char * * 0x00301eb4, int 6) line 461 + 17 bytes
main(int 6, char * * 0x00301eb4) line 2137 + 21 bytes
JS! mainCRTStartup + 227 bytes
KERNEL32! 77f1b9ea()
Assignee
Comment 3•22 years ago
The fix for bug 85721 nominally fixes this bug since it avoids the stack
traffic, however the incoming string was so long it overflowed some int16
indices being used. I've updated the fixes on that bug and the patched shell
passes the new test just fine.
Updated•22 years ago
Depends on: RegExpPerf
Comment 4•22 years ago
Confirming what rogerl found: with the latest patch for bug 85721,
both types of crashes indicated above are fixed. So when the patch
for 85721 goes in, we will be able to resolve this bug as fixed.
However, note the same type of adjustment will be needed in Rhino.
The testcase above hangs with 100% CPU when I run it there -
Whiteboard: [Fix needed in Rhino as well as SpiderMonkey]
Comment 5•22 years ago
More specific data on Rhino: it takes about 5 minutes at 100% CPU
for Rhino to run the above test on my WinNT4.0 box (500MHz, 128M).
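Comments 2 through 5 together describe three separate ways a very large input defeats a backtracking regexp matcher: recursion depth that grows with the input (the greedyRecurse frames in the first trace), indices too narrow for the input length (the int16 overflow in comment 3), and unbounded matching time (the 100% CPU hang in Rhino). The following C program is an added illustration of one guard for each, written for this page; it is not SpiderMonkey or Rhino code. The pattern syntax (literals, `.`, postfix `*`), the function names `re_search`, `re_input_fits` and `re_search_run`, the `RE_INDEX_MAX` limit standing in for the int16 indices, and the constructed test inputs are all assumptions.

```c
/* Added example: a tiny backtracking matcher (literals, '.', postfix '*') that
 * models the three failure modes on this bug and one guard for each.
 * Not SpiderMonkey or Rhino code; every name here is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RE_MAX_NODES 64
/* Hypothetical: models the int16 indices that comment 3 says the input overflowed. */
#define RE_INDEX_MAX INT16_MAX

typedef struct { char c; int star; } ReNode;                               /* c == '.' matches anything */
typedef struct { int next_node; size_t base; size_t remaining; } ReChoice; /* pending backtrack point */

enum { RE_MATCH = 1, RE_NOMATCH = 0, RE_BUDGET = -1, RE_TOO_LONG = -2, RE_BAD_PATTERN = -3 };

/* Guard 1: refuse input the index type cannot address, instead of letting it wrap. */
int re_input_fits(size_t len) { return len <= (size_t)RE_INDEX_MAX; }

static int re_compile(const char *pat, ReNode *nodes) {
    int n = 0;
    for (; *pat; pat++) {
        if (*pat == '*') {
            if (n == 0 || nodes[n - 1].star) return -1;   /* nothing to repeat */
            nodes[n - 1].star = 1;
        } else {
            if (n == RE_MAX_NODES) return -1;
            nodes[n].c = *pat; nodes[n].star = 0; n++;
        }
    }
    return n;
}

static int re_char_ok(char pc, char tc) { return pc == '.' || pc == tc; }

/* Match nodes[0..n) anchored at text[start]. Guard 2: backtrack points live in a
 * caller-supplied heap array, so depth never consumes the C stack the way the
 * greedyRecurse frames above do. Guard 3: every step is charged to *budget. */
static int re_match_at(const ReNode *nodes, int n, const char *text, size_t len,
                       size_t start, long *budget, ReChoice *stack) {
    int sp = 0, node = 0;
    size_t pos = start;
    for (;;) {
        if (--*budget < 0) return RE_BUDGET;
        if (node == n) return RE_MATCH;
        if (nodes[node].star) {
            size_t k = 0;                      /* greedy: take every repetition available */
            while (pos + k < len && re_char_ok(nodes[node].c, text[pos + k])) k++;
            *budget -= (long)k;
            /* Remember the k shorter alternatives. Only one live entry per star
             * node is ever on the stack, so n entries always suffice. */
            stack[sp].next_node = node + 1; stack[sp].base = pos; stack[sp].remaining = k;
            sp++; node++; pos += k;
            continue;
        }
        if (pos < len && re_char_ok(nodes[node].c, text[pos])) { node++; pos++; continue; }
        /* Dead end: resume at the most recent star that still has alternatives. */
        for (;;) {
            if (sp == 0) return RE_NOMATCH;
            if (stack[sp - 1].remaining == 0) { sp--; continue; }
            stack[sp - 1].remaining--;
            node = stack[sp - 1].next_node;
            pos = stack[sp - 1].base + stack[sp - 1].remaining;
            break;
        }
    }
}

/* Unanchored search; budget bounds the total matcher steps across all start positions. */
int re_search(const char *pat, const char *text, long budget) {
    ReNode nodes[RE_MAX_NODES];
    int n = re_compile(pat, nodes), rc = RE_NOMATCH;
    size_t len = strlen(text);
    if (n < 0) return RE_BAD_PATTERN;
    if (!re_input_fits(len)) return RE_TOO_LONG;
    ReChoice *stack = malloc((size_t)(n + 1) * sizeof *stack);   /* heap, never the C stack */
    if (!stack) return RE_BUDGET;
    for (size_t start = 0; start <= len && rc == RE_NOMATCH; start++)
        rc = re_match_at(nodes, n, text, len, start, &budget, stack);
    free(stack);
    return rc;
}

/* Convenience for experiments: search a constructed text of `count` copies of `ch`. */
int re_search_run(const char *pat, char ch, size_t count, long budget) {
    char *text = malloc(count + 1);
    if (!text) return RE_BUDGET;
    memset(text, ch, count); text[count] = '\0';
    int rc = re_search(pat, text, budget);
    free(text);
    return rc;
}

int main(void) {
    printf("a*b on xxaaab -> %d\n", re_search("a*b", "xxaaab", 1000));
    printf("a*a*a*a*a*b on 24 a's, budget 100 -> %d (budget exhausted)\n",
           re_search_run("a*a*a*a*a*b", 'a', 24, 100));
    printf("a*b on 40000 a's -> %d (too long for the index type)\n",
           re_search_run("a*b", 'a', 40000, 1000));
    return 0;
}
```

The point of the explicit `ReChoice` array is that its size depends on the pattern, not on the input, so a long string can only make the search slow, never make it overflow the stack; the step budget then turns "slow" into an error the caller can report instead of a hang, and the length check rejects up front what the index type could not represent.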
Comment 6•21 years ago
I ran into this when pasting a large stylesheet into the W3's CSS validator. Will attach crash log in a moment.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5) Gecko/20031007
see also: talkback IDs TB24630961G and TB24631076W
OS: Windows 2000 → All
Hardware: PC → All
Comment 7•21 years ago
Comment 8•21 years ago
Fixed with bug 85721 and aftermath.
/be
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED