Closed Bug 228442 Opened 21 years ago Closed 21 years ago

Crash with RegExp.exec on complex regular expression and long string

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 220408

People

(Reporter: martin.honnen, Unassigned)

Details

(Keywords: crash)

Attachments

(4 files)

I manage to crash both Mozilla 1.4.1 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4.1) Gecko/20031008) and the xpcshell that comes with that build with some RegExp.exec called on a complex pattern with a long string. I will upload the test case. This seems to be a 1.4 branch only problem as the crash doesn't occur with Mozilla 1.6b and the xpcshell that comes with that build.
I tried xpcshell from Mozilla 1.4.1 for Linux on viper and it didn't die on attachment 137394.

js> build()
built on Nov 26 2003 at 19:19:04

Note that neither xpcshell for Linux nor xpcshell for Windows wants to run the script in interactive mode (they crash). You need to use |load('scriptfile')|
Enter two characters like 'sx' in the text box and then use tab to navigate to the submit button.
This crashed using 1.7b on Windows XP, so moving to Trunk. Also, according to the severity descriptions, crashers are critical. The Talkback ID is in the status whiteboard.
Severity: major → critical
Whiteboard: TB8503Q
Version: 1.4 Branch → Trunk
(In reply to comment #5)
> Created an attachment (id=142430)
> A short example which crashes 1.4.1 and 1.6

This problem isn't in any way related to this bug or regular expressions in general. It is caused by an endless loop your code is creating, the code can be minimized to one line:

<input type="text" onblur="this.focus();alert('');">

Please open a separate bug on this and copy the talkback ID from the status whiteboard.
The last testcase gives this stack with Mozilla 1.7 beta:

_chkstk()
nsFontMetricsWin::GetCCMAP [mozilla/gfx/src/windows/nsFontMetricsWin.cpp, line 1725]
nsFontMetricsWin::LoadFont [mozilla/gfx/src/windows/nsFontMetricsWin.cpp, line 2404]
nsFontMetricsWin::FindLocalFont [mozilla/gfx/src/windows/nsFontMetricsWin.cpp, line 3264]
nsFontMetricsWin::FindFont [mozilla/gfx/src/windows/nsFontMetricsWin.cpp, line 3501]
nsFontMetricsWin::RealizeFont [mozilla/gfx/src/windows/nsFontMetricsWin.cpp, line 3616]
nsFontMetricsWin::Init [mozilla/gfx/src/windows/nsFontMetricsWin.cpp, line 482]
nsFontCache::GetMetricsFor [mozilla/gfx/src/nsDeviceContext.cpp, line 631]
DeviceContextImpl::GetMetricsFor [mozilla/gfx/src/nsDeviceContext.cpp, line 306]
ComputeLineHeight [mozilla/layout/html/base/src/nsHTMLReflowState.cpp, line 2156]
nsHTMLReflowState::CalcLineHeight [mozilla/layout/html/base/src/nsHTMLReflowState.cpp, line 2193]
nsBlockReflowState::nsBlockReflowState [mozilla/layout/html/base/src/nsBlockReflowState.cpp, line 168]
nsBlockFrame::Reflow [mozilla/layout/html/base/src/nsBlockFrame.cpp, line 668]
nsBoxToBlockAdaptor::Reflow [mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 884]
nsBoxToBlockAdaptor::RefreshSizeCache [mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 385]
nsBoxToBlockAdaptor::GetAscent [mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 590]
nsSprocketLayout::GetAscent [mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 1512]
nsContainerBox::GetAscent [mozilla/layout/xul/base/src/nsContainerBox.cpp, line 595]
nsBoxFrame::GetAscent [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 954]
nsSprocketLayout::GetAscent [mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 1512]
nsContainerBox::GetAscent [mozilla/layout/xul/base/src/nsContainerBox.cpp, line 595]
nsBoxFrame::GetAscent [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 954]
nsSprocketLayout::GetAscent [mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 1512]
nsContainerBox::GetAscent [mozilla/layout/xul/base/src/nsContainerBox.cpp, line 595]
nsBoxFrame::GetAscent [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 954]
nsSprocketLayout::GetAscent [mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 1512]
nsContainerBox::GetAscent [mozilla/layout/xul/base/src/nsContainerBox.cpp, line 595]
nsBoxFrame::GetAscent [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 954]
nsSprocketLayout::Layout [mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 233]
nsContainerBox::DoLayout [mozilla/layout/xul/base/src/nsContainerBox.cpp, line 612]
nsBox::Layout [mozilla/layout/xul/base/src/nsBox.cpp, line 994]
nsStackLayout::Layout [mozilla/layout/xul/base/src/nsStackLayout.cpp, line 322]
nsContainerBox::DoLayout [mozilla/layout/xul/base/src/nsContainerBox.cpp, line 612]
nsBox::Layout [mozilla/layout/xul/base/src/nsBox.cpp, line 994]
nsBoxFrame::Reflow [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 868]
nsRootBoxFrame::Reflow [mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 240]
nsContainerFrame::ReflowChild [mozilla/layout/html/base/src/nsContainerFrame.cpp, line 950]
ViewportFrame::Reflow [mozilla/layout/html/base/src/nsViewportFrame.cpp, line 249]
PresShell::InitialReflow [mozilla/layout/html/base/src/nsPresShell.cpp, line 2813]
nsXULDocument::StartLayout [mozilla/content/xul/document/src/nsXULDocument.cpp, line 2188]
nsXULDocument::ResumeWalk [mozilla/content/xul/document/src/nsXULDocument.cpp, line 3041]
nsXULDocument::CachedChromeStreamListener::OnStopRequest [mozilla/content/xul/document/src/nsXULDocument.cpp, line 4193]
nsDocumentOpenInfo::OnStopRequest [mozilla/uriloader/base/nsURILoader.cpp, line 361]
nsCachedChromeChannel::HandleStopLoadEvent [mozilla/rdf/chrome/src/nsChromeProtocolHandler.cpp, line 477]
PL_HandleEvent [mozilla/xpcom/threads/plevent.c, line 672]
PL_ProcessPendingEvents [mozilla/xpcom/threads/plevent.c, line 610]
_md_EventReceiverProc [mozilla/xpcom/threads/plevent.c, line 1413]
USER32.dll + 0x3d79 (0x77d43d79)
USER32.dll + 0x3ddf (0x77d43ddf)
nsContentTreeOwner::ShowAsModal [mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp, line 449]
nsWindowWatcher::OpenWindowJS [mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 785]
nsWindowWatcher::OpenWindow [mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 458]
nsPromptService::DoDialog [mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 633]
nsPromptService::Alert [mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 137]
nsPrompt::Alert [mozilla/embedding/components/windowwatcher/src/nsPrompt.cpp, line 124]
GlobalWindowImpl::Alert [mozilla/dom/src/base/nsGlobalWindow.cpp, line 2320]
XPTC_InvokeByIndex [mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2029]
XPC_WN_CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1288]
js_Invoke [mozilla/js/src/jsinterp.c, line 943]
js_Interpret [mozilla/js/src/jsinterp.c, line 2963]
js_Invoke [mozilla/js/src/jsinterp.c, line 959]
js_InternalInvoke [mozilla/js/src/jsinterp.c, line 1036]
JS_CallFunctionValue [mozilla/js/src/jsapi.c, line 3591]
Keywords: talkbackid
Whiteboard: TB8503Q
This is completely misassigned. It's also probably a dup. Marking that way, those responsible for this bug should verify.

/be

*** This bug has been marked as a duplicate of 220408 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE