Closed Bug 288818 Opened 17 years ago Closed 17 years ago

Crash at visiting dean edwards weblog [@ find_replen ]

Categories: Core :: JavaScript Engine, defect, P1

Tracking: VERIFIED FIXED, target mozilla1.8beta2

People: Reporter: martijn.martijn, Assigned: brendan

Attachments: 2 files

When visiting that site, I get a crash with the 2005-04-02 trunk build. I don't
get a crash with the 2005-04-01 trunk build.
I think this happens because of the fix for bug 288688, see the backtrace that
I'll attach shortly.
Attached file Backtrace
Backtrace from my debug build.
Assignee: general → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta2
Comment on attachment 179442 [details]
Backtrace

Crap, no one read the whole lambda-replace code section in find_replen!  It
needs cx->regExpStatics.moreParens from the outer match to be valid after the
code I added to stack regExpStatics, which nulls moreParens!

Patch immediately.

/be
Attachment #179442 - Attachment description: Bactrace → Backtrace
Status: NEW → ASSIGNED
Flags: blocking1.7.7+
Flags: blocking-aviary1.0.3+
OS: Windows XP → All
Hardware: PC → All
Attached patch fix
Pre-approving.  I'm likely to check this in now, so Chase can respin when he
gets the bugmail or drivers mail.

/be
Attachment #179443 - Flags: superreview?(dbaron)
Attachment #179443 - Flags: review?(shaver)
Attachment #179443 - Flags: approval1.7.7+
Attachment #179443 - Flags: approval-aviary1.0.3+
I checked into the trunk and the two branches.  Respin when you can, test
harder.  Thanks to Martijn for finding the hard case -- Dean Edwards, my
whatwg.org buddy!

/be
I was able to crash with the 4/2 Aviary build - Mozilla/5.0 (Windows; U; Windows
NT 5.1; en-US; rv:1.7.7) Gecko/20050402 Firefox/1.0.3

Incident ID: 4802538
Stack Signature	find_replen 7661dfe2
Email Address	jay@mozilla.org
Product ID	Firefox10
Build ID	2005040205
Trigger Time	2005-04-03 01:19:42.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	js3250.dll + (0003e099)
URL visited	http://dean.edwards.name/weblog/
User Comments	Bug 288818: Crash visiting dean edwards weblog
(http://dean.edwards.name/weblog/)
Since Last Crash	1351 sec
Total Uptime	1351 sec
Trigger Reason	Access violation
Source File, Line No.
d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line
1432
Stack Trace 	
find_replen 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c,
line 1432]
replace_glob 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c,
line 1538]
match_or_replace 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c,
line 1155]
str_replace 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c,
line 1608]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 949]
js_Interpret 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 2993]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 966]
fun_apply 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsfun.c,
line 1573]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 949]
js_Interpret 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 2993]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 966]
js_Interpret 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 2993]
js_Invoke 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c,
line 966]
nsXPCWrappedJSClass::CallMethod 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1339]
nsXPCWrappedJS::CallMethod 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 450]
SharedStub 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
nsEventListenerManager::HandleEventSubType 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1436]
nsEventListenerManager::HandleEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1516]
GlobalWindowImpl::HandleDOMEvent 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 927]
DocumentViewerImpl::LoadComplete 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocumentViewer.cpp,
line 917]
nsDocShell::EndPageLoad 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 4602]
nsWebShell::EndPageLoad 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsWebShell.cpp,
line 755]
nsDocShell::OnStateChange 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 4536]
nsDocLoaderImpl::FireOnStateChange 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 1252]
nsDocLoaderImpl::doStopDocumentLoad 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 873]
nsDocLoaderImpl::OnStopRequest 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp,
line 701]
nsLoadGroup::RemoveRequest 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp,
line 695]
nsHttpChannel::OnStopRequest 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 3695]
nsInputStreamPump::OnStateStop 
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 499]

Resolving fixed for now since Brendan has checked in the patch everywhere.  I'll
retest with tomorrow's builds to verify.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050403
Firefox/1.0+

This fix is causing extreme memory use and makes FF grind to a halt (no response,
but no crash).
Could this have caused bug 288831?
This crash occurred in Dean's javascript highlighting behaviors. I am still
trying to come up with a minimal regular expression that will reproduce this
crash, but on the off-hand that someone (be?) else knows how to simply reproduce
this, please include it here so I can add it to the test library.
Summary: Crash at visitting dean edwards weblog → Crash at visiting dean edwards weblog
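The request above asks for a minimal case for the test library. What follows is an added example, not code from this bug, from Dean Edwards's site, or from SpiderMonkey, written from Brendan's diagnosis above: the lambda-replace path in find_replen built the callback's arguments from cx->regExpStatics, and capture groups past the fixed-size parens array (nine slots in SpiderMonkey of that era) lived in regExpStatics.moreParens, which the statics-stacking change nulled before the arguments were built. The example drives String.prototype.replace with a function replacement and a pattern with eleven capture groups, so groups 10 and 11 must come through the moreParens path, and it also runs a nested regex inside the lambda, which is the situation the stacking was added for. The sample input and the helper names (replaceWithLambda, checkGroups) are constructed for this example.

```javascript
// Added regression-style example for bug 288818's code path. Not part of
// the bug, of Dean Edwards's scripts or of SpiderMonkey. Runs in any
// current JavaScript engine; the point is to pin down the behaviour the
// crashing build got wrong (lambda replace with more than nine groups).

// Constructed input: eleven space-separated tokens so that one match of
// the pattern below fills every group.
const SAMPLE = "a1 b2 c3 d4 e5 f6 g7 h8 i9 j10 k11";

// Eleven capture groups: groups 10 and 11 fall outside a nine-slot
// parens array and, in the engine described in this bug, had to be read
// from regExpStatics.moreParens when the lambda's arguments were built.
const ELEVEN_GROUPS =
  /(\w+) (\w+) (\w+) (\w+) (\w+) (\w+) (\w+) (\w+) (\w+) (\w+) (\w+)/g;

// Run the replace with a function replacement and record exactly what the
// engine handed the callback: all eleven groups plus the match offset.
function replaceWithLambda(input) {
  const seen = [];
  const out = input.replace(ELEVEN_GROUPS, function (match, ...rest) {
    // rest = [g1 .. g11, offset, wholeString] (no named groups, so no
    // trailing groups object).
    const groups = rest.slice(0, 11);
    const offset = rest[11];
    // Nested regex use inside the lambda: this is what the statics
    // stacking from bug 288688 had to isolate from the outer match.
    const inner = /(\d+)$/.exec(groups[10]);
    seen.push({ groups, offset, innerDigits: inner ? inner[1] : null });
    // Replacement text derived from every group, so a group lost on the
    // way in would show up in the output, not just in `seen`.
    return groups.map((g) => g.toUpperCase()).join("-");
  });
  return { out, seen };
}

// Returns true when the tenth and eleventh groups arrived intact and the
// nested regex did not disturb them.
function checkGroups(input) {
  const { out, seen } = replaceWithLambda(input);
  if (seen.length !== 1) return false;
  const { groups, offset, innerDigits } = seen[0];
  return (
    groups.length === 11 &&
    groups[9] === "j10" &&
    groups[10] === "k11" &&
    offset === 0 &&
    innerDigits === "11" &&
    out === "A1-B2-C3-D4-E5-F6-G7-H8-I9-J10-K11"
  );
}
```

On the 2005-04-02 builds this shape of call is what reached the null moreParens in find_replen; on a fixed engine checkGroups(SAMPLE) returns true, and the nested exec inside the lambda leaves the outer match's groups untouched.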
Wrong bug if this can't be reproduced with today's branch build.  See comment 7.

/be
Comment on attachment 179443 [details] [diff] [review]
fix

sr=dbaron, although I wonder whether you can move the whole thing to after the
moreParens are pushed on the stack.
Attachment #179443 - Flags: superreview?(dbaron) → superreview+
Verified Fixed with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7)
Gecko/20050403 Firefox/1.0.3
Status: RESOLVED → VERIFIED
dbaron: not without another lambda_out2: target and goto, and an inner block
scope without hoisting the variables to an existing outer one.

/be
Summary: Crash at visiting dean edwards weblog → Crash at visiting dean edwards weblog [@ find_replen ]
*** Bug 291667 has been marked as a duplicate of this bug. ***
*** Bug 295320 has been marked as a duplicate of this bug. ***
Flags: testcase-
Crash Signature: [@ find_replen ]