Closed Bug 288818 Opened 20 years ago Closed 20 years ago

Crash at visiting dean edwards weblog [@ find_replen ]

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.8beta2

People

(Reporter: martijn.martijn, Assigned: brendan)

Attachments

(2 files)

When visiting that site, I get a crash with the 2005-04-02 trunk build. I don't get a crash with the 2005-04-01 trunk build. I think this happens because of the fix for bug 288688, see the backtrace that I'll attach shortly.
Attached file Backtrace
Backtrace from my debug build.
Assignee: general → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta2
Comment on attachment 179442 Backtrace

Crap, no one read the whole lambda-replace code section in find_replen! It needs cx->regExpStatics.moreParens from the outer match to be valid after the code I added to stack regExpStatics, which nulls moreParens! Patch immediately. /be
Attachment #179442 - Attachment description: Bactrace → Backtrace
Status: NEW → ASSIGNED
Flags: blocking1.7.7+
Flags: blocking-aviary1.0.3+
OS: Windows XP → All
Hardware: PC → All
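The ordering problem described in the comment above, as an added example that is not the SpiderMonkey source or the attached patch. It is a simplified model with hypothetical names (Statics, push_captures, prepare_call_buggy, prepare_call_fixed) and assumes a layout in which the first nine captures are stored inline and later ones go through moreParens; the model returns -1 at the point where unchecked code would read through the nulled pointer.

```c
#include <stddef.h>
#include <stdio.h>

#define INLINE_PARENS 9   /* assumption: first nine captures are stored inline */
typedef struct { const char *chars; size_t length; } SubString;
typedef struct {
    size_t     parenCount;             /* captures in the last match */
    SubString  parens[INLINE_PARENS];
    SubString *moreParens;             /* captures 10 and up (spill array) */
} Statics;

/* Copy every capture into argv for the replacement callback. Returns the
 * count, or -1 where unchecked code would read through a null moreParens. */
static int push_captures(const Statics *s, SubString *argv) {
    for (size_t i = 0; i < s->parenCount; i++) {
        if (i < INLINE_PARENS)
            argv[i] = s->parens[i];
        else if (s->moreParens)
            argv[i] = s->moreParens[i - INLINE_PARENS];
        else
            return -1;
    }
    return (int)s->parenCount;
}

/* Ordering from the comment: stack the statics, null the live spill
 * pointer, then read the outer match's captures from the live copy. */
int prepare_call_buggy(Statics *live, Statics *saved, SubString *argv) {
    *saved = *live;
    live->moreParens = NULL;
    return push_captures(live, argv);
}

/* One safe ordering: read the captures from the saved copy, which still
 * points at the outer match's spill array. */
int prepare_call_fixed(Statics *live, Statics *saved, SubString *argv) {
    *saved = *live;
    live->moreParens = NULL;
    return push_captures(saved, argv);
}

int main(void) {
    SubString spill[2] = {{"j", 1}, {"k", 1}}, argv[11];   /* constructed input */
    Statics live = {11, {{0}}, spill}, saved;
    printf("buggy: %d\n", prepare_call_buggy(&live, &saved, argv));
    live = saved;                      /* restore the outer statics */
    printf("fixed: %d\n", prepare_call_fixed(&live, &saved, argv));
    return 0;
}
```

With nine or fewer captures the buggy ordering never touches moreParens, so in this model only a match with more than nine groups reaches the failing path.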
Attached patch fix
Pre-approving. I'm likely to check this in now, so Chase can respin when he gets the bugmail or drivers mail. /be
Attachment #179443 - Flags: superreview?(dbaron)
Attachment #179443 - Flags: review?(shaver)
Attachment #179443 - Flags: approval1.7.7+
Attachment #179443 - Flags: approval-aviary1.0.3+
I checked into the trunk and the two branches. Respin when you can, test harder. Thanks to Martijn for finding the hard case -- Dean Edwards, my whatwg.org buddy! /be
I was able to crash with the 4/2 Aviary build - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050402 Firefox/1.0.3

Incident ID: 4802538
Stack Signature find_replen 7661dfe2
Email Address jay@mozilla.org
Product ID Firefox10
Build ID 2005040205
Trigger Time 2005-04-03 01:19:42.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (0003e099)
URL visited http://dean.edwards.name/weblog/
User Comments Bug 288818: Crash visiting dean edwards weblog (http://dean.edwards.name/weblog/)
Since Last Crash 1351 sec
Total Uptime 1351 sec
Trigger Reason Access violation
Source File, Line No. d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1432

Stack Trace
find_replen [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1432]
replace_glob [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1538]
match_or_replace [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1155]
str_replace [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1608]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 949]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
fun_apply [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1573]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 949]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
nsXPCWrappedJSClass::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1339]
nsXPCWrappedJS::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 450]
SharedStub [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147]
nsEventListenerManager::HandleEventSubType [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1436]
nsEventListenerManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1516]
GlobalWindowImpl::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 927]
DocumentViewerImpl::LoadComplete [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocumentViewer.cpp, line 917]
nsDocShell::EndPageLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4602]
nsWebShell::EndPageLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsWebShell.cpp, line 755]
nsDocShell::OnStateChange [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4536]
nsDocLoaderImpl::FireOnStateChange [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 1252]
nsDocLoaderImpl::doStopDocumentLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 873]
nsDocLoaderImpl::OnStopRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 701]
nsLoadGroup::RemoveRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 695]
nsHttpChannel::OnStopRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3695]
nsInputStreamPump::OnStateStop [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 499]

Resolving fixed for now since Brendan has checked in the patch everywhere. I'll retest with tomorrow's builds to verify.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050403 Firefox/1.0+

This fix is causing extreme memory use and makes FF grind to a halt (no response, but no crash).
Could this have caused bug 288831?
This crash occurred in Dean's javascript highlighting behaviors. I am still trying to come up with a minimal regular expression that will reproduce this crash, but on the off-hand that someone (be?) else knows how to simply reproduce this, please include it here so I can add it to the test library.
Summary: Crash at visitting dean edwards weblog → Crash at visiting dean edwards weblog
Wrong bug if this can't be reproduced with today's branch build. See comment 7. /be
Comment on attachment 179443 fix

sr=dbaron, although I wonder whether you can move the whole thing to after the moreParens are pushed on the stack.
Attachment #179443 - Flags: superreview?(dbaron) → superreview+
Verified Fixed with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050403 Firefox/1.0.3
Status: RESOLVED → VERIFIED
dbaron: not without another lambda_out2: target and goto, and an inner block scope without hoisting the variables to an existing outer one. /be
Summary: Crash at visiting dean edwards weblog → Crash at visiting dean edwards weblog [@ find_replen ]
Comment on attachment 179443 fix

r=shaver
Attachment #179443 - Flags: review?(shaver) → review+
*** Bug 291667 has been marked as a duplicate of this bug. ***
*** Bug 295320 has been marked as a duplicate of this bug. ***
Flags: testcase-
Crash Signature: [@ find_replen ]