Bug 288818: Crash at visiting dean edwards weblog [@ find_replen ]
Status: VERIFIED FIXED (opened 20 years ago, closed 20 years ago)
Categories: Core :: JavaScript Engine, defect, P1
Tracking: mozilla1.8beta2
People: Reporter: martijn.martijn, Assigned: brendan
Details: 5 keywords
Attachments (2 files):
7.32 KB, text/plain
3.04 KB, patch (shaver: review+, dbaron: superreview+, brendan: approval-aviary1.0.3+, brendan: approval1.7.7+)

When visiting that site, I get a crash with the 2005-04-02 trunk build. I don't
get a crash with the 2005-04-01 trunk build.
I think this happens because of the fix for bug 288688, see the backtrace that
I'll attach shortly.

Comment 1 • 20 years ago (Reporter)
Backtrace from my debug build.

Comment 2 • 20 years ago (Assignee)
Comment on attachment 179442 [details]
Backtrace
Crap, no one read the whole lambda-replace code section in find_replen! It
needs cx->regExpStatics.moreParens from the outer match to be valid after the
code I added to stack regExpStatics, which nulls moreParens!
Patch immediately.
/be
Attachment #179442 - Attachment description: Bactrace → Backtrace
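
A simplified model of the ordering problem described in Comment 2, added here as an illustration; it is not SpiderMonkey's code and not the attached patch. The struct layout, the function names and the nine inline capture slots are assumptions of the model; only moreParens and the idea of stacking the statics come from the comment.

```c
#include <stdio.h>
#include <string.h>
#define INLINE_PARENS 9   /* assumed number of inline capture slots */
typedef struct { const char *chars; size_t length; } SubString;
typedef struct {
    unsigned   parenCount;             /* captures in the last match */
    SubString  parens[INLINE_PARENS];  /* first captures, stored inline */
    SubString *moreParens;             /* overflow array for the rest */
} RegExpStatics;

/* Capture i, or NULL where real code would read through a NULL moreParens. */
static const SubString *paren(const RegExpStatics *res, unsigned i) {
    if (i < INLINE_PARENS) return &res->parens[i];
    return res->moreParens ? &res->moreParens[i - INLINE_PARENS] : NULL;
}

/* Model of the lambda branch: stack the statics, hand every capture to the
 * lambda as an argument, restore. null_first=1 is the regressed order. */
static int lambda_replace(RegExpStatics *live, SubString *argv, int null_first) {
    RegExpStatics save = *live;
    int n = (int)live->parenCount;
    if (null_first) live->moreParens = NULL;      /* detached too early */
    for (unsigned i = 0; i < live->parenCount; i++) {
        const SubString *s = paren(live, i);
        if (!s) { n = -1; break; }                /* the crash site */
        argv[i] = *s;
    }
    if (!null_first) live->moreParens = NULL;     /* detach after the reads */
    /* the lambda would run here; a nested match may overwrite *live */
    *live = save;
    return n;
}

/* Constructed input: count (at most 12) one-character captures. */
static int demo(unsigned count, int null_first) {
    static const char text[] = "abcdefghijkl";
    SubString overflow[3], argv[12];
    RegExpStatics live;
    memset(&live, 0, sizeof live);
    live.parenCount = count; live.moreParens = overflow;
    for (unsigned i = 0; i < count; i++) {
        SubString s = { text + i, 1 };
        if (i < INLINE_PARENS) live.parens[i] = s; else overflow[i - INLINE_PARENS] = s;
    }
    return lambda_replace(&live, argv, null_first);
}

int main(void) { printf("%d %d %d\n", demo(12, 0), demo(12, 1), demo(9, 1)); return 0; }
```

In this model the regressed order only fails once a match has more captures than fit inline, which is why a pattern with many groups was needed to expose it.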

Updated • 20 years ago (Assignee)
Status: NEW → ASSIGNED
Flags: blocking1.7.7+
Flags: blocking-aviary1.0.3+
OS: Windows XP → All
Hardware: PC → All

Comment 3 • 20 years ago (Assignee)
Pre-approving. I'm likely to check this in now, so Chase can respin when he
gets the bugmail or drivers mail.
/be
Attachment #179443 - Flags: superreview?(dbaron)
Attachment #179443 - Flags: review?(shaver)
Attachment #179443 - Flags: approval1.7.7+
Attachment #179443 - Flags: approval-aviary1.0.3+

Comment 4 • 20 years ago (Assignee)
I checked into the trunk and the two branches. Respin when you can, test
harder. Thanks to Martijn for finding the hard case -- Dean Edwards, my
whatwg.org buddy!
/be

Comment 5 • 20 years ago
I was able to crash with the 4/2 Aviary build - Mozilla/5.0 (Windows; U; Windows
NT 5.1; en-US; rv:1.7.7) Gecko/20050402 Firefox/1.0.3
Incident ID: 4802538
Stack Signature find_replen 7661dfe2
Email Address jay@mozilla.org
Product ID Firefox10
Build ID 2005040205
Trigger Time 2005-04-03 01:19:42.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (0003e099)
URL visited http://dean.edwards.name/weblog/
User Comments Bug 288818: Crash visiting dean edwards weblog
(http://dean.edwards.name/weblog/)
Since Last Crash 1351 sec
Total Uptime 1351 sec
Trigger Reason Access violation
Source File, Line No. d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1432
Stack Trace
find_replen [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1432]
replace_glob [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1538]
match_or_replace [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1155]
str_replace [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsstr.c, line 1608]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 949]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
fun_apply [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1573]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 949]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
js_Interpret [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 2993]
js_Invoke [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 966]
nsXPCWrappedJSClass::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1339]
nsXPCWrappedJS::CallMethod [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 450]
SharedStub [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147]
nsEventListenerManager::HandleEventSubType [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1436]
nsEventListenerManager::HandleEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1516]
GlobalWindowImpl::HandleDOMEvent [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 927]
DocumentViewerImpl::LoadComplete [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/content/base/src/nsDocumentViewer.cpp, line 917]
nsDocShell::EndPageLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4602]
nsWebShell::EndPageLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsWebShell.cpp, line 755]
nsDocShell::OnStateChange [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4536]
nsDocLoaderImpl::FireOnStateChange [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 1252]
nsDocLoaderImpl::doStopDocumentLoad [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 873]
nsDocLoaderImpl::OnStopRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 701]
nsLoadGroup::RemoveRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 695]
nsHttpChannel::OnStopRequest [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3695]
nsInputStreamPump::OnStateStop [d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 499]
Resolving fixed for now since Brendan has checked in the patch everywhere. I'll
retest with tomorrow's builds to verify.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

Comment 6 • 20 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050403
Firefox/1.0+
This fix is causing extreme memory use and making FF grind to a halt (no response,
but no crash)

Comment 7 • 20 years ago
Could this have caused bug 288831?

Comment 8 • 20 years ago
This crash occurred in Dean's javascript highlighting behaviors. I am still
trying to come up with a minimal regular expression that will reproduce this
crash, but on the off-hand that someone (be?) else knows how to simply reproduce
this, please include it here so I can add it to the test library.
Summary: Crash at visitting dean edwards weblog → Crash at visiting dean edwards weblog

Comment 9 • 20 years ago (Assignee)
Wrong bug if this can't be reproduced with today's branch build. See comment 7.
/be

Comment 10 • 20 years ago
Comment on attachment 179443 [details] [diff] [review]
fix
sr=dbaron, although I wonder whether you can move the whole thing to after the
moreParens are pushed on the stack.
Attachment #179443 - Flags: superreview?(dbaron) → superreview+

Comment 11 • 20 years ago
Verified Fixed with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7)
Gecko/20050403 Firefox/1.0.3
Status: RESOLVED → VERIFIED

Comment 12 • 20 years ago (Assignee)
dbaron: not without another lambda_out2: target and goto, and an inner block
scope without hoisting the variables to an existing outer one.
/be

Updated • 20 years ago
Keywords: fixed-aviary1.0.3, fixed1.7.7
Summary: Crash at visiting dean edwards weblog → Crash at visiting dean edwards weblog [@ find_replen ]

Comment 13 • 20 years ago
Comment on attachment 179443 [details] [diff] [review]
fix
r=shaver
Attachment #179443 - Flags: review?(shaver) → review+

Comment 14 • 20 years ago
*** Bug 291667 has been marked as a duplicate of this bug. ***

Comment 15 • 20 years ago
*** Bug 295320 has been marked as a duplicate of this bug. ***

Updated • 19 years ago
Flags: testcase-

Updated • 14 years ago
Crash Signature: [@ find_replen ]