Closed Bug 305884 Opened 19 years ago Closed 19 years ago

crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]

Categories

(Core :: JavaScript Engine, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: bc, Assigned: mrbkap)

References

Details

(Keywords: crash, verified1.8)

Crash Data

Attachments

(1 file)

Not sure why I got two stacks at the same time for the same test. Probably exists on the trunk as well.

Stack Signature: SimpleMatch 0f11009e
Email Address: mozqa@mozilla.com
Product ID: Firefox15
Build ID: 2005082406
Trigger Time: 2005-08-24 17:05:17.0
Platform: Win32
Operating System: Windows NT 5.2 build 3790
Module: js3250.dll + (0003cc7d)
URL visited: js1_5/Regress/regress-281606.js
User Comments:
Since Last Crash: 0 sec
Total Uptime: 2548 sec
Trigger Reason: Access violation
Source File, Line No.: c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2345
Stack Trace:
SimpleMatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2345]
ExecuteREBytecode [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2411]
MatchRegExp [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2868]
regexp_exec_sub [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 3705]
regexp_exec [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 3718]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1174]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3462]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1405]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3864]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1064]
nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 757]
nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 658]
nsScriptLoader::OnStreamComplete [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 1020]
nsStreamLoader::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 137]
nsStreamListenerTee::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 65]
nsInputStreamPump::OnStateStop [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 507]

Stack Signature: SimpleMatch 39c0e058
Email Address: mozqa@mozilla.com
Product ID: Firefox15
Build ID: 2005082406
Trigger Time: 2005-08-24 17:05:17.0
Platform: Win32
Operating System: Windows NT 5.2 build 3790
Module: js3250.dll + (0003cba1)
URL visited: js1_5/Regress/regress-281606.js
User Comments:
Since Last Crash: 1 sec
Total Uptime: 2548 sec
Trigger Reason: Access violation
Source File, Line No.: c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2306
Stack Trace:
SimpleMatch [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2306]
ExecuteREBytecode [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2619]
MatchRegExp [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c, line 2868]
match_or_replace [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 1153]
str_search [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line 1284]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1174]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3462]
js_Execute [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1405]
JS_EvaluateUCScriptForPrincipals [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3864]
nsJSContext::EvaluateString [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1064]
nsScriptLoader::EvaluateScript [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 757]
nsScriptLoader::ProcessRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 658]
nsScriptLoader::OnStreamComplete [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp, line 1020]
nsStreamLoader::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 137]
nsStreamListenerTee::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 65]
nsInputStreamPump::OnStateStop [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 507]
Summary: crash in js1_5/Regress/regress-281606.js → crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]
mrbkap, you have any thoughts here? /be
I can't reproduce in the shell (trunk and branch, even with TOO_MUCH_GC defined). I'll try again in the browser when my build finishes.
By hacking WAY_TOO_MUCH_GC to GC on every branch callback (in the shell, don't try this at home in your browser!) I've reproduced this to hit: 1040 JS_ASSERT(flags != GCF_FINAL); I'll see what else I can dig up.
This is really Brendan's patch. The problem that we found was that cx->exception is only protected if cx->throwing is true. Since we were clearing cx->throwing before pushing the exception onto the stack (and thus preventing it from being GC'd), it was wide open to be GC'd in the time between the throw and the JSOP_EXCEPTION. Since we always emit a JSOP_EXCEPTION inside catch blocks, this patch won't cause us to leak the exception object. This already has r=mrbkap.
Attachment #195047 - Flags: superreview?(shaver)
Attachment #195047 - Flags: review+
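The rooting window described in the comment above, as an added example that is not from this bug's patch or from SpiderMonkey's own code: a toy mark-sweep collector in which the pending exception is a GC root only while the context's `throwing` flag is set. The original ordering (clear the flag, then push the exception for the catch block) leaves a window in which a GC sweeps the object the catch block is about to receive; the patched ordering (push first, so the operand stack roots it, then clear the flag) closes the window, and a final check shows the object is still collected once the catch block pops it, so nothing leaks. `Ctx`, `gc`, `throw_obj`, `catch_buggy` and `catch_fixed` are hypothetical names modelled on cx->throwing, cx->exception and JSOP_EXCEPTION; the explicit `gc()` call stands in for the branch-callback GC used to reproduce the crash.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE  8
#define STACK_SIZE 8

/* A heap cell in the toy collector. A swept cell keeps its memory (it is an
 * arena slot) but is flagged dead and poisoned, so a dangling use is observable
 * without undefined behaviour. */
typedef struct Obj {
    bool alive;
    bool marked;
    int  value;
} Obj;

/* Hypothetical stand-in for JSContext: an operand stack (always a root) plus the
 * pending exception, which is a root only while `throwing` is set. */
typedef struct Ctx {
    Obj  heap[HEAP_SIZE];
    Obj *stack[STACK_SIZE];
    int  sp;
    bool throwing;
    Obj *exception;
} Ctx;

static void ctx_init(Ctx *cx) { memset(cx, 0, sizeof *cx); }

static Obj *alloc_obj(Ctx *cx, int value) {
    for (int i = 0; i < HEAP_SIZE; i++) {
        if (!cx->heap[i].alive) {
            cx->heap[i].alive  = true;
            cx->heap[i].marked = false;
            cx->heap[i].value  = value;
            return &cx->heap[i];
        }
    }
    return NULL; /* toy heap exhausted */
}

/* Mark-sweep: roots are the operand stack and, only while throwing, the pending
 * exception. This conditional rooting is the behaviour the bug hinges on. */
static void gc(Ctx *cx) {
    for (int i = 0; i < HEAP_SIZE; i++) cx->heap[i].marked = false;
    for (int i = 0; i < cx->sp; i++) cx->stack[i]->marked = true;
    if (cx->throwing && cx->exception) cx->exception->marked = true;
    for (int i = 0; i < HEAP_SIZE; i++) {
        if (cx->heap[i].alive && !cx->heap[i].marked) {
            cx->heap[i].alive = false;
            cx->heap[i].value = -1; /* poison so a dangling read is obvious */
        }
    }
}

static void throw_obj(Ctx *cx, Obj *e) { cx->exception = e; cx->throwing = true; }

/* Original ordering: throwing is cleared before the catch block's JSOP_EXCEPTION
 * has pushed the exception, so a GC in the window sweeps it and the push hands
 * the catch block a dead object. Returns whether the exception survived. */
static bool catch_buggy(Ctx *cx) {
    Obj *e = cx->exception;
    cx->throwing = false;       /* exception is no longer a root */
    gc(cx);                     /* GC lands in the window */
    cx->stack[cx->sp++] = e;    /* JSOP_EXCEPTION pushes a dangling pointer */
    return e->alive;
}

/* Patched ordering: push first (the stack now roots it), then clear throwing. */
static bool catch_fixed(Ctx *cx) {
    Obj *e = cx->exception;
    cx->stack[cx->sp++] = e;    /* JSOP_EXCEPTION roots it on the stack */
    cx->throwing = false;       /* now safe to clear */
    gc(cx);
    return e->alive;
}

/* One throw/catch with the chosen ordering; true if the catch block received a
 * live object. */
static bool run_catch(bool fixed) {
    Ctx cx;
    ctx_init(&cx);
    Obj *err = alloc_obj(&cx, 42);
    throw_obj(&cx, err);
    return fixed ? catch_fixed(&cx) : catch_buggy(&cx);
}

/* With the fix, the exception is still collected once the catch block pops it,
 * i.e. keeping throwing set a little longer does not leak the object. */
static bool fixed_does_not_leak(void) {
    Ctx cx;
    ctx_init(&cx);
    Obj *err = alloc_obj(&cx, 42);
    throw_obj(&cx, err);
    catch_fixed(&cx);
    cx.sp--;        /* catch block finished: pop the exception */
    gc(&cx);
    return !err->alive;
}

int main(void) {
    printf("original ordering, exception alive after GC window: %s\n", run_catch(false) ? "yes" : "no");
    printf("patched ordering, exception alive after GC window:  %s\n", run_catch(true) ? "yes" : "no");
    printf("patched ordering leaks the exception:               %s\n", fixed_does_not_leak() ? "no" : "yes");
    return 0;
}
```

The general lesson is the one the reviewers drew: any value that is rooted conditionally on some flag must stay rooted (or be handed to an unconditional root such as the stack) before that flag is cleared, because a collector may run anywhere a callback or allocation can occur in between.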
Comment on attachment 195047 [details] [diff] [review] prevent cx->exception from being collected >+ /* Don't clear cx->throwing so cx->exception isn't collected. */ The doubled negative hurts, how about "Don't clear cx->throwing yet, to protect cx->exception from the GC." /be
Blocks: 307312
We should get this fixed on the 1.8 branch in due course. /be
Assignee: general → mrbkap
Flags: blocking1.8b5+
mrbkap, I tried this out and it didn't cause any regression that I could see, and I didn't see this crash in my test run. However, I cannot definitely say it fixed the crash I have been seeing in nightly builds, since they were not reproducible in all runs.
Comment on attachment 195047 [details] [diff] [review] prevent cx->exception from being collected sr=shaver
Attachment #195047 - Flags: superreview?(shaver) → superreview+
Fix checked into trunk. Marking this, optimistically, as fixed.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 195047 [details] [diff] [review] prevent cx->exception from being collected This fixes potential crashes whenever someone uses a try/catch block.
Attachment #195047 - Flags: approval1.8b5?
Attachment #195047 - Flags: approval1.8b5? → approval1.8b5+
Fix checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
Flags: testcase+
no crash in firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8verified1.8
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ SimpleMatch]