Closed
Bug 305884
Opened 19 years ago
Closed 19 years ago
crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: bc, Assigned: mrbkap)
References
Details
(Keywords: crash, verified1.8)
Crash Data
Attachments
(1 file)
1.61 KB, patch | mrbkap: review+ | shaver: superreview+ | asa: approval1.8b5+
Not sure why I got two stacks at the same time for the same test. Probably
exists on the trunk as well.
Stack Signature SimpleMatch 0f11009e
Email Address mozqa@mozilla.com
Product ID Firefox15
Build ID 2005082406
Trigger Time 2005-08-24 17:05:17.0
Platform Win32
Operating System Windows NT 5.2 build 3790
Module js3250.dll + (0003cc7d)
URL visited js1_5/Regress/regress-281606.js
User Comments
Since Last Crash 0 sec
Total Uptime 2548 sec
Trigger Reason Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2345
Stack Trace
SimpleMatch
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2345]
ExecuteREBytecode
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2411]
MatchRegExp
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2868]
regexp_exec_sub
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 3705]
regexp_exec
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 3718]
js_Invoke
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 1174]
js_Interpret
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 3462]
js_Execute
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 1405]
JS_EvaluateUCScriptForPrincipals
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line
3864]
nsJSContext::EvaluateString
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1064]
nsScriptLoader::EvaluateScript
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 757]
nsScriptLoader::ProcessRequest
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 658]
nsScriptLoader::OnStreamComplete
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 1020]
nsStreamLoader::OnStopRequest
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp,
line 137]
nsStreamListenerTee::OnStopRequest
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp,
line 65]
nsInputStreamPump::OnStateStop
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 507]
Stack Signature SimpleMatch 39c0e058
Email Address mozqa@mozilla.com
Product ID Firefox15
Build ID 2005082406
Trigger Time 2005-08-24 17:05:17.0
Platform Win32
Operating System Windows NT 5.2 build 3790
Module js3250.dll + (0003cba1)
URL visited js1_5/Regress/regress-281606.js
User Comments
Since Last Crash 1 sec
Total Uptime 2548 sec
Trigger Reason Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2306
Stack Trace
SimpleMatch
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2306]
ExecuteREBytecode
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2619]
MatchRegExp
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2868]
match_or_replace
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line
1153]
str_search
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line
1284]
js_Invoke
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 1174]
js_Interpret
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 3462]
js_Execute
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 1405]
JS_EvaluateUCScriptForPrincipals
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line
3864]
nsJSContext::EvaluateString
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1064]
nsScriptLoader::EvaluateScript
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 757]
nsScriptLoader::ProcessRequest
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 658]
nsScriptLoader::OnStreamComplete
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 1020]
nsStreamLoader::OnStopRequest
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp,
line 137]
nsStreamListenerTee::OnStopRequest
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp,
line 65]
nsInputStreamPump::OnStateStop
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 507]
Updated•19 years ago
Summary: crash in js1_5/Regress/regress-281606.js → crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]
Comment 1•19 years ago
mrbkap, you have any thoughts here?
/be
Assignee
Comment 2•19 years ago
I can't reproduce in the shell (trunk and branch, even with TOO_MUCH_GC
defined). I'll try again in the browser when my build finishes.
Assignee
Comment 3•19 years ago
By hacking WAY_TOO_MUCH_GC to GC on every branch callback (in the shell, don't
try this at home in your browser!) I've reproduced this to hit:
1040 JS_ASSERT(flags != GCF_FINAL);
I'll see what else I can dig up.
Assignee
Comment 4•19 years ago
This is really Brendan's patch. The problem that we found was that
cx->exception is only protected if cx->throwing is true. Since we were clearing
cx->throwing before pushing the exception onto the stack (and thus preventing
it from being GC'd), it was wide open to be GC'd in the time between the throw
and the JSOP_EXCEPTION. Since we always emit a JSOP_EXCEPTION inside catch
blocks, this patch won't cause us to leak the exception object.
This already has r=mrbkap.
Attachment #195047 -
Flags: superreview?(shaver)
Attachment #195047 -
Flags: review+
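The window described in comment 4, as a toy C model added here for illustration (not SpiderMonkey code and not the attached patch). `Obj`, `Ctx`, `gc`, `op_exception` and `catch_survives_gc` are hypothetical names, and the behaviour of the JSOP_EXCEPTION step (push the exception, then clear the flag) is an assumption inferred from the comment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (hypothetical names, not SpiderMonkey code). */
typedef struct { bool marked, live; } Obj;

typedef struct {
    bool throwing;    /* models cx->throwing */
    Obj *exception;   /* models cx->exception */
    Obj *stack[4];    /* operand stack: always scanned as a GC root */
    int sp;
} Ctx;

/* Mark from roots, then sweep: every unmarked object is finalized. */
static void gc(Ctx *cx, Obj *heap, size_t n) {
    for (size_t i = 0; i < n; i++) heap[i].marked = false;
    for (int i = 0; i < cx->sp; i++) cx->stack[i]->marked = true;
    if (cx->throwing && cx->exception)  /* rooted only while throwing */
        cx->exception->marked = true;
    for (size_t i = 0; i < n; i++)
        if (!heap[i].marked) heap[i].live = false;
}

/* Assumed model of the JSOP_EXCEPTION step: push the pending exception
 * (the stack now roots it), and only then clear the flag. */
static void op_exception(Ctx *cx) {
    cx->stack[cx->sp++] = cx->exception;
    cx->throwing = false;
}

/* Returns true if the exception is still live when the catch block gets it. */
bool catch_survives_gc(bool clear_before_push) {
    Obj heap[1] = {{ false, true }};
    Ctx cx = { .throwing = true, .exception = &heap[0], .sp = 0 };

    if (clear_before_push)
        cx.throwing = false;  /* pre-patch order: flag cleared before the push */
    gc(&cx, heap, 1);         /* a GC lands between throw and JSOP_EXCEPTION */
    op_exception(&cx);
    return cx.stack[0]->live;
}

int main(void) {
    printf("flag cleared early: live=%d\n", catch_survives_gc(true));
    printf("flag kept until push: live=%d\n", catch_survives_gc(false));
    return 0;
}
```

In the model the finalized object is only flagged as dead; in the real engine the catch block would be handed a pointer to a collected GC thing.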
Comment 5•19 years ago
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected
>+ /* Don't clear cx->throwing so cx->exception isn't collected. */
The doubled negative hurts, how about "Don't clear cx->throwing yet, to protect
cx->exception from the GC."
/be
Comment 6•19 years ago
We should get this fixed on the 1.8 branch in due course.
/be
Assignee: general → mrbkap
Flags: blocking1.8b5+
Reporter
Comment 7•19 years ago
mrbkap, I tried this out and it didn't cause any regression that I could see and
I didn't see this crash in my test run. However I can not definitely say it
fixed the crash I have been seeing in nightly builds since they were not
reproducible in all runs.
Comment 8•19 years ago
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected
sr=shaver
Attachment #195047 -
Flags: superreview?(shaver) → superreview+
Assignee
Comment 9•19 years ago
Fix checked into trunk. Marking this, optimistically, as fixed.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Assignee
Comment 10•19 years ago
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected
This fixes potential crashes whenever someone uses a try/catch block.
Attachment #195047 -
Flags: approval1.8b5?
Updated•19 years ago
Attachment #195047 -
Flags: approval1.8b5? → approval1.8b5+
Reporter
Updated•19 years ago
Flags: testcase+
Reporter
Comment 12•19 years ago
no crash in firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8
Reporter
Comment 13•18 years ago
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Updated•14 years ago
Crash Signature: [@ SimpleMatch]