crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]

VERIFIED FIXED

Status

critical
VERIFIED FIXED
14 years ago
8 years ago

People

(Reporter: bc, Assigned: mrbkap)

Tracking

({crash, verified1.8})

1.8 Branch
x86
Windows XP
crash, verified1.8
Bug Flags:
blocking1.8b5 +
in-testsuite +

(Reporter)

Description

14 years ago
Not sure why I got two stacks at the same time for the same test. Probably
exists on the trunk as well.

Stack Signature	 SimpleMatch 0f11009e
Email Address	mozqa@mozilla.com
Product ID	Firefox15
Build ID	2005082406
Trigger Time	2005-08-24 17:05:17.0
Platform	Win32
Operating System	Windows NT 5.2 build 3790
Module	js3250.dll + (0003cc7d)
URL visited	js1_5/Regress/regress-281606.js
User Comments	
Since Last Crash	0 sec
Total Uptime	2548 sec
Trigger Reason	Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2345
Stack Trace 	
SimpleMatch 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2345]
ExecuteREBytecode 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2411]
MatchRegExp 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2868]
regexp_exec_sub 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 3705]
regexp_exec 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 3718]
js_Invoke 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 1174]
js_Interpret 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 3462]
js_Execute 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 1405]
JS_EvaluateUCScriptForPrincipals 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line
3864]
nsJSContext::EvaluateString 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1064]
nsScriptLoader::EvaluateScript 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 757]
nsScriptLoader::ProcessRequest 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 658]
nsScriptLoader::OnStreamComplete 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 1020]
nsStreamLoader::OnStopRequest 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp,
line 137]
nsStreamListenerTee::OnStopRequest 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp,
line 65]
nsInputStreamPump::OnStateStop 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 507]

Stack Signature	 SimpleMatch 39c0e058
Email Address	mozqa@mozilla.com
Product ID	Firefox15
Build ID	2005082406
Trigger Time	2005-08-24 17:05:17.0
Platform	Win32
Operating System	Windows NT 5.2 build 3790
Module	js3250.dll + (0003cba1)
URL visited	js1_5/Regress/regress-281606.js
User Comments	
Since Last Crash	1 sec
Total Uptime	2548 sec
Trigger Reason	Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2306
Stack Trace 	
SimpleMatch 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2306]
ExecuteREBytecode 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2619]
MatchRegExp 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsregexp.c,
line 2868]
match_or_replace 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line
1153]
str_search 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsstr.c, line
1284]
js_Invoke 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 1174]
js_Interpret 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 3462]
js_Execute 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c,
line 1405]
JS_EvaluateUCScriptForPrincipals 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line
3864]
nsJSContext::EvaluateString 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1064]
nsScriptLoader::EvaluateScript 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 757]
nsScriptLoader::ProcessRequest 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 658]
nsScriptLoader::OnStreamComplete 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 1020]
nsStreamLoader::OnStopRequest 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamLoader.cpp,
line 137]
nsStreamListenerTee::OnStopRequest 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp,
line 65]
nsInputStreamPump::OnStateStop 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 507]

Updated

14 years ago
Summary: crash in js1_5/Regress/regress-281606.js → crash in js1_5/Regress/regress-281606.js [@ SimpleMatch]
mrbkap, you have any thoughts here?

/be
(Assignee)

Comment 2

14 years ago
I can't reproduce in the shell (trunk and branch, even with TOO_MUCH_GC
defined). I'll try again in the browser when my build finishes.
(Assignee)

Comment 3

14 years ago
By hacking WAY_TOO_MUCH_GC to GC on every branch callback (in the shell, don't
try this at home in your browser!) I've reproduced this to hit:
1040        JS_ASSERT(flags != GCF_FINAL);

I'll see what else I can dig up.
(Assignee)

Comment 4

14 years ago
Created attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected

This is really Brendan's patch. The problem that we found was that
cx->exception is only protected if cx->throwing is true. Since we were clearing
cx->throwing before pushing the exception onto the stack (and thus preventing
it from being GC'd), it was wide open to be GC'd in the time between the throw
and the JSOP_EXCEPTION. Since we always emit a JSOP_EXCEPTION inside catch
blocks, this patch won't cause us to leak the exception object.

This already has r=mrbkap.
Attachment #195047 - Flags: superreview?(shaver)
Attachment #195047 - Flags: review+
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected

>+                /* Don't clear cx->throwing so cx->exception isn't collected. */

The doubled negative hurts, how about "Don't clear cx->throwing yet, to protect
cx->exception from the GC."

/be
We should get this fixed on the 1.8 branch in due course.

/be
Assignee: general → mrbkap
Flags: blocking1.8b5+
(Reporter)

Comment 7

13 years ago
mrbkap, I tried this out and it didn't cause any regression that I could see and
I didn't see this crash in my test run.  However I can not definitely say it
fixed the crash I have been seeing in nightly builds since they were not
reproducible in all runs.
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected

sr=shaver
Attachment #195047 - Flags: superreview?(shaver) → superreview+
(Assignee)

Comment 9

13 years ago
Fix checked into trunk. Marking this, optimistically, as fixed.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Assignee)

Comment 10

13 years ago
Comment on attachment 195047 [details] [diff] [review]
prevent cx->exception from being collected

This fixes potential crashes whenever someone uses a try/catch block.
Attachment #195047 - Flags: approval1.8b5?

Updated

13 years ago
Attachment #195047 - Flags: approval1.8b5? → approval1.8b5+
(Assignee)

Comment 11

13 years ago
Fix checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
(Reporter)

Updated

13 years ago
Flags: testcase+
(Reporter)

Comment 12

13 years ago
no crash in firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8 → verified1.8
(Reporter)

Comment 13

13 years ago
verified fixed 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ SimpleMatch]