Closed
Bug 454682
Opened 16 years ago
Closed 16 years ago
TM: Crash in [@MatchRegExp] with JIT content enabled
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: marcia, Assigned: gal)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(1 file, 4 obsolete files)
9.13 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
Seen while running Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1pre) Gecko/20080910020330 Minefield/3.1b1pre. STR: 1. I think I was scrolling an ebags.com page. Crash: http://crash-stats.mozilla.com/report/index/defcca61-7f70-11dd-a038-001cc45a2ce4
Reporter | ||
Comment 2•16 years ago
|
||
http://www.koingosw.com/products/airradar.php crashes for me on Windows XP as well. Changing OS to all and adding that site to the URL since it crashes 100% for me.
OS: Mac OS X → All
Hardware: PC → All
Summary: Crash in [@MatchRegExp] while scrolling a page with JIT enabled → Crash in [@MatchRegExp] with JIT content enabled
Updated•16 years ago
|
Summary: Crash in [@MatchRegExp] with JIT content enabled → TM: Crash in [@MatchRegExp] with JIT content enabled
Comment 3•16 years ago
|
||
I have this crash in a debugger now, I'll check it out.
Assignee: general → crowder
Comment 4•16 years ago
|
||
What seems to be happening here is that js_String_p_match is being called with a bogus "str"... I'll try to investigate more tomorrow (ideally providing a reduced testcase).
Comment 5•16 years ago
|
||
The pointer being passed in to js_String_p_match as the "str" parameter is, in fact, actually a String object, not a JSString. Not sure how this happened or how to debug further on this. Will seek help on IRC.
Comment 6•16 years ago
|
||
Shell testcase: a = new String("foo"); for (i = 0; i < 300; i++) { a.match(/bar/); }
Comment 8•16 years ago
|
||
There might be some better ways to approach this, I'm asking for review here, prior to testing, just to make sure I'm on the right track before spending much more time with this.
Attachment #338345 -
Flags: review?(shaver)
Comment 9•16 years ago
|
||
Possible alternatives would be adding a flag to the JSTraceableNative structure, or making the prefix parsing a little smarter (ie., "Ts" for string-this or "To" for objects, and so on). I think this implementation might be a hair faster than those, though? Not sure.
Comment 10•16 years ago
|
||
Comment 11•16 years ago
|
||
This adds the _obj version of the builtin, stolen from bz's patch. Obsoleting bz's patch per discussion on IRC.
Attachment #338345 -
Attachment is obsolete: true
Attachment #338360 -
Attachment is obsolete: true
Attachment #338362 -
Flags: review?(shaver)
Attachment #338345 -
Flags: review?(shaver)
Comment 12•16 years ago
|
||
I love it when bugzilla interdiff works.
Comment 13•16 years ago
|
||
For this testcase: a = "foo"; for (i = 0; i < 300; i++) { a.match(/bar/); } a = new String("foo"); for (i = 0; i < 300; i++) { a.match(/bar/); } I get the following result in debug output from the shell: recorder: started(2), aborted(0), completed(2), different header(0), trees trashed(0), slot promoted(0), unstable loop variable(0), breaks(0), returns(0)
Comment 14•16 years ago
|
||
Do we need to worry about the right jsval not being tval (in the call() case)?
Comment 15•16 years ago
|
||
I believe the current restrictions on the js_fun_apply case actually save us from having to worry about this. Either that, or my testcase is bogus.
Comment 16•16 years ago
|
||
Looks like brendan is doing work that'll make fun_apply handle more cases, so it probably needs to be handled more like this patch.
Attachment #338362 -
Attachment is obsolete: true
Attachment #338373 -
Flags: review?(shaver)
Attachment #338362 -
Flags: review?(shaver)
Comment 17•16 years ago
|
||
Comment on attachment 338373 [details] [diff] [review] v3 review? => mrbkap
Attachment #338373 -
Flags: review?(shaver) → review?(mrbkap)
Updated•16 years ago
|
Attachment #338373 -
Flags: review?(mrbkap) → review+
Updated•16 years ago
|
Attachment #338373 -
Flags: review?(gal)
Comment 18•16 years ago
|
||
Comment on attachment 338373 [details] [diff] [review] v3 Just to get another set of eyes on it before I land it.
Assignee | ||
Comment 19•16 years ago
|
||
Comment on attachment 338373 [details] [diff] [review] v3 Do we have a test case for this already?
Attachment #338373 -
Flags: review?(gal) → review+
Comment 20•16 years ago
|
||
The testcases in this bug are probably the only ones that actually use String objects with regexps in a loop. They'll need to get into the suite.
Updated•16 years ago
|
Flags: in-testsuite?
Assignee | ||
Comment 21•16 years ago
|
||
Whats the status on this bug?
Assignee | ||
Comment 23•16 years ago
|
||
Attachment #338373 -
Attachment is obsolete: true
Attachment #340032 -
Flags: review?
Assignee | ||
Updated•16 years ago
|
Assignee: crowder → gal
Assignee | ||
Comment 24•16 years ago
|
||
Crashes without the patch on the new test case in trace-test.js, passes with. Crowder had a better idea for a test case. He might add another test tomorrow.
Updated•16 years ago
|
Attachment #340032 -
Flags: review? → review+
Assignee | ||
Comment 25•16 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/cc12c800c346
Reporter | ||
Comment 28•16 years ago
|
||
I just hit this crash again today using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1pre) Gecko/20080924020442 Minefield/3.1b1pre. My STR in this instance were: 1. Visit http://www.37signals.com/svn/posts/592-been-lightboxed-lately 2. Click on the That’s right, I got lightboxed link. I crashed right away. I tried to reproduce but the second time the site loaded fine. Breakpad: http://crash-stats.mozilla.com/report/index/5d5aca40-8a86-11dd-b3e7-001321b13766
Assignee | ||
Comment 29•16 years ago
|
||
Follow performance fix: http://hg.mozilla.org/tracemonkey/rev/80d1db7be330
Comment 31•16 years ago
|
||
(In reply to comment #28) > I just hit this crash again today using Mozilla/5.0 (Macintosh; U; Intel Mac > OS X 10.5; en-US; rv:1.9.1b1pre) Gecko/20080924020442 Minefield/3.1b1pre. My > STR in this instance were: > > 1. Visit http://www.37signals.com/svn/posts/592-been-lightboxed-lately > 2. Click on the That’s right, I got lightboxed link. I crashed right away. > > I tried to reproduce but the second time the site loaded fine. > > Breakpad: > http://crash-stats.mozilla.com/report/index/5d5aca40-8a86-11dd-b3e7-001321b13766 I don't see the crash using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Minefield/3.1b1pre
Comment 32•16 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-454682.js,v <-- regress-454682.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/rev/b04c04268a94
Flags: in-testsuite?
Flags: in-testsuite+
Flags: in-litmus-
Updated•13 years ago
|
Crash Signature: [@MatchRegExp]
You need to log in
before you can comment on or make changes to this bug.
Description
•