Flash ad crashes Firefox [@ js_ValueToString - regexp_exec_sub]

(Reporter: george, Unassigned)

({crash})

1.9.0 Branch
x86
Windows Vista
crash
Description

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3

The Flash ad crashes Firefox. Here's the call stack:

 	js3250.dll!js_ValueToString(JSContext * cx=0x0d0c6440, long v=378662688)  Line 2694 + 0x2 bytes	C
 	js3250.dll!regexp_exec_sub(JSContext * cx=0x00000000, JSObject * obj=0x05e1da00, unsigned int argc=1, long * argv=0x04e424cc, int test=0, long * rval=0x04e424c4)  Line 4185 + 0xe bytes	C
>	js3250.dll!regexp_exec(JSContext * cx=0x0d0c6440, unsigned int argc=1, long * vp=0x04e424c4)  Line 4214 + 0x40 bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x0d0c6440)  Line 4840 + 0x10 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0d0c6440, unsigned int argc=3, long * vp=0x04e421b8, unsigned int flags=0)  Line 1314	C
 	js3250.dll!fun_apply(JSContext * cx=0x0d0c6440, unsigned int argc=3, long * vp=0x04e4219c)  Line 1679	C
 	js3250.dll!js_Interpret(JSContext * cx=)  Line 4840 + 0x10 bytes	C
 	nspr4.dll!PR_Unlock(PRLock * lock=0x0089a3a0)  Line 356	C
 	js3250.dll!GetPropertyTreeChild(JSContext * cx=0x0d0c6440, JSScopeProperty * parent=0x001ae9b0, JSScopeProperty * child=0x00000000)  Line 921	C
 	js3250.dll!js_Invoke(JSContext * cx=, unsigned int argc=, long * vp=, unsigned int flags=)  + 0x550a3 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x0d0c6440, unsigned int argc=3, long * vp=0x04e42180, unsigned int flags=0)  Line 1314	C
 	xul.dll!60f3e103() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for xul.dll]	
 	js3250.dll!args_resolve(JSContext * cx=0xb24f220f, JSObject * obj=0x00020040, long id=1047, unsigned int flags=0, JSObject * * objp=0x00000000)  Line 484 + 0x1e bytes	C
 	mozcrt19.dll!arena_malloc_small(arena_s * arena=0x0d0c6498, unsigned int size=0, int zero=1047)  Line 3654	C
 	mozcrt19.dll!malloc(unsigned int size=0)  Line 5750 + 0x27 bytes	C
 	js3250.dll!js_EmitTree(JSContext * cx=, JSCodeGenerator * cg=, JSParseNode * pn=)  Line 6423 + 0x11 bytes	C
 	xul.dll!60f4e208() 	
 	xul.dll!60fe7eea() 	
 	mozcrt19.dll!arena_malloc_small(arena_s * arena=0x171b9f61, unsigned int size=0, int zero=1764548)  Line 3654	C
 	js3250.dll!js_LineNumberToPC(JSScript * script=0x0463e970, unsigned int target=74961856)  Line 1755 + 0x26 bytes	C
 	xul.dll!60f4e208() 	
 	xul.dll!60fe7eea() 	
 	xul.dll!60f3859e() 	
 	xul.dll!6144a085() 	
 	nspr4.dll!PR_Unlock(PRLock * lock=0x02dc96b0)  Line 356	C
 	xul.dll!6112bb3f() 	
 	xul.dll!60fe7f51() 	
 	xul.dll!613d738c() 	
 	xul.dll!611c85f2() 	
 	xul.dll!611c8861() 	
 	js3250.dll!JS_HandleTrap(JSContext * cx=0x0d0c6440, JSScript * script=0x171b9ee0, unsigned char * pc=0x171b9f20, long * rval=0x001aee3c)  Line 314 + 0x18 bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=)  + 0x44022 bytes	C
 	nspr4.dll!_MD_CURRENT_THREAD()  Line 300	C
 	00000001()	
 	js3250.dll!js_Execute(JSContext * cx=0x00000000, JSObject * chain=0x60cc6689, JSScript * script=0x00000000, JSStackFrame * down=0x0d0c6440, unsigned int flags=218915904, long * result=0x00000001)  + 0x5d518 bytes	C
 	js3250.dll!js_Execute(JSContext * cx=0x00000000, JSObject * chain=0x179bc3a0, JSScript * script=0x00000000, JSStackFrame * down=0x04e4204c, unsigned int flags=16, long * result=0x001af0a4)  Line 1540	C
 	js3250.dll!obj_eval(JSContext * cx=0x171b9ee0, JSObject * obj=0x179bc3a0, unsigned int argc=1, long * argv=0x04e42160, long * rval=0x001af0a4)  Line 1340 + 0x16 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=, unsigned int argc=, long * vp=, unsigned int flags=)  Line 1297 + 0x14 bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x0d0c6440)  Line 4867	C
 	js3250.dll!js_Execute(JSContext * cx=0x00000000, JSObject * chain=0x04af0f00, JSScript * script=0x00000000, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x001af38c)  Line 1540	C
 	js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=, JSObject * obj=, JSPrincipals * principals=, const unsigned short * chars=, unsigned int length=, const char * filename=, unsigned int lineno=, long * rval=)  Line 4999 + 0x12 bytes	C
 	nspr4.dll!PR_Lock(PRLock * lock=0x0d0c6440)  Line 240	C
 	xul.dll!60e57a94() 	
 	xul.dll!610f9862() 	
 	user32.dll!_DispatchMessageW@4()  + 0xf bytes	
 	xul.dll!60f6377e() 	
 	xul.dll!60e7ad23() 	
 	xul.dll!60ecc1a0() 	
 	xul.dll!60ecc26d() 	
 	xul.dll!60f50528() 	
 	xul.dll!60f626ba() 	
 	xul.dll!60fd67b6() 	
 	xul.dll!60eb1fa5() 	
 	mozcrt19.dll!extent_tree_ad_s_RB_INSERT(extent_tree_ad_s * head=0x0080001c, extent_node_s * elm=0x00000000)  Line 1988 + 0x67 bytes	C
 	mozcrt19.dll!arena_run_dalloc(arena_s * arena=0x00020040, arena_run_s * run=0x00000000, int dirty=8606208)  Line 3277 + 0xe bytes	C
 	mozcrt19.dll!arena_malloc(arena_s * arena=0x00000000, unsigned int size=0, int zero=1767012)  Line 3713 + 0x7 bytes	C
 	xul.dll!60f36443() 	
 	xul.dll!60f3859e() 	
 	xul.dll!60fba81c() 	
 	firefox.exe!wmain(int argc=4, wchar_t * * argv=0x0082f0c0)  Line 87 + 0xe6 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 591 + 0x19 bytes	C
 	kernel32.dll!@BaseThreadInitThunk@12()  + 0x12 bytes	
 	ntdll.dll!___RtlUserThreadStart@8()  + 0x27 bytes	
 	ntdll.dll!__RtlUserThreadStart@8()  + 0x1b bytes	


Reproducible: Always

Steps to Reproduce:
1.
2.
3.



I'll attach a minidump in a followup, since bugzilla won't let me do so as part of the initial bug report.
(Reporter)

Comment 1

Created attachment 345223 [details]
Minidump
Can't reproduce in 3.0.3 or trunk; reporter, can you reproduce this in safe mode: http://kb.mozillazine.org/Safe_Mode_(Firefox) ?
Also, which version of Flash are you using? (about:plugins) The latest, which I'm using, is 10.0 r12.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081029 Minefield/3.1b2pre

This works fine for me.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (same for trunk)
BTW, the report was on Vista, which is what I was using (unfortunately I forgot to include my platform/build info)...
(Reporter)

Comment 6

Plugins: Shockwave Flash 9.0 r124

I should point that this did not occur immediately. It took a while before it happened -- maybe an hour; I was away from my desk when it happened last night.

We've gotten several anecdotal reports of browser crashes from our users since this ad was deployed on our site. We removed the ad last night.
(Reporter)

Comment 7

I no longer believe that the Flash ad was the problem.

Some of our users were experiencing severe performance problems in Internet Explorer 7. On several different machines, I pinpointed it to a call stack that looked like this:

   6  Id: 1424.1570 Suspend: 1 Teb: 7ffd5000 Unfrozen
ChildEBP RetAddr  Args to Child              
0412ee98 6c76f175 00000022 09840024 0412f01c jscript!RegExpExec::FSameRevJump+0x27
0412eeb0 6c7556c9 09840024 0412eef4 6c74321e jscript!RegExpExec::FExecAux+0x2c5
0412eebc 6c74321e 09840024 0412f15c 0412ef7c jscript!RegExpExec::FExec+0x1f
0412eef4 6c75a485 09840024 00048ddd 00000000 jscript!RegExpExec::Exec+0x1d5
0412ef40 6c755581 09840024 09840024 00048ddd jscript!RegExpExec::ReplaceUsingString+0x2d
0412f170 6c75a3e9 00000000 0412f448 06a39cd8 jscript!RegExpObj::Exec+0x1da
0412f26c 6c761161 0c0d1fe0 0412f3d0 0412f448 jscript!JsStrReplace+0xeb
0412f2a4 6c760ee9 0412f448 00000002 0c43da00 jscript!NatFncObj::Call+0x41
...

Note that like the Firefox callstack in the original report, there is a JavaScript regular expression substitution going on. In the IE cases, it turns out to be a JSON string and the regex is the one at line 111 of http://dev.jquery.com/~john/jquery/build/js/json.js.

0:031> du 09840024 
09840024  ""[{\"Date\":\"2008-07-25 00:00:0"
09840064  "0 -07:00\",\"Appointments\":[{\""
098400a4  "Attendees\":[{\"AttendeeID\":\"7"
098400e4  "1e297e3-2861-43c5-a8ec-85e776ca2"
09840124  "c94\",\"Name\":\"Hank\",\"IColor"
09840164  "\":1},{\"AttendeeID\":\"5c30ce31"
098401a4  "-ddef-43b5-9c73-4696c29e3ea8\",\"
098401e4  ""Name\":\"Mary\",\"IColor\":3}],"
09840224  "\"StartTime\":\"2008-07-21 00:00"
09840264  ":00 -07:00\",\"StartTimeNoTimezo"
098402a4  "ne\":\"2008-07-21 00:00:00 -07:0"
098402e4  "0\",\"EndTime\":\"2008-07-26 00:" [About 100KB; rest snipped]

Using the series of regexes starting at line 458 of http://www.json.org/json2.js made the problem go away. Note the comments about "crippling inefficiencies in IE's and Safari's regexp engines" at line 449.

The JSON string above is doubly encoded and needs to be decoded twice,
due to a stupidity in our code that we'll fix soon.

But ideally, the various JS regex engines should not fall into a pathological tailspin, and certainly the FF engine should not crash sporadically on such input.

Updated

Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: Flash ad crashes Firefox → Flash ad crashes Firefox [@ js_ValueToString - regexp_exec_sub]
Version: unspecified → 1.9.0 Branch

Comment 8

George, are you still seeing this bug in recent Firefox nightlies?  If so, can you attach a reduced testcase, or at least a self-contained testcase that doesn't involve Flash?
Please reopen with an answer to comment 8 or with more information. Frankly, if this is happening in IE as well, I'd venture to blame Flash.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INCOMPLETE
Crash Signature: [@ js_ValueToString - regexp_exec_sub]