Closed Bug 492487 Opened 15 years ago Closed 15 years ago

reproducible fx3.5b4 crash [@ js_DeepBail ] when searching on aim.search.aol.com

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 487240

People

(Reporter: chofmann, Assigned: jorendorff)

Details

(Keywords: topcrash+, Whiteboard: [sg:critical?] gc-hazard)

Currently ranks at #13 for 3.5b4 crashes and is easily reproduced for me when trying the first test URL.

Firefox 3.5b4   1       http://aim.search.aol.com/search/weboffers?s_it=wo_more&query=http%3A%2F%2Fwww.psp+iso.com%2F   js_DeepBail

Firefox 3.5b4   1       http://aim.search.aol.com/search/search?&query=9th+centeury&invocationType=tb50fftrab   js_DeepBail

Firefox 3.5b4   1       http://aim.search.aol.com/search/search?&query=f&invocationType=tb50fftrab      js_DeepBail




Stack for my crash during testing looks like:

0  	libmozjs.dylib  	js_DeepBail  	js/src/jstracer.cpp:5056
1 	libmozjs.dylib 	PopulateReportBlame 	js/src/jscntxt.h:1463
2 	libmozjs.dylib 	js_ReportErrorNumberVA 	js/src/jscntxt.cpp:1554
3 	libmozjs.dylib 	JS_ReportErrorFlagsAndNumberUC 	js/src/jsapi.cpp:5679
4 	libmozjs.dylib 	ReportRegExpErrorHelper 	js/src/jsregexp.cpp:452
5 	libmozjs.dylib 	ParseRegExp 	js/src/jsregexp.cpp:458
6 	libmozjs.dylib 	js_NewRegExp 	js/src/jsregexp.cpp:2538
7 	libmozjs.dylib 	js_NewRegExpOpt 	js/src/jsregexp.cpp:2637
8 	libmozjs.dylib 	regexp_compile_sub 	js/src/jsregexp.cpp:4780
9 	libmozjs.dylib 	RegExp_tn2 	js/src/jsregexp.cpp:4971
10 		@0x3a2ab956 	
11 		@0xbfffd1a7 	
12 	libmozjs.dylib 	js_MonitorLoopEdge 	js/src/jstracer.cpp:4513
13 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3835
14 	libmozjs.dylib 	js_Execute 	js/src/jsinterp.cpp:1599
15 	libmozjs.dylib 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:5145
16 	XUL 	nsJSContext::EvaluateString 	dom/src/base/nsJSEnvironment.cpp:1603
17 	XUL 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:686
18 	XUL 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:600
19 	XUL 	nsScriptLoader::ProcessScriptElement 	content/base/src/nsScriptLoader.cpp:554
20 	XUL 	nsScriptElement::MaybeProcessScript 	content/base/src/nsScriptElement.cpp:193
21 	XUL 	nsHTMLScriptElement::MaybeProcessScript 	content/html/content/src/nsHTMLScriptElement.cpp:546
22 	XUL 	HTMLContentSink::ProcessSCRIPTEndTag 	content/html/document/src/nsHTMLContentSink.cpp:3142
23 	XUL 	SinkContext::CloseContainer 	content/html/document/src/nsHTMLContentSink.cpp:1022
24 	XUL 	HTMLContentSink::CloseContainer 	content/html/document/src/nsHTMLContentSink.cpp:2393
25 	XUL 	CNavDTD::CloseContainer 	parser/htmlparser/src/CNavDTD.cpp:2800
26 	XUL 	CNavDTD::HandleEndToken 	parser/htmlparser/src/CNavDTD.cpp:1679
27 	XUL 	CNavDTD::HandleToken 	parser/htmlparser/src/CNavDTD.cpp:760
28 	XUL 	CNavDTD::BuildModel 	parser/htmlparser/src/CNavDTD.cpp:332
29 	XUL 	nsParser::BuildModel 	parser/htmlparser/src/nsParser.cpp:2378
30 	XUL 	nsParser::ResumeParse 	parser/htmlparser/src/nsParser.cpp:2251
31 	XUL 	nsParser::OnDataAvailable 	parser/htmlparser/src/nsParser.cpp:2904
32 	XUL 	nsHTTPCompressConv::do_OnDataAvailable 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp:375
33 	XUL 	nsHTTPCompressConv::OnDataAvailable 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp:319
34 	XUL 	nsStreamListenerTee::OnDataAvailable 	netwerk/base/src/nsStreamListenerTee.cpp:97
35 	XUL 	nsHttpChannel::OnDataAvailable 	netwerk/protocol/http/src/nsHttpChannel.cpp:5035
36 	XUL 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
37 	XUL 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
38 	XUL 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
39 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
40 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
41 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
42 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:405
43 	CoreFoundation 	CoreFoundation@0x735f4 	
44 	CoreFoundation 	CoreFoundation@0x73cd7 	
45 	HIToolbox 	HIToolbox@0x302bf 	
46 	HIToolbox 	HIToolbox@0x30011 	
47 	HIToolbox 	HIToolbox@0x2ff4c 	
48 	AppKit 	AppKit@0x40d7c 	
49 	AppKit 	AppKit@0x4062f 	
50 	JavaEmbeddingPlugin 	JavaEmbeddingPlugin@0x12fc2 	
51 	AppKit 	AppKit@0x3966a 	
52 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:716
53 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
54 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3298
55 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
56 	firefox-bin 	firefox-bin@0x1541 	
57 	firefox-bin 	firefox-bin@0x1468 	
58 		@0x1
Flags: blocking1.9.1?
Keywords: topcrash+
Summary: crash [@ js_DeepBail ] when searching on aim.search.aol.com → reproducable fx3.5b4 crash [@ js_DeepBail ] when searching on aim.search.aol.com
Assignee: general → jorendorff
Flags: blocking1.9.1? → blocking1.9.1+
possible dupe or companion @ bug 493290
Group: core-security
This looks like the GC hazard 487134 fixed. I am not crashing on TM tip.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Depends on: 493345
No longer depends on: 493345
Summary: reproducable fx3.5b4 crash [@ js_DeepBail ] when searching on aim.search.aol.com → reproducible fx3.5b4 crash [@ js_DeepBail ] when searching on aim.search.aol.com
Flags: wanted1.9.0.x-
Whiteboard: [sg:critical?] gc-hazard
Group: core-security