Closed Bug 549081 Opened 14 years ago Closed 9 years ago

segmentation fault after typing "S0" in quick search box on thepiratebay.org [@ memcpy | PushBackTrackState | ExecuteREBytecode]

Categories: Core :: JavaScript Engine, defect
Version: 1.9.2 Branch
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: statn (Unassigned)
Keywords: crash
Whiteboard: [has stacktrace]
Attachments: 1 file

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.0) Gecko/20100115 SUSE/3.6.0-1.2 Firefox/3.6
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.0) Gecko/20100115 SUSE/3.6.0-1.2 Firefox/3.6

When the XUL/Migemo extension is installed and I visit thepiratebay.org, then try to use quick search, Firefox crashes with this output to the terminal:
/usr/bin/firefox: line 128:  7329 Segmentation fault      $MOZ_PROGRAM "$@"

Reproducible: Always

Steps to Reproduce:
1. Create a new profile for FF (with firefox -P)
2. Install the XUL/Migemo extension and restart FF
3. On FF start, in the dialog, choose to download the dictionary from the internet
4. Type 'thepiratebay.org' in the location bar and press Enter
5. When the page has loaded, unfocus the search input box of thepiratebay.org
6. Press the '/' key to activate quick search
7. Type "S0" in the quick-search box

Actual Results:
Crash with segfault.

Expected Results:
Quick search should work.

#0  0x00007ffff73d68cc in memcpy () from /lib64/libc.so.6
#1  0x00007ffff6815964 in PushBackTrackState (gData=0x7fffffff6740, op=REOP_EMPTY, 
    target=<value optimized out>, x=<value optimized out>, cp=0x0, parenIndex=0, parenCount=0)
    at /usr/include/bits/string3.h:52
#2  0x00007ffff681d032 in ExecuteREBytecode (gData=<value optimized out>, x=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/jsregexp.cpp:4362
#3  MatchRegExp (gData=<value optimized out>, x=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/jsregexp.cpp:4754
#4  js_ExecuteRegExp (gData=<value optimized out>, x=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/jsregexp.cpp:4883
#5  0x00007ffff682f9b1 in DoMatch (cx=0x7fffe3ceec00, vp=0x7fffe3da1550, str=0x7fffdec9f140, 
    g=<value optimized out>, callback=<value optimized out>, data=0x7fffffff68e8, flags=
    TEST_GLOBAL_BIT) at /usr/src/debug/mozilla/js/src/jsstr.cpp:1499
#6  0x00007ffff68343d2 in str_match (cx=0x7fffe3ceec00, argc=1, vp=0x7fffe3da1550)
    at /usr/src/debug/mozilla/js/src/jsstr.cpp:1578
#7  0x00007ffff67d044c in js_Interpret (cx=0x7fffe3ceec00)
    at /usr/src/debug/mozilla/js/src/jsops.cpp:2208
#8  0x00007ffff67d8ea8 in js_Invoke (cx=0x7fffe3ceec00, argc=0, vp=0x7fffe3da1170, 
    flags=<value optimized out>) at /usr/src/debug/mozilla/js/src/jsinterp.cpp:1368
#9  0x00007ffff54e92fc in nsXPCWrappedJSClass::CallMethod (this=0x7fffdb19b980, 
    wrapper=<value optimized out>, methodIndex=<value optimized out>, info=0x7fffe3d262f0, 
    nativeParams=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1696
#10 0x00007ffff5d2c861 in PrepareAndDispatch (self=0x7fffdb1d52e0, 
    methodIndex=<value optimized out>, args=0x7fffffff72b0, gpregs=0x7fffffff7230, fpregs=
    0x7fffffff7260)
    at /usr/src/debug/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#11 0x00007ffff5d2bd23 in SharedStub () at ../../../../../../dist/include/xptcstubsdef.inc:1
#12 0x00007ffff5d2bc81 in NS_InvokeByIndex_P (that=0x7fffe31ffff8, methodIndex=3494382824, 
    paramCount=4294888208, params=0x224c)
    at /usr/src/debug/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208
#13 0x00007ffff54ec313 in XPCWrappedNative::CallMethod (ccx=..., mode=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2721
#14 0x00007ffff54f4953 in XPC_WN_CallMethod (cx=0x7fffe3ceec00, obj=0x7fffdb1e20c0, argc=3, argv=
    0x7fffe3da1148, vp=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1740
#15 0x00007ffff67d899e in js_Invoke (cx=0x7fffe3ceec00, argc=0, vp=0x7fffe3da1138, 
    flags=<value optimized out>) at /usr/src/debug/mozilla/js/src/jsinterp.cpp:1360
#16 0x00007ffff67ca66d in js_Interpret (cx=0x7fffe3ceec00)
    at /usr/src/debug/mozilla/js/src/jsops.cpp:2240
#17 0x00007ffff67d8ea8 in js_Invoke (cx=0x7fffe3ceec00, argc=0, vp=0x7fffe3da1038, 
    flags=<value optimized out>) at /usr/src/debug/mozilla/js/src/jsinterp.cpp:1368
#18 0x00007ffff67d97a0 in js_InternalInvoke (cx=0x7fffe3ceec00, obj=0x7fffe3ce2f40, fval=
    140737011594112, flags=<value optimized out>, argc=1, argv=<value optimized out>, rval=
    0x7fffffff80e0) at /usr/src/debug/mozilla/js/src/jsinterp.cpp:1423
#19 0x00007ffff678331a in JS_CallFunctionValue (cx=0x7fffe31ffff8, obj=0x7fffd0480ce8, fval=
    -79088, argc=<value optimized out>, argv=<value optimized out>, rval=<value optimized out>)
    at /usr/src/debug/mozilla/js/src/jsapi.cpp:5112
#20 0x00007ffff58b3b9f in nsJSContext::CallEventHandler (this=0x7fffe3cded60, 
    aTarget=<value optimized out>, aScope=<value optimized out>, aHandler=0x7fffe3953380, 
    aargv=<value optimized out>, arv=0x7fffffff8280)
    at /usr/src/debug/mozilla/dom/base/nsJSEnvironment.cpp:2134
#21 0x00007ffff58ce0e2 in nsGlobalWindow::RunTimeout (this=0x7fffe3cefc00, aTimeout=0x7fffcffe2580)
    at /usr/src/debug/mozilla/dom/base/nsGlobalWindow.cpp:8075
#22 0x00007ffff58ce37e in nsGlobalWindow::TimerCallback (aTimer=<value optimized out>, aClosure=
    0x7fffd0480ce8) at /usr/src/debug/mozilla/dom/base/nsGlobalWindow.cpp:8409
#23 0x00007ffff5d231f9 in nsTimerImpl::Fire (this=0x7fffcffe9510)
    at /usr/src/debug/mozilla/xpcom/threads/nsTimerImpl.cpp:427
#24 0x00007ffff5d232c3 in nsTimerEvent::Run (this=<value optimized out>)
    at /usr/src/debug/mozilla/xpcom/threads/nsTimerImpl.cpp:519
#25 0x00007ffff5d20ce3 in nsThread::ProcessNextEvent (this=0x7ffff6d1f790, mayWait=1, result=
    0x7fffffff83bc) at /usr/src/debug/mozilla/xpcom/threads/nsThread.cpp:527
#26 0x00007ffff5cf4aaf in NS_ProcessNextEvent_P (thread=0x7fffe31ffff8, mayWait=-800584472)
    at nsThreadUtils.cpp:250
#27 0x00007ffff5c7acd9 in nsBaseAppShell::Run (this=0x7fffe7ea1be0)
    at /usr/src/debug/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#28 0x00007ffff5b50322 in nsAppStartup::Run (this=0x7fffeb808400)
    at /usr/src/debug/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:182
#29 0x00007ffff54c2533 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, 
    aAppData=<value optimized out>) at /usr/src/debug/mozilla/toolkit/xre/nsAppRunner.cpp:3505
#30 0x00000000004027fb in main (argc=1, argv=0x7fffffffddd8)
    at /usr/src/debug/mozilla/xulrunner/stub/nsXULStub.cpp:583
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
Summary: segmentation fault after typing "S0" in quick search box on thepiratebay.org → segmentation fault after typing "S0" in quick search box on thepiratebay.org [@ memcpy | PushBackTrackState | ExecuteREBytecode]
Version: unspecified → 1.9.2 Branch
Assignee: nobody → general
QA Contact: general → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → Windows CE
Whiteboard: [has stacktrace]
OS: Windows CE → Linux
Crash Signature: [@ memcpy | PushBackTrackState | ExecuteREBytecode]
1. http://cotacaodolarhoje.info/ with 1.9.2/windows
2. Crash 

 	msvcr80d.dll!memcpy(unsigned char * dst=0x03635b40, unsigned char * src=0x072ce30c, unsigned long count=4294909768)  Line 188	Asm
>	js3250.dll!PushBackTrackState(REGlobalData * gData=0x0012eac0, REOp op=REOP_EOL, unsigned char * target=0x075a7c90, REMatchState * x=0x03636890, const unsigned short * cp=0x07524166, unsigned int parenIndex=0, unsigned int parenCount=0)  Line 3477 + 0x1d bytes	C++
 	js3250.dll!ExecuteREBytecode(REGlobalData * gData=0x0012eac0, REMatchState * x=0x03636890)  Line 4261 + 0x1d bytes	C++
 	js3250.dll!MatchRegExp(REGlobalData * gData=0x0012eac0, REMatchState * x=0x03636890)  Line 4754 + 0xd bytes	C++
 	js3250.dll!js_ExecuteRegExp(JSContext * cx=0x0322d558, JSRegExp * re=0x075904a8, JSString * str=0x096c3590, unsigned int * indexp=0x0012eb48, int test=1, int * rval=0x02f6c600)  Line 4897 + 0xd bytes	C++
 	js3250.dll!DoMatch(JSContext * cx=0x0322d558, int * vp=0x02f6c600, JSString * str=0x096c3590, const RegExpGuard & g={...}, bool (JSContext *, unsigned int, void *)* callback=0x007bb420, void * data=0x0012eba4, MatchControlFlags flags=TEST_GLOBAL_BIT)  Line 1486 + 0x23 bytes	C++
 	js3250.dll!str_match(JSContext * cx=0x0322d558, unsigned int argc=1, int * vp=0x02f6c600)  Line 1579 + 0x25 bytes	C++

I have 43 URLs, the majority in Spanish or from Brazil.

Nightly Namoroka on WinXP: bp-4aaf9312-9425-49ce-86d7-70afb2110830 [@ _PR_MD_PR_POLL ], which is instead bug 612270
Assignee: general → nobody
We have since switched to Google's regexp engine, irregexp. I am not able to reproduce this crash with the new engine, although the site may have changed in the intervening 4 years.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED