Closed Bug 596669 Opened 14 years ago Closed 14 years ago

Fennec Android crash in jsstr.cpp:ReplaceCallback

Categories

(Firefox for Android Graveyard :: General, defect)

x86
macOS
defect
Not set
blocker

Tracking

(fennec2.0b1+)

VERIFIED FIXED
Tracking Status
fennec 2.0b1+ ---

People

(Reporter: stechz, Assigned: cdleary)

References

Details

(Keywords: crash)

Attachments

(1 file)

This is Android on Nexus One (ignore scratchbox directories, quirk of my build):

(gdb) bt
#0  0xafd0f1b8 in memcpy () from libc.so
#1  0x82a6d26c in ReplaceCallback (cx=0x4af01380, count=<value optimized out>, p=<value optimized out>)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsstr.cpp:2181
#2  0x82a657a2 in DoMatch (cx=0x4af01380, vp=0x4b0001d0, str=0x4b574300, rep=<value optimized out>, 
        callback=0x82a6ced1 <ReplaceCallback(JSContext*, size_t, void*)>, data=0x48111540, flags=REPLACE_ARGS)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsstr.cpp:1833
#3  0x82a6bb8e in str_replace_regexp (cx=0x4af01380, argc=2, vp=0x4b0001d0) at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsstr.cpp:2350
#4  js::str_replace (cx=0x4af01380, argc=2, vp=0x4b0001d0) at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsstr.cpp:2466
#5  0x82b1fbb0 in js::Interpret (cx=0x4af01380, entryFrame=<value optimized out>, inlineCallCount=Cannot access memory at address 0x98a00000
    )
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.cpp:4611
#6  0x82a0f884 in js::RunScript (cx=0x4af01380, script=<value optimized out>, fun=<value optimized out>, scopeChain=<value optimized out>)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.cpp:468
#7  0x82a105fc in js::Invoke (cx=0x4af01380, argsRef=<value optimized out>, flags=<value optimized out>)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.cpp:614
#8  0x82a10b78 in js::ExternalInvoke (cx=0x4af01380, thisv=..., fval=..., argc=1, argv=0x48111c28, rval=0x48111ce8)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.cpp:644
#9  0x829d50cc in ExternalInvoke (cx=0x4af01380, obj=<value optimized out>, fval=9304612810792172060, argc=1, argv=0x48111c28, rval=0x48111ce8)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.h:729
#10 JS_CallFunctionValue (cx=0x4af01380, obj=<value optimized out>, fval=9304612810792172060, argc=1, argv=0x48111c28, rval=0x48111ce8)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsapi.cpp:4747
#11 0x826d6004 in nsXPCWrappedJSClass::CallMethod (this=0x4b744040, wrapper=0x82f057d8, methodIndex=<value optimized out>, info=0x47e9fe38,
    nativeParams=0x48111d78) at /scratchbox/users/ben/home/ben/projects/cedar/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1692
#12 0x826d3298 in nsXPCWrappedJS::CallMethod (this=0x82f057d8, methodIndex=3, info=0x47e9fe38, params=<value optimized out>)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/xpconnect/src/xpcwrappedjs.cpp:571
#13 0x8293f1e0 in PrepareAndDispatch (self=0x4b68b7a0, methodIndex=<value optimized out>, args=0x48111e34)
    at /scratchbox/users/ben/home/ben/projects/cedar/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:132
#14 0x8293e914 in SharedStub () from /scratchbox/users/ben/home/ben/projects/cedar/mobilebase-android/dist/bin/libxul.so
#15 0x8293e914 in SharedStub () from /scratchbox/users/ben/home/ben/projects/cedar/mobilebase-android/dist/bin/libxul.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
tracking-fennec: --- → 2.0b1+
In ReplaceCallback, chars is aligned properly.
Also from bug 595868 metacrash bug:

#0  0xafd0f1b8 in memcpy () from libc.so
#1  0x82a6be94 in ReplaceCallback (cx=0x49d01380, count=<value optimized out>, p=<value optimized out>)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsstr.cpp:2181
#2  0x82a6438a in DoMatch (cx=0x49d01380, vp=0x49e00108, str=0x4a375260, rep=<value optimized out>,
    callback=0x82a6baf9 <ReplaceCallback(JSContext*, size_t, void*)>, data=0x487b41b8, flags=REPLACE_ARGS)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsstr.cpp:1833
#3  0x82a6a7b6 in str_replace_regexp (cx=0x49d01380, argc=2, vp=0x49e00108) at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsstr.cpp:2350
#4  js::str_replace (cx=0x49d01380, argc=2, vp=0x49e00108) at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsstr.cpp:2466
#5  0x82b1eb16 in js::Interpret (cx=0x49d01380, entryFrame=<value optimized out>, inlineCallCount=Cannot access memory at address 0x9a300000
    )
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.cpp:4611
#6  0x82a0e36c in js::RunScript (cx=0x49d01380, script=<value optimized out>, fun=<value optimized out>, scopeChain=<value optimized out>)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.cpp:468
#7  0x82a0f0ec in js::Invoke (cx=0x49d01380, argsRef=<value optimized out>, flags=<value optimized out>)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.cpp:614
#8  0x82a0f668 in js::ExternalInvoke (cx=0x49d01380, thisv=..., fval=..., argc=1, argv=0x487b48a0, rval=0x487b4960)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.cpp:644
#9  0x829d3b74 in ExternalInvoke (cx=0x49d01380, obj=<value optimized out>, fval=9304612810792172060, argc=1, argv=0x487b48a0, rval=0x487b4960)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsinterp.h:729
#10 JS_CallFunctionValue (cx=0x49d01380, obj=<value optimized out>, fval=9304612810792172060, argc=1, argv=0x487b48a0, rval=0x487b4960)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/jsapi.cpp:4747
#11 0x826d4bf4 in nsXPCWrappedJSClass::CallMethod (this=0x4a737f10, wrapper=0x82f04458, methodIndex=<value optimized out>, info=0x47e9fe38,
    nativeParams=0x487b49f0) at /scratchbox/users/ben/home/ben/projects/cedar/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1692
#12 0x826d1e88 in nsXPCWrappedJS::CallMethod (this=0x82f04458, methodIndex=3, info=0x47e9fe38, params=<value optimized out>)
    at /scratchbox/users/ben/home/ben/projects/cedar/js/src/xpconnect/src/xpcwrappedjs.cpp:571
#13 0x8293dc18 in PrepareAndDispatch (self=0x4a7067a0, methodIndex=<value optimized out>, args=0x487b4aac)
    at /scratchbox/users/ben/home/ben/projects/cedar/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:132
#14 0x8293d34c in SharedStub () from /scratchbox/users/ben/home/ben/projects/cedar/mobilebase-android/dist/bin/libxul.so
#15 0x8293d34c in SharedStub () from /scratchbox/users/ben/home/ben/projects/cedar/mobilebase-android/dist/bin/libxul.so
Severity: normal → blocker
Severity: blocker → normal
Keywords: crash
Summary: Fennec Android crash in jsstr.cpp → Fennec Android crash in jsstr.cpp:ReplaceCallback
Severity: normal → blocker
This is for cedar/mobile2 builds BTW, after JM merge had landed.
Assignee: nobody → cdleary
It sounds like as a last resort we may be able to compile without compiled regexps to fix this problem.
We are seeing bogus values being given for regular expression matching begin and end values. Sounds like an unsigned/signed issue perhaps?
Something in the YARR is giving us bogus offsets for pattern matching. Disabling YARR seems to fix all my crash problems on Android.
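The comments above suspect a signed/unsigned mix-up in the match begin/end offsets the regex engine hands back, which then reach the memcpy in ReplaceCallback. The following is an added illustration of that failure mode and of the range check a replace routine can apply before copying; it is not SpiderMonkey's or YARR's code, and MatchRange, naive_copy_length, validate_range, copy_match and check_sample are hypothetical names chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical match result as a matcher might return it: signed offsets,
 * with -1 conventionally meaning "no capture". */
typedef struct {
    int begin;
    int end;
} MatchRange;

/* The length a naive replace routine derives: a signed difference widened
 * to size_t. A "no capture" sentinel or an inverted range silently becomes
 * a huge copy length, e.g. begin=3, end=-1 yields SIZE_MAX - 3. */
size_t naive_copy_length(MatchRange m) {
    return (size_t)(m.end - m.begin);
}

/* Validate a range against the subject before it is used for copying.
 * Rejects negative sentinels, offsets past the end and inverted ranges. */
bool validate_range(MatchRange m, size_t subject_len, size_t *out_len) {
    if (m.begin < 0 || m.end < 0)          return false;  /* "no capture" */
    if ((size_t)m.begin > subject_len)     return false;  /* past the end */
    if ((size_t)m.end > subject_len)       return false;
    if (m.end < m.begin)                   return false;  /* inverted */
    *out_len = (size_t)(m.end - m.begin);
    return true;
}

/* Copy the matched substring into dst (capacity cap, NUL-terminated).
 * Returns the byte count copied, or -1 if the range or capacity is bad. */
long copy_match(const char *subject, size_t subject_len, MatchRange m,
                char *dst, size_t cap) {
    size_t n;
    if (!validate_range(m, subject_len, &n)) return -1;
    if (n + 1 > cap) return -1;            /* leave room for the terminator */
    memcpy(dst, subject + m.begin, n);
    dst[n] = '\0';
    return (long)n;
}

/* Runs the hardened copy over a constructed sample subject with one valid
 * range and three bogus ones. Returns 1 if the valid range copies "Android"
 * and every bogus range is rejected, else 0. */
int check_sample(void) {
    const char subject[] = "Hello, Android";   /* constructed sample, 14 chars */
    const size_t len = sizeof subject - 1;
    char out[32];
    MatchRange good     = { 7, 14 };  /* "Android" */
    MatchRange nomatch  = { -1, -1 }; /* sentinel that must never reach memcpy */
    MatchRange inverted = { 14, 7 };
    MatchRange past_end = { 7, 99 };

    if (copy_match(subject, len, good, out, sizeof out) != 7) return 0;
    if (strcmp(out, "Android") != 0) return 0;
    if (copy_match(subject, len, nomatch,  out, sizeof out) != -1) return 0;
    if (copy_match(subject, len, inverted, out, sizeof out) != -1) return 0;
    if (copy_match(subject, len, past_end, out, sizeof out) != -1) return 0;
    return 1;
}

int main(void) {
    MatchRange bogus = { 3, -1 };
    printf("naive length for begin=3, end=-1: %zu bytes\n", naive_copy_length(bogus));
    printf("hardened copy checks %s\n", check_sample() ? "pass" : "fail");
    return check_sample() ? 0 : 1;
}
```

The point of the check is that the offsets are validated against the subject length before any arithmetic is widened to size_t; once a negative int has been converted, a plain upper-bound comparison no longer tells you the value was a sentinel.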
Attachment #475586 - Flags: review?(sayrer)
Using this patch I was able to start Fennec on a linux-arm device.
Attachment #475586 - Flags: review?(sayrer) → review+
pushed http://hg.mozilla.org/mozilla-central/rev/b9ff2a9339e2
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Blocks: 596755
verified FIXED on build:

Mozilla/5.0 (Android; Linux armv71; Nokia N900; en-US; rv:2.0b6pre) Gecko/20100916 Namoroka/4.0b7pre Fennec/2.0b1pre
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Blocks: 594563