Closed
Bug 600158
Opened 15 years ago
Closed 14 years ago
crash mainly on start-up under Windows XP [@ JSC::Yarr::RegexGenerator::generateDisjunction(JSC::Yarr::PatternDisjunction*) ]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | - |
People
(Reporter: scoobidiver, Unassigned)
Details
(Keywords: crash, regression, Whiteboard: softblocker)
Crash Data
Build : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b7pre) Gecko/20100927 Firefox/4.0b7pre
This is a residual crash signature that exists in the trunk build.
It happens mainly on start-up under Windows XP.
It is the #39 top crasher for this build.
Signature JSC::Yarr::RegexGenerator::generateDisjunction(JSC::Yarr::PatternDisjunction*)
UUID 35d64c66-fa51-402d-aa6e-336272100927
Time 2010-09-27 18:19:23.468981
Uptime 0
Last Crash 17 seconds before submission
Install Age 9513 seconds (2.6 hours) since version was first installed.
Product Firefox
Version 4.0b7pre
Build ID 20100927041306
Branch 2.0
OS Windows NT
OS Version 5.1.2600 Service Pack 3
CPU x86
CPU Info GenuineIntel family 6 model 22 stepping 1
Crash Reason EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address 0x171
```text
Frame Module Signature Source
0 xul.dll JSC::Yarr::RegexGenerator::generateDisjunction js/src/yarr/yarr/RegexJIT.cpp:1394
1 xul.dll JSC::Yarr::RegexGenerator::generate js/src/yarr/yarr/RegexJIT.cpp:1468
2 xul.dll JSC::Yarr::RegexGenerator::compile js/src/yarr/yarr/RegexJIT.cpp:1473
3 xul.dll JSC::Yarr::jitCompileRegex js/src/yarr/yarr/RegexJIT.cpp:1510
4 xul.dll js::RegExp::compileHelper js/src/jsregexpinlines.h:396
5 xul.dll js::RegExp::compile js/src/jsregexpinlines.h:421
6 xul.dll js::RegExp::create js/src/jsregexpinlines.h:355
7 xul.dll js::RegExp::createObjectNoStatics js/src/jsregexpinlines.h:377
8 xul.dll js::Parser::primaryExpr js/src/jsparse.cpp:8617
9 xul.dll js::Parser::memberExpr js/src/jsparse.cpp:7196
10 xul.dll js::Parser::unaryExpr js/src/jsparse.cpp:6569
11 xul.dll js::Parser::assignExpr js/src/jsparse.cpp:6186
```
More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=JSC%3A%3AYarr%3A%3ARegexGenerator%3A%3AgenerateDisjunction%28JSC%3A%3AYarr%3A%3APatternDisjunction*%29&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=JSC%3A%3AYarr%3A%3ARegexGenerator%3A%3AgenerateDisjunction%28JSC%3A%3AYarr%3A%3APatternDisjunction*%29
Updated•15 years ago
blocking2.0: --- → ?
Updated•15 years ago
Assignee: general → cdleary
Updated•15 years ago
blocking2.0: ? → betaN+
Comment 1•15 years ago
We are still seeing crashes with this in beta7 as well as on the trunk. The volume is pretty low though. It's outside the top 300.
Comment 3•15 years ago
I wonder if it's related to the following. Observed in an x64-linux M-C build from 30 Dec 2010. When loading http://blog.chromium.org/2011/01/html-video-codec-support-in-chrome.html fx crashed twice in a row, with glibc complaining of a corrupted heap, and a restart on valgrind shows a heap block overrun.

I can't reproduce on a fresh M-C with just one tab unfortunately. The above failure was on my "production" Firefox, with 50ish tabs on the go.
```text
Invalid write of size 4
## is immediately followed by an invalid read at the same address
   at 0x6789B6C: JSC::Yarr::RegexGenerator::TermGenerationState::
                 jumpToBacktrack(JSC::AbstractMacroAssembler<JSC::X86Assembler>
                 ::JumpList&, JSC::MacroAssembler*) (jsvector.h:87)
   by 0x678CF9F: JSC::Yarr::RegexGenerator::generateTerm
                 (RegexJIT.cpp:702)
   by 0x678D542: JSC::Yarr::RegexGenerator::generateDisjunction
                 (RegexJIT.cpp:1257)
   by 0x678EA1D: JSC::Yarr::RegexGenerator::compile (RegexJIT.cpp:1519)
   by 0x6789109: JSC::Yarr::jitCompileRegex (RegexJIT.cpp:1573)
   by 0x66A74F6: js::RegExp::createFlagged (jsregexpinlines.h:435)
   by 0x66BFEA9: RegExpGuard::normalizeRegExp (jsstr.cpp:1796)
   by 0x66BC46C: str_match (jsstr.cpp:1924)
   by 0x677571C: CallCompiler::generateNativeStub() (jscntxtinlines.h:685)
   by 0x6771982: js::mjit::ic::NativeCall (MonoIC.cpp:898)
   by 0x3DDE1B30: ???
   by 0x6731C97: js::mjit::EnterMethodJIT (MethodJIT.cpp:745)
 Address 0x2beefec0 is 0 bytes after a block of size 128 alloc'd
   at 0x4C27878: malloc (vg_replace_malloc.c:236)
   by 0x675FAC6: js::VectorImpl<JSC::AbstractMacroAssembler<JSC::X86Assembler>
                 ::Jump, 16ul, js::SystemAllocPolicy, false>::growTo(js::Vector
                 <JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump, 16ul,
                 js::SystemAllocPolicy>&, unsigned long) (jsutil.h:209)
   by 0x6789C13: JSC::Yarr::RegexGenerator::TermGenerationState::
                 jumpToBacktrack (jsvector.h:658)
   by 0x678CF9F: JSC::Yarr::RegexGenerator::generateTerm (RegexJIT.cpp:702)
   by 0x678D542: JSC::Yarr::RegexGenerator::generateDisjunction
                 (RegexJIT.cpp:1257)
   by 0x678EA1D: JSC::Yarr::RegexGenerator::compile (RegexJIT.cpp:1519)
   by 0x6789109: JSC::Yarr::jitCompileRegex (RegexJIT.cpp:1573)
   by 0x66A74F6: js::RegExp::createFlagged (jsregexpinlines.h:435)
   by 0x66BFEA9: RegExpGuard::normalizeRegExp (jsstr.cpp:1796)
   by 0x66BC46C: str_match (jsstr.cpp:1924)
   by 0x677571C: CallCompiler::generateNativeStub() (jscntxtinlines.h:685)
   by 0x6771982: js::mjit::ic::NativeCall (MonoIC.cpp:898)
```
Comment 4•15 years ago
STR (M-C of today, --disable-jemalloc build, x64-linux, gcc-4.4.3 (Ubuntu 10.04), -g -O2):
1. Create an empty (vanilla) profile.
2. Load http://blog.chromium.org/2011/01/html-video-codec-support-in-chrome.html
The above error then appears twice.
I can't reproduce this on x64 MacOSX though.
Updated•15 years ago
blocking2.0: - → ?
Comment 5•15 years ago
It's still rare in Socorro, so if it's reproducible, I guess we should fix, but if it's reproducible only on x64 Linux, I'd be reluctant to actually hold a release for it. Seems borderline, though (i.e., one of the worse softblockers).
blocking2.0: ? → betaN+
Whiteboard: softblocker
Comment 6•15 years ago
Julian's problem smells like bug 574459 to me. The report looks like a jsvector operation is being attempted on a jsvector that failed to be extended due to OOM.
Comment 7•15 years ago
But this machine has 8G memory + 16G swap, and was (very) far from being out of memory.

I just tried again now. I can crash it repeatedly in a browser containing just 1 tab and nothing else, so I really don't think this is an OOM thing.
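To make the mechanism behind Comment 6's hypothesis concrete (whether or not OOM was the trigger, as Comment 7 disputes): the valgrind report shows a 4-byte write 0 bytes past a 128-byte block that `growTo` allocated, which is the shape of an append that ignores a failed grow. The following is an added, simplified stand-in for a fallible-allocation vector, not SpiderMonkey's `js::Vector`; `FailableAlloc` and its byte limit are constructed to simulate allocation failure.

```cpp
// Simplified model of a fallible vector (hypothetical; not js::Vector itself).
#include <cstddef>
#include <cstdlib>
#include <cstring>

// Allocation policy whose malloc can be made to fail, standing in for OOM.
struct FailableAlloc {
    size_t limit;  // constructed: requests above this many bytes are refused
    void* malloc_(size_t n) { return n > limit ? nullptr : std::malloc(n); }
    void free_(void* p) { std::free(p); }
};

template <typename T>
class Vector {
    T* begin_ = nullptr;
    size_t length_ = 0, capacity_ = 0;
    FailableAlloc alloc_;

    // Reallocate to newCap elements; on failure the old buffer is untouched.
    bool growTo(size_t newCap) {
        T* p = static_cast<T*>(alloc_.malloc_(newCap * sizeof(T)));
        if (!p) return false;
        if (length_) std::memcpy(p, begin_, length_ * sizeof(T));
        alloc_.free_(begin_);
        begin_ = p;
        capacity_ = newCap;
        return true;
    }
    size_t nextCap() const { return capacity_ ? capacity_ * 2 : 16; }

public:
    explicit Vector(size_t limitBytes) : alloc_{limitBytes} {}
    ~Vector() { alloc_.free_(begin_); }

    // Defective shape: the grow result is dropped, so when growTo fails the
    // store lands at begin_[capacity_], 0 bytes past the old block, exactly
    // the write valgrind flagged above. Never called here.
    void appendUnchecked(const T& t) {
        if (length_ == capacity_) growTo(nextCap());
        begin_[length_++] = t;  // out-of-bounds write after a failed grow
    }
    // Hardened shape: propagate the failure and never touch the buffer.
    bool append(const T& t) {
        if (length_ == capacity_ && !growTo(nextCap())) return false;
        begin_[length_++] = t;
        return true;
    }
};

// Append until the allocator refuses; returns how many elements were stored.
size_t fillUntilOom(size_t limitBytes) {
    Vector<int> v(limitBytes);
    size_t n = 0;
    while (v.append(static_cast<int>(n))) ++n;
    return n;
}
```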
Comment 8•15 years ago
** PRODUCT DRIVERS PLEASE NOTE **
This bug is one of 19 being moved from blocking2.0:betaN+ to blocking2.0:- as we reached the endgame of Firefox 4. The rationale for the move is:
- the bug had been identified as a "soft" blocker which could be fixed in some follow up release
- the bug had been identified as one requiring beta coverage, thus is not appropriate for a ".x" stability & security release
The owner of the bug may wish to renominate for .x consideration.
blocking2.0: betaN+ → .x+
Comment 10•14 years ago
Un-assigning, just because finishing this bug is not on my roadmap.
Updated•14 years ago
Assignee: cdleary → general
Updated•14 years ago
Crash Signature: [@ JSC::Yarr::RegexGenerator::generateDisjunction(JSC::Yarr::PatternDisjunction*) ]
Comment 11•14 years ago
There have been no crashes across all versions for the last four weeks.
I am closing it as WFM.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME