User Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20110928060149

Steps to reproduce:
I stumbled into another regexp issue similar to https://bugzilla.mozilla.org/show_bug.cgi?id=653672. That one was fixed in Firefox 7.0, but this one remains in it and 8.0 beta. Filing as a security bug based on the high crash address and probability of there being a similar integer error.

Actual results:
Firefox 7.0 / Linux (64-bit Debian 6.0.2) -> https://crash-stats.mozilla.com/report/index/2b6d78d1-df97-4497-bbcc-b3fae2111003
Firefox 8.0 beta / ditto -> https://crash-stats.mozilla.com/report/index/bp-82827ac7-07c6-4f97-a697-5f1202111003

Expected results:
Firefox shouldn't have crashed and I should have caught this earlier.
Open the attached file to reproduce. Firefox usually appears to get stuck for a few seconds and then crashes. Some pages exhibit this crash instantly. I tried to make a small repro that crashes most of the time on different versions. Firefox 8.0 on 32-bit Debian crashed with a slightly different signature [@ JSC::Yarr::execute ] -> https://crash-stats.mozilla.com/report/index/bp-180837cb-6a6f-440f-a900-b859c2111003
Using Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:10.0a1) Gecko/20111003 Firefox/10.0a1 I don't crash, but Nightly stops responding and I have to force quit.
Firefox 7.0.1 / Windows 7 -> https://crash-stats.mozilla.com/report/index/bbba3892-7e36-40d5-963e-93b422111004
OS: Linux → All
Haven't tested nightly yet, but have we updated YARR since Fx8?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → cdleary
Status: NEW → ASSIGNED
Assignee: cdleary → general
Product: Firefox → Core
QA Contact: general → general
Can you report this to WebKit and attach that patch to see if they want to upstream it?
(In reply to David Mandelin from comment #7)
> Can you report this to WebKit and attach that patch to see if they want to
> upstream it?

Will do. I actually missed one shell test failure as well. Will post the link when I fix that and submit to their tracker.
Can we get the webkit bug link added to this bug?
Comment on attachment 565697 [details] [diff] [review]
Error check regexp quantifier in parser and alternative offset in emitter.

Review of attachment 565697 [details] [diff] [review]:
-----------------------------------------------------------------

Chris says the patch has a problem and needs refreshing.
Fixes the problem. Will post to webkit bug tracker now.
Attachment #565697 - Attachment is obsolete: true
Too late for 8 given the complexity of this patch.
Do we want this for 9?
Chris, what's left here?
Comment on attachment 568767 [details] [diff] [review] Error check regexp quantifier in parser and alternative offset in emitter. No feedback from WebKit. Requesting approval for aurora / beta landing ASAP.
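The patch title above says the fix error-checks the regexp quantifier in the parser; the bug page does not show the patch itself, so the following is an added illustration of the general shape of such a check, not code from the patch, from YARR or from Mozilla. It assumes a 32-bit count field and an accept limit of 0x7fffffff (both assumptions): a quantifier count like `{4294967296}` that would silently wrap a naive accumulator is rejected at parse time instead of reaching the emitter.

```cpp
#include <cstdint>
#include <cstddef>
#include <string>

// Result of parsing a bounded quantifier such as "{2,5}", "{3}" or "{3,}".
struct Quantifier {
    uint32_t min;
    uint32_t max;   // kUnbounded when there is no upper bound ("{3,}")
    bool ok;        // false: malformed, or a count exceeded the accepted range
};

static const uint32_t kUnbounded = UINT32_MAX;
// Largest count accepted. Anything larger is a parse error rather than being
// allowed to wrap around. This limit is an assumption for the example, not YARR's.
static const uint32_t kMaxCount = 0x7fffffff;

// Parse a decimal run starting at s[pos]. Returns false on an empty run or if the
// accumulated value would exceed kMaxCount; the check happens after every digit,
// so the 64-bit accumulator itself can never overflow.
static bool parseCount(const std::string& s, size_t& pos, uint32_t& out) {
    size_t start = pos;
    uint64_t value = 0;
    while (pos < s.size() && s[pos] >= '0' && s[pos] <= '9') {
        value = value * 10 + static_cast<uint64_t>(s[pos] - '0');
        if (value > kMaxCount) return false;   // refuse instead of wrapping
        ++pos;
    }
    if (pos == start) return false;            // no digits at all
    out = static_cast<uint32_t>(value);
    return true;
}

// Parse a whole quantifier token. Any structural problem or out-of-range count
// yields ok == false, so callers never see a wrapped or inconsistent {min,max}.
Quantifier parseQuantifier(const std::string& s) {
    Quantifier q = {0, 0, false};
    size_t pos = 0;
    if (pos >= s.size() || s[pos] != '{') return q;
    ++pos;
    uint32_t min = 0, max = 0;
    if (!parseCount(s, pos, min)) return q;
    if (pos < s.size() && s[pos] == ',') {
        ++pos;
        if (pos < s.size() && s[pos] == '}') {
            max = kUnbounded;                  // "{n,}"
        } else if (!parseCount(s, pos, max)) {
            return q;
        }
    } else {
        max = min;                             // "{n}"
    }
    if (pos >= s.size() || s[pos] != '}') return q;
    ++pos;
    if (pos != s.size()) return q;             // trailing garbage
    if (max != kUnbounded && max < min) return q;  // "{5,2}" is an error
    q.min = min;
    q.max = max;
    q.ok = true;
    return q;
}
```

The point a reviewer would look for in a patch like the one described here is that the range check sits on the parsing side, before any later stage computes buffer sizes or jump offsets from the count; a count that has already wrapped cannot be detected reliably downstream.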
Attachment #568767 - Flags: review?(dmandelin) → review+
Comment on attachment 568767 [details] [diff] [review] Error check regexp quantifier in parser and alternative offset in emitter. [Triage Comment] Please re-nominate for approval once this has landed on m-c.
Target Milestone: --- → mozilla11
https://hg.mozilla.org/mozilla-central/rev/bbda472dc34b Re-nom coming per comment 17.
Marking FIXED since this landed on m-c.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] → [sg:critical?][qa+]
Comment on attachment 568767 [details] [diff] [review] Error check regexp quantifier in parser and alternative offset in emitter. [Triage Comment] Let's take this on both aurora and beta - this is critical and we expect to find any regressions quickly (if there are any).
Attachment #564162 - Attachment mime type: text/plain → text/html
See Also: → https://bugs.webkit.org/show_bug.cgi?id=70648
Crash no longer reproducible with 2011-12-08 Nightly and Aurora, and Firefox 9.0b5.
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug691299-regexp.js.