Closed Bug 694820 Opened 13 years ago Closed 13 years ago

GC related Crash [@ regexp_finalize ]

Categories

(Core :: JavaScript Engine, defect)

Platform: x86, macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox10 --- affected

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash, crashreportid, Whiteboard: js-triage-done)

This is not directly reproducible.

0. Run browser doing tons of stuff for ~11 hours (Nightly/Mac OS X 10.5).
1. Open http://www.usatoday.com/ in a new tab (url is probably irrelevant)
2. Crash [@ regexp_finalize ]

bp-efcf7545-565f-4450-b581-a83a62111015

Build ID	20111015031037

Crash Address	0xffffffffffffff96

Frame 	Module 	Signature 	Source
0 	XUL 	regexp_finalize 	js/src/assembler/jit/ExecutableAllocator.h:126
1 	XUL 	js::gc::FinalizeArenas 	js/src/jsobjinlines.h:199
2 	XUL 	js::gc::ArenaLists::finalizeObjects 	js/src/jsgc.cpp:1362
3 	XUL 	GCCycle 	js/src/jsgc.cpp:2463
4 	XUL 	js_GC 	js/src/jsgc.cpp:2856
5 	XUL 	JS_GC 	js/src/jsapi.cpp:2708
6 	XUL 	nsXPConnect::Collect 	js/xpconnect/src/nsXPConnect.cpp:409
7 	XUL 	nsXPConnect::GarbageCollect 	js/xpconnect/src/nsXPConnect.cpp:417


https://hg.mozilla.org/mozilla-central/annotate/6d5fd5a30c71/js/src/assembler/jit/ExecutableAllocator.h#l126

    void release(bool willDestroy = false)
    { 
        JS_ASSERT(m_refCount != 0);
        // XXX: disabled, see bug 654820.
        //JS_ASSERT_IF(willDestroy, m_refCount == 1);
=>        if (--m_refCount == 0) {
            js::UnwantedForeground::delete_(this);
        }
    }

Bad |this| ? Security Sensitive since this is gc and jit related. Not sure this bug will be helpful since I can't reproduce, but maybe it will give someone a clue.
Whiteboard: js-triage-needed
Bob, have you seen this anywhere else? I can't reproduce with the STR given.
Chris, no I've never seen it again.
Sounds like this bug isn't doing us much good. Should we close it WORKSFORME? Unhide it but leave it open?
wfm and open it sound ok to me. cdleary?
Whiteboard: js-triage-needed → js-triage-done
done.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME