Bug 701399 - crash in JSC::Yarr::execute
Status: RESOLVED FIXED (Closed)
Opened 13 years ago; Closed 13 years ago
Component: Core :: JavaScript Engine (defect)
Target Milestone: mozilla10
Reporter: kairo; Assignee: Unassigned
Keywords: crash, regression; Whiteboard: [sg:critical]
This bug was filed from the Socorro interface and is report bp-719c0e9d-f023-4cbc-b293-180482111110.
=============================================================
This may be related to or even a dupe of bug 701396 in the end, but https://crash-stats.mozilla.com/report/list?signature=JSC%3A%3AYarr%3A%3Aexecute%28JSC%3A%3AYarr%3A%3AYarrCodeBlock%26%2C%20wchar_t%20const*%2C%20unsigned%20int%2C%20unsigned%20int%2C%20int*%29 lists a number of different versions, including Firefox 8, and not just trunk, even though there has been a spike in this on trunk in the last days (since it became 11.0a1) just as with that other signature.
Still possible that the crashes with older versions than trunk are yet another bug, given that the stacks look different for 8.0, I guess both coming from JS RegExp code is normal as we may only use Yarr for that. If the older ones are a different bug, we may need to file that one as a separate thing as well.
Comments sound like people were playing Flash, going to websites or starting up, so probably web content causing this crash, just like with bug 701396.
Comment 1 • 13 years ago
Adding Mac signature.
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)]
[@ JSC::Yarr::execute ]
Updated • 13 years ago
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)]
[@ JSC::Yarr::execute ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)]
[@ JSC::Yarr::execute ]
[@ @0x0 | JSC::Yarr::execute ]
Comment 3 • 13 years ago
1. http://video.sina.com.cn/index.shtml
2. Crash
Mac OS X Nightly
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000003
0x00000003 in ?? ()
(gdb) bt
#0 0x00000003 in ?? ()
#1 0x0733b704 in JSC::Yarr::YarrCodeBlock::execute (this=0x22bc5770, input=0x22bca618, start=0, length=41, output=0x2bec6014) at yarr/YarrJIT.h:72
#2 0x0733b2b5 in JSC::Yarr::execute (jitObject=@0x22bc5770, input=0x22bca618, start=0, length=41, output=0x2bec6014) at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.cpp:2461
#3 0x07262af4 in js::RegExpPrivateCode::execute (this=0x22bc5770, cx=0x22b1d880, chars=0x22bca618, length=41, start=0, output=0x2bec6014, outputCount=1157102722) at vm/RegExpObject-inl.h:334
#4 0x07260552 in js::RegExpPrivate::execute (this=0x22bc5770, cx=0x22b1d880, chars=0x22bca618, length=41, lastIndex=0xbfffa9c4, allocScope=@0xbfffa8ec, output=0xbfffa8e8) at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject.cpp:212
Linux Nightly
#0 0x0000000003359b60 in ?? ()
#1 0x00007ffff52f1396 in JSC::Yarr::YarrCodeBlock::execute (this=0x1d32e10,
input=0x362bc78, start=0, length=41, output=0x2de4208)
at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.h:72
#2 0x00007ffff52f099e in JSC::Yarr::execute (jitObject=..., input=0x362bc78,
start=0, length=41, output=0x2de4208)
at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.cpp:2461
#3 0x00007ffff521d04a in js::RegExpPrivateCode::execute (this=0x1d32e10, cx=
0x1978960, chars=0x362bc78, length=41, start=0, output=0x2de4208,
outputCount=4)
at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject-inl.h:334
#4 0x00007ffff521a648 in js::RegExpPrivate::execute (this=0x1d32e10, cx=
0x1978960, chars=0x362bc78, length=41, lastIndex=0x7fffffff7b40,
allocScope=..., output=0x7fffffff7a38)
at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject.cpp:212
WinXP Nightly bp-6b5b93e5-ac92-4de4-a490-a98b02111111
[@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ]
Note Crash Automation was able to reproduce on Aurora Linux once, but I have not been able to reproduce.
I think this bug and bug 701396 are dupes.
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)]
[@ JSC::Yarr::execute ]
[@ @0x0 | JSC::Yarr::execute ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)]
[@ JSC::Yarr::execute ]
[@ @0x0 | JSC::Yarr::execute ]
[@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ]
status-firefox10:
--- → affected
status-firefox11:
--- → affected
OS: Windows 7 → All
Comment 4 • 13 years ago
Nightly Linux 32bit bp-8932f062-2363-42c9-853f-e77a82111111
[@ regexp_trace ]
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)]
[@ JSC::Yarr::execute ]
[@ @0x0 | JSC::Yarr::execute ]
[@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)]
[@ JSC::Yarr::execute ]
[@ @0x0 | JSC::Yarr::execute ]
[@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative* int>::deleteAllValues() ]
[@ regexp_trace ]
I trigger this within a minute if I enable out-of-date add-ons; it never happens otherwise.
Comment 6 • 13 years ago
I can easily hit this crash while trying to configure a vaio z on store.sony.com , on OSX 64bit and Linux 64bit.
Linux crash
https://crash-stats.mozilla.com/report/index/bp-cbd7fbc2-662d-42ad-8732-3c6f02111114
OSX crash
https://crash-stats.mozilla.com/report/index/bp-43ecec02-1742-45b0-be83-8e5302111114
Comment 7 • 13 years ago
It's the #2 top crasher in 10.0a2 and 11.0a1.
tracking-firefox10:
--- → ?
tracking-firefox11:
--- → ?
Comment 8 • 13 years ago
Given signature bp-719c0e9d-f023-4cbc-b293-180482111110 this is potentially exploitable unless there's some proof the bogus jitObject can only be NULL and not any other bogus value.
Updated • 13 years ago
Keywords: regression
Version: Trunk → 10 Branch
Updated • 13 years ago
Crash Signature: int>::deleteAllValues() ]
[@ regexp_trace ] → int>::deleteAllValues() ]
[@ regexp_trace ]
[@ @0x0 | JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*) ]
Comment 9 (Reporter) • 13 years ago
We had no crashes on trunk with this signature with builds from 2011-11-15 or -16 yet; the last ones we have are from -14 builds.
Comment 10 • 13 years ago
Fixed by bug 701332?
Comment 11 • 13 years ago
Yeah, this must have been fixed by Chris a couple of days ago.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Comment 12 • 13 years ago
Changing resolution to fixed. Don't forget to land the fix on Aurora. This is still rampant there.
Resolution: WORKSFORME → FIXED
Updated • 13 years ago
Comment 13 • 13 years ago
For all crash signatures, the latest 10.0a2 crashes happen in 20111118 build.
status-firefox10:
affected → ---
Target Milestone: --- → mozilla10
Comment 14 • 13 years ago
There is one crash in 10.0a2/20111121 and another one in 11.0a1/20111122. So it's not fully fixed:
bp-7459695f-044e-45c1-b6bf-2983c2111123
bp-47fba1f9-a2e4-42f9-8c27-2c0d52111123
Updated • 10 years ago
Group: core-security
Updated • 9 years ago
Keywords: testcase-wanted