crash in js::detail::RegExpCode::compile when restarting after installing ABP
(Reporter: nhirata, Assigned: dmandelin)


({crash, regression, reproducible})

14 Branch

Firefox Tracking Flags

(firefox14 affected, firefox15 affected, blocking-fennec1.0 -)


(Whiteboard: [native-crash][startupcrash], crash signature)

This bug was filed from the Socorro interface and is report bp-b43bddc3-e2b6-496a-9fe0-e4ada2120320.
Crashing Thread
Frame 	Module 	Signature 	Source
0 	JSC::Yarr::wordcharCreate 	Utility.h:581
1 	JSC::Yarr::byteCompile 	js/src/yarr/YarrPattern.h:392
2 	js::detail::RegExpCode::compile 	js/src/vm/RegExpObject.cpp:280
3 	js::RegExpObject::createShared 	js/src/vm/RegExpObject.cpp:525
4 	js::CloneRegExpObject 	js/src/vm/RegExpObject-inl.h:82
5 	js::Interpret 	js/src/jsinterp.cpp:2850
6 	js::RunScript 	js/src/jsinterp.cpp:469
7 	js::Execute 	js/src/jsinterp.cpp:667
8 	JS_ExecuteScript 	js/src/jsapi.cpp:5232
9 	JS_ExecuteScriptVersion 	js/src/jsapi.cpp:5240
10 	mozJSComponentLoader::GlobalForLocation 	js/xpconnect/loader/mozJSComponentLoader.cpp:955
11 	mozJSComponentLoader::LoadModule 	js/xpconnect/loader/mozJSComponentLoader.cpp:517
12 	nsComponentManagerImpl::KnownModule::Load 	xpcom/components/nsComponentManager.cpp:723
13 	nsFactoryEntry::GetFactory 	xpcom/components/nsComponentManager.cpp:1738
14 	nsComponentManagerImpl::CreateInstance 	xpcom/components/nsComponentManager.cpp:974
15 	nsComponentManagerImpl::GetService 	xpcom/components/nsComponentManager.cpp:1270
16 	nsJSCID::GetService 	js/xpconnect/src/XPCJSID.cpp:803
17 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:194
18 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:3021
19 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1539
20 	js::Interpret 	js/src/jscntxtinlines.h:314
21 	js::RunScript 	js/src/jsinterp.cpp:469
22 	js::InvokeKernel 	js/src/jsinterp.cpp:528
23 	js_fun_apply 	js/src/jsinterp.h:172
24 	js::Interpret 	js/src/jscntxtinlines.h:314
25 	js::RunScript 	js/src/jsinterp.cpp:469
26 	js::InvokeGetterOrSetter 	js/src/jsinterp.cpp:528
27 	js::GetPropertyHelper 	js/src/jsscopeinlines.h:287
28 	js::Interpret 	js/src/jsinterpinlines.h:268
29 	js::RunScript 	js/src/jsinterp.cpp:469
30 	js::InvokeKernel 	js/src/jsinterp.cpp:528
31 	js_fun_apply 	js/src/jsinterp.h:172
32 	js::Interpret 	js/src/jscntxtinlines.h:314
33 	js::RunScript 	js/src/jsinterp.cpp:469
34 	js::InvokeKernel 	js/src/jsinterp.cpp:528
35 	js_fun_apply 	js/src/jsinterp.h:172
36 	js::Interpret 	js/src/jscntxtinlines.h:314
37 	js::RunScript 	js/src/jsinterp.cpp:469
38 	js::InvokeKernel 	js/src/jsinterp.cpp:528
39 	js_fun_apply 	js/src/jsinterp.h:172
40 	js::Interpret 	js/src/jscntxtinlines.h:314
41 	js::RunScript 	js/src/jsinterp.cpp:469
42 	js::InvokeKernel 	js/src/jsinterp.cpp:528
43 	js_fun_apply 	js/src/jsinterp.h:172
44 	js::Interpret 	js/src/jscntxtinlines.h:314
45 	js::RunScript 	js/src/jsinterp.cpp:469
46 	js::Invoke 	js/src/jsinterp.cpp:528
47 	JS_CallFunctionValue 	js/src/jsapi.cpp:5389
48 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1880
49 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:239
50 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:740
51 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:798
52 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventListenerManager.h:169
53 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:348
54 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:682
55 	DocumentViewerImpl::LoadComplete 	layout/base/nsDocumentViewer.cpp:1070
56 	nsDocShell::EndPageLoad 	docshell/base/nsDocShell.cpp:6163
57 	nsDocShell::OnStateChange 	docshell/base/nsDocShell.cpp:6002
58 	nsDocLoader::DoFireOnStateChange 	uriloader/base/nsDocLoader.cpp:1383
59 	nsDocLoader::doStopDocumentLoad 	uriloader/base/nsDocLoader.cpp:963
60 	nsDocLoader::DocLoaderIsEmpty 	uriloader/base/nsDocLoader.cpp:852
61 	nsDocLoader::OnStopRequest 	uriloader/base/nsDocLoader.cpp:736
62 	nsLoadGroup::RemoveRequest 	netwerk/base/src/nsLoadGroup.cpp:731
63 	nsDocument::DoUnblockOnload 	content/base/src/nsDocument.cpp:7251
64 	nsDocument::UnblockOnload 	content/base/src/nsDocument.cpp:7193
65 	nsDocument::DispatchContentLoadedEvents 	content/base/src/nsDocument.cpp:4264
66 	nsRunnableMethodImpl<void , true>::Run 	nsThreadUtils.h:345
67 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
68 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
69 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
70 	MessageLoop::RunInternal 	ipc/chromium/src/base/
71 	MessageLoop::Run 	ipc/chromium/src/base/
72 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
73 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:295
74 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3703
75 	GeckoStart 	toolkit/xre/nsAndroidStartup.cpp:109
76 	__res_nsend 	other-licenses/android/res_send.c:1086
77 	dalvik-heap (deleted) 	dalvik-heap @0x5fa696 	
78 	dalvik-heap (deleted) 	dalvik-heap @0x57e466 	
80 	dalvik-LinearAlloc (deleted) 	dalvik-LinearAlloc @0x2088fa 	
81 	dalvik-heap (deleted) 	dalvik-heap @0x5fa696 	
83 	data@app@org.mozilla.fennec-1.apk@classes.dex 	data@app@org.mozilla.fennec-1.apk@classes.dex@0xf24af 	
84 	__res_nsend 	other-licenses/android/res_send.c:1071
85 	dalvik-LinearAlloc (deleted) 	dalvik-LinearAlloc @0x2088fa 	
87 	dalvik-heap (deleted) 	dalvik-heap @0x5fa696 	
89 	dalvik-LinearAlloc (deleted) 	dalvik-LinearAlloc @0x2088fa 	
90 	data@app@org.mozilla.fennec-1.apk@classes.dex 	data@app@org.mozilla.fennec-1.apk@classes.dex@0x86b3c 	
91 	dalvik-heap (deleted) 	dalvik-heap @0x5fa696 	
97 	dalvik-LinearAlloc (deleted) 	dalvik-LinearAlloc @0x1ff5b6 	
99 	core.odex 	core.odex@0xd55d2 	
100 	_ZN7android6LooperC2Eb 	
111 	framework.odex 	framework.odex@0x206892 	
112 	framework.odex 	framework.odex@0x206898 	
113 	framework.odex 	framework.odex@0x226baa

One crash was at :
It first appeared in 14.0a1/20120314.
Keywords: regression
Summary: crash in [@ js::detail::RegExpCode::compile ] → crash in js::detail::RegExpCode::compile @ JSC::Yarr::wordcharCreate
Whiteboard: [native-crash], startupcrash → [native-crash][startupcrash]
blocking-fennec1.0: --- → ?
blocking-fennec1.0: ? → -
Assignee: general → dmandelin
blocking-fennec1.0: - → +

Comment 2

Why does this block Fennec? It looks like just an OOM crash.
I think it was marked because this is a startup crash...
Re-nomming for review, it doesn't have a lot of reports right now.
blocking-fennec1.0: + → ?
blocking-fennec1.0: ? → -
I was able to reproduce this crash while I was trying to reproduce bug 750272:

Firefox 14.0a2 (2012-04-30)
Device: Samsung Captivate
OS: Android 2.2
It's #12 top crasher in 14.0a2.
Keywords: topcrash
I added a signature with a similar stack.
With combined signatures, it's #4 top crasher in 14.0a2 over the last week.

More reports at:
blocking-fennec1.0: - → ?
Crash Signature: [@ JSC::Yarr::wordcharCreate] → [@ JSC::Yarr::wordcharCreate] [@ JSC::Yarr::newlineCreate]
Summary: crash in js::detail::RegExpCode::compile @ JSC::Yarr::wordcharCreate → crash in js::detail::RegExpCode::compile
Keywords: qawanted, regressionwindow-wanted
Both crash signatures first appeared for Fennec in 14.0a1/20120314130626, just after the Maple merge.
The regression range is:
Keywords: regressionwindow-wanted
Can't seem to repro

Maybe a crash after restarting from a crash?
Can we get a birch bisect using old birch-nightlies
Keywords: regressionwindow-wanted
The start of wordcharCreate has:

   // FIXME: bug 574459 -- no NULL check

which can be hit in the case of OOM; I'd be surprised if that was the case here, but it's the right type of crash, and there isn't much else in wordcharCreate that could do this.


Depends on: 574459
blocking-fennec1.0: ? → +
I tried to reproduce the issue using comment 5 and I could not reproduce.
It seems to be partially fixed in 15.0a1/20120509 and 14.0a2/20120509, so it's no longer a top crasher. It might also mean that users who hit it gave up (startup crashes).
Keywords: topcrash
Still occurs in 14.0a2 20120515.
DROID3 and Droid Bionic... Experia
status-firefox14: --- → affected
status-firefox15: --- → affected
I am still able to reproduce this issue on the latest Nightly and Aurora builds. After Fennec restarts, on Nightly you might have to wait longer until the crash occurs. Also, it's easy to reproduce on a clean profile.

Firefox 15.0a1 (2012-05-15)
Device: Samsung Captivate
OS: Android 2.2


Keywords: reproducible
From Nicolae:

1. Open Fennec
2. Go to ( and install the add-on
3. When install is complete, a popup is triggered. Tap on Restart button
4. After Fennec restarts, wait
Step 4 for me was to go to : chrome://adblockplus/content/ui/firstRun.xhtml and then I crashed with the following crash :

My report might be different since I'm running a different build of Android OS?
Oops.  Missed this one.  Will bring this up in crash triage.

Comment 20

Dave, can someone in the JS team have a look at this?
Summary: crash in js::detail::RegExpCode::compile → crash in js::detail::RegExpCode::compile when restarting after installing ABP
removing qawanted, STRs in comment 17
Keywords: qawanted

Comment 22

Some notes: after the initial restart Adblock Plus will download its filters, this is probably responsible for the "wait" step. Then the filters are added to internal data structures, that's the Array.forEach() call on the stack (luckily the only place this method is used in Adblock Plus code). However, the filters will not be compiled into regular expressions during this step, that happens lazily afterwards. So the crash must be coming from one of the regular expression literals in Adblock Plus code. From what I can tell, there are only three regexps in this code path:


The first two are used across compartments after CPG landing.

Comment 23

(In reply to Sheila Mooney from comment #20)
> Dave, can someone in the JS team have a look at this?

I looked at it myself. I guess comment 2 was far too terse. :-) Expanded version:

There are 2 crashes, which may or may not be the same thing. 

Crash 1 is the one in Socorro, e.g., from comment 0. That crash is clearly an OOM crash in the regexp compiler. It specifically happens in a function wordcharCreate that allocates a new CharacterClass object to represent \w. The code location in the crash report is not actually part of the source tree (it's a generated .h file), so I can't see exactly how it's really crashing. But AIUI, we use infallible malloc on Fennec (and Firefox), which means if we call |new| and we're OOM, we crash immediately. I.e., if we are OOM, crashing is the intended behavior.

If there is a bug, the bug would be that something is allocating too much memory. The question then becomes, "what is allocating too much memory"? I think a CharacterClass object is <256b, so it's extremely unlikely that it's that dynamic allocation site itself. It's possible that way too many CharacterClass objects get created. It could be the rest of the Yarr regexp compiler. It could be something that runs before Yarr.

Questions: How do Fennec developers generally investigate OOM crashes? Are there tools for tracking allocations? Is there way to measure what the memory usage is as the regexp compiler is starting up? Is it true that we're using infallible malloc? Also, I don't see this crash on the top 300 list, so does the Socorro crash really merit attention?

Crash 2 is the reproducible one with STR given in comment 17 and comment 18. The dump from Socorro looks like an OOM crash, but it doesn't have symbols so it's hard to tell what it is. (There aren't even enough symbols to show it has anything to do with wordcharCreate, but I'm assuming that someone somehow verified that.)

I tried to reproduce it just now on my Atrix but it didn't crash. Does it reliably reproduce, or do I have to try it multiple times?

I did notice that after trying a couple times, I somehow ended up with 10 copies of the "AdBlock Plus Installation Complete" window open. I could imagine that OOMing someone. But the Captivate has 512 MB RAM, so that seems unlikely. For fun, I opened Fennec, opened 5 copies of the install complete page, and then opened boingboing, and my Fennec memory usage is 103 MB.

Questions: Is this in fact the same crash? How reliably does it reproduce?
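The three allocation policies the thread is comparing, as an added illustration for this page (example code written here, not Yarr's or Mozilla's source): the unchecked `new` the FIXME in wordcharCreate refers to, a fallible variant that reports NULL to its caller, and an infallible variant that turns OOM into a deliberate abort as described in comment 23. The `CharacterClass` layout, the budget-limited allocator used to provoke OOM on demand, and the configurable OOM handler (a stand-in for the process abort an infallible allocator performs) are all simplifications assumed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>

// Simplified stand-in for Yarr's CharacterClass: the ranges making up \w.
// Illustrative type for this example, not the engine's own definition.
struct CharacterClass {
    struct Range { uint16_t lo, hi; };
    Range ranges[4];
    size_t count;
};

// Budget-limited allocator constructed for the example so that OOM can be
// provoked deterministically. Yarr itself allocates with plain operator new.
static size_t g_bytesLeft = SIZE_MAX;

static void setAllocationBudget(size_t bytes) { g_bytesLeft = bytes; }

static void *fallibleAlloc(size_t n) {
    if (n > g_bytesLeft) return nullptr;
    g_bytesLeft -= n;
    return std::malloc(n);
}

// OOM handler hook. An infallible allocator never returns NULL: it calls a
// handler that, in a shipping build, aborts the process. The hook is
// configurable here only so the behaviour can be observed without dying.
typedef void (*OomHandler)(size_t);
static void abortOnOom(size_t) { std::abort(); }
static OomHandler g_oomHandler = abortOnOom;
static void setOomHandler(OomHandler h) { g_oomHandler = h ? h : abortOnOom; }

// Recording handler (what a test harness would install in place of abort).
static size_t g_oomReports = 0;
static void countingOomHandler(size_t) { g_oomReports++; }
static size_t oomReportCount() { return g_oomReports; }

static void fillWordchar(CharacterClass *cc) {
    // \w == [0-9A-Z_a-z]
    cc->ranges[0] = {'0', '9'};
    cc->ranges[1] = {'A', 'Z'};
    cc->ranges[2] = {'_', '_'};
    cc->ranges[3] = {'a', 'z'};
    cc->count = 4;
}

// 1. The shape the FIXME describes: the allocation result is used with no
//    NULL check, so an OOM becomes a NULL dereference on the first store.
static CharacterClass *wordcharCreateUnchecked() {
    CharacterClass *cc = static_cast<CharacterClass *>(fallibleAlloc(sizeof(CharacterClass)));
    fillWordchar(cc);  // crashes here if fallibleAlloc returned NULL
    return cc;
}

// 2. Fallible: report OOM to the caller, which must propagate it upwards.
static CharacterClass *wordcharCreateFallible() {
    CharacterClass *cc = static_cast<CharacterClass *>(fallibleAlloc(sizeof(CharacterClass)));
    if (!cc) return nullptr;
    fillWordchar(cc);
    return cc;
}

// 3. Infallible: OOM is handed to the handler, which in production aborts.
//    This is the "if we are OOM, crashing is the intended behavior" policy.
static CharacterClass *wordcharCreateInfallible() {
    CharacterClass *cc = static_cast<CharacterClass *>(fallibleAlloc(sizeof(CharacterClass)));
    if (!cc) { g_oomHandler(sizeof(CharacterClass)); return nullptr; }
    fillWordchar(cc);
    return cc;
}

static bool classMatches(const CharacterClass *cc, uint16_t ch) {
    for (size_t i = 0; i < cc->count; i++)
        if (ch >= cc->ranges[i].lo && ch <= cc->ranges[i].hi) return true;
    return false;
}

// Toy stand-in for the compile step: build n classes with the fallible
// constructor and stop cleanly at the first OOM. Returns how many were built.
static size_t compileClasses(size_t n) {
    size_t built = 0;
    for (; built < n; built++) {
        CharacterClass *cc = wordcharCreateFallible();
        if (!cc) break;
        std::free(cc);
    }
    return built;
}

int main() {
    setAllocationBudget(3 * sizeof(CharacterClass));
    return compileClasses(10) == 3 ? 0 : 1;
}
```

With the budget set to three objects, the fallible compile stops after three classes and the caller can fail the regexp compilation; the infallible variant instead reports to the handler on the fourth, which is where a Socorro report like the one in comment 0 would be produced. The unchecked variant is the only one of the three where the crash address depends on the structure layout rather than on the allocator.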
Duplicate of this bug: 738935
blocking-fennec1.0: + → -
Mark, is this fixed in the new version of ABP that's coming?
YARR was removed in bug 976446 - Resolving as Won't fix.
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
Keywords: regressionwindow-wanted