Closed Bug 748212 Opened 9 years ago Closed 9 years ago

Crash [@ js::RegExpShared::execute] or "Assertion failure: isRegExp(),"

Categories

(Core :: JavaScript Engine, defect)

13 Branch
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla15
Tracking Status
firefox13 --- affected
firefox14 --- fixed
blocking-fennec1.0 --- soft

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [native-crash][js-triage-done])

Crash Data

Attachments

(2 files, 1 obsolete file)

Attached file stack (obsolete) —
"".match(wrap(evalcx("/x/",newGlobal('new-compartment'))))

asserts js debug shell on m-c changeset 142fe408f5b4 without any CLI arguments at Assertion failure: isRegExp(), and crashes js opt shell at a weird memory address with js::RegExpShared::execute near the top of the stack.

s-s because a weird memory address 0x1501c49 is being accessed (see the $pc line)

autoBisecting now...
Attached file stacks
Oops, forgot the debug stack.
Attachment #617765 - Attachment is obsolete: true
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   86106:304182354c92
user:        Luke Wagner
date:        Wed Feb 01 13:36:48 2012 -0800
summary:     Bug 688069 - fix String.prototype.{replace,match,search,split} for transparently wrapped RegExp arguments (r=cdleary)
Blocks: 688069
Ah... a wrapped wrapper.  Not s-s since this depends on the shell function 'wrap' which has no analogue in web content.
Group: core-security
Whiteboard: js-triage-needed → js-triage-done
Attached patch fix and test (Splinter Review)
I'm sure bholley has seen this type of thing before...
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #617799 - Flags: review?(bobbyholley+bmo)
Attachment #617799 - Flags: review?(bobbyholley+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/adc258d17ecb
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
It's the #22 top crasher in FennecAndroid 14.0b3.
blocking-fennec1.0: --- → ?
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: js-triage-done → [native-crash][js-triage-done]
Version: Trunk → 13 Branch
Luke, we probably want this for Fennec, and I imagine desktop will want it too - can you nom for aurora and beta?
blocking-fennec1.0: ? → soft
Comment on attachment 617799 [details] [diff] [review]
fix and test

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 748212
User impact if declined: crashes
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low

With the uplift today, this is fixed on aurora.
Attachment #617799 - Flags: approval-mozilla-beta?
Comment on attachment 617799 [details] [diff] [review]
fix and test

[Triage Comment]
Close to a top crasher in FN, and also a regression in FF13. Approved for Beta 14.
Attachment #617799 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: in-testsuite+
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED