Crash [@ js::RegExpShared::execute] or "Assertion failure: isRegExp(),"

VERIFIED FIXED in Firefox 14

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: luke)

Tracking

(Blocks: 1 bug, 4 keywords)

13 Branch
mozilla15
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox13 affected, firefox14 fixed, blocking-fennec1.0 soft)

Details

(Whiteboard: [native-crash][js-triage-done], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 617765 [details]
stack

"".match(wrap(evalcx("/x/",newGlobal('new-compartment'))))

asserts js debug shell on m-c changeset 142fe408f5b4 without any CLI arguments at Assertion failure: isRegExp(), and crashes js opt shell at a weird memory address with js::RegExpShared::execute near the top of the stack.

s-s because a weird memory address 0x1501c49 is being accessed (see the $pc line)

autoBisecting now...
(Reporter)

Comment 1

5 years ago
Created attachment 617766 [details]
stacks

Oops, forgot the debug stack.
Attachment #617765 - Attachment is obsolete: true
(Reporter)

Comment 2

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   86106:304182354c92
user:        Luke Wagner
date:        Wed Feb 01 13:36:48 2012 -0800
summary:     Bug 688069 - fix String.prototype.{replace,match,search,split} for transparently wrapped RegExp arguments (r=cdleary)
Blocks: 688069
(Assignee)

Comment 3

5 years ago
Ah... a wrapped wrapper.  Not s-s since this depends on the shell function 'wrap' which has no analogue in web content.
Group: core-security
Whiteboard: js-triage-needed → js-triage-done
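A toy model of the "wrapped wrapper" case, added here as an illustration rather than taken from this bug or from SpiderMonkey's sources: the testcase in the description passes a RegExp from another compartment, wrapped once by evalcx and again by the shell's wrap, to String.prototype.match, and a brand check that peels only one wrapper layer still sees a wrapper and fails. Cross-compartment wrappers are modelled with Proxy objects recorded in a WeakMap, and the names wrap, unwrapOne, unwrapAll, matchWith and outcome are assumptions for this example; the engine's actual fix is in the attached patch, which is not reproduced on this page.

```javascript
// Added example, not SpiderMonkey's code: a toy model of the "wrapped
// wrapper" case from the bug. Cross-compartment wrappers are modelled as
// Proxy objects recorded in a WeakMap (an assumption for illustration);
// the engine's real wrappers are internal and not reachable from scripts.
const wrapperTarget = new WeakMap();

// Stand-in for the shell's wrap(): a transparent membrane around obj.
function wrap(obj) {
  const membrane = new Proxy(obj, {});
  wrapperTarget.set(membrane, obj);
  return membrane;
}

// Brand check for a genuine RegExp object. A Proxy around a RegExp does
// not carry the [[RegExpMatcher]] internal slot, so the check rejects it.
function isRegExp(obj) {
  return Object.prototype.toString.call(obj) === "[object RegExp]";
}

// Peel exactly one wrapper layer: enough for wrap(re), not for
// wrap(wrap(re)). This reproduces the shape of the regression.
function unwrapOne(obj) {
  return wrapperTarget.has(obj) ? wrapperTarget.get(obj) : obj;
}

// Peel every wrapper layer until a non-wrapper object remains.
function unwrapAll(obj) {
  let cur = obj;
  while (wrapperTarget.has(cur)) cur = wrapperTarget.get(cur);
  return cur;
}

// A String.prototype.match-like helper; `unwrap` is the policy under test.
// In the engine the failed brand check was an assertion in a debug build
// and a crash in an optimized one; here it surfaces as a TypeError.
function matchWith(unwrap, str, arg) {
  const re = unwrap(arg);
  if (!isRegExp(re)) {
    throw new TypeError("argument is still a wrapper, not a RegExp");
  }
  return re.exec(str);
}

// Classify what a policy does for a given argument:
// "match", "nomatch" or "typeerror".
function outcome(unwrap, str, arg) {
  try {
    return matchWith(unwrap, str, arg) === null ? "nomatch" : "match";
  } catch (e) {
    if (e instanceof TypeError) return "typeerror";
    throw e;
  }
}

// Constructed input mirroring wrap(evalcx("/x/", ...)): two wrapper layers.
const wrappedTwice = wrap(wrap(/x/));

// Single-layer unwrap: the double-wrapped RegExp fails the brand check.
console.log(outcome(unwrapOne, "", wrappedTwice));      // typeerror
// Full unwrap reaches the RegExp; "" contains no "x", so no match.
console.log(outcome(unwrapAll, "", wrappedTwice));      // nomatch
console.log(outcome(unwrapAll, "abxcd", wrappedTwice)); // match
```

The model shows the defensive point behind the triage: a brand check on a wrapped argument is only sound if it is applied after every wrapper layer has been removed, and a check that is correct for one layer can still be wrong for two. Here the failure is a thrown TypeError; in native code the same misclassification led to the isRegExp() assertion in debug builds and a wild memory access in the opt shell.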
(Assignee)

Comment 4

5 years ago
Created attachment 617799 [details] [diff] [review]
fix and test

I'm sure bholley has seen this type of thing before...
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #617799 - Flags: review?(bobbyholley+bmo)
Attachment #617799 - Flags: review?(bobbyholley+bmo) → review+
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/adc258d17ecb
Target Milestone: --- → mozilla15
https://hg.mozilla.org/mozilla-central/rev/adc258d17ecb
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 7

5 years ago
It's #22 top crasher in FennecAndroid 14.0b3.
blocking-fennec1.0: --- → ?
status-firefox13: --- → affected
status-firefox14: --- → affected
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: js-triage-done → [native-crash][js-triage-done]
Version: Trunk → 13 Branch
Luke, we probably want this for Fennec, and I imagine desktop will want it too - can you nom for aurora and beta?
blocking-fennec1.0: ? → soft
(Assignee)

Comment 9

5 years ago
Comment on attachment 617799 [details] [diff] [review]
fix and test

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 748212
User impact if declined: crashes
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low

With the uplift today, this is fixed on aurora.
Attachment #617799 - Flags: approval-mozilla-beta?
Comment on attachment 617799 [details] [diff] [review]
fix and test

[Triage Comment]
Close to a top crasher in FN, and also a regression in FF13. Approved for Beta 14.
Attachment #617799 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(Assignee)

Comment 11

5 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/2666d43c0d5d
status-firefox14: affected → fixed
(Reporter)

Updated

5 years ago
Flags: in-testsuite+
(Reporter)

Comment 12

4 years ago
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED