Bug 748212 - Crash [@ js::RegExpShared::execute] or "Assertion failure: isRegExp(),"
Status: VERIFIED FIXED
Whiteboard: [native-crash][js-triage-done]
Keywords: assertion, crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 13 Branch
Platform: All All
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Luke Wagner [:luke]
Blocks: jsfunfuzz 688069
Reported: 2012-04-23 20:59 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-12-13 17:07 PST
gary: in‑testsuite+


Attachments
stack (3.84 KB, text/plain)
2012-04-23 20:59 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags
stacks (7.57 KB, text/plain)
2012-04-23 21:00 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags
fix and test (1.03 KB, patch)
2012-04-23 23:24 PDT, Luke Wagner [:luke]
bobbyholley: review+
akeybl: approval‑mozilla‑beta+

Description Gary Kwong [:gkw] [:nth10sd] 2012-04-23 20:59:33 PDT
Created attachment 617765
stack

"".match(wrap(evalcx("/x/",newGlobal('new-compartment'))))

asserts js debug shell on m-c changeset 142fe408f5b4 without any CLI arguments at Assertion failure: isRegExp(), and crashes js opt shell at a weird memory address with js::RegExpShared::execute near the top of the stack.

s-s because a weird memory address 0x1501c49 is being accessed (see the $pc line)

autoBisecting now...
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-04-23 21:00:29 PDT
Created attachment 617766
stacks

Oops, forgot the debug stack.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-04-23 21:08:55 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   86106:304182354c92
user:        Luke Wagner
date:        Wed Feb 01 13:36:48 2012 -0800
summary:     Bug 688069 - fix String.prototype.{replace,match,search,split} for transparently wrapped RegExp arguments (r=cdleary)
Comment 3 Luke Wagner [:luke] 2012-04-23 23:18:49 PDT
Ah... a wrapped wrapper.  Not s-s since this depends on the shell function 'wrap' which has no analogue in web content.
Comment 4 Luke Wagner [:luke] 2012-04-23 23:24:24 PDT
Created attachment 617799
fix and test

I'm sure bholley has seen this type of thing before...
Comment 6 Ed Morley [:emorley] 2012-04-26 10:41:34 PDT
https://hg.mozilla.org/mozilla-central/rev/adc258d17ecb
Comment 7 Scoobidiver (away) 2012-06-01 23:29:21 PDT
It's #22 top crasher in FennecAndroid 14.0b3.
Comment 8 Joe Drew (not getting mail) 2012-06-04 13:57:14 PDT
Luke, we probably want this for Fennec, and I imagine desktop will want it too - can you nom for aurora and beta?
Comment 9 Luke Wagner [:luke] 2012-06-04 15:33:05 PDT
Comment on attachment 617799
fix and test

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 748212
User impact if declined: crashes
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low

With the uplift today, this is fixed on aurora.
Comment 10 Alex Keybl [:akeybl] 2012-06-04 15:43:21 PDT
Comment on attachment 617799
fix and test

[Triage Comment]
Close to a top crasher in FN, and also a regression in FF13. Approved for Beta 14.
Comment 12 Gary Kwong [:gkw] [:nth10sd] 2012-12-13 17:07:14 PST
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
