Closed
Bug 826581
Opened 12 years ago
Closed 12 years ago
Crash [@ js::RegExpShared::compile]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla21
Tracking | Status | |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | --- | unaffected |
firefox19 | --- | unaffected |
firefox20 | + | fixed |
firefox21 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: sstangl)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main20-])
Attachments
(3 files)
6.24 KB,
text/plain
|
Details | |
7.20 KB,
patch
|
dvander
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
1.46 KB,
patch
|
dvander
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
try {
x = function() {}
for (y = 0; y < 64; y++) {
x += x
}
} catch (e) {}
x.replace(x, x, "gy")
crashes js opt shell on m-c changeset 33064e13c3fd without any CLI arguments at js::RegExpShared::compile when the testcase is passed in as a CLI argument.
s-s and assuming sec-critical because weird memory address 0x913fb008 is being accessed.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 116117:d229008d60ac
user: Sean Stangl
date: Wed Dec 12 17:23:04 2012 -0800
summary: Bug 808245, Part 4/6 - Compile RegExpShared at execution time. r=dvander
Reporter | ||
Updated•12 years ago
|
Flags: needinfo?(sstangl)
Assignee | ||
Comment 1•12 years ago
|
||
This is a great fuzz result. The problem is that the code currently assumes that the RegExp JSAtom source, stored in the RegExpShared, is kept rooted by at least one RegExpObject. This assumption is incorrect in the context of our "flags" extension to str_replace(), which converts a string to a regular expression without rooting it.
The solution is to have the RegExpGuard hold a root to the source. This gets a bit tricky, because Bug 820124 wants there to be a RegExpGuard in the RegExpStatics -- so there will have to be a second "heap-safe" RegExpGuard-like class just for that case.
Flags: needinfo?(sstangl)
Comment 2•12 years ago
|
||
Are you the right owner for this sg:crit regression? If not, please re-assign appropriately.
Assignee: general → sstangl
Assignee | ||
Comment 3•12 years ago
|
||
Yes, I'm the right owner. I have a fix already, but I'm going to manually verify all the RegExp rooting sites to make sure this bug doesn't occur again.
Assignee | ||
Comment 4•12 years ago
|
||
Attachment #698851 -
Flags: review?(dvander)
Updated•12 years ago
|
Attachment #698851 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 5•12 years ago
|
||
Reporter | ||
Updated•12 years ago
|
Flags: in-testsuite+
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/7d9055884036
Needs landing on aurora.
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox21:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Comment 7•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Assignee | ||
Comment 8•12 years ago
|
||
Comment on attachment 698851 [details] [diff] [review]
Root RegExp source for the lifetime of RegExpShared
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 808245
User impact if declined: Unlikely crashes
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None
String or UUID changes made by this patch: None
Attachment #698851 -
Flags: approval-mozilla-aurora?
Comment 9•12 years ago
|
||
Comment on attachment 698851 [details] [diff] [review]
Root RegExp source for the lifetime of RegExpShared
Low risk patch for a Fx 20 sec-crit regression.Considering where we are in the cycle this is manageable risk, hence approving it on aurora.
Attachment #698851 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Reporter | ||
Updated•12 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 10•12 years ago
|
||
Reporter | ||
Updated•12 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 11•12 years ago
|
||
Debugging Bug 820124 revealed that a small issue exists in this patch, which can lead to random crashes of a similar variety to the original bug. The HeapPtr must be a raw pointer.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 12•12 years ago
|
||
Attachment #701381 -
Flags: review?(dvander)
Reporter | ||
Updated•12 years ago
|
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 13•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 44dcffe8792b).
Updated•12 years ago
|
Attachment #701381 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 15•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/fb0dbf0686ae
Will also need landing on aurora after it hits m-c. I'll assume that the a=bajaj from above is valid for this fix, and land it tomorrow.
Reporter | ||
Comment 16•12 years ago
|
||
> Will also need landing on aurora after it hits m-c. I'll assume that the
> a=bajaj from above is valid for this fix, and land it tomorrow.
Request for approval for aurora landing will have to be made again because this is a separate patch. :|
Assignee | ||
Comment 17•12 years ago
|
||
Reporter | ||
Updated•12 years ago
|
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Comment 18•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Assignee | ||
Comment 19•12 years ago
|
||
Comment on attachment 701381 [details] [diff] [review]
follow-up fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 826581 (previous patch)
User impact if declined:
The first patch in this bug, which fixed the issue originally identified, introduced an extremely subtle bug involving prebarriers called during destructors. This can manifest as extremely unlikely crashes that are difficult to debug and obscure as to their cause.
Testing completed (on m-c, etc.): m-c and significant fuzzing as part of Bug 820124, which identified the issue.
Risk to taking this patch (and alternatives if risky): None
String or UUID changes made by this patch: None
Attachment #701381 -
Flags: approval-mozilla-aurora?
Updated•12 years ago
|
Updated•12 years ago
|
Attachment #701381 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Reporter | ||
Updated•12 years ago
|
Keywords: checkin-needed
Comment 20•12 years ago
|
||
I've got this in my queue for Aurora landing once it reopens. Clearing checkin-needed so this doesn't show up in my queries.
Keywords: checkin-needed
Comment 21•12 years ago
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main20-]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•