Bug 851107 - Rooting Analysis: Crash on Heap near [@ execute] with RegExp
Status: Closed, RESOLVED FIXED, target milestone mozilla22
Opened 10 years ago; closed 10 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: terrence
Keywords: crash, testcase; Whiteboard: [jsbugmon:ignore]
Attachments (1 file): patch, 2.18 KB, sfink: review+
The following testcase crashes on mozilla-central built with --enable-root-analysis, revision 8e68f4d73ec4 (run with ):

gczeal(6);
var re = /./;
re.lastIndex = {};
re.exec((/[]\u0032/m ));
Comment 1•10 years ago (Reporter)
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
0xf7fc702e in ?? ()
(gdb) bt
#0  0xf7fc702e in ?? ()
#1  0x0841adc5 in execute (output=<optimized out>, length=<optimized out>, start=<optimized out>, input=0xda430028, this=0x89a9dec) at ../yarr/YarrJIT.h:134
#2  js::RegExpShared::execute (this=0x89a9de0, cx=0x8948a78, chars=0xda430028, length=<optimized out>, lastIndex=0xffffc06c, matches=...) at js/src/vm/RegExpObject.cpp:555
#3  0x084232d2 in ExecuteRegExpImpl (cx=0x8948a78, res=0x8970240, re=..., input="/[]\\u0032/m", chars=0xda430028, length=11, lastIndex=0xffffc06c, matches=...) at js/src/builtin/RegExp.cpp:133
#4  0x08425b67 in js::ExecuteRegExp (cx=0x8948a78, regexp=(JSObject * const) 0xf742f150 [object RegExp], string="/[]\\u0032/m", matches=...) at js/src/builtin/RegExp.cpp:598
#5  0x08425fc0 in regexp_exec_impl (cx=0x8948a78, args=...) at js/src/builtin/RegExp.cpp:646
#6  0x08426156 in CallNonGenericMethod (args=..., Impl=0x8425e30 <regexp_exec_impl(JSContext*, JS::CallArgs)>, Test=0x841f5a0 <IsRegExp(JS::Value const&)>, cx=0x8948a78) at ../jsapi.h:884
#7  js::regexp_exec (cx=0x8948a78, argc=1, vp=0xf7693060) at js/src/builtin/RegExp.cpp:663
#8  0x081a9f4f in CallJSNative (args=..., native=<optimized out>, cx=0x8948a78) at ../jscntxtinlines.h:327
#9  js::InvokeKernel (cx=0x8948a78, args=..., construct=js::NO_CONSTRUCT) at js/src/jsinterp.cpp:383
#10 0x08198120 in js::Interpret (cx=0x8948a78, entryFrame=0xf7693028, interpMode=js::JSINTERP_NORMAL) at js/src/jsinterp.cpp:2361
#11 0x081a9bac in js::RunScript (cx=0x8948a78, fp=0xf7693028) at js/src/jsinterp.cpp:340
#12 0x081ac560 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0xf7425100, cx=<optimized out>, type=<optimized out>) at js/src/jsinterp.cpp:530
#13 js::Execute (cx=0x8948a78, script=0xf7425100, scopeChainArg=(JSObject &) @0xf7421040 [object global] delegate, rval=0x0) at js/src/jsinterp.cpp:570
#14 0x0807f89b in JS_ExecuteScript (cx=0x8948a78, objArg=(JSObject *) 0xf7421040 [object global] delegate, scriptArg=0xf7425100, rval=0x0) at js/src/jsapi.cpp:5487
#15 0x08059b22 in Process (cx=0x8948a78, obj_=<optimized out>, filename=0xffffd177 "min.js", forceTTY=false) at js/src/shell/js.cpp:467
#16 0x0806150f in ProcessArgs (op=0xffffceb0, obj_=<optimized out>, cx=0x8948a78) at js/src/shell/js.cpp:5023
#17 Shell (cx=0x8948a78, op=0xffffceb0, envp=0xffffcfe0) at js/src/shell/js.cpp:5060
#18 0x0804b805 in main (argc=2, argv=0xffffcfd4, envp=0xffffcfe0) at js/src/shell/js.cpp:5283
Comment 2•10 years ago (Assignee)
I was not able to reproduce this with my existing build. What configure line, arch, and compiler is this with?
Comment 3•10 years ago (Reporter)
This is 32 bit Linux (Ubuntu 12.04 LTS), the configure line is --enable-debug --enable-optimize --enable-valgrind --target=i686-pc-linux-gnu --enable-root-analysis and the compiler is GCC 4.6.3.
Comment 4•10 years ago (Assignee)
These are another two instances of inline chars getting poisoned. We're going to need to fix this general class of problems before we can GGC strings. Until then, I think it's fine to just SkipRoot the one and move the other below the GC.
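The class of hazard comment 4 describes, shown as an added example that is not SpiderMonkey code and not the patch on this bug: a toy collector that relocates a string cell and poisons its old location, a raw pointer to the cell's inline chars taken before a GC-capable call (the hazard), and the reordered version where the chars are fetched only after the GC (comment 4's "move the other below the GC"). The `MovingHeap`, `Handle`, `kPoison` value, the `u"abc"` input and the `execHazard`/`execFixed` functions are all constructed for this illustration; the real `SkipRoot` annotation is not modeled.

```cpp
// Added example, not SpiderMonkey code: a toy moving collector that shows why a
// raw pointer to a string's inline chars must not be held across a GC.
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

namespace toygc {

// A heap cell storing its characters inline (like an inline JS string).
struct InlineString {
    size_t length;
    char16_t chars[8];
};

// A rooted slot: the collector updates it when the cell moves.
// Constructed stand-in for a Rooted/Handle, not the real API.
using Handle = InlineString**;

class MovingHeap {
public:
    static constexpr char16_t kPoison = 0xA5A5;  // constructed poison value

    ~MovingHeap() { for (auto* c : cells_) delete c; }

    // Allocate a cell for `text` (truncated to 8 chars) and root it via `slot`.
    void allocate(InlineString** slot, const std::u16string& text) {
        auto* cell = new InlineString{};
        cell->length = text.size() < 8 ? text.size() : 8;
        std::memcpy(cell->chars, text.data(), cell->length * sizeof(char16_t));
        cells_.push_back(cell);
        roots_.push_back(slot);
        *slot = cell;
    }

    // Move every rooted cell to fresh memory, poison the old copy's chars,
    // and point the root at the new location. Old cells stay allocated so a
    // stale read is a poison read, not a use-after-free.
    void gc() {
        for (InlineString** slot : roots_) {
            InlineString* old = *slot;
            auto* fresh = new InlineString(*old);
            for (char16_t& c : old->chars) c = kPoison;
            cells_.push_back(fresh);
            *slot = fresh;
        }
    }

private:
    std::vector<InlineString*> cells_;
    std::vector<InlineString**> roots_;
};

// Stand-in for the matcher: reads the chars it was handed.
bool firstCharIs(const char16_t* chars, size_t length, char16_t want) {
    return length > 0 && chars[0] == want;
}

// Hazardous order: chars is taken before a GC-capable call, so it still
// points into the old, now poisoned, cell when the matcher reads it.
bool execHazard(MovingHeap& heap, Handle input, char16_t want) {
    const char16_t* chars = (*input)->chars;
    size_t length = (*input)->length;
    heap.gc();  // any call that may GC
    return firstCharIs(chars, length, want);
}

// Fixed order: let the GC-capable call run first, then take chars from the
// (possibly moved) cell through the rooted handle.
bool execFixed(MovingHeap& heap, Handle input, char16_t want) {
    heap.gc();
    const char16_t* chars = (*input)->chars;
    size_t length = (*input)->length;
    return firstCharIs(chars, length, want);
}

struct Outcome { bool hazard; bool fixed; };

// Match the constructed input "abc" against 'a' both ways.
Outcome demo() {
    MovingHeap heap;
    InlineString* str = nullptr;
    heap.allocate(&str, u"abc");
    Outcome o{};
    o.hazard = execHazard(heap, &str, u'a');  // reads kPoison instead of 'a'
    o.fixed = execFixed(heap, &str, u'a');    // reads 'a' from the moved cell
    return o;
}

}  // namespace toygc

int main() {
    toygc::Outcome o = toygc::demo();
    return (!o.hazard && o.fixed) ? 0 : 1;
}
```

The toy keeps the old cell allocated so the bad read shows up as poison rather than as undefined behaviour, which is also the shape of the real failure: under the root analysis the stale `chars` pointer in comment 1's trace reads poisoned memory and the JIT'd matcher faults on it.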
Comment 5•10 years ago
Comment on attachment 725157 [details] [diff] [review] v0 Review of attachment 725157 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/RegExpObject.cpp @@ +569,5 @@ > RegExpRunStatus > RegExpShared::executeMatchOnly(JSContext *cx, const jschar *chars, size_t length, > size_t *lastIndex, MatchPair &match) > { > + /* These chars maybe inline in a string. */ s/maybe/may be/
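Review bot: the added comment at executeMatchOnly (+569) says only that the chars may be inline; it should also say why that matters here, namely that a GC reached from below this point poisons inline storage, and name the call that can GC, otherwise the SkipRoot that comment 4 says accompanies it reads as arbitrary to the next reader. Something like `/* These chars may be inline in a string; a GC below would poison them. See bug 846011. */` covers both the s/maybe/may be/ fix and the cross-reference comment 6 asks for.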
Attachment #725157 - Flags: review?(sphink) → review+
Comment 6•10 years ago
Oh, and maybe mention bug 846011. Unless you think we'll end up with too much clutter from that.
Comment 7•10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/ea6b05238e68
Comment 8•10 years ago
https://hg.mozilla.org/mozilla-central/rev/ea6b05238e68
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22