crash in js::CrashAtUnhandlableOOM(char const*) | JSC::Yarr::YarrGenerator<int>::opCompileAlternative(JSC::Yarr::PatternAlternative*)

RESOLVED WONTFIX

Status

()

Core
JavaScript Engine
--
critical
RESOLVED WONTFIX
3 years ago
3 years ago

People

(Reporter: lizzard, Unassigned)

Tracking

({crash, topcrash-win})

31 Branch
x86
Windows NT
crash, topcrash-win
Points:
---

Firefox Tracking Flags

(firefox31 wontfix, firefox32 unaffected, firefox33 unaffected)

Details

(crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

This bug was filed from the Socorro interface and is 
report bp-d589f6f7-167d-4f52-94d6-e49b82140421.
=============================================================

This crash signature shows up in 36 crashes on Windows over the last 28 days; I noticed it on the explosiveness chart for Firefox 31.0a1. It first showed up on 2014-04-18, in the 2014040903 build. 

More reports: 

https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=28&signature=js%3A%3ACrashAtUnhandlableOOM%28char+const*%29+|+JSC%3A%3AYarr%3A%3AYarrGenerator%3Cint%3E%3A%3AopCompileAlternative%28JSC%3A%3AYarr%3A%3APatternAlternative*%29#tab-sigsummary


stack:

0 	mozjs.dll 	js::CrashAtUnhandlableOOM(char const *) 	js/src/jscntxt.cpp
1 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::opCompileAlternative(JSC::Yarr::PatternAlternative *) 	js/src/yarr/YarrJIT.cpp
2 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm *) 	js/src/yarr/YarrJIT.cpp
3 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::opCompileAlternative(JSC::Yarr::PatternAlternative *) 	js/src/yarr/YarrJIT.cpp
4 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm *) 	js/src/yarr/YarrJIT.cpp
5 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::opCompileAlternative(JSC::Yarr::PatternAlternative *) 	js/src/yarr/YarrJIT.cpp
6 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::opCompileParenthesesSubpattern(JSC::Yarr::PatternTerm *) 	js/src/yarr/YarrJIT.cpp
7 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::opCompileAlternative(JSC::Yarr::PatternAlternative *) 	js/src/yarr/YarrJIT.cpp
8 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::opCompileBody(JSC::Yarr::PatternDisjunction *) 	js/src/yarr/YarrJIT.cpp
9 	mozjs.dll 	JSC::Yarr::YarrGenerator<0>::compile(JSC::Yarr::JSGlobalData *,JSC::Yarr::YarrCodeBlock &) 	js/src/yarr/YarrJIT.cpp
10 	mozjs.dll 	JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern &,JSC::Yarr::YarrCharSize,JSC::Yarr::JSGlobalData *,JSC::Yarr::YarrCodeBlock &,JSC::Yarr::YarrJITCompileMode) 	js/src/yarr/YarrJIT.cpp
11 	mozjs.dll 	js::RegExpShared::compile(JSContext *,JSLinearString &,bool) 	js/src/vm/RegExpObject.cpp
12 	mozjs.dll 	js::RegExpShared::compile(JSContext *,bool) 	js/src/vm/RegExpObject.cpp
13 	mozjs.dll 	js::RegExpShared::executeMatchOnly(JSContext *,wchar_t const *,unsigned int,unsigned int *,js::MatchPair &) 	js/src/vm/RegExpObject.cpp
14 	mozjs.dll 	ExecuteRegExpImpl 	js/src/builtin/RegExp.cpp
15 	mozjs.dll 	js::ExecuteRegExp(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSString *>,js::MatchConduit &,js::RegExpStaticsUpdate) 	js/src/builtin/RegExp.cpp
16 	mozjs.dll 	ExecuteRegExp 	js/src/builtin/RegExp.cpp
17 	mozjs.dll 	js::regexp_test(JSContext *,unsigned int,JS::Value *) 	js/src/builtin/RegExp.cpp
18 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
19 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
20 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
21 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
22 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
23 	mozjs.dll 	JS_CallFunctionValue(JSContext *,JS::Handle<JSObject *>,JS::Handle<JS::Value>,JS::HandleValueArray const &,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
24 	xul.dll 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *,unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) 	js/xpconnect/src/XPCWrappedJSClass.cpp
25 	xul.dll 	nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) 	js/xpconnect/src/XPCWrappedJS.cpp
26 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
27 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
28 	xul.dll 	nsContentPolicy::CheckPolicy(tag_nsresult ( nsIContentPolicy::*)(unsigned int,nsIURI *,nsIURI *,nsISupports *,nsACString_internal const &,nsISupports *,nsIPrincipal *,short *),unsigned int,nsIURI *,nsIURI *,nsISupports *,nsACString_internal const &,nsISupports *,nsIPrincipal *,short *) 	content/base/src/nsContentPolicy.cpp

Comment 1

3 years ago
(In reply to Liz Henry :lizzard from comment #0)
> It first showed up on 2014-04-18, in the 2014040903 build. 

Note that this probably does not point out that it regressed there, as the signature changed from just "js::CrashAtUnhandlableOOM(char const *)" to the current one due to bug 994913 being shipped to production late on the 17th (possibly early 18th UTC).
This is #6 topcrash in Firefox 31.0a2.
Keywords: topcrash-win
tracking-firefox31: --- → ?
Topcrash, tracking!
tracking-firefox31: ? → +
Naveed, it seems to be a Javascript bug. Could you find someone to have a look to this? Thanks
Flags: needinfo?(nihsanullah)
Sean what are our options here with the ongoing work in https://bugzilla.mozilla.org/show_bug.cgi?id=976446?
Flags: needinfo?(nihsanullah) → needinfo?(sstangl)
Created attachment 8439578 [details] [diff] [review]
Fallible append for YarrJIT (applies to beta)

(In reply to Naveed Ihsanullah [:naveed] from comment #5)
> Sean what are our options here with the ongoing work in
> https://bugzilla.mozilla.org/show_bug.cgi?id=976446?

Just for background, irregexp is shipped on trunk, but beta still uses Yarr. Although we are not going to fix logic issues with Yarr, handling OOM is something that could be done to stop some of the bleeding.

The attached patch makes Vector allocation in the YarrJIT fallible in a non-crashy way. If we uplift this patch to beta, it is likely to fix the topcrashes in this bug.

On OOM conditions, the patch causes regexp engine failure. We could also attempt to run the regexp in the interpreter on OOM, but it's probably not worth salvaging.
Attachment #8439578 - Flags: review?(kvijayan)
Flags: needinfo?(sstangl)
Created attachment 8439589 [details] [diff] [review]
Fallible append for YarrJIT v2 (applies to beta)

Minor change: also check return value of matchCharacterClass().
Attachment #8439578 - Attachment is obsolete: true
Attachment #8439578 - Flags: review?(kvijayan)
Attachment #8439589 - Flags: review?(kvijayan)
This YARR crash is no longer relevant because bug 976446 replaced YARR with irregexp.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
See Also: → bug 976446
status-firefox32: --- → unaffected
status-firefox33: --- → unaffected
tracking-firefox31: + → ---
status-firefox32: unaffected → ---
status-firefox33: unaffected → ---
tracking-firefox31: --- → -
Sorry, mid air collision.
status-firefox32: --- → unaffected
status-firefox33: --- → unaffected
tracking-firefox31: - → ---
(In reply to Chris Peterson (:cpeterson) from comment #8)
> This YARR crash is no longer relevant because bug 976446 replaced YARR with
> irregexp.

Please read the bug before closing. Although YARR was replaced on trunk and aurora, it still exists on beta, which has yet to ship. We can prevent a significant amount of future YARR crashiness before its death by taking the fallible-OOM patch in this bug.
Flags: needinfo?(nihsanullah)
31 is also an ESR release, so we've got that going for us.
Comment on attachment 8439589 [details] [diff] [review]
Fallible append for YarrJIT v2 (applies to beta)

Review of attachment 8439589 [details] [diff] [review]:
-----------------------------------------------------------------

Is |append| still used anywhere?  It might be worthwhile to remove it if it's not used anywhere else, or at least change it to |appendInfallible| to catch any remaining cases where we do unchecked allocation.

Otherwise, looks good.

::: js/src/yarr/wtfbridge.h
@@ +179,5 @@
>              js::CrashAtUnhandlableOOM("Yarr");
>      }
>  
> +    template <size_t M>
> +    void appendFallible(const Vector<T,M> &v) {

shouldn't this return bool?
Attachment #8439589 - Flags: review?(kvijayan) → review+
Considering that this is a safe-OOM and it hasn't changed in volume, I don't think we should take the risk of this in beta now. It's a known quantity.
status-firefox31: affected → wontfix
bows to bsmedberg on this
Flags: needinfo?(nihsanullah)

Updated

3 years ago
Duplicate of this bug: 1034712

Updated

3 years ago
Crash Signature: [@ js::CrashAtUnhandlableOOM(char const*) | JSC::Yarr::YarrGenerator<int>::opCompileAlternative(JSC::Yarr::PatternAlternative*)] → [@ js::CrashAtUnhandlableOOM(char const*) | JSC::Yarr::YarrGenerator<int>::opCompileAlternative(JSC::Yarr::PatternAlternative*)] [@ OOM | unknown | js::CrashAtUnhandlableOOM(char const*) | JSC::Yarr::YarrGenerator<int>::opCompileAlternative(JSC::Y&hellip;

Comment 16

3 years ago
FWIW, given the volume changes when 31 appeared on beta, this is probably the same as bug 814954 on 30 and below.
You need to log in before you can comment on or make changes to this bug.