Bug 1032067 (Closed)
Opened 11 years ago
Closed 11 years ago
Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h or Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla33
People: Reporter: gkw, Assigned: jandem
Keywords: assertion, regression, testcase; Whiteboard: [fuzzblocker]
Attachments: 4 files, 2 obsolete files
Description:
''.match(/(:[cR\cC
Flags: needinfo?(jdemooij)
Comment 1 (Reporter, 11 years ago)
The attached testcase asserts js debug shell on m-c changeset b6408c32a170 with --latin1-strings --ion-offthread-compile=off --ion-eager at Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h
My configure flags are:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5c88c5b4fe07
user: Jan de Mooij
date: Wed Jun 25 10:12:20 2014 +0200
summary: Bug 1028867 - Add a --latin1-strings shell flag. r=luke
Jan, bug 1028867 seems to have caused this fuzzblocker. I'm not sure if this assert is benign or not, so s-s to be safe first. Please feel free to open up if it isn't.
(This is interesting, b.m.o ate the rest of the message when I put in a monkey unicode character. http://www.fileformat.info/info/unicode/char/1f435/index.htm )
Updated (Reporter, 11 years ago)
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker]
Comment 2 (Reporter, 11 years ago)
This testcase may be related:
Function("print(/( \\\uB0DA ( )})/);\
function c(){}")()
$ ./js-dbg-opt-64-prof-ts-darwin-b6408c32a170 --latin1-strings --ion-offthread-compile=off --ion-eager testcase.js
Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h
Configuration parameters:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
Summary: Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h → Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h or Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h
Comment 3 (Reporter, 11 years ago)
Comment 4 (Assignee, 11 years ago)
Gary, is it possible the testcase in comment 0 was truncated?
Patch coming up.
Comment 5 (Assignee, 11 years ago)
Oh you also attached it, got it :)
Comment 6 (Assignee, 11 years ago)
Some places where we called sb.reserve() and then appended a TwoByte string so that we lost our reserved space.
I checked the callers of StringBuffer.reserve and these are the only ones that need this I think.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8447879 - Flags: review?(luke)
Flags: needinfo?(jdemooij)
Comment 7 (Assignee, 11 years ago)
Not s-s; requires --latin1-strings.
Group: core-security, javascript-core-security
Updated (Reporter, 11 years ago)
Attachment #8447857 - Attachment mime type: text/plain → text/plain;charset=utf-8
Comment 8 (11 years ago)
When latin1->twobyte inflation happens, can we preserve mCapacity so that reserve() just works?
Comment 9 (Assignee, 11 years ago)
Ah right, preserving the capacity is much nicer and less error-prone. Somehow I thought it was hard to get a Vector's capacity or something.
Attachment #8447879 - Attachment is obsolete: true
Attachment #8447879 - Flags: review?(luke)
Attachment #8449638 - Flags: review?(luke)
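The failure mode described in comments 6, 8 and 9, modelled in an added C++ example that is not the patch, SpiderMonkey's StringBuffer or mozilla::Vector: a toy buffer remembers the element count promised by reserve(), and its Latin1-to-TwoByte inflation either drops that promise (the bug) or carries it across to the new storage (the fix Luke proposed). The class, its method names and the replayed append sequence are constructed for illustration; the real code MOZ_ASSERTs `mLength + insLength <= mReserved`, whereas the toy returns false so the violation can be checked rather than crashing.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed toy model of the bug discussed in this thread. It is not
// SpiderMonkey's StringBuffer or mozilla::Vector. The buffer starts as Latin1
// (one byte per code unit) and is inflated to TwoByte (char16_t) the first time
// a TwoByte string is appended. Like mozilla::Vector it remembers the element
// count promised by reserve() in reserved_ (the real code's mReserved), and an
// infallible append is only valid while length + n <= reserved_. The real code
// MOZ_ASSERTs that condition; the toy returns false instead so a test can
// observe the violation.
class ToyStringBuffer {
  std::vector<unsigned char> latin1_;
  std::vector<char16_t> twoByte_;
  bool isLatin1_ = true;
  size_t reserved_ = 0;

  // Switch storage from Latin1 to TwoByte, widening every existing code unit.
  void inflate(bool preserveCapacity) {
    twoByte_.assign(latin1_.begin(), latin1_.end());
    latin1_.clear();
    isLatin1_ = false;
    if (preserveCapacity) {
      // Fixed behaviour (comments 8 and 9): the promise made by an earlier
      // reserve() is carried over to the new TwoByte storage.
      twoByte_.reserve(reserved_);
    } else {
      // Buggy behaviour (comment 6): the new storage starts with no
      // reservation, so a reserve() made before inflation is forgotten.
      reserved_ = twoByte_.size();
    }
  }

 public:
  size_t length() const { return isLatin1_ ? latin1_.size() : twoByte_.size(); }
  size_t reserved() const { return reserved_; }
  bool isLatin1() const { return isLatin1_; }

  // Promise room for n code units in total (sb.reserve() in the thread).
  void reserve(size_t n) {
    if (n <= reserved_) return;
    if (isLatin1_) latin1_.reserve(n); else twoByte_.reserve(n);
    reserved_ = n;
  }

  // Append a Latin1 string without growing: mLength + insLength <= mReserved.
  bool infallibleAppendLatin1(const std::string& s) {
    if (length() + s.size() > reserved_) return false;
    for (unsigned char c : s) {
      if (isLatin1_) latin1_.push_back(c);
      else twoByte_.push_back(static_cast<char16_t>(c));
    }
    return true;
  }

  // Append a TwoByte string without growing; inflates first if still Latin1.
  bool infallibleAppendTwoByte(const std::u16string& s, bool preserveCapacity) {
    if (isLatin1_) inflate(preserveCapacity);
    if (length() + s.size() > reserved_) return false;
    twoByte_.insert(twoByte_.end(), s.begin(), s.end());
    return true;
  }
};

// Replay the shape of the failing sequence: reserve space for the whole result
// up front, append a Latin1 prefix, then a TwoByte character (U+B0DA, as in the
// comment 2 testcase) and a Latin1 suffix. Returns true only if every append
// stayed inside the reservation.
bool replayAppends(bool preserveCapacity) {
  ToyStringBuffer sb;
  sb.reserve(16);
  if (!sb.infallibleAppendLatin1("/( ")) return false;
  if (!sb.infallibleAppendTwoByte(u"\uB0DA", preserveCapacity)) return false;
  return sb.infallibleAppendLatin1(" ( )})/");
}

// How much of the reservation survives inflation under each behaviour.
size_t reservedAfterInflation(bool preserveCapacity) {
  ToyStringBuffer sb;
  sb.reserve(16);
  sb.infallibleAppendLatin1("/( ");
  sb.infallibleAppendTwoByte(u"\uB0DA", preserveCapacity);
  return sb.reserved();
}
```

With preserveCapacity false the TwoByte append fails on the first character (the toy's equivalent of the `mLength + 1 <= mReserved` assertion from comment 2), because inflation reset the reservation to the three code units already stored; with it true the reservation of 16 survives and every append succeeds. The perf concern that led from Patch v2 to Patch v3 is not modelled here, since the thread does not describe it.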
Comment 10 (11 years ago)
Comment on attachment 8449638 [details] [diff] [review]
Patch v2
Review of attachment 8449638 [details] [diff] [review]:
-----------------------------------------------------------------
Great!
Attachment #8449638 - Flags: review?(luke) → review+
Comment 11 (Assignee, 11 years ago)
Comment on attachment 8449638 [details] [diff] [review]
Patch v2
This patch has a subtle perf issue; new patch coming up.
Attachment #8449638 - Attachment is obsolete: true
Comment 12 (Assignee, 11 years ago)
Attachment #8449719 - Flags: review?(luke)
Comment 13 (11 years ago)
Comment on attachment 8449719 [details] [diff] [review]
Patch v3
Review of attachment 8449719 [details] [diff] [review]:
-----------------------------------------------------------------
Nice job identifying this problem.
Attachment #8449719 - Flags: review?(luke) → review+
Updated (Reporter, 11 years ago)
Blocks: latin1strings
Comment 14 (Assignee, 11 years ago)
Comment 15 (11 years ago)
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33