Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h or Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h

RESOLVED FIXED in mozilla33

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 4 years ago
Modified: 4 years ago

People: Reporter: gkw, Assigned: jandem

Tracking: Blocks: 1 bug; Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla33
Hardware: x86_64 Mac OS X
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: [fuzzblocker]

Attachments: 4 attachments, 2 obsolete attachments

Description (Reporter, 4 years ago)
Created attachment 8447855 [details]
stack

''.match(/(:[cR\cC
Flags: needinfo?(jdemooij)

Comment 1 (Reporter, 4 years ago)
Created attachment 8447857 [details]
testcase

The attached testcase asserts js debug shell on m-c changeset b6408c32a170 with --latin1-strings --ion-offthread-compile=off --ion-eager at Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5c88c5b4fe07
user:        Jan de Mooij
date:        Wed Jun 25 10:12:20 2014 +0200
summary:     Bug 1028867 - Add a --latin1-strings shell flag. r=luke

Jan, bug 1028867 seems to have caused this fuzzblocker. I'm not sure if this assert is benign or not, so s-s to be safe first. Please feel free to open up if it isn't.

(This is interesting, b.m.o ate the rest of the message when I put in a monkey unicode character. http://www.fileformat.info/info/unicode/char/1f435/index.htm )

Updated (Reporter, 4 years ago)
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker]

Comment 2 (Reporter, 4 years ago)
This testcase may be related:

Function("print(/(        \\\uB0DA        (        )})/);\
function c(){}")()

$ ./js-dbg-opt-64-prof-ts-darwin-b6408c32a170 --latin1-strings --ion-offthread-compile=off --ion-eager testcase.js

Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h

Configuration parameters:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
Summary: Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h → Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h or Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h

Comment 3 (Reporter, 4 years ago)
Created attachment 8447860 [details]
Stack for testcase in comment 2

Comment 4 (Assignee, 4 years ago)
Gary is it possible the testcase in comment 0 was truncated?

Patch coming up.

Comment 5 (Assignee, 4 years ago)
Oh you also attached it, got it :)

Comment 6 (Assignee, 4 years ago)
Created attachment 8447879 [details] [diff] [review]
Patch

Some places where we called sb.reserve() and then appended a TwoByte string so that we lost our reserved space.

I checked the callers of StringBuffer.reserve and these are the only ones that need this I think.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8447879 - Flags: review?(luke)
Flags: needinfo?(jdemooij)

Comment 7 (Assignee, 4 years ago)
Not s-s; requires --latin1-strings.
Group: core-security, javascript-core-security

Updated (Reporter, 4 years ago)
Attachment #8447857 - Attachment mime type: text/plain → text/plain;charset=utf-8

Comment 8 (4 years ago)
When latin1->twobyte inflation happens, can we preserve mCapacity so that reserve() just works?

Comment 9 (Assignee, 4 years ago)
Created attachment 8449638 [details] [diff] [review]
Patch v2

Ah right, preserving the capacity is much nicer and less error-prone. Somehow I thought it was hard to get a Vector's capacity or something.
Attachment #8447879 - Attachment is obsolete: true
Attachment #8447879 - Flags: review?(luke)
Attachment #8449638 - Flags: review?(luke)
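
The failure mode described in comment 6 and the capacity-preserving fix adopted in comments 8 and 9, as an added example (not SpiderMonkey code and not the attached patch): a stand-in for mozilla::Vector that tracks mReserved the way a debug build does, and a two-mode StringBuffer whose Latin1-to-TwoByte inflation either forgets or carries over the caller's earlier reserve(). The class and member names, the reserve size of 16, and the input string are assumptions modelled loosely on the comment 2 testcase.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <utility>

using std::size_t;

// Stand-in for mozilla::Vector (hypothetical, not the real class). Like the real one
// in a debug build it tracks mReserved (what reserve() promised) apart from mCapacity,
// and infallibleAppend() checks "mLength + insLength <= mReserved"; here that check
// returns false instead of aborting so both inflation strategies can run side by side.
template <typename T>
class Vector {
  std::unique_ptr<T[]> mBegin;
  size_t mLength = 0, mCapacity = 0, mReserved = 0;

  bool grow(size_t newCap) {
    std::unique_ptr<T[]> fresh(new T[newCap]);
    std::copy(mBegin.get(), mBegin.get() + mLength, fresh.get());
    mBegin = std::move(fresh);
    mCapacity = newCap;
    return true;
  }

 public:
  size_t length() const { return mLength; }
  size_t capacity() const { return mCapacity; }
  size_t reserved() const { return mReserved; }
  const T* begin() const { return mBegin.get(); }

  bool reserve(size_t request) {
    if (request > mCapacity && !grow(request)) return false;
    if (request > mReserved) mReserved = request;
    return true;
  }

  bool infallibleAppend(const T* chars, size_t insLength) {
    if (mLength + insLength > mReserved) return false;  // the assertion in the bug title
    std::copy(chars, chars + insLength, mBegin.get() + mLength);
    mLength += insLength;
    return true;
  }
};

// Simplified StringBuffer (hypothetical): Latin1 until a char > 0xFF arrives, then
// inflated to TwoByte. The flag selects the buggy or the fixed inflation.
class StringBuffer {
  Vector<unsigned char> latin1_;
  Vector<char16_t> twoByte_;
  bool isTwoByte_ = false;
  bool preserveCapacity_;

  bool inflateChars() {
    if (isTwoByte_) return true;
    // Buggy: reserve just enough to copy the existing chars, forgetting the caller's
    // reserve() (comment 6). Fixed: carry the Latin1 capacity across (comments 8, 9).
    size_t want = preserveCapacity_ ? latin1_.capacity() : latin1_.length();
    if (!twoByte_.reserve(want)) return false;
    for (size_t i = 0; i < latin1_.length(); i++) {
      char16_t c = latin1_.begin()[i];
      if (!twoByte_.infallibleAppend(&c, 1)) return false;
    }
    isTwoByte_ = true;
    return true;
  }

 public:
  explicit StringBuffer(bool preserve) : preserveCapacity_(preserve) {}
  size_t reserved() const { return isTwoByte_ ? twoByte_.reserved() : latin1_.reserved(); }
  bool reserve(size_t n) { return isTwoByte_ ? twoByte_.reserve(n) : latin1_.reserve(n); }

  // The infallible path a caller takes after reserve(). Returns false exactly where
  // a debug build would have tripped the assertion.
  bool infallibleAppend(const char16_t* chars, size_t n) {
    bool needTwoByte = isTwoByte_;
    for (size_t i = 0; i < n && !needTwoByte; i++) needTwoByte = chars[i] > 0xFF;
    if (needTwoByte && !inflateChars()) return false;
    if (isTwoByte_) return twoByte_.infallibleAppend(chars, n);
    for (size_t i = 0; i < n; i++) {
      unsigned char c = static_cast<unsigned char>(chars[i]);
      if (!latin1_.infallibleAppend(&c, 1)) return false;
    }
    return true;
  }
};

// Constructed input loosely modelled on the comment 2 testcase: regexp source that is
// Latin1 until U+B0DA. Returns true if every append stays inside the reserved space,
// false if the promise was lost on inflation; reservedOut gets the final reserved length.
bool runScenario(bool preserveCapacityOnInflate, size_t* reservedOut = nullptr) {
  StringBuffer sb(preserveCapacityOnInflate);
  const char16_t prefix[] = u"/(:[";   // Latin1-only
  const char16_t wide[] = u"\uB0DA";   // first non-Latin1 char forces inflation
  const char16_t tail[] = u"])/";
  if (!sb.reserve(16)) return false;   // assumed: caller reserves once up front
  bool ok = sb.infallibleAppend(prefix, 4) && sb.infallibleAppend(wide, 1) &&
            sb.infallibleAppend(tail, 3);
  if (reservedOut) *reservedOut = sb.reserved();
  return ok;
}
```

With the buggy inflation, runScenario(false) fails on the append right after U+B0DA: the TwoByte vector only ever reserved the 4 chars it copied, so the 16 the caller asked for are gone and the "mLength + insLength <= mReserved" check trips. With runScenario(true) the TwoByte side inherits the Latin1 capacity of 16 and all appends succeed, which is why carrying the capacity across is less error-prone than auditing every reserve() caller as patch v1 did.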

Comment 10 (4 years ago)
Comment on attachment 8449638 [details] [diff] [review]
Patch v2

Review of attachment 8449638 [details] [diff] [review]:
-----------------------------------------------------------------

Great!
Attachment #8449638 - Flags: review?(luke) → review+

Comment 11 (Assignee, 4 years ago)
Comment on attachment 8449638 [details] [diff] [review]
Patch v2

This patch has a subtle perf issue; new patch coming up.
Attachment #8449638 - Attachment is obsolete: true

Comment 12 (Assignee, 4 years ago)
Created attachment 8449719 [details] [diff] [review]
Patch v3
Attachment #8449719 - Flags: review?(luke)

Comment 13 (4 years ago)
Comment on attachment 8449719 [details] [diff] [review]
Patch v3

Review of attachment 8449719 [details] [diff] [review]:
-----------------------------------------------------------------

Nice job identifying this problem.
Attachment #8449719 - Flags: review?(luke) → review+

Updated (Reporter, 4 years ago)
Blocks: 998392

Comment 14 (Assignee, 4 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e28ce23f4e0
https://hg.mozilla.org/mozilla-central/rev/4e28ce23f4e0
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33