Closed Bug 1080542 Opened 10 years ago Closed 10 years ago

Assertion failure: offset < base()->length(), at c:\users\mozilla\debug-builds\mozilla-central\js\src\vm/String.h:678

Categories: Core :: JavaScript Engine, defect
Platform: x86
OS: All
Type: defect
Priority: Not set
Severity: normal

Tracking

VERIFIED FIXED
mozilla36
Tracking Status
firefox35 --- verified
firefox36 --- verified

People

(Reporter: cbook, Assigned: bhackett1024)

References

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

Found via bughunter and reproduced on a Windows 7 Debug Trunk Build.

Steps to reproduce:
-> Load http://www.nature.com/ncomms/2014/140731/ncomms5527/full/ncomms5527.html#supplementary-information

--> Assertion failure: offset < base()->length(), at c:\users\mozilla\debug-builds\mozilla-central\js\src\vm/String.h:678


0:000> g
(a18.49c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=08ee9ba0 ecx=67b2e0c2 edx=00000040 esi=05885648 edi=0d19bf50
eip=6571d68a esp=00188a04 ebp=00188a1c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210212
mozjs!JSDependentString::baseOffset+0xea:
6571d68a c705000000007b000000 mov dword ptr ds:[0],7Bh ds:0023:00000000=????????
0:000> ~* kp

.  0  Id: a18.49c Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr  
00188a1c 6574b485 mozjs!JSDependentString::baseOffset(void)+0xea [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\string.h @ 678]
00188a68 657181d3 mozjs!JSDependentString::new_(class js::ExclusiveContext * cx = 0x096a58c0, class JSLinearString * baseArg = 0x0d5d0140, unsigned int start = 0, unsigned int length = 0x10)+0x25 [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\string-inl.h @ 168]
00188aac 64ff8b65 mozjs!js::NewDependentString(struct JSContext * cx = 0x096a58c0, class JSString * baseArg = 0x0d5d0140, unsigned int start = 0, unsigned int length = 0x10)+0x123 [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\string.cpp @ 903]
00188b4c 64fffe71 mozjs!js::CreateRegExpMatchResult(struct JSContext * cx = 0x096a58c0, class JS::Handle<JSString *> input = class JS::Handle<JSString *>, class js::MatchPairs * matches = 0x00188b64, class JS::MutableHandle<JS::Value> rval = class JS::MutableHandle<JS::Value>)+0x1f5 [c:\users\mozilla\debug-builds\mozilla-central\js\src\builtin\regexp.cpp @ 64]
00188b88 64ffff5e mozjs!regexp_exec_impl(struct JSContext * cx = 0x096a58c0, class JS::Handle<JSObject *> regexp = class JS::Handle<JSObject *>, class JS::Handle<JSString *> string = class JS::Handle<JSString *>, js::RegExpStaticsUpdate staticsUpdate = UpdateRegExpStatics (0n0), class JS::MutableHandle<JS::Value> rval = class JS::MutableHandle<JS::Value>)+0x81 [c:\users\mozilla\debug-builds\mozilla-central\js\src\builtin\regexp.cpp @ 655]
00188bdc 64ff802e mozjs!regexp_exec_impl(struct JSContext * cx = 0x096a58c0, class JS::CallArgs args = class JS::CallArgs)+0xce [c:\users\mozilla\debug-builds\mozilla-central\js\src\builtin\regexp.cpp @ 666]
00188bf8 64ff103d mozjs!JS::CallNonGenericMethod(struct JSContext * cx = 0x096a58c0, <function> * Test = 0x64ff9c20, <function> * Impl = 0x64fffe90, class JS::CallArgs args = class JS::CallArgs)+0x3e [c:\users\mozilla\debug-builds\mozilla-central\firefox-debug\dist\include\js\callnongenericmethod.h @ 110]
00188c24 1c6a1621 mozjs!js::regexp_exec(struct JSContext * cx = 0x096a58c0, unsigned int argc = 1, class JS::Value * vp = 0x00188c50)+0x3d [c:\users\mozilla\debug-builds\mozilla-central\js\src\builtin\regexp.cpp @ 673]
WARNING: Frame IP not in any known module. Following frames may be wrong.
00188d2c 64ffaa96 0x1c6a1621
00188d38 00000000 mozjs!js::gc::Cell::address(void)+0x66 [c:\users\mozilla\debug-builds\mozilla-central\js\src\gc\heap.h @ 1194]
Attached file: Exception Analysis
http://www.microsoftstore.com/store/msusa/en_US/pdp/Surface-Pro-3-i3-64-gb-tablet/productID.300190600?vid=304047100&WT.mc_id=rtm-Surface-Pro-3-i3-64-gb-tablet is another page where this assertion can be reproduced. 

Brian could you take a look at this assertion failure, thanks!
Flags: needinfo?(bhackett1024)
Attached patch: patch
A flipped test was causing the RegExp.exec stub to follow base pointers on undepended strings rather than dependent strings.
Assignee: nobody → bhackett1024
Attachment #8502541 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Blocks: 1066828
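The mechanism the patch comment describes, as an added illustration that is neither SpiderMonkey's code nor the patch: a toy C model of flat, dependent and undepended strings in which a dependent-ness test written the wrong way round makes a RegExp.exec-style fast path read a chars pointer as a base pointer. The struct layout, the single flag bit, the `flipped` parameter and the `view_is_sane` check are assumptions of this example and do not correspond to SpiderMonkey's real representation; the one behaviour taken from the crash stack is that creating a dependent string on top of a dependent base folds the offset in and depends on the base's base.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the string representation (an assumption of this example, not
 * SpiderMonkey's real layout): a flat string owns its characters, a dependent
 * string stores a base pointer plus an offset into it.  Both live in one union,
 * which is what makes a flag test that is the wrong way round dangerous. */
enum { FLAG_DEPENDENT = 1u };

typedef struct Str Str;
struct Str {
    uint32_t flags;
    uint32_t length;
    union {
        char *chars;   /* valid only when !(flags & FLAG_DEPENDENT) */
        Str  *base;    /* valid only when  (flags & FLAG_DEPENDENT) */
    } u;
    uint32_t offset;   /* meaningful only for dependent strings */
};

static int is_dependent(const Str *s) { return (s->flags & FLAG_DEPENDENT) != 0; }

static Str *new_flat(const char *text) {
    Str *s = calloc(1, sizeof *s);
    s->length = (uint32_t)strlen(text);
    s->u.chars = malloc(s->length + 1);
    memcpy(s->u.chars, text, s->length + 1);
    return s;
}

/* A dependent string always points at a flat base: when asked to depend on a
 * dependent string, fold its offset in and depend on its base instead.  This is
 * the step where an "offset < base()->length()" style check belongs. */
static Str *new_dependent(Str *base, uint32_t start, uint32_t length) {
    if (is_dependent(base)) {
        assert(base->offset < base->u.base->length);
        start += base->offset;
        base = base->u.base;
    }
    assert((uint64_t)start + length <= base->length);
    Str *s = calloc(1, sizeof *s);
    s->flags = FLAG_DEPENDENT;
    s->length = length;
    s->u.base = base;
    s->offset = start;
    return s;
}

/* "Undepend": give a dependent string its own buffer.  Afterwards the union holds
 * chars again, so code that still treats it as dependent reads chars as a Str*. */
static void undepend(Str *s) {
    assert(is_dependent(s));
    char *buf = malloc(s->length + 1);
    memcpy(buf, s->u.base->u.chars + s->offset, s->length);
    buf[s->length] = '\0';
    s->flags &= ~FLAG_DEPENDENT;
    s->u.chars = buf;
    s->offset = 0;
}

/* What a RegExp.exec fast path wants from its input: the flat string and offset
 * that the match substrings should depend on.  `flipped` (an assumption of this
 * model) inverts the dependent-ness test, the class of bug the patch comment
 * describes. */
typedef struct { const Str *base; uint32_t offset; } BaseView;

static BaseView resolve_base(const Str *s, int flipped) {
    BaseView v = { s, 0 };
    int follow_base = flipped ? !is_dependent(s) : is_dependent(s);
    if (follow_base) {
        v.base = s->u.base;   /* on a flat or undepended string this is really chars */
        v.offset = s->offset;
    }
    return v;
}

/* 1 if the view names a genuine flat string reachable from s with an in-range
 * offset, 0 otherwise.  A bogus base pointer is rejected before being dereferenced. */
static int view_is_sane(const Str *s, BaseView v) {
    if (v.base != s && (!is_dependent(s) || v.base != s->u.base))
        return 0;
    return !is_dependent(v.base) && v.offset < v.base->length;
}

int main(void) {
    Str *base = new_flat("the quick brown fox");            /* constructed sample input */
    Str *dep  = new_dependent(base, 4, 5);                  /* "quick" */
    Str *dep2 = new_dependent(dep, 1, 3);                   /* "uic": folded onto base at offset 5 */
    assert(dep2->u.base == base && dep2->offset == 5);
    undepend(dep);                                          /* dep now owns "quick" */
    assert(view_is_sane(dep, resolve_base(dep, 0)));
    assert(!view_is_sane(dep, resolve_base(dep, 1)));       /* flipped test: chars read as base */
    return 0;
}
```

The point of the model is the union: once a string has been undepended, the word that used to hold the base pointer holds a character pointer, so an inverted `is_dependent` test does not merely pick the wrong branch, it produces a pointer of the wrong type, and the first consumer to dereference it (here, a later `new_dependent` folding the offset) is where the assertion, or in an opt build a wild read, shows up.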
Attached file testcase.html
Keywords: testcase
Comment on attachment 8502541 [details] [diff] [review]
patch

Review of attachment 8502541 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch.
Attachment #8502541 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/69c6ed8b8f12
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Brian, it seems the regression test/patch was uplifted to aurora, and so bughunter is reporting this assertion failure a lot. Would it be possible to get this patch here also to aurora?
Flags: needinfo?(bhackett1024)
Comment on attachment 8502541 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]: bug 1066828
[User impact if declined]: incorrect behavior
[Describe test coverage new/current, TBPL]: none
[Risks and why]: none
Flags: needinfo?(bhackett1024)
Attachment #8502541 - Flags: approval-mozilla-aurora?
Attachment #8502541 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Reproduced with Nightly 2014-10-09 debug build: ‘Assertion failure: offset < base()->length(), at c:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\js\src\vm/String.h:678’ is displayed and Fx hangs.
Verified as fixed with Fx DevEd 36.0a2 (Build ID: 20150111140430) and Fx 35.0 Beta (Build ID: 20150108162314) debug builds on Windows 7 64-bit, Mac OS X 10.9.5 and Ubuntu 14.04 32-bit.
Status: RESOLVED → VERIFIED