Bug 1080542 (Closed)
Opened 10 years ago, closed 10 years ago
Assertion failure: offset < base()->length(), at c:\users\mozilla\debug-builds\mozilla-central\js\src\vm/String.h:678
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla36
People: Reporter: cbook, Assigned: bhackett1024
Keywords: assertion, testcase
Attachments (3 files)
- 3.96 KB, text/plain
- 1.12 KB, patch (jandem: review+, Sylvestre: approval-mozilla-aurora+)
- 15.02 KB, text/html
found via bughunter and reproduced on a Windows 7 Debug Trunk Build.

Steps to reproduce:
-> Load http://www.nature.com/ncomms/2014/140731/ncomms5527/full/ncomms5527.html#supplementary-information
--> Assertion failure: offset < base()->length(), at c:\users\mozilla\debug-builds\mozilla-central\js\src\vm/String.h:678

0:000> g
(a18.49c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=08ee9ba0 ecx=67b2e0c2 edx=00000040 esi=05885648 edi=0d19bf50
eip=6571d68a esp=00188a04 ebp=00188a1c iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212
mozjs!JSDependentString::baseOffset+0xea:
6571d68a c705000000007b000000 mov dword ptr ds:[0],7Bh ds:0023:00000000=????????
0:000> ~* kp

. 0 Id: a18.49c Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr
00188a1c 6574b485 mozjs!JSDependentString::baseOffset(void)+0xea [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\string.h @ 678]
00188a68 657181d3 mozjs!JSDependentString::new_(class js::ExclusiveContext * cx = 0x096a58c0, class JSLinearString * baseArg = 0x0d5d0140, unsigned int start = 0, unsigned int length = 0x10)+0x25 [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\string-inl.h @ 168]
00188aac 64ff8b65 mozjs!js::NewDependentString(struct JSContext * cx = 0x096a58c0, class JSString * baseArg = 0x0d5d0140, unsigned int start = 0, unsigned int length = 0x10)+0x123 [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\string.cpp @ 903]
00188b4c 64fffe71 mozjs!js::CreateRegExpMatchResult(struct JSContext * cx = 0x096a58c0, class JS::Handle<JSString *> input = class JS::Handle<JSString *>, class js::MatchPairs * matches = 0x00188b64, class JS::MutableHandle<JS::Value> rval = class JS::MutableHandle<JS::Value>)+0x1f5 [c:\users\mozilla\debug-builds\mozilla-central\js\src\builtin\regexp.cpp @ 64]
00188b88 64ffff5e mozjs!regexp_exec_impl(struct JSContext * cx = 0x096a58c0, class JS::Handle<JSObject *> regexp = class JS::Handle<JSObject *>, class JS::Handle<JSString *> string = class JS::Handle<JSString *>, js::RegExpStaticsUpdate staticsUpdate = UpdateRegExpStatics (0n0), class JS::MutableHandle<JS::Value> rval = class JS::MutableHandle<JS::Value>)+0x81 [c:\users\mozilla\debug-builds\mozilla-central\js\src\builtin\regexp.cpp @ 655]
00188bdc 64ff802e mozjs!regexp_exec_impl(struct JSContext * cx = 0x096a58c0, class JS::CallArgs args = class JS::CallArgs)+0xce [c:\users\mozilla\debug-builds\mozilla-central\js\src\builtin\regexp.cpp @ 666]
00188bf8 64ff103d mozjs!JS::CallNonGenericMethod(struct JSContext * cx = 0x096a58c0, <function> * Test = 0x64ff9c20, <function> * Impl = 0x64fffe90, class JS::CallArgs args = class JS::CallArgs)+0x3e [c:\users\mozilla\debug-builds\mozilla-central\firefox-debug\dist\include\js\callnongenericmethod.h @ 110]
00188c24 1c6a1621 mozjs!js::regexp_exec(struct JSContext * cx = 0x096a58c0, unsigned int argc = 1, class JS::Value * vp = 0x00188c50)+0x3d [c:\users\mozilla\debug-builds\mozilla-central\js\src\builtin\regexp.cpp @ 673]
WARNING: Frame IP not in any known module. Following frames may be wrong.
00188d2c 64ffaa96 0x1c6a1621
00188d38 00000000 mozjs!js::gc::Cell::address(void)+0x66 [c:\users\mozilla\debug-builds\mozilla-central\js\src\gc\heap.h @ 1194]
Comment 1 • 10 years ago (Reporter)
Comment 2 • 10 years ago (Reporter)
http://www.microsoftstore.com/store/msusa/en_US/pdp/Surface-Pro-3-i3-64-gb-tablet/productID.300190600?vid=304047100&WT.mc_id=rtm-Surface-Pro-3-i3-64-gb-tablet is another page where this assertion can be reproduced. Brian, could you take a look at this assertion failure? Thanks!
Flags: needinfo?(bhackett1024)
Comment 3 • 10 years ago (Assignee)
A flipped test was causing the RegExp.exec stub to follow base pointers on undepended strings rather than dependent strings.
Assignee: nobody → bhackett1024
Attachment #8502541 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
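The kind of inverted flag test comment 3 describes, as an added C++ model that is not SpiderMonkey code and not this bug's patch: `Str`, `Slice`, `rebase`, the flag values and the sample strings are constructed, and the model assumes an undepended string owns a copy of its characters while keeping its base pointer. With the test inverted, the base is followed for the undepended string and the offset invariant named in the assertion message fails.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Simplified model, not SpiderMonkey code: names and flag values are constructed.
constexpr uint32_t kFlat = 1, kHasBase = 2;
constexpr uint32_t kDependent = kHasBase;           // views chars inside base's buffer
constexpr uint32_t kUndepended = kHasBase | kFlat;  // assumed: owns a copy, keeps base

struct Str {
    uint32_t flags;
    const std::u16string* buffer;  // storage the characters live in
    size_t start, length;          // window into *buffer
    const Str* base;               // non-null when kHasBase is set
};
struct Slice { const Str* owner; size_t start; };

// Offset of s inside its base. Returns false where a debug build would hit
// the "offset < base()->length()" assertion.
bool baseOffset(const Str& s, size_t* offset) {
    if (s.buffer != s.base->buffer || s.start < s.base->start) return false;
    *offset = s.start - s.base->start;
    return *offset < s.base->length;
}

// Re-bases a substring request onto the string that owns the characters.
// flipped=true models the inverted flag test described in comment 3.
bool rebase(const Str& s, size_t start, bool flipped, Slice* out) {
    bool hasBase = (s.flags & kHasBase) != 0;
    bool isDependent = hasBase && (s.flags & kFlat) == 0;
    bool follow = hasBase && (isDependent != flipped);
    *out = Slice{&s, start};                    // default: the string is its own base
    if (!follow) return true;
    size_t offset;
    if (!baseOffset(s, &offset)) return false;  // invariant violated
    *out = Slice{s.base, start + offset};
    return true;
}

// Constructed sample strings.
const std::u16string kRootBuf = u"hello world", kCopyBuf = u"world";
const Str kRoot{kFlat, &kRootBuf, 0, 11, nullptr};
const Str kDep{kDependent, &kRootBuf, 6, 5, &kRoot};     // view of "world"
const Str kUndep{kUndepended, &kCopyBuf, 0, 5, &kRoot};  // private copy of "world"
int main() {
    Slice out;
    bool ok = rebase(kDep, 1, false, &out) && out.owner == &kRoot && out.start == 7;
    return (ok && !rebase(kUndep, 1, true, &out)) ? 0 : 1;
}
```

In the model the inverted test also skips re-basing for the genuinely dependent string, so both string kinds take the wrong path.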
Comment 4 • 10 years ago (Reporter)
Comment 5 • 10 years ago
Comment on attachment 8502541: patch
Review of attachment 8502541:
-----------------------------------------------------------------
Good catch.
Attachment #8502541 - Flags: review?(jdemooij) → review+
Comment 6 • 10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/69c6ed8b8f12
https://hg.mozilla.org/mozilla-central/rev/69c6ed8b8f12
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Comment 8 • 10 years ago (Reporter)
Brian, seems the regression test/patch was uplifted to aurora and so bughunter is reporting this assertion failure a lot. Would it be possible to get this patch here also to aurora?
Flags: needinfo?(bhackett1024)
Comment 9 • 10 years ago (Assignee)
Comment on attachment 8502541: patch
Approval Request Comment
[Feature/regressing bug #]: bug 1066828
[User impact if declined]: incorrect behavior
[Describe test coverage new/current, TBPL]: none
[Risks and why]: none
Flags: needinfo?(bhackett1024)
Attachment #8502541 - Flags: approval-mozilla-aurora?
Updated • 10 years ago
status-firefox35: --- → affected
status-firefox36: --- → fixed
Updated • 10 years ago
Attachment #8502541 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 11 • 9 years ago
Reproduced with Nightly 2014-10-09 debug build: ‘Assertion failure: offset < base()->length(), at c:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\js\src\vm/String.h:678’ is displayed and Fx hangs. Verified as fixed with Fx DevEd 36.0a2 (Build ID: 20150111140430) and Fx 35.0 Beta (Build ID: 20150108162314) debug builds on Windows 7 64-bit, Mac OS X 10.9.5 and Ubuntu 14.04 32-bit.