Closed
Bug 1273432
Opened 8 years ago
Closed 8 years ago
Assertion failure: count <= JSString::MAX_LENGTH, at js/src/vm/String.cpp:947
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla49
| Tracking | Status | |
|---|---|---|
| firefox49 | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
30.77 KB,
text/plain
|
Details | |
|
1.35 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision d0be57e84807 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
try {
x = '';
for (var y in this) {
x += x + 'z';
};
} catch (e) {}
evaluate('', ({
sourceMapURL: x
}));
Backtrace:
0 js-dbg-64-dm-clang-darwin-d0be57e84807 0x000000010e2abac9 char16_t* js::AutoStableStringChars::allocOwnChars<char16_t>(JSContext*, unsigned long) + 233 (String.cpp:947)
1 js-dbg-64-dm-clang-darwin-d0be57e84807 0x000000010e29e24e js::AutoStableStringChars::copyAndInflateLatin1Chars(JSContext*, JS::Handle<JSLinearString*>) + 30 (String.cpp:963)
2 js-dbg-64-dm-clang-darwin-d0be57e84807 0x000000010e29e0cb js::AutoStableStringChars::initTwoByte(JSContext*, JSString*) + 139 (String.cpp:915)
3 js-dbg-64-dm-clang-darwin-d0be57e84807 0x000000010d9de3b4 Evaluate(JSContext*, unsigned int, JS::Value*) + 3668 (js.cpp:1510)
4 js-dbg-64-dm-clang-darwin-d0be57e84807 0x000000010e1cab6e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
/snip
For detailed crash information, see attachment.
Assertion failures about lengths of strings scare me, setting s-s pending further analysis.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/41aa5d56a722 user: Jon Coppeard date: Mon Apr 25 13:41:25 2016 +0100 summary: Bug 1259021 - Use in-place storage in AutoStableStringChars to avoid allocation for short strings r=jandem r=Waldo Jon, is bug 1259021 a likely regressor?
Blocks: 1259021
Flags: needinfo?(jcoppeard)
|
Assignee | |
Comment 3•8 years ago
|
||
This is just an off-by-one in the assertion.
Group: javascript-core-security
|
|
Assignee | |
Comment 4•8 years ago
|
||
Update the assertion to take into account space for the null terminator.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8753336 -
Flags: review?(jdemooij)
|
||
Updated•8 years ago
|
Attachment #8753336 -
Flags: review?(jdemooij) → review+
Backed out for bustage: https://treeherder.mozilla.org/logviewer.html#?job_id=28169364&repo=mozilla-inbound https://hg.mozilla.org/integration/mozilla-inbound/rev/486da9da5b8a
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 7•8 years ago
|
||
The test creates the longest possible string and for some reason this makes the test timeout on Win XP only. I can't immediately see how to get around this, so I'm going to land the fix without the test.
Flags: needinfo?(jcoppeard)
|
||
Comment 9•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/666bfc7f00ff
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
You need to log in
before you can comment on or make changes to this bug.
Description
•