Closed
Bug 1350097
Opened 7 years ago
Closed 7 years ago
Assertion failure: len <= sizeof(fout), at mozglue/misc/Printf.cpp:280
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
Tracking | Status | |
---|---|---|
firefox52 | --- | unaffected |
firefox-esr52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | --- | unaffected |
firefox55 | --- | fixed |
People
(Reporter: gkw, Assigned: tromey)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 200182ef1156 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): // Adapted from randomly chosen test: // js/src/tests/test262/language/expressions/exponentiation/applying-the-exp-operator_A11.js dis(function () { x = 1.7976931348623157e308; }) Backtrace: #0 0x00000000004739dd in mozilla::PrintfTarget::cvt_f (this=this@entry=0x7fff57b0fe40, d=1.7976931348623157e+308, fmt0=<optimized out>, fmt1=fmt1@entry=0x10ef6b3 "") at mozglue/misc/Printf.cpp:280 #1 0x000000000047494d in mozilla::PrintfTarget::vprint (this=this@entry=0x7fff57b0fe40, fmt=<optimized out>, fmt@entry=0x10ef6b0 "%lf", ap=ap@entry=0x7fff57b0fe90) at mozglue/misc/Printf.cpp:784 #2 0x0000000000b7a5c2 in js::GenericPrinter::vprintf (this=0x7fff57b10100, fmt=0x10ef6b0 "%lf", ap=0x7fff57b0fe90) at js/src/vm/Printer.cpp:85 #3 0x0000000000b7a6b6 in js::GenericPrinter::printf (this=this@entry=0x7fff57b10100, fmt=fmt@entry=0x10ef6b0 "%lf") at js/src/vm/Printer.cpp:72 #4 0x00000000009f24a2 in (anonymous namespace)::ExpressionDecompiler::decompilePC (this=0x7fff57b10080, pc=0x7f3dabb45fbd "<", defIndex=<optimized out>) at js/src/jsopcode.cpp:1980 /snip For detailed crash information, see attachment.
Reporter | ||
Comment 1•7 years ago
|
||
Reporter | ||
Comment 2•7 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/20318a73395e parent: 4a8979c4c9df user: Tom Tromey date: Tue Feb 28 10:00:56 2017 -0700 summary: Bug 1334307 - do not allocate in GenericPrinter::vprintf; r=nbp Tom, is bug 1334307 a likely regressor?
Flags: needinfo?(ttromey)
Reporter | ||
Comment 3•7 years ago
|
||
Note to self, the test in js/src/tests/test262/language/expressions/exponentiation/applying-the-exp-operator_A11.js contained: var exponents = []; exponents[3] = Infinity; exponents[2] = 1.7976931348623157E308; //largest (by module) finite number exponents[1] = 1; exponents[0] = 0.000000000000001;
Assignee | ||
Comment 4•7 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2) > Tom, is bug 1334307 a likely regressor? Yes, it changed which underlying printf is used for Sprinter::printf, frame #3 in the stack trace. The code here does this: char fout[300]; ... size_t len = SprintfLiteral(fout, fin, d); MOZ_ASSERT(len <= sizeof(fout)); ... where |fin| holds the float format string, in this case "%lf". So this means we're seeing a floating point value that takes more than 300 chars to represent, or maybe a bug in the platform sprintf.
Flags: needinfo?(ttromey)
Assignee | ||
Comment 6•7 years ago
|
||
glibc tries to print the value without exponential notation: (gdb) p fout $2 = "17976931348623157081452742373170435679807056752584499659891747680315726078002853876058955863276687817154045895351438246423432132688946418276846754670353751698604991057655128207624549009038932894407586"...
Assignee | ||
Comment 7•7 years ago
|
||
According to snprintf the value takes 316 characters to represent. It's tempting to just bump up the buffer size a bit.
Comment hidden (mozreview-request) |
Comment 9•7 years ago
|
||
mozreview-review |
Comment on attachment 8850956 [details] Bug 1350097 - handle very long floating point output in cvt_f; https://reviewboard.mozilla.org/r/123468/#review125904 LOL at glibc printing this value out exactly. Let's not overly complicate this code for the sake of an uncommon case; a little bit more stack is OK. ::: mozglue/misc/Printf.cpp:281 (Diff revision 1) > - MOZ_ASSERT(len <= sizeof(fout)); > + if (MOZ_LIKELY(len <= sizeof(fout))) > - > - return emit(fout, len); > + return emit(fout, len); I think just bumping up the buffer size here to 320 or more, adding a comment explaining why this is sufficient, and turning the assert into MOZ_RELEASE_ASSERT would work just as well.
Attachment #8850956 -
Flags: review?(nfroyd)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 11•7 years ago
|
||
Sorry, forgot the release assert. 1 sec...
Comment hidden (mozreview-request) |
Comment 13•7 years ago
|
||
mozreview-review |
Comment on attachment 8850956 [details] Bug 1350097 - handle very long floating point output in cvt_f; https://reviewboard.mozilla.org/r/123468/#review125944
Attachment #8850956 -
Flags: review?(nfroyd) → review+
Comment 14•7 years ago
|
||
hg error in cmd: hg identify upstream -r tip:
Reporter | ||
Comment 15•7 years ago
|
||
Tom, what's next here? It will be nice to have this landed before the weekend.
Flags: needinfo?(ttromey)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 17•7 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #15) > Tom, what's next here? It will be nice to have this landed before the > weekend. Sorry - I was on PTO and neglected to update my bugzilla info to reflect that. I see that landing failed. I've rebased and will retry now.
Flags: needinfo?(ttromey)
Comment 18•7 years ago
|
||
Pushed by ttromey@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/02e8fffc17fb handle very long floating point output in cvt_f; r=froydnj
Comment 19•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/02e8fffc17fb
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•7 years ago
|
Blocks: 1334307
status-firefox52:
--- → unaffected
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox-esr52:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•