Closed Bug 1736805 Opened 3 months ago Closed 3 months ago

String.prototype.normalize("NFD") gives weird result for specific string

Categories

(Core :: JavaScript: Internationalization API, defect, P1)

Firefox 94
defect

Tracking


RESOLVED FIXED
95 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox93 --- unaffected
firefox94 + fixed
firefox95 + fixed

People

(Reporter: joao.nelas, Assigned: anba)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0

Steps to reproduce:

I can reproduce on multiple computers (all Mac) by entering in the console:

" ç ".normalize("NFD")

The specific number of characters is important, but not the specific one. I can change the space to another ASCII char, or the ç to another non-ASCII char.

Actual results:

It returns

"\ue5e5\ue5e5\ue5e5\ue5e5\ue5e5\ue5e5\ue5e5\ue5e5\ue5e5ç "

Expected results:

It should return basically the same string

" ç "

This happens to me in Developer Edition, not normal Firefox.

And it started happening after version 90 something. I had a less used Mac that was still on that older version and it didn't have the bug, until I updated FF.

I've noticed that the display of the description is collapsing the spaces.

The problematic string is:

"         ç                      ".normalize("NFD")
Component: General → JavaScript: Internationalization API
Assignee: nobody → andrebargull
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Regressed by: 1731080
Priority: -- → P3
Severity: -- → S3

This should be P1 and backported to Beta.

Priority: P3 → P1
Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6b89503a4811
Register written normalised length. r=platform-i18n-reviewers,gregtatum

Comment on attachment 9247603 [details]
Bug 1736805: Register written normalised length. r=#platform-i18n-reviewers!

Beta/Release Uplift Approval Request

  • User impact if declined: Users can see \ue5e5 (or \ue4e4 in debug mode) in strings returned by String.prototype.normalize. Both are jemalloc poison patterns.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It only sets mozilla::Vector::mLength to the correct value.
  • String changes made/needed:
Attachment #9247603 - Flags: approval-mozilla-beta?

Set release status flags based on info from the regressing bug 1731080

(In reply to André Bargull [:anba] from comment #3)

This should be P1 and backported to Beta.

We've already built the Fx94 RC build. Are you saying this needs to drive an RC respin (i.e. be a dot release level issue)? If so, can you please offer some more context about the impact of the bug as it's not clear to me at the moment.

Flags: needinfo?(andrebargull)

Comment on attachment 9247603 [details]
Bug 1736805: Register written normalised length. r=#platform-i18n-reviewers!

94 is on release now.

Attachment #9247603 - Flags: approval-mozilla-beta? → approval-mozilla-release?

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

We've already built the Fx94 RC build. Are you saying this needs to drive an RC respin (i.e. be a dot release level issue)? If so, can you please offer some more context about the impact of the bug as it's not clear to me at the moment.

Probably yes. We read jemalloc poisoned memory, which is kind of bad. I haven't been able to create a test case which reads anything else than memory set to either 0xe5 or 0x00, but I can't say with 100% confidence that it isn't possible to create a test case which reads freed memory which isn't poisoned.

Flags: needinfo?(andrebargull)
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
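The symptom described in the uplift request above (jemalloc poison code units U+E5E5 / U+E4E4 leaking into the result of String.prototype.normalize) and in the comment about reading poisoned memory, as a regression check added here for this page; it is example code, not Firefox's own test or the patch, and the space counts in PROBLEM_STRING are an assumption reconstructed from the reporter's string.

```javascript
// Example regression check for the String.prototype.normalize defect
// described in this bug; written for this page, not Firefox's test or patch.
// jemalloc fills freed/uninitialised memory with 0xe5 (release) or 0xe4 (debug),
// so a UTF-16 code unit read from such memory shows up as U+E5E5 or U+E4E4.
const POISON_CODE_UNITS = new Set([0xe5e5, 0xe4e4]);

// Reconstructed from the report's problematic string: 9 spaces, "ç", 22 spaces.
// The exact counts are an assumption; the reporter says only the length matters.
const PROBLEM_STRING = " ".repeat(9) + "\u00e7" + " ".repeat(22);

// Indices of code units in `str` that match a jemalloc poison pattern.
function findPoisonCodeUnits(str) {
  const hits = [];
  for (let i = 0; i < str.length; i++) {
    if (POISON_CODE_UNITS.has(str.charCodeAt(i))) hits.push(i);
  }
  return hits;
}

// Audit an (input, output) pair for the symptoms in this bug without calling
// normalize itself, so the output quoted in the report can be checked too:
//  - poison code units leaked into the output,
//  - the output does not round-trip to the same NFC form as the input,
//  - unexpected length (each precomposed "ç" becomes "c" + U+0327 under NFD).
function auditNormalizeOutput(input, output, expectedLength) {
  const problems = [];
  const poison = findPoisonCodeUnits(output);
  if (poison.length > 0) problems.push(`poison code units at ${poison.join(",")}`);
  if (output.normalize("NFC") !== input.normalize("NFC")) problems.push("no NFC round-trip");
  if (expectedLength !== undefined && output.length !== expectedLength) {
    problems.push(`length ${output.length}, expected ${expectedLength}`);
  }
  return problems;
}

// Run normalize on the engine under test and audit what it returned.
function checkNormalize(input, form, expectedLength) {
  const output = input.normalize(form);
  const problems = auditNormalizeOutput(input, output, expectedLength);
  return { ok: problems.length === 0, output, problems };
}

// Expected NFD length for PROBLEM_STRING: 32 code units plus one for the cedilla.
const EXPECTED_NFD_LENGTH = PROBLEM_STRING.length + 1;
```

Running checkNormalize(PROBLEM_STRING, "NFD", EXPECTED_NFD_LENGTH) on a fixed engine returns ok: true; feeding the output quoted in the report to auditNormalizeOutput flags all three problems.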

Comment on attachment 9247603 [details]
Bug 1736805: Register written normalised length. r=#platform-i18n-reviewers!

Approved for 94.0rc2.

Attachment #9247603 - Flags: approval-mozilla-release? → approval-mozilla-release+