Closed Bug 1782558 Opened 2 years ago Closed 2 years ago

Assertion failure: aValue <= (size_t(1) << (sizeof(size_t) * 8 - 1)) (can't round up -- will overflow!), at dist/include/mozilla/MathAlgorithms.h:391

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect

Tracking


RESOLVED FIXED
105 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 --- fixed

People

(Reporter: gkw, Assigned: sfink)

References

(Regression)

Details

(Keywords: csectype-intoverflow, regression, testcase)

Attachments

(1 file)

let x = [];
x.length = Math.pow(2, 32) - 1;
x + 1;

Thread 1 "js-dbg-32-linux" received signal SIGSEGV, Segmentation fault.
mozilla::RoundUpPow2 (aValue=4294967294) at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bc1d41e88ae3/objdir-js/dist/include/mozilla/MathAlgorithms.h:390
390	  MOZ_ASSERT(aValue <= (size_t(1) << (sizeof(size_t) * CHAR_BIT - 1)),
(gdb) bt
#0  mozilla::RoundUpPow2 (aValue=4294967294) at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bc1d41e88ae3/objdir-js/dist/include/mozilla/MathAlgorithms.h:390
#1  js::detail::GrowEltsAggressively<1u> (aOldElts=0, aIncr=4294967294) at /home/skygentoo/trees/mozilla-central/js/src/util/StringBuffer.h:39
#2  js::StringBufferAllocPolicy::computeGrowth<1u> (aOldElts=0, aIncr=4294967294) at /home/skygentoo/trees/mozilla-central/js/src/util/StringBuffer.h:94
#3  0x57afb746 in mozilla::detail::ComputeGrowth<js::StringBufferAllocPolicy, 1u>(unsigned int, unsigned int, decltype ((((std::declval<js::StringBufferAllocPolicy>()).(computeGrowth<1u>))(0, 0)),((bool)()))) (aOldElts=0, aIncr=1451055316, aOverloadSelector=<optimized out>)
    at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bc1d41e88ae3/objdir-js/dist/include/mozilla/Vector.h:135
#4  mozilla::Vector<unsigned char, 64u, js::StringBufferAllocPolicy>::growStorageBy (this=0xffff9f20, aIncr=4294967294)
    at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bc1d41e88ae3/objdir-js/dist/include/mozilla/Vector.h:1054
#5  0x57ba2e30 in mozilla::Vector<unsigned char, 64u, js::StringBufferAllocPolicy>::reserve (this=0xffff9f20, aRequest=4294967294)
    at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bc1d41e88ae3/objdir-js/dist/include/mozilla/Vector.h:1115
#6  0x57c13088 in js::StringBuffer::reserve (this=0xffff9f18, len=4294967294) at /home/skygentoo/trees/mozilla-central/js/src/util/StringBuffer.h:197
#7  0x57be437b in js::array_join (cx=<optimized out>, argc=0, vp=0xf6aeb0e0) at /home/skygentoo/trees/mozilla-central/js/src/builtin/Array.cpp:1348
#8  0x57bcd800 in CallJSNative (cx=0xf6a15100, native=0x57be3e10 <js::array_join(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::CallContent, args=...)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:417
#9  0x57bc0430 in js::InternalCallOrConstruct (cx=0xf6a15100, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::CallContent)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:505
#10 0x57bc0e9c in InternalCall (cx=0xf6a15100, args=..., reason=js::CallReason::CallContent) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:572
#11 0x57bb6b79 in js::CallFromStack (cx=0x59228c68 <gMozCrashReason>, cx@entry=0xf6452e50, args=..., reason=1451055316)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:577
#12 Interpret (cx=0x59228c68 <gMozCrashReason>, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:3325
#13 0x57bad162 in js::RunScript (cx=<optimized out>, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:389
#14 0x57bc035b in js::InternalCallOrConstruct (cx=0xf6a15100, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:537
#15 0x57bc0e9c in InternalCall (cx=0xf6a15100, args=..., reason=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:572
#16 0x57bc106e in js::Call (cx=0xf6a15100, fval=..., thisv=..., args=..., rval=..., reason=js::CallReason::Call)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:604
#17 0x57d687ec in js::Call (cx=0xf6a15100, fval=..., thisObj=0xf6900560, rval=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.h:109
#18 0x57df3311 in MaybeCallMethod (cx=<optimized out>, obj=..., id=..., vp=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.cpp:2333
#19 0x57df2e23 in JS::OrdinaryToPrimitive (cx=0xf6a15100, obj=..., hint=JSTYPE_UNDEFINED, vp=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/Barrier.h:1082
#20 0x57df3844 in js::ToPrimitiveSlow (cx=0xf6a15100, preferredType=JSTYPE_UNDEFINED, vp=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.cpp:2476
#21 0x57bc5cd3 in js::ToPrimitive (cx=0xf6a15100, vp=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSObject.h:744
#22 AddOperation (cx=<optimized out>, lhs=..., rhs=..., res=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:1390
#23 0x57bb1d87 in Interpret (cx=0x59228c68 <gMozCrashReason>, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:2765
#24 0x57bad162 in js::RunScript (cx=<optimized out>, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:389
#25 0x57bc268f in js::ExecuteKernel (cx=0xf6a15100, script=..., envChainArg=..., evalInFrame=..., result=...)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:783
#26 0x57bc2a56 in js::Execute (cx=0xf6a15100, script=..., envChain=..., rval=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:815
#27 0x57d21743 in ExecuteScript (cx=0xf6a15100, envChain=..., script=..., rval=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:516
#28 0x57d21915 in JS_ExecuteScript (cx=0xf6a15100, scriptArg=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:540
#29 0x57af25b1 in RunFile (cx=0xf6a15100, filename=<optimized out>, file=0xf781b1b0, compileMethod=CompileUtf8::DontInflate, compileOnly=<optimized out>)
    at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1067
#30 0x57af1dcf in Process (cx=0xf6a15100, filename=<optimized out>, forceTTY=<optimized out>, kind=FileScript)
    at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1655
#31 0x57ac0025 in ProcessArgs (cx=0xf6a15100, op=0xffffca00) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11038
#32 Shell (cx=0xf6a15100, op=0xffffca00) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11739
#33 0x57ab8ef0 in main (argc=6, argv=0xffffcba4) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12846
(gdb)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b014f84dacd0
user:        Steve Fink
date:        Wed Jul 27 22:59:51 2022 +0000
summary:     Bug 1774733 - Allow AllocPolicy to determine Vector growth policy, and be aggressive about StringBuilder allocation strategy to reduce memcpy'ing. r=jandem

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with 'CXX="clang++ -msse2 -mfpmath=sse"' PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig AR=ar 'CC="clang -msse2 -mfpmath=sse"' sh ./configure --host=x86_64-pc-linux-gnu --target=i686-pc-linux --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-bootstrap --disable-tests, tested on m-c rev bc1d41e88ae3.

Not sure if this is s-s. Steve, is bug 1774733 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(sphink)
Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1774733

We're seeing this as well in fuzzing and likely a dup of bug 1782468.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(sphink)
Resolution: --- → DUPLICATE

Actually, I'm going to un-dupe these for now. I assumed too quickly that the obvious fix would fix all of these, and it doesn't. They may end up being duplicates after all, but I'm not confident anymore. (One may have been entirely due to an added assertion, but it's behaving weirdly so even there I'm not sure atm.)

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Assignee: nobody → sphink
Status: REOPENED → ASSIGNED

This turns out to not be security sensitive. If the assert weren't there, this would do size_t(1) << 32 which produces zero. Technically, it's undefined behavior, but on my machine it produces zero, on 32-bit ARM the underlying instructions return 0, and generally it seems unlikely to do anything else.

Accidentally running this test case on 64-bit revealed a perf nuisance problem. I'll file a separate bug for that: bug 1783082.
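An added illustration (not code from the bug or from SpiderMonkey) of the arithmetic the comment above describes: size_t is modelled as 32 bits like the js-dbg-32-linux shell, RoundUpPow2 is written with wrapping unsigned arithmetic so the failure case shows the zero result deterministically, and a hypothetical checked growth helper refuses the backtrace's aOldElts=0, aIncr=4294967294 instead of asserting, so the caller can report the allocation failure rather than crash. Function names are assumed, not SpiderMonkey's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model size_t as 32 bits, matching the js-dbg-32-linux shell in the report. */
typedef uint32_t size32_t;
#define SIZE32_TOP_POW2 ((size32_t)1 << 31)   /* largest representable power of two */

/* Next power of two >= v (1 for v <= 1). Unsigned bit-smearing instead of the
   1 << CeilingLog2 form, so for v > 2^31 the result wraps to 0 deterministically
   rather than invoking the undefined shift the comment above mentions. */
static size32_t round_up_pow2_unchecked(size32_t v) {
  if (v <= 1) return 1;
  v--;
  v |= v >> 1; v |= v >> 2; v |= v >> 4; v |= v >> 8; v |= v >> 16;
  return v + 1;
}

/* Checked variant: the same precondition MathAlgorithms.h asserts on, but
   returned as a recoverable failure. Hypothetical name, not SpiderMonkey's API. */
static bool round_up_pow2_checked(size32_t v, size32_t *out) {
  if (v > SIZE32_TOP_POW2) return false;  /* "can't round up -- will overflow!" */
  *out = round_up_pow2_unchecked(v);
  return true;
}

/* Hypothetical model of an aggressive growth policy: the new capacity is the
   next power of two at or above old + incr. It reports failure instead of
   asserting, so a reserve()-style caller can fail the allocation and the
   engine can raise an error (comment further down notes the fixed build
   throws, which is why the test file needed a try/catch). */
static bool grow_elts_aggressively_checked(size32_t old_elts, size32_t incr,
                                           size32_t *new_cap) {
  if (incr > UINT32_MAX - old_elts) return false;   /* old + incr itself overflows */
  return round_up_pow2_checked(old_elts + incr, new_cap);
}

int main(void) {
  /* Values from the backtrace: aOldElts=0, aIncr=4294967294 (2^32 - 2). */
  size32_t cap = 0;
  printf("unchecked RoundUpPow2(4294967294) wraps to %u\n",
         (unsigned)round_up_pow2_unchecked(4294967294u));
  printf("checked growth(0, 4294967294) -> %s\n",
         grow_elts_aggressively_checked(0, 4294967294u, &cap) ? "ok" : "refused");
  printf("checked growth(64, 1) -> cap %u\n",
         grow_elts_aggressively_checked(64, 1, &cap) ? (unsigned)cap : 0u);
  return 0;
}
```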

Group: javascript-core-security
Keywords: sec-high
Not accessible to reporter
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/761c02dba1d8
Fix overflow when rounding up to power of two during aggressive Vector growth r=jandem

Backed out for causing SM bustages on bug1782558-veclen.js

Flags: needinfo?(sphink)

Doh! I'm an idiot. This is the desired behavior, but I didn't wrap it in a try/catch.

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f6e23687f4a
Fix overflow when rounding up to power of two during aggressive Vector growth r=jandem
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
Flags: needinfo?(sphink)
Flags: sec-bounty? → sec-bounty-
