AddressSanitizer: negative-size-param: (size=-1728053247)
Categories
(Core :: JavaScript Engine, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox123 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, testcase)
Attachments
(2 files)
```js
let x;
for (let i = 0; i < 99; ++i) {
try {
x += "\u7618";
} catch (e) {}
}
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
x += x;
print(x);
```
```
==40296==ERROR: AddressSanitizer: negative-size-param: (size=-1728053247)
#0 0x10963fe04 in printf_common(void*, char const*, char*)+0x720 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x1fe04)
#1 0x109640d30 in fprintf+0x78 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x20d30)
#2 0x102bf56dc in PrintInternal(JSContext*, JS::CallArgs const&, js::shell::RCFile*)+0x270 (js-64-asan-darwin-arm64-fd640ad054ea:arm64+0x1000516dc)
#3 0x102bf5330 in Print(JSContext*, unsigned int, JS::Value*)+0x170 (js-64-asan-darwin-arm64-fd640ad054ea:arm64+0x100051330)
#4 0x102e1a86c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x898 (js-64-asan-darwin-arm64-fd640ad054ea:arm64+0x10027686c)
#5 0x104225190 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)+0xc14 (js-64-asan-darwin-arm64-fd640ad054ea:arm64+0x101681190)
/snip
```
This goes back to at least m-c rev e963fffcb3a0375f0c08e6c62d4300cbf79fba0b and possibly prior.
Run with `--fuzzing-safe --no-threads --no-baseline --no-ion`, compile with `AR=ar sh ../configure --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev fd640ad054ea.
Jan, perhaps you might know how to start looking at this? I'll keep trying later on Linux and try to go further back for bisection, but it's harder and we don't seem to keep ASan builds very long.
Comment 1 (Reporter, 1 year ago)
Ok, this happens on Linux on latest m-c rev 2a7dd75d1bfc too.
Comment 2 (Reporter, 1 year ago)
> This goes back to at least m-c rev e963fffcb3a0375f0c08e6c62d4300cbf79fba0b and possibly prior.
This goes back to at least m-c rev 86ddb9dede42345ce270162c8be81bd257630e82 (mid-May 2022), I cannot yet go back further as more LLVM/Rust versions need to be changed and so on.
Comment 3 (Jan de Mooij [:jandem], 1 year ago)
The test creates a JS string with length 905969664 (~9 million). The `print` shell function converts this to a UTF8 buffer of size 2566914049, which is larger than INT32_MAX, and then calls `fprintf`.
I think this is a bug in ASan that was fixed in August: https://github.com/llvm/llvm-project/commit/94b0851aad618397f508e56c63c6f928e4e911b9
Gary, which ASan version(s) are you using?
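Working through the numbers in comment 3, as an added example that is not part of the bug report: it derives the string length, the UTF-8 buffer size and the int32 reinterpretation that yields the `size=-1728053247` in the ASan report, without building the ~2.5 GB string. The `+1` for a NUL terminator on the UTF-8 buffer is an assumption that makes the figure match.

```javascript
// Added example, not from the bug report: reproduce the numbers quoted in
// comment 3 without materialising the ~2.5 GB string.
const APPENDS = 99;    // iterations of the for-loop in the testcase
const DOUBLINGS = 23;  // number of `x += x;` lines in the testcase
const INT32_MAX = 0x7fffffff;

// Same construction as the testcase: `x` starts as undefined, so the first
// `x += "\u7618"` produces "undefined\u7618"; 99 appends give 108 UTF-16 units.
function seedString(appends) {
  let x;
  for (let i = 0; i < appends; ++i) x += "\u7618";
  return x;
}

// Each `x += x;` doubles both the UTF-16 length and the UTF-8 byte count, so
// the final sizes follow from the seed sizes and the number of doublings.
function testcaseSizes(appends = APPENDS, doublings = DOUBLINGS) {
  const seed = seedString(appends);
  const seedUtf8 = new TextEncoder().encode(seed).length;  // 9 ASCII + 99 * 3 bytes
  const length = seed.length * 2 ** doublings;
  // Assumption: the shell's UTF-8 buffer carries a NUL terminator; that +1 is
  // what makes 306 * 2^23 match the 2566914049 quoted in comment 3.
  const utf8Size = seedUtf8 * 2 ** doublings + 1;
  return {
    length,                                 // JS string length in UTF-16 units
    utf8Size,                               // bytes handed to fprintf
    exceedsInt32Max: utf8Size > INT32_MAX,
    asInt32: utf8Size | 0,                  // ToInt32: the size as an int-typed parameter sees it
  };
}

console.log(testcaseSizes());
```

The `asInt32` field reproduces the negative size in the report: a buffer size above INT32_MAX read through a 32-bit signed parameter wraps to -1728053247, which is what the ASan interceptor flagged.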
Comment 4 (1 year ago)
Probably not worth tagging as a regression if it goes back that far, at least not unless we can pin it down more precisely.
Comment 5 (Reporter, 1 year ago)
> (In reply to Jan de Mooij [:jandem] from comment #3)
> Gary, which ASan version(s) are you using?

I was testing on LLVM 16.0.6, then tested on LLVM 17.0.6, on which it still occurs. That said, none of these branches seemingly contain the ASan fix you listed, so I'm trying out LLVM 18 which is still heavily in development on upstream now.
Comment 6 (Reporter, 1 year ago)
I compiled with LLVM/Clang 18 (git commit 8d817f64) as the default clang, then added `--disable-bootstrap` (to use default system clang), and the issue went away. The testcase just keeps on printing blank spaces but no longer crashes.
So, yes, LLVM issue. Feel free to open up!