Closed Bug 336410 Opened 19 years ago Closed 18 years ago

probably an integer overflow in array_toSource

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: guninski, Assigned: mrbkap)

Details

(Keywords: fixed1.8.0.5, verified1.8.1, Whiteboard: [sg:critical?][patch])

Attachments

(5 files, 2 obsolete files)

crash
445 bytes, text/html
Details
Proposed patch
1.64 KB, patch
igor
: review+
igor
: approval-branch-1.8.1+
dveditz
: approval1.8.0.5+
Details | Diff | Splinter Review
for 1.0.x
1.40 KB, patch
Details | Diff | Splinter Review
js1_5/Regress/regress-336410-1.js
2.47 KB, text/plain
Details
js1_5/Regress/regress-336410-2.js
2.47 KB, text/plain
Details
there is probably an integer overflow in array_toSource : var o=[r, r, r, r, r, r, r, r, r]; var rr=o.toSource(); where r occupies 512MB causes this crash: #0 0xffffe410 in ?? () #1 0xbf82364c in ?? () #2 0xb740cff4 in ?? () from /lib/tls/libc.so.6 #3 0xbf823638 in ?? () #4 0xb73717b6 in nanosleep () from /lib/tls/libc.so.6 #5 0xb73715df in sleep () from /lib/tls/libc.so.6 #6 0xb7eae96b in ah_crap_handler (signum=11) at nsSigHandlers.cpp:133 #7 0xb7ec6cc4 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210 #8 <signal handler called> #9 0xb7dceba5 in QuoteString (sp=0xbf823a98, str=0x87654a8, quote=34) at /opt/joro/firefox/mozilla/js/src/jsopcode.c:438 #10 0xb7dced6c in js_QuoteString (cx=0x875c720, str=0x87654a8, quote=34) at /opt/joro/firefox/mozilla/js/src/jsopcode.c:496 #11 0xb7e015d2 in js_ValueToSource (cx=0x875c720, v=141972652) at /opt/joro/firefox/mozilla/js/src/jsstr.c:2697 #12 0xb7d65d2c in array_join_sub (cx=0x875c720, obj=0x87654a0, op=TO_SOURCE, sep=0x0, rval=0xbf823c98) at /opt/joro/firefox/mozilla/js/src/jsarray.c:510 #13 0xb7d660e1 in array_toSource (cx=0x875c720, obj=0x87654a0, argc=0, argv=0x89228dc, rval=0xbf823c98) at /opt/joro/firefox/mozilla/js/src/jsarray.c:592 #14 0xb7d9b00a in js_Invoke (cx=0x875c720, argc=0, flags=0) memory usage is about 600MB and probably can be made smaller.
Attached file crash
Is this x86_64 Linux running 32-bit Firefox as in bug 335535? Asking in case it's relevant. Don't see a problem (beyond the temporary busy-script freeze) in 32-bit windows.
Assignee: nobody → mrbkap
Component: General → JavaScript Engine
Product: Firefox → Core
Whiteboard: [sg:critical?]
(In reply to comment #2) > Is this x86_64 Linux running 32-bit Firefox as in bug 335535? Asking in case > it's relevant. Don't see a problem (beyond the temporary busy-script freeze) in > 32-bit windows. > according to me this is pure 32 bit issue. i crash on 32 bit linux and 32 bit macosx ppc with the same stack. do you get out of memory error?
this issue is similar to Bug 336409
Flags: in-testsuite+
fwiw, the test for this bug killed either Mac OS X or the VNC server I use to access the boxes. I will be temporarily adding it to my list of tests excluded from the automated runs until it is fixed across 1.8.0, 1.8, 1.9.
my macosx survives this test.
I managed to kill two different Mac OS X boxes using the browser versions of the tests. Did you just run the shell based tests?
(In reply to comment #9) > I managed to kill two different Mac OS X boxes using the browser versions of > the tests. Did you just run the shell based tests? > local browser version of copy of my testscase and a little modified (changed print.. to alert() ) of the 128M testcase in this bug. firefox 1.5.0.3 crashes, but macosx ppc continues normal operation.
Ok, then I guess that answers the question about whether the problem was with the machine as a whole or just with the VNC server.
eventually may be a hardware problem - have you tried running memtest - some linux live cds include it.
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5? → blocking1.8.0.5+
Attached patch Proposed patchSplinter Review
Attachment #225358 - Flags: review?(igor.bukanov)
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [sg:critical?] → [sg:critical?][patch]
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 225358 [details] [diff] [review] Proposed patch Nit: other places use (size_t)-1 as size_t max.
Attachment #225358 - Flags: review?(igor.bukanov) → review+
Attachment #225358 - Flags: approval1.8.0.5?
Attachment #225358 - Flags: approval-branch-1.8.1?(igor.bukanov)
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attachment #225358 - Flags: approval-branch-1.8.1?(igor.bukanov) → approval-branch-1.8.1+
Comment on attachment 225358 [details] [diff] [review] Proposed patch approved for 1.8.0 branch, a=dveditz for drivers
Attachment #225358 - Flags: approval1.8.0.5? → approval1.8.0.5+
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.5, fixed1.8.1
js1_5/Regress/regress-336410-1.js and js1_5/Regress/regress-336410-2.js windows shell crashes 1.8.0.5, 1.8.1, 1.9a1 windows/linux/mac crashes 1.8.0.5, 1.8.1, 1.9a1 I need someone who knows what is going to check this out.
this still crashes for me even on trunk, so this is not fixed.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to comment #11) > Ok, then I guess that answers the question about whether the problem was with > the machine as a whole or just with the VNC server. > this started to kill my macosx with a spinning wheel, but unusable UI (though the kernel is alive). a reason for this may be applying apple's updates.
removing fixed1.8.0.5, fixed1.8.1
Keywords: fixed1.8.0.5, fixed1.8.1
Back to fixed, Blake says the remaining crash is actually bug 342960.
Status: REOPENED → RESOLVED
Closed: 18 years ago18 years ago
Keywords: fixed1.8.0.5, fixed1.8.1
Resolution: --- → FIXED
is it possible this bug to be invalid and all problems to have been caused by the arena?
I can't reproduce it on windows locally but I am showing crashes in browser tests for 1.8.0.5, 1.8.1a3 and 1.9a1 on windows/macppc/linux. Note that the String.toSource() bug is verified fixed on 1.8.0.5/1.9a1 but not on 1.8.1a3 so if these crashes on 1.8.0.5 and 1.9a1 are real then they are _not bug 342960_. I'll know more hopefully with today's builds. leaving fixed status alone for now.
browser based js1_5/Regress/regress-336410-1.js, js1_5/Regress/regress-336410-2.js crashes on linux 20060707 builds for 1.8.0.5, 1.8.1 and 1.9. Since bug 342960 appears to be fixed for 1.8.0.5 and 1.9, it is not the cause of the crashes here. reopen and removed the fixed* keywords until someone tells me otherwise.
Status: RESOLVED → REOPENED
Keywords: fixed1.8.0.5, fixed1.8.1
Resolution: FIXED → ---
on today linux trunk i don't crash with my testcase after 8 reloads. valgrind seems unusable in this case because it takes at least 4 hours.
per discussion with jay, marcia and dveditz: marking fixed and readding the fixed1.8.0.5 and fixed1.8.1 keywords.
Status: REOPENED → RESOLVED
Closed: 18 years ago18 years ago
Keywords: fixed1.8.0.5, fixed1.8.1
Resolution: --- → FIXED
Attached patch for 1.0.xSplinter Review
1.8, 1.9 windows, mac* do not crash on either testcase. 1.8, 1.9 linux all exit on the test farm with SIGABRT, but I can't reproduce it locally or on the qa farm machines. Whatever the situation it is not this bug, so I will verify. verify fixed 1.8, 1.9
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1verified1.8.1
on linux get out of memory - trunk and branches
modify expected exit code for the shell per bug 358975.
Attachment #221679 - Attachment is obsolete: true
modify expected exit code for the shell per bug 358975.
Attachment #221680 - Attachment is obsolete: true
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-336410-1.js,v <-- regress-336410-1.js /cvsroot/mozilla/js/tests/js1_5/extensions/regress-336410-2.js,v <-- regress-336410-2.js moved to extensions/ since they use toSource
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: