Closed Bug 473709 Opened 14 years ago Closed 14 years ago

"Assertion failure: cursor == (uint8 *)copy->messageArgs[0] + argsCopySize, at jsexn.c" or "Assertion failure: cursor == (uint8 *)copy->messageArgs[0] + argsCopySize, at jsexn.cpp"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: gkw, Assigned: mrbkap)

References

Details

(5 keywords, Whiteboard: [sg:critical?] fixed-in-tracemonkey)

Attachments

(6 files, 2 obsolete files)

linux gdb backtrace
8.56 KB, text/plain
Details
Fix
1.78 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
working 1.9.0 patch
1.03 KB, patch
mrbkap
: review+
dveditz
: approval1.9.0.7+
Details | Diff | Splinter Review
e4x/Regress/regress-473709.js
2.25 KB, text/plain
Details
Fix for the 1.8.1 branch
876 bytes, patch
dveditz
: approval1.8.1.next+
Details | Diff | Splinter Review
1.8.0 one, based on the 1.8.1
811 bytes, patch
asac
: approval1.8.0.next+
Details | Diff | Splinter Review
Attached file linux gdb backtrace 
function f() { eval("(function() { switch(x, x) { default: for(x2; <x><y/></x>;) (function(){}) <x><y/></x>;break; case (+<><x><y/></x></>): break;   }; })()"); }
gczeal(2);
f();

asserts debug js trunk shell (with and without -j) and 1.9.0.x debug js shell at Assertion failure: cursor == (uint8 *)copy->messageArgs[0] + argsCopySize, at ../jsexn.cpp:188

Compiling 1.9.0.x opt with gczeal seems to work as expected. Security-sensitive because it involves gczeal.

Thanks Waldo for guiding me along this one.
Flags: blocking1.9.1?
Flags: blocking1.9.0.7?
Summary: "Assertion failure: cursor == (uint8 *)copy->messageArgs[0] + argsCopySize, at jsexn.c" → "Assertion failure: cursor == (uint8 *)copy->messageArgs[0] + argsCopySize, at jsexn.c" or "Assertion failure: cursor == (uint8 *)copy->messageArgs[0] + argsCopySize, at jsexn.cpp"
Attached patch FixSplinter Review 
Easy fix. I gotta say, I like the ability to use stack-based helper classes in js/src now.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #357275 - Flags: review?(jwalden+bmo)
Attachment #357275 - Flags: review?(jwalden+bmo) → review+
Attached patch patch backport (obsolete) — Splinter Review 
Here's the 1.9.0.x patch backport.
Attachment #357288 - Flags: review?(mrbkap)
Attachment #357288 - Flags: approval1.9.0.7?
Attached file diff between trunk and 1.9.0.x patch (obsolete) — 
To ensure nothing creepy sets in. :)
Comment on attachment 357288 [details] [diff] [review]
patch backport

Oops, something wonky in test compiles.

===

cc -o Darwin_DBG.OBJ/jsregexp.o -c -Wall -Wno-format -MMD -g3 -DXP_UNIX -DSVR4 -DSYSV -D_BSD_SOURCE -DPOSIX_SOURCE -DDARWIN -DX86_LINUX  -DDEBUG -DDEBUG_skywalker -DEDITLINE -IDarwin_DBG.OBJ  jsregexp.c
jsregexp.c: In function ‘js_NewRegExpObject’:
jsregexp.c:4310: error: ‘JSAutoTempValueRooter’ undeclared (first use in this function)
jsregexp.c:4310: error: (Each undeclared identifier is reported only once
jsregexp.c:4310: error: for each function it appears in.)
jsregexp.c:4310: error: syntax error before ‘tvr’
make[1]: *** [Darwin_DBG.OBJ/jsregexp.o] Error 1
make: *** [all] Error 2
Attachment #357288 - Attachment is obsolete: true
Attachment #357288 - Flags: review?(mrbkap)
Attachment #357288 - Flags: approval1.9.0.7?
jorendorff on IRC helped me out by telling me that mrbkap's patch "was changing from a C style of doing things to a C++ style of doing things" and suggested the following patch:

Index: jsregexp.c
===================================================================
RCS file: /cvsroot/mozilla/js/src/jsregexp.c,v
retrieving revision 3.200
diff -u -8 -p -r3.200 jsregexp.c
--- jsregexp.c	11 Aug 2008 18:24:13 -0000	3.200
+++ jsregexp.c	16 Jan 2009 03:05:35 -0000
@@ -4303,20 +4303,20 @@ js_NewRegExpObject(JSContext *cx, JSToke
     JSString *str;
     JSObject *obj;
     JSRegExp *re;
     JSTempValueRooter tvr;
 
     str = js_NewStringCopyN(cx, chars, length);
     if (!str)
         return NULL;
+    JS_PUSH_TEMP_ROOT_STRING(cx, str, &tvr);
     re = js_NewRegExp(cx, ts,  str, flags, JS_FALSE);
     if (!re)
         return NULL;
-    JS_PUSH_TEMP_ROOT_STRING(cx, str, &tvr);
     obj = js_NewObject(cx, &js_RegExpClass, NULL, NULL, 0);
     if (!obj || !JS_SetPrivate(cx, obj, re)) {
         js_DestroyRegExp(cx, re);
         obj = NULL;
     }
     if (obj && !js_SetLastIndex(cx, obj, 0))
         obj = NULL;
     JS_POP_TEMP_ROOT(cx, &tvr);


However this causes the following assertion: Assertion failure: (cx)->tempValueRooters == (&pc->tempRoot), at jsparse.c:186 and a backtrace is:

(gdb) bt
#0  JS_Assert (s=0x10939c "(cx)->tempValueRooters == (&pc->tempRoot)", file=0x109340 "jsparse.c", ln=186) at jsutil.c:63
#1  0x000a5111 in js_FinishParseContext (cx=0x2005b0, pc=0xbfffdaa4) at jsparse.c:186
#2  0x000a61f8 in js_CompileScript (cx=0x2005b0, obj=0x17d100, principals=0x0, tcflags=2048, chars=0x202430, length=137, file=0x0, filename=0x201d81 "typein", lineno=1) at jsparse.c:671
#3  0x0008706f in obj_eval (cx=0x2005b0, obj=0x17d000, argc=1, argv=0x80609c, rval=0xbfffdcfc) at jsobj.c:1326
#4  0x0007b7ab in js_Invoke (cx=0x2005b0, argc=1, vp=0x806094, flags=2) at jsinterp.c:1304
#5  0x0006e6ca in js_Interpret (cx=0x2005b0) at jsinterp.c:4864
#6  0x0007c099 in js_Execute (cx=0x2005b0, chain=0x17d000, script=0x2023d0, down=0x0, flags=0, result=0xbffff628) at jsinterp.c:1546
#7  0x0001c910 in JS_ExecuteScript (cx=0x2005b0, obj=0x17d000, script=0x2023d0, rval=0xbffff628) at jsapi.c:4895
#8  0x00002c8b in Process (cx=0x2005b0, obj=0x17d000, filename=0x0, forceTTY=0) at js.c:310
#9  0x000035d8 in ProcessArgs (cx=0x2005b0, obj=0x17d000, argv=0xbffff760, argc=0) at js.c:556
#10 0x00009025 in main (argc=0, argv=0xbffff760, envp=0xbffff764) at js.c:3931
(In reply to comment #6)
> jorendorff on IRC helped me out by telling me that mrbkap's patch "was changing
> from a C style of doing things to a C++ style of doing things" and suggested
> the following patch:
> 
> Index: jsregexp.c
> ===================================================================
> RCS file: /cvsroot/mozilla/js/src/jsregexp.c,v
> retrieving revision 3.200
> diff -u -8 -p -r3.200 jsregexp.c
> --- jsregexp.c    11 Aug 2008 18:24:13 -0000    3.200
> +++ jsregexp.c    16 Jan 2009 03:05:35 -0000
> @@ -4303,20 +4303,20 @@ js_NewRegExpObject(JSContext *cx, JSToke
>      JSString *str;
>      JSObject *obj;
>      JSRegExp *re;
>      JSTempValueRooter tvr;
> 
>      str = js_NewStringCopyN(cx, chars, length);
>      if (!str)
>          return NULL;
> +    JS_PUSH_TEMP_ROOT_STRING(cx, str, &tvr);
>      re = js_NewRegExp(cx, ts,  str, flags, JS_FALSE);
>      if (!re)
>          return NULL;
> -    JS_PUSH_TEMP_ROOT_STRING(cx, str, &tvr);

Don't return without popping the tvr.

/be
Thanks brendan and mrbkap, this is the next iteration of the patch, untested yet though.
Attachment #357289 - Attachment is obsolete: true
Attachment #357302 - Flags: review?(mrbkap)
Attachment #357302 - Flags: approval1.9.0.7?
Attachment #357302 - Flags: review?(mrbkap) → review+
Comment on attachment 357302 [details] [diff] [review]
working 1.9.0 patch

Yep.
I have tested that Gary's patch works in my 1.9.0 tree.
Whiteboard: fixed-in-tracemonkey → fixed-in-tracemonkey [needs 1.9.1 landing, baking]
Flags: blocking1.9.1? → blocking1.9.1+
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.7?
Flags: blocking1.9.0.7+
Whiteboard: fixed-in-tracemonkey [needs 1.9.1 landing, baking] → [sg:critical?] fixed-in-tracemonkey [needs 1.9.1 landing, baking]
http://hg.mozilla.org/mozilla-central/rev/d77738e770cd
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Flags: in-litmus-
Attachment #357302 - Flags: approval1.9.0.7? → approval1.9.0.7+
Comment on attachment 357302 [details] [diff] [review]
working 1.9.0 patch

Approved for 1.9.0.7, a=dveditz for release-drivers.
Flags: blocking1.8.1.next?
Checked into the 1.9.0 branch.
Keywords: fixed1.9.0.7
Whiteboard: [sg:critical?] fixed-in-tracemonkey [needs 1.9.1 landing, baking] → [sg:critical?] fixed-in-tracemonkey [needs 1.9.1 landing]
regressed by bug 443039
Blocks: 443039
Bob, was that comment really meant for this bug?
mrbkap: yes. i just bisected it on x86_64 and thought i would comment it here.
qawanted: bc or gary, do we want or need this on the 1.8.1 branch?
Keywords: qawanted
Dan, yes we do.
Blake, can you work up a 1.8.1 patch?
Flags: blocking1.8.1.next? → blocking1.8.1.next+
Keywords: qawanted
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/c0779e4abe0a
Keywords: fixed1.9.1
Whiteboard: [sg:critical?] fixed-in-tracemonkey [needs 1.9.1 landing] → [sg:critical?] fixed-in-tracemonkey
v 1.9.0, 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.7, fixed1.9.1verified1.9.0.7, verified1.9.1
Attachment #360952 - Flags: approval1.8.1.next?
Flags: wanted1.8.1.x+
Comment on attachment 360952 [details] [diff] [review]
Fix for the 1.8.1 branch

Approved for 1.8.1.21, a=dveditz for release-drivers.
Attachment #360952 - Flags: approval1.8.1.next? → approval1.8.1.next+
Checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8.1.21
Group: core-security
Attachment #363094 - Flags: approval1.8.0.next+
Comment on attachment 363094 [details] [diff] [review]
1.8.0 one, based on the 1.8.1

a=asac for 1.8.0
Flags: blocking1.8.0.next+
http://hg.mozilla.org/tracemonkey/rev/547fc4916d3e
/cvsroot/mozilla/js/tests/e4x/Regress/regress-473709.js,v  <--  regress-473709.js
initial revision: 1.1
Attachment #357302 - Attachment description: untested patch → working 1.9.0 patch
You need to log in before you can comment on or make changes to this bug.