Closed Bug 576891 Opened 11 years ago Closed 11 years ago

Invalid read [@ JSC::Yarr::CharacterClassConstructor::addSorted]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
major

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: testcase, valgrind, Whiteboard: [sg:low?])

/[&@!)OZ%3,#]/;

Triggers the following Valgrind warning:

> ==95244== Invalid read of size 2
> ==95244==    at 0x1DABFD: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::append(unsigned short const&) (jsvector.h:642)
> ==95244==    by 0x1DACC5: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::insert(unsigned short*, unsigned short const&) (jsvector.h:683)
> ==95244==    by 0x1DAE1D: JSC::Yarr::CharacterClassConstructor::addSorted(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned short) (RegexCompiler.cpp:180)
> ==95244==    by 0x1DAEDB: JSC::Yarr::CharacterClassConstructor::putChar(unsigned short) (RegexCompiler.cpp:71)
> ==95244==    by 0x1DAFA8: JSC::Yarr::RegexPatternConstructor::atomCharacterClassAtom(unsigned short) (RegexCompiler.cpp:305)
> ==95244==    by 0x1DB078: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::CharacterClassParserDelegate::atomPatternCharacterUnescaped(unsigned short) (RegexParser.h:113)
> ==95244==    by 0x1DC07B: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseCharacterClass() (RegexParser.h:433)
> ==95244==    by 0x1DCA12: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseTokens() (RegexParser.h:567)
> ==95244==    by 0x1DCC6F: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parse() (RegexParser.h:652)
> ==95244==    by 0x1DCD0E: int JSC::Yarr::parse<JSC::Yarr::RegexPatternConstructor>(JSC::Yarr::RegexPatternConstructor&, JSString const&, unsigned int) (RegexParser.h:843)
> ==95244==    by 0x1D501D: JSC::Yarr::compileRegex(JSString const&, JSC::Yarr::RegexPattern&) (RegexCompiler.cpp:603)
> ==95244==    by 0x1DCE66: JSC::Yarr::jitCompileRegex(JSC::ExecutableAllocator&, JSC::Yarr::RegexCodeBlock&, JSString const&, unsigned int&, int&, bool&, bool, bool) (RegexJIT.cpp:1487)
> ==95244==  Address 0x608440e is 14 bytes inside a block of size 16 free'd
> ==95244==    at 0x3BB295: realloc (vg_replace_malloc.c:525)
> ==95244==    by 0x1DCD45: js_realloc (jsutil.h:201)
> ==95244==    by 0x1DDBF2: js::SystemAllocPolicy::realloc(void*, unsigned long) (jstl.h:254)
> ==95244==    by 0x1DA95D: js::VectorImpl<unsigned short, 0ul, js::SystemAllocPolicy, true>::growTo(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned long) (jsvector.h:152)
> ==95244==    by 0x1DAA0C: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::growHeapStorageBy(unsigned long) (jsvector.h:498)
> ==95244==    by 0x1DAB48: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::append(unsigned short const&) (jsvector.h:636)
> ==95244==    by 0x1DACC5: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::insert(unsigned short*, unsigned short const&) (jsvector.h:683)
> ==95244==    by 0x1DAE1D: JSC::Yarr::CharacterClassConstructor::addSorted(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned short) (RegexCompiler.cpp:180)
> ==95244==    by 0x1DAEDB: JSC::Yarr::CharacterClassConstructor::putChar(unsigned short) (RegexCompiler.cpp:71)
> ==95244==    by 0x1DAFA8: JSC::Yarr::RegexPatternConstructor::atomCharacterClassAtom(unsigned short) (RegexCompiler.cpp:305)
> ==95244==    by 0x1DB078: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::CharacterClassParserDelegate::atomPatternCharacterUnescaped(unsigned short) (RegexParser.h:113)
> ==95244==    by 0x1DC07B: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseCharacterClass() (RegexParser.h:433)

I do not get any Valgrind warnings when I do the same in JSC, so I'm guessing this bug was introduced with the conversion to js::Vector.
blocking2.0: --- → ?
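The trace above says the read at jsvector.h:642 happens inside append() after that same append() grew the storage with realloc, and that the bytes read (offset 14 in a 16-byte block) belonged to the block realloc just freed. So the reference that append() received must have pointed into the vector's own buffer, and the only caller in the chain is insert(). The following C++ model, added here and not SpiderMonkey or Yarr code, reproduces that event order deterministically: ModelVector, insertBuggy, insertFixed, the stale-read counter and the 8-code-unit initial capacity (16 bytes, to match the freed block size in the trace) are all assumptions. Instead of freeing old storage on growth it poisons and keeps it, so the stale read is well-defined and countable rather than undefined behaviour. With the class body from the testcase, the buggy insert still produces the correct sorted set, because the element-shift overwrites the stale duplicate, which is why nothing but Valgrind notices; the fixed insert copies out of the buffer before any call that can reallocate.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

typedef uint16_t UChar;
static const UChar kPoison = 0xFFFF;   // model of "freed" storage contents

// Stand-in for js::Vector<UChar, 0, js::SystemAllocPolicy> (assumption, not the real class).
// Growth never frees the old block: it poisons it and keeps it, so a read through a
// reference into old storage yields kPoison and is counted instead of being UB.
class ModelVector {
public:
    ModelVector() : mBegin(NULL), mLength(0), mCapacity(0), mStaleReads(0) {}
    ~ModelVector() {
        delete[] mBegin;
        for (size_t i = 0; i < mOld.size(); ++i) delete[] mOld[i];
    }
    size_t length() const { return mLength; }
    size_t staleReads() const { return mStaleReads; }
    UChar* begin() { return mBegin; }
    UChar& back() { return mBegin[mLength - 1]; }
    UChar& operator[](size_t i) { return mBegin[i]; }

    // Takes |val| by const reference and may reallocate before reading it: the same
    // order as growHeapStorageBy (jsvector.h:636) followed by the read at jsvector.h:642.
    void append(const UChar& val) {
        uintptr_t p = reinterpret_cast<uintptr_t>(&val);
        uintptr_t b = reinterpret_cast<uintptr_t>(mBegin);
        bool aliasesStorage = mBegin && p >= b && p < b + mCapacity * sizeof(UChar);
        if (mLength == mCapacity) {
            growHeapStorage();
            if (aliasesStorage) ++mStaleReads;   // |val| now refers to discarded storage
        }
        mBegin[mLength++] = val;
    }

    // Modelled on the insert() -> append() chain in the trace: duplicating the last
    // element via append(back()) hands append() a reference into the buffer it may grow.
    UChar* insertBuggy(UChar* p, const UChar& val) {
        size_t pos = p - mBegin, oldLength = mLength;
        if (pos == oldLength) {
            append(val);
        } else {
            append(back());
            for (size_t i = oldLength; i > pos; --i) mBegin[i] = mBegin[i - 1];
            mBegin[pos] = val;
        }
        return mBegin + pos;
    }

    // Hardened: copy the back element, and |val| itself (a caller may also pass a
    // reference into the buffer), to locals before any call that can reallocate.
    UChar* insertFixed(UChar* p, const UChar& val) {
        size_t pos = p - mBegin, oldLength = mLength;
        UChar v = val;
        if (pos == oldLength) {
            append(v);
        } else {
            UChar oldBack = back();
            append(oldBack);
            for (size_t i = oldLength; i > pos; --i) mBegin[i] = mBegin[i - 1];
            mBegin[pos] = v;
        }
        return mBegin + pos;
    }

private:
    void growHeapStorage() {
        size_t newCap = mCapacity ? mCapacity * 2 : 8;   // 8 code units = the 16-byte block in the trace
        UChar* fresh = new UChar[newCap];
        if (mLength) memcpy(fresh, mBegin, mLength * sizeof(UChar));
        if (mBegin) {
            for (size_t i = 0; i < mCapacity; ++i) mBegin[i] = kPoison;  // model of free()
            mOld.push_back(mBegin);
        }
        mBegin = fresh;
        mCapacity = newCap;
    }
    UChar* mBegin;
    size_t mLength, mCapacity, mStaleReads;
    std::vector<UChar*> mOld;
};

// Same shape as CharacterClassConstructor::addSorted in the trace: binary search for
// the slot, then append at the end or insert in the middle.
static void addSorted(ModelVector& matches, UChar ch, bool fixed) {
    size_t lo = 0, hi = matches.length();
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (matches[mid] < ch) lo = mid + 1; else hi = mid;
    }
    if (lo == matches.length()) matches.append(ch);
    else if (fixed) matches.insertFixed(matches.begin() + lo, ch);
    else matches.insertBuggy(matches.begin() + lo, ch);
}

struct ClassResult { std::vector<UChar> sorted; size_t staleReads; };

// Feed the characters of a class body in source order, as the parser does.
ClassResult buildClass(const std::string& body, bool fixed) {
    ModelVector v;
    for (size_t i = 0; i < body.size(); ++i)
        addSorted(v, static_cast<UChar>(static_cast<unsigned char>(body[i])), fixed);
    ClassResult r;
    r.staleReads = v.staleReads();
    for (size_t i = 0; i < v.length(); ++i) r.sorted.push_back(v[i]);
    return r;
}

int main() {
    const std::string body = "&@!)OZ%3,#";   // class body from the testcase above
    ClassResult bad = buildClass(body, false), good = buildClass(body, true);
    printf("buggy insert: %zu stale read(s); fixed insert: %zu; same result: %s\n",
           bad.staleReads, good.staleReads, bad.sorted == good.sorted ? "yes" : "no");
    return 0;
}
```

The ninth character (',') is the one that triggers it: the class already holds eight code units, so the append(back()) in the buggy insert grows the storage and then reads index 7 of the old block, which is byte offset 14 of a 16-byte block, as in the Valgrind report. A practical check is the aliasing test in append(): in a debug build, asserting that the argument does not point into the container's own storage turns this silent read into a hard failure without a Valgrind run.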
Could make it repro on a 32-bit build.
blocking2.0: ? → betaN+
Flags: in-testsuite+