Invalid read [@ JSC::Yarr::CharacterClassConstructor::addSorted]

Status: RESOLVED FIXED
Severity: major
Reported: 8 years ago; last modified: 6 years ago
Reporter: jruderman; Assignee: Unassigned
Keywords: testcase, valgrind
Version: Trunk
Hardware / OS: x86, Mac OS X
Bug Flags: in-testsuite +
Firefox Tracking Flags: blocking2.0 betaN+
Whiteboard: [sg:low?]

Description (jruderman, Reporter, 8 years ago):
/[&@!)OZ%3,#]/;

Triggers the following Valgrind warning:

> ==95244== Invalid read of size 2
> ==95244==    at 0x1DABFD: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::append(unsigned short const&) (jsvector.h:642)
> ==95244==    by 0x1DACC5: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::insert(unsigned short*, unsigned short const&) (jsvector.h:683)
> ==95244==    by 0x1DAE1D: JSC::Yarr::CharacterClassConstructor::addSorted(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned short) (RegexCompiler.cpp:180)
> ==95244==    by 0x1DAEDB: JSC::Yarr::CharacterClassConstructor::putChar(unsigned short) (RegexCompiler.cpp:71)
> ==95244==    by 0x1DAFA8: JSC::Yarr::RegexPatternConstructor::atomCharacterClassAtom(unsigned short) (RegexCompiler.cpp:305)
> ==95244==    by 0x1DB078: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::CharacterClassParserDelegate::atomPatternCharacterUnescaped(unsigned short) (RegexParser.h:113)
> ==95244==    by 0x1DC07B: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseCharacterClass() (RegexParser.h:433)
> ==95244==    by 0x1DCA12: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseTokens() (RegexParser.h:567)
> ==95244==    by 0x1DCC6F: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parse() (RegexParser.h:652)
> ==95244==    by 0x1DCD0E: int JSC::Yarr::parse<JSC::Yarr::RegexPatternConstructor>(JSC::Yarr::RegexPatternConstructor&, JSString const&, unsigned int) (RegexParser.h:843)
> ==95244==    by 0x1D501D: JSC::Yarr::compileRegex(JSString const&, JSC::Yarr::RegexPattern&) (RegexCompiler.cpp:603)
> ==95244==    by 0x1DCE66: JSC::Yarr::jitCompileRegex(JSC::ExecutableAllocator&, JSC::Yarr::RegexCodeBlock&, JSString const&, unsigned int&, int&, bool&, bool, bool) (RegexJIT.cpp:1487)
> ==95244==  Address 0x608440e is 14 bytes inside a block of size 16 free'd
> ==95244==    at 0x3BB295: realloc (vg_replace_malloc.c:525)
> ==95244==    by 0x1DCD45: js_realloc (jsutil.h:201)
> ==95244==    by 0x1DDBF2: js::SystemAllocPolicy::realloc(void*, unsigned long) (jstl.h:254)
> ==95244==    by 0x1DA95D: js::VectorImpl<unsigned short, 0ul, js::SystemAllocPolicy, true>::growTo(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned long) (jsvector.h:152)
> ==95244==    by 0x1DAA0C: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::growHeapStorageBy(unsigned long) (jsvector.h:498)
> ==95244==    by 0x1DAB48: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::append(unsigned short const&) (jsvector.h:636)
> ==95244==    by 0x1DACC5: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::insert(unsigned short*, unsigned short const&) (jsvector.h:683)
> ==95244==    by 0x1DAE1D: JSC::Yarr::CharacterClassConstructor::addSorted(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned short) (RegexCompiler.cpp:180)
> ==95244==    by 0x1DAEDB: JSC::Yarr::CharacterClassConstructor::putChar(unsigned short) (RegexCompiler.cpp:71)
> ==95244==    by 0x1DAFA8: JSC::Yarr::RegexPatternConstructor::atomCharacterClassAtom(unsigned short) (RegexCompiler.cpp:305)
> ==95244==    by 0x1DB078: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::CharacterClassParserDelegate::atomPatternCharacterUnescaped(unsigned short) (RegexParser.h:113)
> ==95244==    by 0x1DC07B: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseCharacterClass() (RegexParser.h:433)

I do not get any Valgrind warnings when I do the same in JSC, so I'm guessing this bug was introduced with the conversion to js::Vector.
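Reading the trace: append(const T&) is reading its argument after growHeapStorageBy has realloc'd the buffer, and the address is 14 bytes into a freed 16-byte block, i.e. the last of eight 16-bit elements. That is consistent with insert() handing append() a reference to an element of the vector's own storage, which the realloc invalidates. The code below is an added illustration of that hazard, not SpiderMonkey's js::Vector or Yarr: a toy uint16 vector that poisons old buffers with 0xFF and quarantines them instead of freeing them, so the stale read is well-defined and countable without Valgrind. The growth policy (8 elements, then doubling), the poison value, the index-based insert, and every name here (U16Vec, insert's copyFirst flag, addSorted, buildClass, staleReadsFor, staleValueFor, sortedClass) are assumptions for the example. Feeding the bug's character class through it one character at a time, the aliasing insert reads a quarantined block exactly once, at the ninth character ',' which sorts into the middle of a full 8-element vector; the copying insert never does.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Toy stand-in for js::Vector<uint16_t> (added example, not SpiderMonkey code). Old buffers
// are poisoned with 0xFF and quarantined rather than freed, so a stale read is defined here.
class U16Vec {
public:
    U16Vec() : buf_(nullptr), len_(0), cap_(0), staleReads_(0), staleValue_(0) {}
    ~U16Vec() { std::free(buf_); for (const Block& b : graveyard_) std::free(b.ptr); }
    U16Vec(const U16Vec&) = delete; U16Vec& operator=(const U16Vec&) = delete;

    size_t length() const { return len_; }
    size_t staleReads() const { return staleReads_; }
    uint16_t staleValue() const { return staleValue_; }   // value seen by the first stale read
    uint16_t at(size_t i) const { return buf_[i]; }
    uint16_t& back() { return buf_[len_ - 1]; }

    // Mirrors js::Vector::append(const T&): 't' is read only AFTER storage may
    // have been reallocated, so a reference into the old buffer goes stale.
    void append(const uint16_t& t) {
        if (len_ == cap_) grow();
        if (inGraveyard(&t) && staleReads_++ == 0) staleValue_ = t;   // Valgrind's "invalid read"
        buf_[len_++] = t;
    }

    // insert(): duplicate the last element via append(), shift up, store 'val'.
    // copyFirst=false hands append() a reference to back() (the bug);
    // copyFirst=true copies back() to a local before append() can grow.
    void insert(size_t pos, uint16_t val, bool copyFirst) {
        if (pos == len_) { append(val); return; }
        if (copyFirst) { uint16_t last = back(); append(last); }
        else           { append(back()); }      // BUG: back() is dead if append() grows
        for (size_t i = len_ - 1; i > pos; --i) buf_[i] = buf_[i - 1];
        buf_[pos] = val;
    }

private:
    struct Block { uint16_t* ptr; size_t cap; };

    // Assumed growth policy: 8 elements first (a 16-byte block, as in the report), then doubling.
    void grow() {
        size_t newCap = cap_ ? cap_ * 2 : 8;
        uint16_t* nb = static_cast<uint16_t*>(std::malloc(newCap * sizeof(uint16_t)));
        if (!nb) std::abort();
        if (buf_) {
            std::memcpy(nb, buf_, len_ * sizeof(uint16_t));
            std::memset(buf_, 0xFF, cap_ * sizeof(uint16_t));  // poison the old block
            graveyard_.push_back(Block{buf_, cap_});
        }
        buf_ = nb;
        cap_ = newCap;
    }

    bool inGraveyard(const uint16_t* p) const {
        uintptr_t a = reinterpret_cast<uintptr_t>(p);
        for (const Block& b : graveyard_) {
            uintptr_t lo = reinterpret_cast<uintptr_t>(b.ptr);
            if (a >= lo && a < lo + b.cap * sizeof(uint16_t)) return true;
        }
        return false;
    }

    uint16_t* buf_;
    size_t len_, cap_, staleReads_;
    uint16_t staleValue_;
    std::vector<Block> graveyard_;
};

// Role of CharacterClassConstructor::addSorted: ascending, duplicate-free, insert at sorted position.
static void addSorted(U16Vec& v, uint16_t ch, bool copyFirst) {
    size_t pos = 0;
    while (pos < v.length() && v.at(pos) < ch) ++pos;
    if (pos == v.length() || v.at(pos) != ch) v.insert(pos, ch, copyFirst);
}

static void buildClass(U16Vec& v, const std::string& chars, bool copyFirst) {
    for (char c : chars)
        addSorted(v, static_cast<uint16_t>(static_cast<unsigned char>(c)), copyFirst);
}

// Appends that read from a quarantined (in SpiderMonkey: freed) block.
static size_t staleReadsFor(const std::string& chars, bool copyFirst) {
    U16Vec v; buildClass(v, chars, copyFirst); return v.staleReads();
}

// The poisoned value the buggy path actually copied (0xFFFF with this allocator).
static uint16_t staleValueFor(const std::string& chars) {
    U16Vec v; buildClass(v, chars, false); return v.staleValue();
}

// Final contents, identical for both variants: the shift loop overwrites the stale
// copy at once, so the class comes out right and only Valgrind complains.
static std::string sortedClass(const std::string& chars, bool copyFirst) {
    U16Vec v; buildClass(v, chars, copyFirst);
    std::string out;
    for (size_t i = 0; i < v.length(); ++i) out.push_back(static_cast<char>(v.at(i)));
    return out;
}
```

The final class is the same either way, which is why the bug is invisible without Valgrind and why it is rated low rather than a corruption: the damage is a read of freed memory, not a wrong result. The fix pattern is the same in the toy and in the real vector: never pass a call that may reallocate (append, insert, growBy) a reference or pointer into the container's own storage; copy the element to a local first.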
blocking2.0: --- → ?
Could make it repro on a 32-bit build.
http://hg.mozilla.org/users/cleary_mozilla.com/tm-yarr-pieces/rev/1a90b6305569
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Updated 8 years ago:
blocking2.0: ? → betaN+
Flags: in-testsuite+