Closed
Bug 576891
Opened 14 years ago
Closed 14 years ago
Invalid read [@ JSC::Yarr::CharacterClassConstructor::addSorted]
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED FIXED
blocking2.0: betaN+
People
(Reporter: jruderman, Unassigned)
(Keywords: testcase, valgrind, Whiteboard: [sg:low?])
/[&@!)OZ%3,#]/;
Triggers the following Valgrind warning:
> ==95244== Invalid read of size 2
> ==95244== at 0x1DABFD: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::append(unsigned short const&) (jsvector.h:642)
> ==95244== by 0x1DACC5: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::insert(unsigned short*, unsigned short const&) (jsvector.h:683)
> ==95244== by 0x1DAE1D: JSC::Yarr::CharacterClassConstructor::addSorted(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned short) (RegexCompiler.cpp:180)
> ==95244== by 0x1DAEDB: JSC::Yarr::CharacterClassConstructor::putChar(unsigned short) (RegexCompiler.cpp:71)
> ==95244== by 0x1DAFA8: JSC::Yarr::RegexPatternConstructor::atomCharacterClassAtom(unsigned short) (RegexCompiler.cpp:305)
> ==95244== by 0x1DB078: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::CharacterClassParserDelegate::atomPatternCharacterUnescaped(unsigned short) (RegexParser.h:113)
> ==95244== by 0x1DC07B: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseCharacterClass() (RegexParser.h:433)
> ==95244== by 0x1DCA12: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseTokens() (RegexParser.h:567)
> ==95244== by 0x1DCC6F: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parse() (RegexParser.h:652)
> ==95244== by 0x1DCD0E: int JSC::Yarr::parse<JSC::Yarr::RegexPatternConstructor>(JSC::Yarr::RegexPatternConstructor&, JSString const&, unsigned int) (RegexParser.h:843)
> ==95244== by 0x1D501D: JSC::Yarr::compileRegex(JSString const&, JSC::Yarr::RegexPattern&) (RegexCompiler.cpp:603)
> ==95244== by 0x1DCE66: JSC::Yarr::jitCompileRegex(JSC::ExecutableAllocator&, JSC::Yarr::RegexCodeBlock&, JSString const&, unsigned int&, int&, bool&, bool, bool) (RegexJIT.cpp:1487)
> ==95244== Address 0x608440e is 14 bytes inside a block of size 16 free'd
> ==95244== at 0x3BB295: realloc (vg_replace_malloc.c:525)
> ==95244== by 0x1DCD45: js_realloc (jsutil.h:201)
> ==95244== by 0x1DDBF2: js::SystemAllocPolicy::realloc(void*, unsigned long) (jstl.h:254)
> ==95244== by 0x1DA95D: js::VectorImpl<unsigned short, 0ul, js::SystemAllocPolicy, true>::growTo(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned long) (jsvector.h:152)
> ==95244== by 0x1DAA0C: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::growHeapStorageBy(unsigned long) (jsvector.h:498)
> ==95244== by 0x1DAB48: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::append(unsigned short const&) (jsvector.h:636)
> ==95244== by 0x1DACC5: js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>::insert(unsigned short*, unsigned short const&) (jsvector.h:683)
> ==95244== by 0x1DAE1D: JSC::Yarr::CharacterClassConstructor::addSorted(js::Vector<unsigned short, 0ul, js::SystemAllocPolicy>&, unsigned short) (RegexCompiler.cpp:180)
> ==95244== by 0x1DAEDB: JSC::Yarr::CharacterClassConstructor::putChar(unsigned short) (RegexCompiler.cpp:71)
> ==95244== by 0x1DAFA8: JSC::Yarr::RegexPatternConstructor::atomCharacterClassAtom(unsigned short) (RegexCompiler.cpp:305)
> ==95244== by 0x1DB078: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::CharacterClassParserDelegate::atomPatternCharacterUnescaped(unsigned short) (RegexParser.h:113)
> ==95244== by 0x1DC07B: JSC::Yarr::Parser<JSC::Yarr::RegexPatternConstructor>::parseCharacterClass() (RegexParser.h:433)
I do not get any Valgrind warnings when I do the same in JSC, so I'm guessing this bug was introduced with the conversion to js::Vector.
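The trace ends with js::Vector::insert handing append a reference that lands 14 bytes into the just-freed 16-byte block, i.e. the last of eight 16-bit elements. The C++ model below is added here and is not code from this bug or from SpiderMonkey: it uses a hypothetical realloc-backed U16Vec and an insert shape consistent with the trace (back() passed by reference into a growing append) beside the copy-first fix, and the buggy path reports the hazard rather than performing the freed read.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
// Hypothetical realloc-backed vector of 16-bit code units (stand-in for the trace's
// js::Vector<unsigned short>); constructed for this example.
struct U16Vec {
    uint16_t* data = nullptr;
    size_t len = 0, cap = 0;
    ~U16Vec() { free(data); }
    void grow() {                   // every reference into the old buffer dies here
        size_t newCap = cap ? cap * 2 : 8;
        uint16_t* p = static_cast<uint16_t*>(realloc(data, newCap * sizeof(uint16_t)));
        if (!p) abort();
        data = p; cap = newCap;
    }
    void append(uint16_t v) { if (len == cap) grow(); data[len++] = v; }
    void shiftIn(size_t pos, uint16_t v) {   // old tail is already re-appended; open pos
        memmove(data + pos + 1, data + pos, (len - 1 - pos) * sizeof(uint16_t));
        data[pos] = v;
    }
    // Buggy shape consistent with the trace: append(back()) hands append a reference
    // into the vector's own block, which realloc frees before append reads it. The
    // model reports the hazard instead of performing the freed read.
    bool insertBuggy(size_t pos, uint16_t v) {
        if (pos == len) { append(v); return true; }
        const uint16_t& last = data[len - 1];   // aliases our own heap block
        if (len == cap) return false;           // grow() would free what `last` refers to
        append(last); shiftIn(pos, v); return true;
    }
    // Fix: copy the element out before anything can reallocate the buffer.
    bool insertFixed(size_t pos, uint16_t v) {
        if (pos == len) { append(v); return true; }
        uint16_t last = data[len - 1];          // a value, not a reference
        append(last); shiftIn(pos, v); return true;
    }
    bool addSorted(uint16_t v, bool fixed) {    // the role addSorted plays in the trace
        size_t pos = 0;
        while (pos < len && data[pos] < v) ++pos;
        return fixed ? insertFixed(pos, v) : insertBuggy(pos, v);
    }
};

// Feed the members of the report's class [&@!)OZ%3,#] through addSorted in pattern
// order; copy the result to out and return how many were accepted (10 = all). The
// ninth member ',' must go mid-vector while eight elements fill a 16-byte block.
inline size_t runClass(bool fixed, uint16_t out[10]) {
    static const uint16_t cls[10] = {'&', '@', '!', ')', 'O', 'Z', '%', '3', ',', '#'};
    U16Vec v;
    size_t n = 0;
    for (; n < 10 && v.addSorted(cls[n], fixed); ++n) {}
    memcpy(out, v.data, v.len * sizeof(uint16_t));
    return n;
}
```

Running the buggy variant under Valgrind or AddressSanitizer with the hazard check removed produces the same read-after-realloc the report shows; the check is only there so the model runs cleanly.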
Updated•14 years ago
blocking2.0: --- → ?
Comment 1•14 years ago
Could make it repro on a 32b build.
Comment 2•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
blocking2.0: ? → betaN+
Comment 3•12 years ago
Updated•12 years ago
Flags: in-testsuite+