Closed Bug 690933 Opened 10 years ago Closed 10 years ago

Assertion failure: log2 < tl::BitSize<size_t>::result, at jstl.h:223 or crash with memory corruption

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla10
Tracking Status
firefox8 --- unaffected
firefox9 + unaffected
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: decoder, Assigned: cdleary)

References

Details

(4 keywords, Whiteboard: [sg:critical?][qa-] js-triage-needed)

Attachments

(1 file)

The following test asserts/crashes on mozilla-central revision 1463dc6308a8 (options -m -n), tested on 32-bit:

// Build a 2 * 2^24 = 33,554,432 character identifier by doubling "vv" 24 times.
var fe="vv";
for (i=0; i<24; i++)
  fe += fe;
// Pass that identifier 38 times as a parameter name, plus a trivial body, so the
// source text handed to the parser is several gigabytes of characters.
var fu=new Function(
  fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
  fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
  "done"
);

Stepping through the assert causes glibc to terminate:

Program received signal SIGABRT, Aborted.
*** glibc detected *** /srv/repos/mozilla-central/js/src/debug32/js: malloc(): memory corruption: 0x084fbcc8 ***
======= Backtrace: =========
[...]
Hm, the original test also asserts; it's

mozilla-central/js/src/tests/js1_5/Function/regress-338121-02.js

Isn't that test run with the normal test suite?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   77764:4d10127fd106
user:        Chris Leary <cdleary@mozilla.com>
date:        Thu Sep 22 13:22:30 2011 -0700
summary:     Bug 684039: rewrite JS LIFO allocator, avoids thrashing. (r=luke)
If the bisected regression is correct this should affect Firefox 9 and not Firefox 8.
Assignee: general → cdleary
Keywords: regression
Blocks: 684039
Attached patch: Overflow checks.
I think this is only trunk (mozilla10, like on the bisected bug).

The tests were being skipped because of bug 644241 comment 34. (No good way to specify jstest runs as expected-to-OOM.)
Attachment #566031 - Flags: review?(luke)
Attachment #566031 - Flags: review?(luke) → review+
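The assertion in the bug title, log2 < tl::BitSize<size_t>::result, guards a power-of-two size round-up: once a size exceeds 2^31 on a 32-bit build, no power of two that is at least as large fits in size_t, and an unchecked shift produces a tiny value that later writes overrun, which is the glibc "memory corruption" abort in comment 0. The program below is an added illustration of what such an overflow check looks like; it is not the patch attached to this bug and not SpiderMonkey code. size32_t standing in for the 32-bit size_t, the chunk layout (fixed header, size rounded up to a power of two), the 2-byte-per-character estimate for the reproducer's text and every function name are assumptions made for the example.

```c
/*
 * Added illustration for this bug, not the patch that fixed it: a checked
 * power-of-two size round-up of the kind the jstl.h assertion
 * (log2 < BitSize<size_t>) protects, modelled on the 32-bit build from the
 * report. size32_t stands in for the 32-bit size_t; the allocator layout
 * (fixed header, chunk rounded up to a power of two) and all function names
 * are assumptions for the example, not identifiers from SpiderMonkey.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t size32_t;          /* size_t of the 32-bit build (assumption) */
#define SIZE32_BITS 32u

/* Smallest n such that 2^n >= x. Returns 32 when x > 2^31, i.e. when no
 * power of two that is >= x fits in 32 bits; that is exactly the case in
 * which the original assertion fires. */
static unsigned ceiling_log2_32(size32_t x)
{
    unsigned n = 0;
    while (n < SIZE32_BITS && ((size32_t)1 << n) < x)
        n++;
    return n;
}

/* Round x up to a power of two. Returns 0 (never a valid size) instead of
 * shifting by 32: an unchecked `1 << 32` is undefined, and on x86 the shift
 * count is masked so it yields 1, turning a ~2.5 GB request into a tiny
 * allocation that later writes overrun. */
static size32_t round_up_pow2_32(size32_t x)
{
    unsigned log2 = ceiling_log2_32(x);
    if (log2 >= SIZE32_BITS)
        return 0;
    return (size32_t)1 << log2;
}

/* Size of a chunk holding `request` payload bytes plus a fixed header,
 * rounded up to a power of two. Both the addition and the round-up are
 * checked; 0 means "cannot be satisfied, report OOM instead". */
static size32_t chunk_size_32(size32_t request, size32_t header)
{
    if (request > UINT32_MAX - header)     /* request + header would wrap */
        return 0;
    return round_up_pow2_32(request + header);
}

/* Bytes of parameter text in the reproducer: 38 copies of "vv" doubled 24
 * times (2 * 2^24 chars each), at 2 bytes per 16-bit character (assumption
 * about the engine's string representation). */
static size32_t reproducer_request_bytes_32(void)
{
    size32_t chars_per_copy = 2u << 24;    /* 33,554,432 */
    return 38u * chars_per_copy * 2u;      /* 2,550,136,832, fits in 32 bits */
}

int main(void)
{
    size32_t small = chunk_size_32(100, 16);
    size32_t huge = chunk_size_32(reproducer_request_bytes_32(), 64);
    printf("100-byte request -> chunk of %" PRIu32 " bytes\n", small);
    printf("reproducer-sized request -> %s\n",
           huge ? "allocated" : "overflow detected, propagate OOM");
    return 0;
}
```

The reproducer-sized request is below UINT32_MAX, so the addition alone passes; only the round-up check catches it, which is why a guard on the arithmetic that feeds the shift (not just on the final malloc size) is the relevant fix, and why the testcase should end in a reported OOM rather than a corrupted heap.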
https://hg.mozilla.org/mozilla-central/rev/ae2293392154
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] js-triage-needed → [sg:critical?][qa-] js-triage-needed
Verified fixed on Firefox 10.
No shipping version had this bug, we can unhide it.
Group: core-security
Status: RESOLVED → VERIFIED
Covered by the jit-test in comment 2.
Flags: in-testsuite-