Assertion failure: log2 < tl::BitSize<size_t>::result, at jstl.h:223 or crash with memory corruption

VERIFIED FIXED in Firefox 10

Status


Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Assigned: cdleary)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla10
x86
Linux
assertion, crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox8 unaffected, firefox9+ unaffected, firefox10+ fixed, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical?][qa-] js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test asserts/crashes on mozilla-central revision 1463dc6308a8 (options -m -n), tested on 32 bit:

var fe="vv";
for (i=0; i<24; i++)   // doubling 24 times gives a string of 2^25 characters
  fe += fe;
var fu=new Function(   // 38 parameter-list strings of 2^25 characters each, then the body
  fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
  fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
  "done"
);

Stepping through the assert causes glibc to terminate:

Program received signal SIGABRT, Aborted.
*** glibc detected *** /srv/repos/mozilla-central/js/src/debug32/js: malloc(): memory corruption: 0x084fbcc8 ***
======= Backtrace: =========
[...]
(Reporter)

Comment 1

6 years ago
Hm, the original test also asserts, it's

mozilla-central/js/src/tests/js1_5/Function/regress-338121-02.js 

Isn't that test run with the normal test suite?
(Reporter)

Comment 2

6 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   77764:4d10127fd106
user:        Chris Leary <cdleary@mozilla.com>
date:        Thu Sep 22 13:22:30 2011 -0700
summary:     Bug 684039: rewrite JS LIFO allocator, avoids thrashing. (r=luke)
If the bisected regression is correct this should affect Firefox 9 and not Firefox 8.
Assignee: general → cdleary
status-firefox10: --- → affected
status-firefox8: --- → unaffected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox9: --- → +
Keywords: regression
Blocks: 684039
Created attachment 566031 [details] [diff] [review]
Overflow checks.

I think this is only trunk (mozilla10, like on the bisected bug).

The tests were being skipped because of bug 644241 comment 34. (No good way to specify jstest runs as expected-to-OOM.)
Attachment #566031 - Flags: review?(luke)
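The fix attached above is described only as "Overflow checks." The following is an added illustration, not the patch itself and not code from the Mozilla tree, of the kind of check an allocator needs when it sizes a chunk from untrusted lengths: the total byte count is computed with wrap detection, and the power-of-two rounding refuses a chunk whose log2 would reach the width of size_t, which is the condition the assertion in the title guards. The 32-bit size_t is modelled explicitly with uint32_t (an assumption, since the report was taken on a 32-bit build) so the numbers behave the same on a 64-bit host; the input values mirror the test case (2^25 code units, 38 copies, 2 bytes per UTF-16 code unit) and are constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the Mozilla tree. A 32-bit size_t is modelled
   explicitly (assumption: the reported build was 32-bit). */
typedef uint32_t size32_t;
#define SIZE32_MAX  UINT32_MAX
#define SIZE32_BITS 32

/* Multiply count * len * elem_size, reporting overflow instead of wrapping.
   Uses the portable division test so no compiler builtin is required. */
static bool checked_total_bytes(size32_t count, size32_t len,
                                size32_t elem_size, size32_t *out)
{
    if (len != 0 && count > SIZE32_MAX / len)
        return false;                         /* count * len would wrap */
    size32_t units = count * len;
    if (elem_size != 0 && units > SIZE32_MAX / elem_size)
        return false;                         /* units * elem_size would wrap */
    *out = units * elem_size;
    return true;
}

/* Smallest k with 2^k >= n, or -1 when k would reach the bit width: a chunk
   of 2^32 bytes is not representable in a 32-bit size_t, which is what the
   assertion log2 < BitSize<size_t> in the title is checking for. */
static int ceil_log2_checked(size32_t n)
{
    int k = 0;
    size32_t p = 1;
    while (p < n) {
        if (k + 1 >= SIZE32_BITS)
            return -1;                        /* 2^(k+1) does not fit */
        p <<= 1;
        k++;
    }
    return k;
}

/* Size a power-of-two chunk for count strings of len elements each; returns
   false if any step overflows. A caller that gets false should report
   out-of-memory instead of allocating a wrapped (too small) size, which is
   how an unchecked computation turns into heap corruption. */
static bool plan_chunk(size32_t count, size32_t len, size32_t elem_size,
                       size32_t *chunk_bytes)
{
    size32_t bytes;
    if (!checked_total_bytes(count, len, elem_size, &bytes))
        return false;
    int k = ceil_log2_checked(bytes);
    if (k < 0)
        return false;
    *chunk_bytes = (size32_t)1 << k;
    return true;
}

int main(void)
{
    /* Constructed input mirroring the test case: "vv" doubled 24 times is
       2^25 code units, passed 38 times, 2 bytes per UTF-16 code unit. */
    size32_t len = (size32_t)2 << 24, out = 0;
    bool ok = plan_chunk(38, len, 2, &out);
    printf("38 x 2^25 units, 2 bytes each -> %s\n", ok ? "ok" : "overflow, refuse");
    ok = plan_chunk(3, 5, 2, &out);
    printf("3 x 5 units, 2 bytes each -> %s, chunk %u bytes\n", ok ? "ok" : "overflow", out);
    return 0;
}
```

With the test case's sizes the byte total (about 2.55 GB) still fits in 32 bits, but rounding it up to a power of two would need 2^32, so plan_chunk refuses; with a 64-bit size_t the same request is merely large. The point for any allocator taking script-controlled lengths is that both the multiplication and the rounding need their own check.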

Updated

6 years ago
Attachment #566031 - Flags: review?(luke) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/ae2293392154
Target Milestone: --- → mozilla10
https://hg.mozilla.org/mozilla-central/rev/ae2293392154
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox10: affected → fixed
Resolution: --- → FIXED

Updated

6 years ago
status-firefox9: affected → unaffected
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] js-triage-needed → [sg:critical?][qa-] js-triage-needed
(Reporter)

Comment 8

6 years ago
Verified fixed on Firefox 10.
No shipping version had this bug; we can unhide it.
Group: core-security
status1.9.2: --- → unaffected
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 10

4 years ago
Covered by the jit-test in comment 2.
Flags: in-testsuite-