Bug 690933 - Assertion failure: log2 < tl::BitSize<size_t>::result, at jstl.h:223 or crash with memory corruption
Whiteboard: [sg:critical?][qa-] js-triage-needed
Keywords: assertion, crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Chris Leary [:cdleary] (not checking bugmail)
: Jason Orendorff [:jorendorff]
Blocks: langfuzz 684039
Reported: 2011-09-30 14:58 PDT by Christian Holler (:decoder)
Modified: 2013-03-11 08:53 PDT
CC: 7 users
Flags: choller: in-testsuite-

Attachment 566031: Overflow checks. (5.74 KB, patch)
2011-10-10 14:28 PDT, Chris Leary [:cdleary] (not checking bugmail)
luke: review+

Description Christian Holler (:decoder) 2011-09-30 14:58:26 PDT
The following test asserts/crashes on mozilla-central revision 1463dc6308a8 (options -m -n), tested on 32 bit:

var fe="vv";
for (i=0; i<24; i++)   // "vv" doubled 24 times: 2 * 2^24 = 33554432 characters
  fe += fe;
var fu=new Function(
  fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
  fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
  fe  // further repetitions of fe follow in the original testcase; the list is truncated in this copy of the report
);

Stepping through the assert causes glibc to terminate:

Program received signal SIGABRT, Aborted.
*** glibc detected *** /srv/repos/mozilla-central/js/src/debug32/js: malloc(): memory corruption: 0x084fbcc8 ***
======= Backtrace: =========
Comment 1 Christian Holler (:decoder) 2011-09-30 15:06:44 PDT
Hm, the original test also asserts, it's


Isn't that test run with the normal test suite?
Comment 2 Christian Holler (:decoder) 2011-10-01 05:39:23 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   77764:4d10127fd106
user:        Chris Leary <>
date:        Thu Sep 22 13:22:30 2011 -0700
summary:     Bug 684039: rewrite JS LIFO allocator, avoids thrashing. (r=luke)
Comment 3 Daniel Veditz [:dveditz] 2011-10-06 13:13:53 PDT
If the bisected regression is correct this should affect Firefox 9 and not Firefox 8.
Comment 4 Chris Leary [:cdleary] (not checking bugmail) 2011-10-10 14:28:39 PDT
Created attachment 566031 [details] [diff] [review]
Overflow checks.

I think this is only trunk (mozilla10, like on the bisected bug).

The tests were being skipped because of bug 644241 comment 34. (No good way to specify jstest runs as expected-to-OOM.)
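Added example, not the attached patch and not SpiderMonkey's allocator code: the class of bug an "Overflow checks" patch addresses, modelled in C. The testcase in the description builds a 32 MiB string ("vv" doubled 24 times) and passes many copies of it to new Function; on a 32-bit build the number of bytes the engine needs no longer fits in size_t. The function names, the 16-byte header and the count of 130 copies below are constructed for illustration, since the real allocator's arithmetic is not on this page. The block contrasts an unchecked size computation, which wraps to a small value (an allocation far too short for the data copied into it, which is how a heap corruption of the kind glibc reports arises), with a checked one that rejects the request, and shows a power-of-two rounding guarded by the same bound the jstl.h assertion checks (log2 below the bit width of size_t). A 32-bit size type is used deliberately so the wraparound reproduces on a 64-bit host.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of unchecked size arithmetic in an allocator.
   A 32-bit "size_t" (uint32_t) is used so the wraparound the reporter saw
   on a 32-bit build reproduces on any host. */
typedef uint32_t sz_t;
#define SZ_MAX UINT32_MAX
#define SZ_BITS 32u

/* Length of the testcase string: "vv" (2 bytes) doubled `doublings` times.
   24 doublings give 33554432 bytes (32 MiB). */
static sz_t testcase_string_len(unsigned doublings) {
    return (sz_t)2 << doublings;
}

/* Unchecked: count copies of elem_size bytes plus a header. On a 32-bit
   size_t the product wraps silently, so a multi-GiB request can come out
   as a small number; the allocator then hands back a buffer far too short
   and the copy that follows overruns it. */
static sz_t bytes_needed_unchecked(sz_t count, sz_t elem_size, sz_t header) {
    return count * elem_size + header;
}

/* Checked: refuse the request instead of returning a wrapped size. */
static bool bytes_needed_checked(sz_t count, sz_t elem_size, sz_t header, sz_t *out) {
    if (elem_size != 0 && count > SZ_MAX / elem_size)
        return false;                      /* count * elem_size would wrap */
    sz_t product = count * elem_size;
    if (product > SZ_MAX - header)
        return false;                      /* adding the header would wrap */
    *out = product + header;
    return true;
}

/* Smallest lg with (1 << lg) >= n; returns SZ_BITS when no such shift fits.
   Guarding lg < SZ_BITS is the same condition as the assertion in the bug
   title (log2 < tl::BitSize<size_t>::result): a shift by the full width is
   undefined and the resulting "power of two" would not be representable. */
static unsigned ceil_log2(sz_t n) {
    unsigned lg = 0;
    while (lg < SZ_BITS && ((sz_t)1 << lg) < n)
        lg++;
    return lg;
}

/* Round a request up to a power of two (a typical arena chunk policy),
   failing cleanly when the rounded size would not fit in size_t. */
static bool round_up_pow2_checked(sz_t n, sz_t *out) {
    if (n == 0) { *out = 1; return true; }
    unsigned lg = ceil_log2(n);
    if (lg >= SZ_BITS)
        return false;                      /* would trip the jstl.h-style assertion */
    *out = (sz_t)1 << lg;
    return true;
}

int main(void) {
    sz_t len = testcase_string_len(24);    /* 33554432, from the testcase */
    sz_t header = 16;                      /* constructed per-allocation header */
    sz_t copies = 130;                     /* constructed count: over 4 GiB of source in total */
    sz_t need, chunk;

    printf("string length: %u bytes\n", (unsigned)len);
    printf("unchecked size for %u copies: %u (wrapped)\n",
           (unsigned)copies, (unsigned)bytes_needed_unchecked(copies, len, header));
    printf("checked size for %u copies: %s\n",
           (unsigned)copies, bytes_needed_checked(copies, len, header, &need) ? "ok" : "rejected");
    if (bytes_needed_checked(2, len, header, &need) && round_up_pow2_checked(need, &chunk))
        printf("2 copies: need %u bytes, chunk rounded to %u\n", (unsigned)need, (unsigned)chunk);
    return 0;
}
```

Note that the wrapped result for 130 copies (67108880) is exactly the legitimate result for 2 copies, so nothing downstream of the arithmetic can tell the two apart; the check has to sit at the multiplication and the addition themselves, which is what an overflow-checks patch adds.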
Comment 5 Chris Leary [:cdleary] (not checking bugmail) 2011-10-11 11:03:53 PDT
Comment 6 Justin Wood (:Callek) 2011-10-11 16:36:30 PDT
Comment 7 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-11-21 17:31:00 PST
Can someone who is already set up to reproduce this bug please verify the fix?
Comment 8 Christian Holler (:decoder) 2011-11-21 17:43:17 PST
Verified fixed on Firefox 10.
Comment 9 Daniel Veditz [:dveditz] 2012-01-12 17:03:03 PST
No shipping version had this bug, we can unhide it.
Comment 10 Christian Holler (:decoder) 2013-03-11 08:53:35 PDT
Covered by the jit-test in comment 2.
