Assertion failure: canAllocUnaligned(n), at js/src/ds/LifoAlloc.cpp:100 or Crash [@ __memcpy_ssse3_rep]

VERIFIED FIXED in Firefox 10

Status

()

defect
--
critical
VERIFIED FIXED
8 years ago
6 years ago

People

(Reporter: decoder, Assigned: cdleary)

Tracking

(Blocks 1 bug, 4 keywords)

Trunk
mozilla12
x86
Linux
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox10 verified, firefox11+ verified, firefox12+ unaffected, firefox-esr1010+ verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa+:ashughes] js-triage-done, crash signature)

Attachments

(1 attachment)

Reporter

Description

8 years ago
The following test asserts on mozilla-central revision f98c57415d8d (options -m -n -a), 32 bit:


try {
  var str = '0123456789';
  for (var icount = 0; icount < 24; let(icount, printStatus) (function() gczeal(2))[1]++)
        str = str + str;
} catch(ex) {
  new XML ( str, false, (new RegExp('[0-9]{3}')).test('23 2 34 78 9 09'));
}
this.toSource();


Furthermore this test crashes on optimized 32 bit versions:

#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1309
#1  0x081b8f43 in js::LifoAlloc::reallocUnaligned (this=0xf7b0a364, origPtr=0xe73bd018, origSize=167772162, incr=167772162) at /usr/include/bits/string3.h:52
#2  0x080f6090 in SprintEnsureBuffer (sp=0xffffce30, len=<value optimized out>) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:752
#3  0x080f6b19 in js::SprintPut (sp=0xffffce30, s=0x8330ae8 "\"", len=1) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:784
#4  0x080f6de0 in SprintCString (sp=0xffffce30, format=0x827a9c6 "%c") at /srv/repos/mozilla-central/js/src/jsopcode.cpp:804
#5  js::Sprint (sp=0xffffce30, format=0x827a9c6 "%c") at /srv/repos/mozilla-central/js/src/jsopcode.cpp:840
#6  0x080f72c9 in QuoteString (sp=0xffffce30, str=<value optimized out>, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:922
#7  0x080f7361 in js_QuoteString (cx=0x8327358, str=0xf740d180, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:940
#8  0x0812b49e in js_ValueToSource (cx=0x8327358, v=...) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3351
#9  0x080ea30b in obj_toSource (cx=0x8327358, argc=0, vp=0xf76ea058) at /srv/repos/mozilla-central/js/src/jsobj.cpp:669
#10 0x080cd14c in CallJSNative (cx=0x8327358, args=..., construct=js::NO_CONSTRUCT) at ../jscntxtinlines.h:311


S-s and sg:critical due to obvious memory hazard.
Very low risk, requesting Aurora approval, beta not affected.
Assignee: general → christopher.leary
Status: NEW → ASSIGNED
Attachment #583016 - Flags: review?(luke)
Attachment #583016 - Flags: approval-mozilla-aurora?

Updated

8 years ago
Attachment #583016 - Flags: review?(luke) → review+
Merged by Ed Morley
https://hg.mozilla.org/mozilla-central/rev/cb95ada7b4b4

LifoAlloc.cpp doesn't exist in Firefox 10 so I'm assuming that version is unaffected by this bug.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Keywords: regression
Resolution: --- → FIXED
Target Milestone: --- → mozilla12

Comment 4

8 years ago
Comment on attachment 583016 [details] [diff] [review]
Overflow check in unaligned case.

[triage comment]
Approved for aurora. Please land as soon as you can.
Attachment #583016 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 583016 [details] [diff] [review]
Overflow check in unaligned case.

We merged on the 20th so I now need beta approval as well.
Attachment #583016 - Flags: approval-mozilla-beta?

Comment 6

8 years ago
Comment on attachment 583016 [details] [diff] [review]
Overflow check in unaligned case.

[triage comment]
Approved for beta as well. Sorry, I should have asked if it applied there too.
Attachment #583016 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/releases/mozilla-beta/rev/438310f9f812

Changed the tracking flags because this made it into mozilla-central before Fx11 merged to aurora.
Whiteboard: [sg:critical] js-triage-needed → [sg:critical][qa+] js-triage-needed
Whiteboard: [sg:critical][qa+] js-triage-needed → [sg:critical][qa+] js-triage-done
Verified fixed in Firefox 11.0b6
Verified in nightly (finally).
Status: RESOLVED → VERIFIED
Group: core-security
Verified fixed in Firefox 10 and ESR:10
Whiteboard: [sg:critical][qa+] js-triage-done → [sg:critical][qa+:ashughes] js-triage-done
Reporter

Comment 11

6 years ago
Didn't manage to rewrite the test such that it doesn't require E4X, in-testsuite-.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.