Bug 712169 - Assertion failure: canAllocUnaligned(n), at js/src/ds/LifoAlloc.cpp:100 or Crash [@ __memcpy_ssse3_rep]
Status: VERIFIED FIXED
Whiteboard: [sg:critical][qa+:ashughes] js-triage...
Keywords: assertion, crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Priority: -- Severity: critical
Target Milestone: mozilla12
Assigned To: Chris Leary [:cdleary] (not checking bugmail)
Blocks: langfuzz
Reported: 2011-12-19 16:31 PST by Christian Holler (:decoder)
Modified: 2013-03-11 09:18 PDT (History)
CC: 11 users
choller: in-testsuite-
Attachments
Overflow check in unaligned case. (637 bytes, patch)
2011-12-19 16:54 PST, Chris Leary [:cdleary] (not checking bugmail)
luke: review+
christian: approval-mozilla-aurora+
christian: approval-mozilla-beta+

Description Christian Holler (:decoder) 2011-12-19 16:31:14 PST
The following test asserts on mozilla-central revision f98c57415d8d (options -m -n -a), 32 bit:


try {
  var str = '0123456789';
  for (var icount = 0; icount < 24; let(icount, printStatus) (function() gczeal(2))[1]++)
        str = str + str;
} catch(ex) {
  new XML ( str, false, (new RegExp('[0-9]{3}')).test('23 2 34 78 9 09'));
}
this.toSource();


Furthermore, this test crashes on optimized 32-bit versions:

#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1309
#1  0x081b8f43 in js::LifoAlloc::reallocUnaligned (this=0xf7b0a364, origPtr=0xe73bd018, origSize=167772162, incr=167772162) at /usr/include/bits/string3.h:52
#2  0x080f6090 in SprintEnsureBuffer (sp=0xffffce30, len=<value optimized out>) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:752
#3  0x080f6b19 in js::SprintPut (sp=0xffffce30, s=0x8330ae8 "\"", len=1) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:784
#4  0x080f6de0 in SprintCString (sp=0xffffce30, format=0x827a9c6 "%c") at /srv/repos/mozilla-central/js/src/jsopcode.cpp:804
#5  js::Sprint (sp=0xffffce30, format=0x827a9c6 "%c") at /srv/repos/mozilla-central/js/src/jsopcode.cpp:840
#6  0x080f72c9 in QuoteString (sp=0xffffce30, str=<value optimized out>, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:922
#7  0x080f7361 in js_QuoteString (cx=0x8327358, str=0xf740d180, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:940
#8  0x0812b49e in js_ValueToSource (cx=0x8327358, v=...) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3351
#9  0x080ea30b in obj_toSource (cx=0x8327358, argc=0, vp=0xf76ea058) at /srv/repos/mozilla-central/js/src/jsobj.cpp:669
#10 0x080cd14c in CallJSNative (cx=0x8327358, args=..., construct=js::NO_CONSTRUCT) at ../jscntxtinlines.h:311


S-s and sg:critical due to obvious memory hazard.
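The attachment title below refers to an overflow check in the unaligned realloc path, but the patch body is not on this page. The following is an added illustration of the general pattern, not the attachment's code and not SpiderMonkey's LifoAlloc: a realloc-style helper whose size computation is checked before any allocation or memcpy happens. The names unchecked_grow_size, checked_grow_size and realloc_unaligned_checked, and the uint32_t size type used to mirror a 32-bit build, are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 32-bit size type, chosen to mirror the 32-bit build in the
 * report, where size_t is 32 bits wide. */
typedef uint32_t size32_t;

/* Unchecked growth computation: the addition silently wraps, so a large
 * origSize plus a large incr yields a small newSize. A helper that trusts
 * this value allocates too little and then memcpy()s origSize bytes past
 * the end of the new block. Shown for illustration only; never use it. */
static size32_t unchecked_grow_size(size32_t origSize, size32_t incr) {
    return origSize + incr;
}

/* Checked growth computation: returns 1 and writes the new size, or
 * returns 0 when origSize + incr would not fit in size32_t. */
static int checked_grow_size(size32_t origSize, size32_t incr, size32_t *out) {
    if (incr > UINT32_MAX - origSize)
        return 0;
    *out = origSize + incr;
    return 1;
}

/* Hypothetical realloc-style helper (assumption, not SpiderMonkey's code):
 * grow a buffer of origSize bytes by incr bytes. Returns a fresh block that
 * holds the old contents, or NULL on overflow or allocation failure. On NULL
 * the caller's original buffer is untouched and no copy was attempted. */
static void *realloc_unaligned_checked(const void *origPtr, size32_t origSize,
                                       size32_t incr) {
    size32_t newSize;
    if (!checked_grow_size(origSize, incr, &newSize))
        return NULL;                 /* size computation wrapped: refuse */
    void *p = malloc(newSize);
    if (p == NULL)
        return NULL;                 /* out of memory: refuse */
    /* Safe: the check above guarantees newSize >= origSize. */
    memcpy(p, origPtr, origSize);
    return p;
}

int main(void) {
    /* Constructed inputs near the 32-bit limit. */
    size32_t big = UINT32_MAX - 0x0F;   /* 0xFFFFFFF0 */
    size32_t n = 0;
    int ok = checked_grow_size(big, 0x20, &n);
    printf("unchecked newSize: 0x%x (wrapped), checked ok=%d\n",
           unchecked_grow_size(big, 0x20), ok);

    char src[] = "abc";
    char *grown = realloc_unaligned_checked(src, sizeof src, 4);
    if (grown != NULL) {
        printf("grown copy: %s\n", grown);
        free(grown);
    }
    return 0;
}
```

The point of the split into checked_grow_size and the allocation is ordering: the size is validated first, the block is obtained second, and the copy runs only once both have succeeded, so a wrapped size can never reach memcpy.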
Comment 1 Chris Leary [:cdleary] (not checking bugmail) 2011-12-19 16:54:16 PST
Created attachment 583016
Overflow check in unaligned case.

Very low risk, requesting Aurora approval, beta not affected.
Comment 2 Chris Leary [:cdleary] (not checking bugmail) 2011-12-20 14:26:39 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb95ada7b4b4
Comment 3 Daniel Veditz [:dveditz] 2011-12-21 13:49:18 PST
Merged by Ed Morley
https://hg.mozilla.org/mozilla-central/rev/cb95ada7b4b4

LifoAlloc.cpp doesn't exist in Firefox 10 so I'm assuming that version is unaffected by this bug.
Comment 4 christian 2011-12-21 16:00:32 PST
Comment on attachment 583016
Overflow check in unaligned case.

[triage comment]
Approved for aurora. Please land as soon as you can.
Comment 5 Chris Leary [:cdleary] (not checking bugmail) 2011-12-21 16:16:03 PST
Comment on attachment 583016
Overflow check in unaligned case.

We merged on the 20th so I now need beta approval as well.
Comment 6 christian 2011-12-21 16:35:04 PST
Comment on attachment 583016
Overflow check in unaligned case.

[triage comment]
Approved for beta as well. Sorry, I should have asked if it applied there too.
Comment 7 Chris Leary [:cdleary] (not checking bugmail) 2011-12-21 21:58:30 PST
https://hg.mozilla.org/releases/mozilla-beta/rev/438310f9f812

Changed the tracking flags because this made it into mozilla-central before Fx11 merged to aurora.
Comment 8 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-07 14:07:10 PST
Verified fixed in Firefox 11.0b6
Comment 9 Al Billings [:abillings] 2012-03-16 16:02:37 PDT
Verified in nightly (finally).
Comment 10 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-31 15:54:23 PDT
Verified fixed in Firefox 10 and ESR:10
Comment 11 Christian Holler (:decoder) 2013-03-11 09:18:04 PDT
Didn't manage to rewrite the test such that it doesn't require E4X, in-testsuite-.