Closed
Bug 712169
Opened 13 years ago
Closed 13 years ago
Assertion failure: canAllocUnaligned(n), at js/src/ds/LifoAlloc.cpp:100 or Crash [@ __memcpy_ssse3_rep]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla12
| Tracking | Status | |
|---|---|---|
| firefox10 | --- | verified |
| firefox11 | + | verified |
| firefox12 | + | unaffected |
| firefox-esr10 | 10+ | verified |
| status1.9.2 | --- | unaffected |
People
(Reporter: decoder, Assigned: cdleary)
Details
(4 keywords, Whiteboard: [sg:critical][qa+:ashughes] js-triage-done)
Crash Data
Attachments
(1 file)
|
637 bytes,
patch
|
luke
:
review+
christian
:
approval-mozilla-aurora+
christian
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision f98c57415d8d (options -m -n -a), 32 bit:
try {
var str = '0123456789';
for (var icount = 0; icount < 24; let(icount, printStatus) (function() gczeal(2))[1]++)
str = str + str;
} catch(ex) {
new XML ( str, false, (new RegExp('[0-9]{3}')).test('23 2 34 78 9 09'));
}
this.toSource();
Furthermore this test crashes on optimized 32 bit versions:
#0 __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1309
#1 0x081b8f43 in js::LifoAlloc::reallocUnaligned (this=0xf7b0a364, origPtr=0xe73bd018, origSize=167772162, incr=167772162) at /usr/include/bits/string3.h:52
#2 0x080f6090 in SprintEnsureBuffer (sp=0xffffce30, len=<value optimized out>) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:752
#3 0x080f6b19 in js::SprintPut (sp=0xffffce30, s=0x8330ae8 "\"", len=1) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:784
#4 0x080f6de0 in SprintCString (sp=0xffffce30, format=0x827a9c6 "%c") at /srv/repos/mozilla-central/js/src/jsopcode.cpp:804
#5 js::Sprint (sp=0xffffce30, format=0x827a9c6 "%c") at /srv/repos/mozilla-central/js/src/jsopcode.cpp:840
#6 0x080f72c9 in QuoteString (sp=0xffffce30, str=<value optimized out>, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:922
#7 0x080f7361 in js_QuoteString (cx=0x8327358, str=0xf740d180, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:940
#8 0x0812b49e in js_ValueToSource (cx=0x8327358, v=...) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3351
#9 0x080ea30b in obj_toSource (cx=0x8327358, argc=0, vp=0xf76ea058) at /srv/repos/mozilla-central/js/src/jsobj.cpp:669
#10 0x080cd14c in CallJSNative (cx=0x8327358, args=..., construct=js::NO_CONSTRUCT) at ../jscntxtinlines.h:311
S-s and sg:critical due to obvious memory hazard.
|
Assignee | |
Comment 1•13 years ago
|
||
Very low risk, requesting Aurora approval, beta not affected.
Assignee: general → christopher.leary
Status: NEW → ASSIGNED
Attachment #583016 -
Flags: review?(luke)
Attachment #583016 -
Flags: approval-mozilla-aurora?
|
||
Updated•13 years ago
|
Attachment #583016 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 2•13 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb95ada7b4b4
|
||
Comment 3•13 years ago
|
||
Merged by Ed Morley https://hg.mozilla.org/mozilla-central/rev/cb95ada7b4b4 LifoAlloc.cpp doesn't exist in Firefox 10 so I'm assuming that version is unaffected by this bug.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
status1.9.2:
--- → unaffected
status-firefox10:
--- → unaffected
status-firefox11:
--- → affected
status-firefox12:
--- → fixed
tracking-firefox11:
--- → +
tracking-firefox12:
--- → +
Keywords: regression
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment on attachment 583016 [details] [diff] [review] Overflow check in unaligned case. [triage comment] Approved for aurora. Please land as soon as you can.
Attachment #583016 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 5•13 years ago
|
||
Comment on attachment 583016 [details] [diff] [review] Overflow check in unaligned case. We merged on the 20th so I now need beta approval as well.
Attachment #583016 -
Flags: approval-mozilla-beta?
Comment on attachment 583016 [details] [diff] [review] Overflow check in unaligned case. [triage comment] Approved for beta as well. Sorry, I should have asked if it applied there too.
Attachment #583016 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
Assignee | |
Comment 7•13 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/438310f9f812 Changed the tracking flags because this made it into mozilla-central before Fx11 merged to aurora.
Whiteboard: [sg:critical] js-triage-needed → [sg:critical][qa+] js-triage-needed
Whiteboard: [sg:critical][qa+] js-triage-needed → [sg:critical][qa+] js-triage-done
Verified fixed in Firefox 11.0b6
|
||
Updated•13 years ago
|
status-firefox-esr10:
--- → fixed
|
|
||
Updated•13 years ago
|
tracking-firefox-esr10:
--- → 10+
|
|
||
Updated•13 years ago
|
Group: core-security
|
||
Comment 10•12 years ago
|
||
Verified fixed in Firefox 10 and ESR:10
Whiteboard: [sg:critical][qa+] js-triage-done → [sg:critical][qa+:ashughes] js-triage-done
|
Reporter | |
Comment 11•12 years ago
|
||
Didn't manage to rewrite the test such that it doesn't require E4X, in-testsuite-.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•