Assertion failure: canAllocUnaligned(n), at js/src/ds/LifoAlloc.cpp:100 or Crash [@ __memcpy_ssse3_rep]

VERIFIED FIXED in Firefox 10

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Assigned: cdleary)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla12
x86
Linux
assertion, crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox10 verified, firefox11+ verified, firefox12+ unaffected, firefox-esr1010+ verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa+:ashughes] js-triage-done, crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central revision f98c57415d8d (options -m -n -a), 32 bit:


try {
  var str = '0123456789';
  // icount is never incremented: the update clause is fuzzer noise (a let-expression
  // wrapping a gczeal(2) call), so the loop keeps doubling str until concatenation throws.
  for (var icount = 0; icount < 24; let(icount, printStatus) (function() gczeal(2))[1]++)
        str = str + str;
} catch(ex) {
  // E4X constructor, shell-only; str is left at its last successfully doubled size.
  new XML ( str, false, (new RegExp('[0-9]{3}')).test('23 2 34 78 9 09'));
}
// Serialises the global object, including the huge str, through the Sprint buffers.
this.toSource();


Furthermore this test crashes on optimized 32 bit versions:

#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1309
#1  0x081b8f43 in js::LifoAlloc::reallocUnaligned (this=0xf7b0a364, origPtr=0xe73bd018, origSize=167772162, incr=167772162) at /usr/include/bits/string3.h:52
#2  0x080f6090 in SprintEnsureBuffer (sp=0xffffce30, len=<value optimized out>) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:752
#3  0x080f6b19 in js::SprintPut (sp=0xffffce30, s=0x8330ae8 "\"", len=1) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:784
#4  0x080f6de0 in SprintCString (sp=0xffffce30, format=0x827a9c6 "%c") at /srv/repos/mozilla-central/js/src/jsopcode.cpp:804
#5  js::Sprint (sp=0xffffce30, format=0x827a9c6 "%c") at /srv/repos/mozilla-central/js/src/jsopcode.cpp:840
#6  0x080f72c9 in QuoteString (sp=0xffffce30, str=<value optimized out>, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:922
#7  0x080f7361 in js_QuoteString (cx=0x8327358, str=0xf740d180, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:940
#8  0x0812b49e in js_ValueToSource (cx=0x8327358, v=...) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3351
#9  0x080ea30b in obj_toSource (cx=0x8327358, argc=0, vp=0xf76ea058) at /srv/repos/mozilla-central/js/src/jsobj.cpp:669
#10 0x080cd14c in CallJSNative (cx=0x8327358, args=..., construct=js::NO_CONSTRUCT) at ../jscntxtinlines.h:311


S-s and sg:critical due to obvious memory hazard.
Created attachment 583016 [details] [diff] [review]
Overflow check in unaligned case.

Very low risk, requesting Aurora approval, beta not affected.
Assignee: general → christopher.leary
Status: NEW → ASSIGNED
Attachment #583016 - Flags: review?(luke)
Attachment #583016 - Flags: approval-mozilla-aurora?
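The backtrace above fails inside js::LifoAlloc::reallocUnaligned(origPtr, origSize, incr) and the attachment is titled "Overflow check in unaligned case". As an added illustration (not SpiderMonkey's code and not the attached patch), the C below sketches a bump-style arena whose unaligned realloc rejects an origSize + incr that would wrap, or that exceeds the chunk, instead of asserting or copying with a bogus size; the arena layout and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed single-chunk bump arena; an illustration, not js::LifoAlloc. */
typedef struct {
    unsigned char *base;   /* start of the chunk */
    size_t capacity;       /* chunk size in bytes */
    size_t used;           /* bump offset: bytes handed out so far */
} Arena;
/* Unaligned bump allocation: fail cleanly when the chunk is exhausted. */
static void *arena_alloc_unaligned(Arena *a, size_t n) {
    if (n > a->capacity - a->used)
        return NULL;
    void *p = a->base + a->used;
    a->used += n;
    return p;
}

/* Grow an allocation of origSize bytes by incr bytes. The guard on origSize + incr
 * is the point: a wrapped newSize would pass the capacity check and memcpy would
 * copy origSize bytes into a short destination. NULL on overflow or exhaustion. */
static void *arena_realloc_unaligned(Arena *a, void *orig, size_t origSize, size_t incr) {
    if (incr > SIZE_MAX - origSize)
        return NULL;                          /* origSize + incr would wrap */
    size_t newSize = origSize + incr;
    if ((unsigned char *)orig + origSize == a->base + a->used) {
        if (incr > a->capacity - a->used)     /* last allocation: grow in place */
            return NULL;
        a->used += incr;
        return orig;
    }
    void *p = arena_alloc_unaligned(a, newSize);   /* otherwise allocate and copy */
    if (p)
        memcpy(p, orig, origSize);
    return p;
}
/* Exercise in-place growth, a wrapping size and an oversized request; 1 if all behave. */
static int arena_demo(void) {
    static unsigned char chunk[64];
    Arena a = { chunk, sizeof chunk, 0 };
    unsigned char *s = arena_alloc_unaligned(&a, 16);
    memset(s, 'x', 16);
    unsigned char *t = arena_realloc_unaligned(&a, s, 16, 16);
    int ok = (t == s && a.used == 32);
    ok = ok && arena_realloc_unaligned(&a, t, 32, SIZE_MAX - 4) == NULL;
    ok = ok && arena_realloc_unaligned(&a, t, 32, 64) == NULL;
    return ok;
}
```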

Updated

6 years ago
Attachment #583016 - Flags: review?(luke) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb95ada7b4b4
Merged by Ed Morley
https://hg.mozilla.org/mozilla-central/rev/cb95ada7b4b4

LifoAlloc.cpp doesn't exist in Firefox 10, so I'm assuming that version is unaffected by this bug.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
status1.9.2: --- → unaffected
status-firefox10: --- → unaffected
status-firefox11: --- → affected
status-firefox12: --- → fixed
tracking-firefox11: --- → +
tracking-firefox12: --- → +
Keywords: regression
Resolution: --- → FIXED
Target Milestone: --- → mozilla12

Comment 4

6 years ago
Comment on attachment 583016 [details] [diff] [review]
Overflow check in unaligned case.

[triage comment]
Approved for aurora. Please land as soon as you can.
Attachment #583016 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 583016 [details] [diff] [review]
Overflow check in unaligned case.

We merged on the 20th so I now need beta approval as well.
Attachment #583016 - Flags: approval-mozilla-beta?

Comment 6

6 years ago
Comment on attachment 583016 [details] [diff] [review]
Overflow check in unaligned case.

[triage comment]
Approved for beta as well. Sorry, I should have asked if it applied there too.
Attachment #583016 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/releases/mozilla-beta/rev/438310f9f812

Changed the tracking flags because this made it into mozilla-central before Fx11 merged to aurora.
status-firefox10: unaffected → fixed
status-firefox11: affected → fixed
status-firefox12: fixed → unaffected
Whiteboard: [sg:critical] js-triage-needed → [sg:critical][qa+] js-triage-needed
Whiteboard: [sg:critical][qa+] js-triage-needed → [sg:critical][qa+] js-triage-done
Verified fixed in Firefox 11.0b6
status-firefox11: fixed → verified

Updated

6 years ago
status-firefox-esr10: --- → fixed

Updated

5 years ago
tracking-firefox-esr10: --- → 10+
Verified in nightly (finally).
Status: RESOLVED → VERIFIED
Group: core-security
Verified fixed in Firefox 10 and ESR:10
status-firefox-esr10: fixed → verified
status-firefox10: fixed → verified
Whiteboard: [sg:critical][qa+] js-triage-done → [sg:critical][qa+:ashughes] js-triage-done
(Reporter)

Comment 11

4 years ago
Didn't manage to rewrite the test such that it doesn't require E4X, in-testsuite-.
Flags: in-testsuite-