Bug 917593 (Closed) - Structured clone read fails EndianUtils::assertNoOverlap when trying to deserialize zero-length strings
Opened 12 years ago, closed 12 years ago
Categories: Core :: MFBT, defect
Status: RESOLVED FIXED
Target Milestone: mozilla27
People: Reporter: bholley, Unassigned
Attachments: 1 file, 1 obsolete file
- patch, 1.79 KB, Waldo: review+
I'm pretty sure this is an MFBT bug. I'll attach a patch.
The stack looks like this:
#0 mozilla::detail::EndianUtils::assertNoOverlap (dest=0x125187888, src=0x125187888, count=0) at Endian.h:241
#1 0x0000000105a26dc4 in mozilla::detail::EndianUtils::copyAndSwapFrom<(mozilla::detail::Endianness)0, (mozilla::detail::Endianness)0, unsigned short> (dest=0x125187888, src=0x125187888, count=0) at Endian.h:317
#2 0x0000000105a26d85 in mozilla::detail::Endian<(mozilla::detail::Endianness)0>::copyAndSwapFromLittleEndian<unsigned short> (dest=0x125187888, src=0x125187888, count=0) at Endian.h:485
#3 0x0000000105a1e965 in copyAndSwapFromLittleEndian (dest=0x125187888, src=0x125187888, nelems=0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:453
#4 0x0000000105a1f76d in js::SCInput::readArray<unsigned short> (this=0x7fff5fbf8590, p=0x125187888, nelems=0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:477
#5 0x0000000105a19d32 in js::SCInput::readChars (this=0x7fff5fbf8590, p=0x125187888, nchars=0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:492
#6 0x0000000105a1b8f4 in JSStructuredCloneReader::readString (this=0x7fff5fbf8458, nchars=0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1003
#7 0x0000000105a1c51e in JSStructuredCloneReader::startRead (this=0x7fff5fbf8458, vp=0x7fff5fbf8748) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1188
#8 0x0000000105a193b7 in JSStructuredCloneReader::read (this=0x7fff5fbf8458, vp=0x7fff5fbf8748) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1403
#9 0x0000000105a192e1 in js::ReadStructuredClone (cx=0x11ec13100, data=0x125187880, nbytes=8, vp=0x7fff5fbf8748, cb=0x10861c290, cbClosure=0x0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:295
#10 0x0000000105a1d62f in JS_ReadStructuredClone (cx=0x11ec13100, buf=0x125187880, nbytes=8, version=2, vp=0x7fff5fbf8748, optionalCallbacks=0x10861c290, closure=0x0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1445
#11 0x0000000105a1dd41 in JSAutoStructuredCloneBuffer::read (this=0x7fff5fbf8768, cx=0x11ec13100, vp=0x7fff5fbf8748, optionalCallbacks=0x10861c290, closure=0x0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1584
#12 0x0000000102bb103e in (anonymous namespace)::MessageEvent::GetProperty (aCx=0x11ec13100, aObj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf8f10}, aIdval={<js::HandleBase<jsid>> = {<No data fields>}, ptr = 0x7fff5fbf88d8}, aVp={<js::MutableHandleBase<JS::Value>> = {<js::MutableValueOperations<JS::MutableHandle<JS::Value> >> = {<js::UnbarrieredMutableValueOperations<JS::MutableHandle<JS::Value> >> = {<js::ValueOperations<JS::MutableHandle<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}, ptr = 0x10fcbb0a8}) at /files/mozilla/repos/b/dom/workers/Events.cpp:542
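As an added illustration (not the patch from this bug and not MFBT's actual Endian.h code), the overlap predicate in the two forms at issue: a strict one that rejects the zero-length case shown in the stack trace (dest == src, count == 0), and a half-open-interval one that accepts it while still catching real overlaps. The function names, the guarded copy routine and the "ab" sample bytes are constructed for this example; `arr` is the naturally aligned array suggested in comment 9, used only for its address.

```cpp
#include <cstddef>
#include <cstdint>

// Strict check: insists the two ranges start at different addresses, so the
// empty range at dest == src is reported as overlapping (the stack trace
// above: dest=src, count=0).
static bool disjointStrict(const void* dest, const void* src, size_t count) {
  const uint8_t* d = static_cast<const uint8_t*>(dest);
  const uint8_t* s = static_cast<const uint8_t*>(src);
  return (d < s && d + count <= s) || (s < d && s + count <= d);
}

// Half-open check: [d, d+count) and [s, s+count) are disjoint when one ends
// at or before the other begins. An empty range overlaps nothing, itself
// included, which is what a zero-length copy needs.
static bool disjointHalfOpen(const void* dest, const void* src, size_t count) {
  const uint8_t* d = static_cast<const uint8_t*>(dest);
  const uint8_t* s = static_cast<const uint8_t*>(src);
  return d + count <= s || s + count <= d;
}

// Copy `count` little-endian uint16_t values into host-order `dest`, guarded
// by the half-open check over the byte ranges actually touched. Returns
// false instead of asserting so the guard's verdict can be observed.
static bool copyU16FromLittleEndian(uint16_t* dest, const uint8_t* src, size_t count) {
  if (!disjointHalfOpen(dest, src, count * sizeof(uint16_t))) return false;
  for (size_t i = 0; i < count; i++)
    dest[i] = static_cast<uint16_t>(src[2 * i] | (src[2 * i + 1] << 8));
  return true;
}

// Naturally aligned data as suggested in comment 9; a 16-byte buffer standing
// in for the 8-byte clone buffer (nbytes=8 in the trace) plus what follows it.
static uint64_t arr[] = { 0xDEADBEEF, 0xBEEFCAEC };

// The stack-trace situation: the string payload has nchars == 0, so the read
// happens at buffer + 8 with dest == src.
static bool zeroLengthReadAccepted(bool strict) {
  const uint8_t* end = reinterpret_cast<const uint8_t*>(arr) + 8;
  return strict ? disjointStrict(end, end, 0) : disjointHalfOpen(end, end, 0);
}

// Constructed little-endian bytes for the two-character UTF-16 string "ab".
static const uint8_t kAbLE[4] = { 0x61, 0x00, 0x62, 0x00 };

// Decodes kAbLE into a fresh buffer and returns the i-th host-order unit.
static uint16_t decodedUnit(size_t i) {
  uint16_t out[2] = { 0, 0 };
  return copyU16FromLittleEndian(out, kAbLE, 2) ? out[i] : 0xFFFF;
}
```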
Comment 1 (Reporter) • 12 years ago
Attachment #806332 - Flags: review?
Updated (Reporter) • 12 years ago
Attachment #806332 - Flags: review? → review?(jwalden+bmo)
Comment 2 (Reporter) • 12 years ago
Updated per IRC discussion.
Attachment #806336 - Flags: review?(jwalden+bmo)
Updated (Reporter) • 12 years ago
Attachment #806332 - Attachment is obsolete: true
Attachment #806332 - Flags: review?(jwalden+bmo)
Updated • 12 years ago
Attachment #806336 - Flags: review?(jwalden+bmo) → review+
Comment 3 (Reporter) • 12 years ago
Comment 4 (Reporter) • 12 years ago
Comment 5 • 12 years ago
Backed out for near perma-fail on Windows debug.
https://hg.mozilla.org/integration/mozilla-inbound/rev/1f690939a3a5
https://tbpl.mozilla.org/php/getParsedLog.php?id=28302818&tree=Mozilla-Inbound
Comment 6 (Reporter) • 12 years ago
Looks like there were some alignment issues. Used Aligned2<uint64_t>, and repushing to try to make sure all is good on Windows:
https://tbpl.mozilla.org/?tree=Try&rev=0e31c2173706
Comment 7 (Reporter) • 12 years ago
(In reply to Bobby Holley (:bholley) from comment #6)
> Looks like there were some alignment issues. Used Aligned2<uint64_t>, and
> repushing to try to make sure all is good on Windows:
>
> https://tbpl.mozilla.org/?tree=Try&rev=0e31c2173706
Looks like it's still failing. Waldo, any idea what I'm doing wrong?
Flags: needinfo?(jwalden+bmo)
Comment 9 • 12 years ago
None at all (and I can't reproduce it locally, either). Maybe try putting |uint64_t arr[] = { 0xDEADBEEF, 0xBEEFCAEC };| at top level, then use |arr|? Could be some sort of thing about using a local non-array, or about using something union-y (definitely using AlignedStorage is overkill and unnecessary complexity here).
Flags: needinfo?(jwalden+bmo)
Comment 10 (Reporter) • 12 years ago
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #9)
> None at all (and I can't reproduce it locally, either). Maybe try putting
> |uint64_t arr[] = { 0xDEADBEEF, 0xBEEFCAEC };| at top level, then use |arr|?
> Could be some sort of thing about using a local non-array, or about using
> something union-y (definitely using AlignedStorage is overkill and
> unnecessary complexity here).
How about I just land this fix without the test? I'm only touching an assertion.
Flags: needinfo?(jwalden+bmo)
Comment 12 (Reporter) • 12 years ago
Landed without the test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/01198082967c
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27