Closed Bug 917593 Opened 12 years ago Closed 12 years ago

Structured clone read fails EndianUtils::assertNoOverlap when trying to deserialize zero-length strings

Categories

(Core :: MFBT, defect)

Platform: x86 macOS
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
mozilla27

People

(Reporter: bholley, Unassigned)

References

Details

Attachments

(1 file, 1 obsolete file)

I'm pretty sure this is an MFBT bug. I'll attach a patch. The stack looks like this:

#0  mozilla::detail::EndianUtils::assertNoOverlap (dest=0x125187888, src=0x125187888, count=0) at Endian.h:241
#1  0x0000000105a26dc4 in mozilla::detail::EndianUtils::copyAndSwapFrom<(mozilla::detail::Endianness)0, (mozilla::detail::Endianness)0, unsigned short> (dest=0x125187888, src=0x125187888, count=0) at Endian.h:317
#2  0x0000000105a26d85 in mozilla::detail::Endian<(mozilla::detail::Endianness)0>::copyAndSwapFromLittleEndian<unsigned short> (dest=0x125187888, src=0x125187888, count=0) at Endian.h:485
#3  0x0000000105a1e965 in copyAndSwapFromLittleEndian (dest=0x125187888, src=0x125187888, nelems=0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:453
#4  0x0000000105a1f76d in js::SCInput::readArray<unsigned short> (this=0x7fff5fbf8590, p=0x125187888, nelems=0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:477
#5  0x0000000105a19d32 in js::SCInput::readChars (this=0x7fff5fbf8590, p=0x125187888, nchars=0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:492
#6  0x0000000105a1b8f4 in JSStructuredCloneReader::readString (this=0x7fff5fbf8458, nchars=0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1003
#7  0x0000000105a1c51e in JSStructuredCloneReader::startRead (this=0x7fff5fbf8458, vp=0x7fff5fbf8748) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1188
#8  0x0000000105a193b7 in JSStructuredCloneReader::read (this=0x7fff5fbf8458, vp=0x7fff5fbf8748) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1403
#9  0x0000000105a192e1 in js::ReadStructuredClone (cx=0x11ec13100, data=0x125187880, nbytes=8, vp=0x7fff5fbf8748, cb=0x10861c290, cbClosure=0x0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:295
#10 0x0000000105a1d62f in JS_ReadStructuredClone (cx=0x11ec13100, buf=0x125187880, nbytes=8, version=2, vp=0x7fff5fbf8748, optionalCallbacks=0x10861c290, closure=0x0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1445
#11 0x0000000105a1dd41 in JSAutoStructuredCloneBuffer::read (this=0x7fff5fbf8768, cx=0x11ec13100, vp=0x7fff5fbf8748, optionalCallbacks=0x10861c290, closure=0x0) at /files/mozilla/repos/b/js/src/vm/StructuredClone.cpp:1584
#12 0x0000000102bb103e in (anonymous namespace)::MessageEvent::GetProperty (aCx=0x11ec13100, aObj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf8f10}, aIdval={<js::HandleBase<jsid>> = {<No data fields>}, ptr = 0x7fff5fbf88d8}, aVp={<js::MutableHandleBase<JS::Value>> = {<js::MutableValueOperations<JS::MutableHandle<JS::Value> >> = {<js::UnbarrieredMutableValueOperations<JS::MutableHandle<JS::Value> >> = {<js::ValueOperations<JS::MutableHandle<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}, ptr = 0x10fcbb0a8}) at /files/mozilla/repos/b/dom/workers/Events.cpp:542
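The stack above shows assertNoOverlap being reached with dest == src and count == 0: deserializing a zero-length string asks for a zero-element copy, and the destination happens to sit at the same address as the source. The following is an added illustration (not MFBT's Endian.h, whose actual patch is not shown on this page) of how an overlap check written with a strict comparison rejects that case, next to a predicate that treats an empty range as disjoint from everything. The names disjointStrict, disjointRanges and copyFromLittleEndian16 are this example's own, and the "before" form is a hypothetical reconstruction rather than the original assertion; count is in bytes for the two predicates.

```cpp
// Added example, not MFBT code. Shows why a zero-length copy whose source and
// destination coincide trips a strictly written overlap assertion, and the
// corrected predicate.
#include <cstddef>
#include <cstdint>

// Hypothetical reconstruction of the failing check (an assumption, not the
// original): the strict '<' on the first clause of each alternative rejects
// dest == src even when count == 0 and no byte is touched.
bool disjointStrict(const void* dest, const void* src, size_t count) {
  uintptr_t d = reinterpret_cast<uintptr_t>(dest);
  uintptr_t s = reinterpret_cast<uintptr_t>(src);
  return (d < s && d + count <= s) || (s < d && s + count <= d);
}

// Corrected predicate: [d, d+count) and [s, s+count) are disjoint exactly when
// one range ends no later than the other begins. An empty range therefore
// never overlaps anything, including itself.
bool disjointRanges(const void* dest, const void* src, size_t count) {
  uintptr_t d = reinterpret_cast<uintptr_t>(dest);
  uintptr_t s = reinterpret_cast<uintptr_t>(src);
  return d + count <= s || s + count <= d;
}

// Decode `count` little-endian uint16_t values from `src` into `dest`,
// refusing overlapping buffers. Returns false instead of asserting so the
// outcome is observable in a test; host byte order does not matter because
// each value is assembled from bytes explicitly.
bool copyFromLittleEndian16(uint16_t* dest, const void* src, size_t count) {
  if (!disjointRanges(dest, src, count * sizeof(uint16_t))) {
    return false;
  }
  const uint8_t* p = static_cast<const uint8_t*>(src);
  for (size_t i = 0; i < count; i++) {
    dest[i] = static_cast<uint16_t>(p[2 * i] | (p[2 * i + 1] << 8));
  }
  return true;
}

// Replays the reported situation: zero chars, dest and src at the same
// address. The buffer is a constructed stand-in for the clone buffer.
bool zeroLengthReadSucceeds() {
  alignas(uint16_t) uint8_t buf[8] = {0};
  uint16_t* same = reinterpret_cast<uint16_t*>(buf);
  return copyFromLittleEndian16(same, buf, 0);
}
```

With disjointStrict the zero-length read is rejected and the assertion fires; with disjointRanges it passes, while genuinely overlapping non-empty ranges are still refused.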
Attachment #806332 - Flags: review?
Attachment #806332 - Flags: review? → review?(jwalden+bmo)
Updated per IRC discussion.
Attachment #806336 - Flags: review?(jwalden+bmo)
Attachment #806332 - Attachment is obsolete: true
Attachment #806332 - Flags: review?(jwalden+bmo)
Attachment #806336 - Flags: review?(jwalden+bmo) → review+
Looks like there were some alignment issues. Used Aligned2<uint64_t>, and repushing to try to make sure all is good on windows: https://tbpl.mozilla.org/?tree=Try&rev=0e31c2173706
(In reply to Bobby Holley (:bholley) from comment #6)
> Looks like there were some alignment issues. Used Aligned2<uint64_t>, and
> repushing to try to make sure all is good on windows:
>
> https://tbpl.mozilla.org/?tree=Try&rev=0e31c2173706

Looks like it's still failing. Waldo, any idea what I'm doing wrong?
Flags: needinfo?(jwalden+bmo)
None at all (and I can't reproduce it locally, either). Maybe try putting |uint64_t arr[] = { 0xDEADBEEF, 0xBEEFCAEC };| at top level, then use |arr|? Could be some sort of thing about using a local non-array, or about using something union-y (definitely using AlignedStorage is overkill and unnecessary complexity here).
Flags: needinfo?(jwalden+bmo)
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #9)
> None at all (and I can't reproduce it locally, either). Maybe try putting
> |uint64_t arr[] = { 0xDEADBEEF, 0xBEEFCAEC };| at top level, then use |arr|?
> Could be some sort of thing about using a local non-array, or about using
> something union-y (definitely using AlignedStorage is overkill and
> unnecessary complexity here).

How about I just land this fix without the test? I'm only touching an assertion.
Flags: needinfo?(jwalden+bmo)
Sure.
Flags: needinfo?(jwalden+bmo)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27