Closed
Bug 1032067
Opened 10 years ago
Closed 10 years ago
Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h or Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla33
People: Reporter: gkw, Assigned: jandem
References
Details: Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker]
Attachments (4 files, 2 obsolete files)
''.match(/(:[cR\cC
Flags: needinfo?(jdemooij)
Comment 1 • 10 years ago (Reporter)
The attached testcase asserts js debug shell on m-c changeset b6408c32a170 with --latin1-strings --ion-offthread-compile=off --ion-eager at

Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5c88c5b4fe07
user: Jan de Mooij
date: Wed Jun 25 10:12:20 2014 +0200
summary: Bug 1028867 - Add a --latin1-strings shell flag. r=luke

Jan, bug 1028867 seems to have caused this fuzzblocker. I'm not sure if this assert is benign or not, so s-s to be safe first. Please feel free to open up if it isn't.

(This is interesting, b.m.o ate the rest of the message when I put in a monkey unicode character. http://www.fileformat.info/info/unicode/char/1f435/index.htm )
Updated • 10 years ago (Reporter)
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker]
Comment 2 • 10 years ago (Reporter)
This testcase may be related:

Function("print(/( \\\uB0DA ( )})/);\ function c(){}")()

$ ./js-dbg-opt-64-prof-ts-darwin-b6408c32a170 --latin1-strings --ion-offthread-compile=off --ion-eager testcase.js
Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h

Configuration parameters:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
Summary: Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h → Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h or Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h
Comment 3 • 10 years ago (Reporter)
Comment 4 • 10 years ago (Assignee)
Gary, is it possible the testcase in comment 0 was truncated? Patch coming up.
Comment 5 • 10 years ago (Assignee)
Oh you also attached it, got it :)
Comment 6 • 10 years ago (Assignee)
There were some places where we called sb.reserve() and then appended a TwoByte string, so that we lost our reserved space. I checked the callers of StringBuffer.reserve and these are the only ones that need this, I think.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8447879 -
Flags: review?(luke)
Flags: needinfo?(jdemooij)
Comment 7 • 10 years ago (Assignee)
Not s-s; requires --latin1-strings.
Group: core-security, javascript-core-security
Updated • 10 years ago (Reporter)
Attachment #8447857 -
Attachment mime type: text/plain → text/plain;charset=utf-8
Comment 8 • 10 years ago
When latin1->twobyte inflation happens, can we preserve mCapacity so that reserve() just works?
Comment 9 • 10 years ago (Assignee)
Ah right, preserving the capacity is much nicer and less error-prone. Somehow I thought it was hard to get a Vector's capacity or something.
Attachment #8447879 -
Attachment is obsolete: true
Attachment #8447879 -
Flags: review?(luke)
Attachment #8449638 -
Flags: review?(luke)
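As an added illustration, not SpiderMonkey's own code, here is a hypothetical toy model of the mReserved bookkeeping behind the assertion and of the Latin1-to-TwoByte inflation discussed in comments 6, 8 and 9: with preserveCapacity off, a reserve() made on the Latin1 buffer is lost at inflation and the next infallibleAppend trips the mLength + 1 <= mReserved check; with it on, the capacity carries over. The names ToyVector, ToyStringBuffer and reserveThenAppendTwoByte are assumptions for this example.

```cpp
#include <cstddef>
#include <vector>

// Toy model of mozilla::Vector's debug bookkeeping: mReserved is the length
// reserve() promised; infallibleAppend checks mLength + 1 <= mReserved.
template <typename T>
struct ToyVector {
    std::vector<T> data;
    size_t mReserved = 0;
    size_t mLength() const { return data.size(); }
    void reserve(size_t n) { data.reserve(n); if (n > mReserved) mReserved = n; }
    // Returns false where the real Vector would trip the assertion.
    bool infallibleAppend(T v) {
        if (mLength() + 1 > mReserved) return false;
        data.push_back(v);
        return true;
    }
};

// Hypothetical Latin1/TwoByte string buffer, not js::StringBuffer itself.
struct ToyStringBuffer {
    ToyVector<unsigned char> latin1;
    ToyVector<char16_t> twoByte;
    bool isLatin1 = true;
    bool preserveCapacity;  // carry capacity across inflation (the fix from comments 8/9)
    explicit ToyStringBuffer(bool preserve) : preserveCapacity(preserve) {}
    void reserve(size_t n) { if (isLatin1) latin1.reserve(n); else twoByte.reserve(n); }

    // Latin1 -> TwoByte inflation. Without preserveCapacity the new vector starts
    // with mReserved == 0, so the earlier reserve() is silently lost.
    void inflate() {
        if (preserveCapacity) twoByte.reserve(latin1.mReserved);
        for (unsigned char c : latin1.data) twoByte.data.push_back(c);
        latin1 = ToyVector<unsigned char>();
        isLatin1 = false;
    }
    bool infallibleAppend(char16_t c) {
        if (isLatin1 && c <= 0xFF) return latin1.infallibleAppend(static_cast<unsigned char>(c));
        if (isLatin1) inflate();
        return twoByte.infallibleAppend(c);
    }
};

// Comment 6's pattern: reserve() for the whole input, then append a character
// outside Latin1 (U+B0DA from comment 2). True only if no assertion would fire.
bool reserveThenAppendTwoByte(bool preserveCapacity) {
    ToyStringBuffer sb(preserveCapacity);
    sb.reserve(8);
    return sb.infallibleAppend(u'a') && sb.infallibleAppend(u'\uB0DA');
}
```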
Comment 10 • 10 years ago
Comment on attachment 8449638 [details] [diff] [review]
Patch v2

Review of attachment 8449638 [details] [diff] [review]:
-----------------------------------------------------------------

Great!
Attachment #8449638 -
Flags: review?(luke) → review+
Comment 11 • 10 years ago (Assignee)
Comment on attachment 8449638 [details] [diff] [review]
Patch v2

This patch has a subtle perf issue; new patch coming up.
Attachment #8449638 -
Attachment is obsolete: true
Comment 12 • 10 years ago (Assignee)
Attachment #8449719 -
Flags: review?(luke)
Comment 13 • 10 years ago
Comment on attachment 8449719 [details] [diff] [review]
Patch v3

Review of attachment 8449719 [details] [diff] [review]:
-----------------------------------------------------------------

Nice job identifying this problem.
Attachment #8449719 -
Flags: review?(luke) → review+
Updated • 10 years ago (Reporter)
Blocks: latin1strings
Comment 14 • 10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e28ce23f4e0
Comment 15 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/4e28ce23f4e0
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33