Closed Bug 1032067 Opened 10 years ago Closed 10 years ago

Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h or Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED FIXED
mozilla33

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(4 files, 2 obsolete files)

Attached file stack (deleted) —
''.match(/(:[cR\cC
Flags: needinfo?(jdemooij)
Attached file testcase (deleted) —
The attached testcase asserts js debug shell on m-c changeset b6408c32a170 with --latin1-strings --ion-offthread-compile=off --ion-eager at Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5c88c5b4fe07
user:        Jan de Mooij
date:        Wed Jun 25 10:12:20 2014 +0200
summary:     Bug 1028867 - Add a --latin1-strings shell flag. r=luke

Jan, bug 1028867 seems to have caused this fuzzblocker. I'm not sure if this assert is benign or not, so s-s to be safe first. Please feel free to open up if it isn't.

(This is interesting, b.m.o ate the rest of the message when I put in a monkey unicode character. http://www.fileformat.info/info/unicode/char/1f435/index.htm )
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker]
This testcase may be related:

Function("print(/(        \\\uB0DA        (        )})/);\
function c(){}")()

$ ./js-dbg-opt-64-prof-ts-darwin-b6408c32a170 --latin1-strings --ion-offthread-compile=off --ion-eager testcase.js

Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h

Configuration parameters:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
Summary: Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h → Assertion failure: mLength + insLength <= mReserved, at dist/include/mozilla/Vector.h or Assertion failure: mLength + 1 <= mReserved, at dist/include/mozilla/Vector.h
Gary, is it possible the testcase in comment 0 was truncated?

Patch coming up.
Oh you also attached it, got it :)
Attached patch Patch (obsolete) (deleted) — Splinter Review
Some places where we called sb.reserve() and then appended a TwoByte string so that we lost our reserved space.

I checked the callers of StringBuffer.reserve and these are the only ones that need this I think.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8447879 - Flags: review?(luke)
Flags: needinfo?(jdemooij)
Not s-s; requires --latin1-strings.
Group: core-security, javascript-core-security
Attachment #8447857 - Attachment mime type: text/plain → text/plain;charset=utf-8
When latin1->twobyte inflation happens, can we preserve mCapacity so that reserve() just works?
Attached patch Patch v2 (obsolete) (deleted) — Splinter Review
Ah right, preserving the capacity is much nicer and less error-prone. Somehow I thought it was hard to get a Vector's capacity or something.
Attachment #8447879 - Attachment is obsolete: true
Attachment #8447879 - Flags: review?(luke)
Attachment #8449638 - Flags: review?(luke)
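The failure mode described in the first patch comment (reserve() followed by a TwoByte append that inflates the buffer and drops the reserved space) and the alternative luke suggests (carry the capacity across inflation), as an added example that is not SpiderMonkey's code and not either patch. The `CheckedVector` and `ToyStringBuffer` classes, the `preserveOnInflate` switch and the sample strings are assumptions made here for illustration; a real mozilla::Vector would MOZ_ASSERT where this model returns false.

```cpp
// Added example (not SpiderMonkey code): toy model of a Latin1/TwoByte string
// builder with a debug "reserved" counter mirroring the Vector.h assertion
// "mLength + insLength <= mReserved" from this bug.
#include <cstddef>
#include <cstdint>
#include <vector>

// Models Vector's debug bookkeeping: reserve() records a promise and
// infallibleAppend() checks the caller stayed within it. Where the real
// Vector asserts, this model returns false so the two behaviours can be run
// side by side.
template <typename T>
class CheckedVector {
  std::vector<T> v_;
  size_t reserved_ = 0;  // models mReserved

 public:
  bool reserve(size_t n) {
    v_.reserve(n);
    if (n > reserved_) reserved_ = n;
    return true;
  }
  bool infallibleAppend(const T* p, size_t n) {
    if (v_.size() + n > reserved_) return false;  // assertion would fire here
    v_.insert(v_.end(), p, p + n);
    return true;
  }
  size_t length() const { return v_.size(); }
  size_t reserved() const { return reserved_; }
  const T* begin() const { return v_.data(); }
};

// Hypothetical string builder. preserveOnInflate selects the behaviour:
//   false: inflating reserves only what the copy needs, so the caller's
//          earlier reserve() is silently lost (the bug)
//   true:  inflating carries the Latin1 buffer's reservation over, so a
//          reserve() made before inflation still holds afterwards
class ToyStringBuffer {
  CheckedVector<uint8_t> latin1_;
  CheckedVector<char16_t> twoByte_;
  bool isTwoByte_ = false;
  bool preserveOnInflate_;

 public:
  explicit ToyStringBuffer(bool preserveOnInflate)
      : preserveOnInflate_(preserveOnInflate) {}

  bool reserve(size_t n) {
    return isTwoByte_ ? twoByte_.reserve(n) : latin1_.reserve(n);
  }

  // Switch storage from 8-bit to 16-bit, widening each existing char.
  bool inflate() {
    if (isTwoByte_) return true;
    size_t n = latin1_.length();
    size_t want = preserveOnInflate_ ? latin1_.reserved() : n;
    if (want < n) want = n;
    if (!twoByte_.reserve(want)) return false;
    for (size_t i = 0; i < n; i++) {
      char16_t c = latin1_.begin()[i];
      if (!twoByte_.infallibleAppend(&c, 1)) return false;
    }
    isTwoByte_ = true;
    return true;
  }

  bool infallibleAppendLatin1(const char* s, size_t n) {
    if (!isTwoByte_)
      return latin1_.infallibleAppend(reinterpret_cast<const uint8_t*>(s), n);
    for (size_t i = 0; i < n; i++) {
      char16_t c = static_cast<uint8_t>(s[i]);
      if (!twoByte_.infallibleAppend(&c, 1)) return false;
    }
    return true;
  }

  // Appending TwoByte chars to a Latin1 buffer forces inflation first.
  bool infallibleAppendTwoByte(const char16_t* s, size_t n) {
    if (!isTwoByte_ && !inflate()) return false;
    return twoByte_.infallibleAppend(s, n);
  }

  size_t length() const { return isTwoByte_ ? twoByte_.length() : latin1_.length(); }
  bool isTwoByte() const { return isTwoByte_; }
};

// The caller pattern from the patch comment: reserve() up front, append some
// Latin1, then append a TwoByte string. Returns true only if every
// infallibleAppend stayed within the reservation.
bool reserveThenMixedAppend(bool preserveOnInflate) {
  ToyStringBuffer sb(preserveOnInflate);
  if (!sb.reserve(16)) return false;
  if (!sb.infallibleAppendLatin1("abc", 3)) return false;
  const char16_t wide[] = {0x20AC, 0x00B0};  // U+20AC cannot be Latin1 (constructed input)
  return sb.infallibleAppendTwoByte(wide, 2) && sb.length() == 5 && sb.isTwoByte();
}
```

With `preserveOnInflate` false the TwoByte vector is created with a reservation of exactly the three copied chars, so the two-char append exceeds it and the model reports the assertion; with it true the original reservation of 16 survives inflation and the same sequence succeeds. This is what makes the bug fuzzer-visible only with --latin1-strings: without that flag there is no inflation step for the reservation to fall through.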
Comment on attachment 8449638 [details] [diff] [review]
Patch v2

Review of attachment 8449638 [details] [diff] [review]:
-----------------------------------------------------------------

Great!
Attachment #8449638 - Flags: review?(luke) → review+
Comment on attachment 8449638 [details] [diff] [review]
Patch v2

This patch has a subtle perf issue; new patch coming up.
Attachment #8449638 - Attachment is obsolete: true
Attached patch Patch v3 (deleted) — Splinter Review
Attachment #8449719 - Flags: review?(luke)
Comment on attachment 8449719 [details] [diff] [review]
Patch v3

Review of attachment 8449719 [details] [diff] [review]:
-----------------------------------------------------------------

Nice job identifying this problem.
Attachment #8449719 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/4e28ce23f4e0
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33