Closed Bug 1640487 Opened 5 years ago Closed 4 years ago

Crash with RegExp named capture groups, likely missing typeset information

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla78

Tracking Flags:

Tracking

Status

firefox-esr68

---

unaffected

firefox76

---

unaffected

firefox77

---

unaffected

firefox78

---

fixed

People

(Reporter: anba, Assigned: iain)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Bug 1640487: Fix initializedNamedCaptures r=tcampbell 4 years ago Iain Ireland [:iain] (deleted), text/x-phabricator-request		Details
Bug 1640487: Add testcase r=tcampbell 4 years ago Iain Ireland [:iain] (deleted), text/x-phabricator-request		Details

André Bargull [:anba]

Reporter

Description

•

5 years ago

The following test case crashes when run with --ion-offthread-compile=off:

var re = /(?<x>a)|b/;

function f(j) {
    for (var i = 0; i <= 10_000; ++i) {
        var s = String.fromCharCode(0x61 + (i === 10_000 && j === 2));
        var e = re.exec(s);
        if (e.groups.x !== "a") print(i,j);
    }
}

for (var i = 0; i <= 2; ++i) print(f(i));

I suspect bad type-set information comes into play here.

André Bargull [:anba]

Reporter

Comment 1

•

5 years ago

Adding AddTypePropertyId(cx, templateObject, id, UndefinedValue()); after NativeDefineDataProperty in RegExpShared::initializeNamedCaptures could be a likely fix.

Iain Ireland [:iain]

Assignee

Comment 2

•

4 years ago

Good catch!

Iain Ireland [:iain]

Assignee

Comment 3

•

4 years ago

Attached file Bug 1640487: Fix initializedNamedCaptures r=tcampbell (deleted) — Details

Phabricator Automation

Updated

•

4 years ago

Assignee: nobody → iireland

Status: NEW → ASSIGNED

Daniel Veditz [:dveditz]

Updated

•

4 years ago

Group: core-security → javascript-core-security

Iain Ireland [:iain]

Assignee

Comment 4

•

4 years ago

This bug was introduced when we added named captures in bug 1362154 and is only present in Nightly.

Severity: -- → S3

status-firefox76: --- → unaffected

status-firefox77: --- → unaffected

status-firefox-esr68: --- → unaffected

Priority: -- → P1

Regressed by: 1362154

BMO Automation

Updated

•

4 years ago

Has Regression Range: --- → yes

Keywords: regression

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 5

•

4 years ago

https://hg.mozilla.org/integration/autoland/rev/3c8d8a1bb961096c9f2e2e6a5642ce580b60e62b
https://hg.mozilla.org/mozilla-central/rev/3c8d8a1bb961

Group: javascript-core-security → core-security-release

Status: ASSIGNED → RESOLVED

Closed: 4 years ago

status-firefox78: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla78

Iain Ireland [:iain]

Assignee

Comment 6

•

4 years ago

Attached file Bug 1640487: Add testcase r=tcampbell (deleted) — Details

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 7

•

4 years ago

Add testcase:
https://hg.mozilla.org/integration/autoland/rev/457f22865596486f79d5f8bee6cc046569a422c3
https://hg.mozilla.org/mozilla-central/rev/457f22865596

Flags: in-testsuite+

Daniel Veditz [:dveditz]

Updated

•

4 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Crash with RegExp named capture groups, likely missing typeset information

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Tracking

()

People

(Reporter: anba, Assigned: iain)

References

(Regression)

Details

(Keywords: regression)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Comment 3

Updated

Updated

Comment 4

Updated

Comment 5

Comment 6

Comment 7

Updated

Attachment

General

Description

File Name

Content Type