Crash [@ js::CreateRegExpMatchResult] with GC and possible memory corruption
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox76 | --- | unaffected |
| firefox77 | --- | unaffected |
| firefox78 | --- | fixed |
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])
Crash Data
Attachments
(4 files)
The following testcase crashes on mozilla-central revision 20200524-3334d8dff757 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
Object.defineProperty(this, "x", {});
gczeal(14, 10);
"bab".match(/.(?<a>a)(.)/);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555558b69c0 in js::CreateRegExpMatchResult(JSContext*, JS::Handle<js::RegExpShared*>, JS::Handle<JSString*>, js::MatchPairs const&, JS::MutableHandle<JS::Value>) ()
#1 0x00005555558be629 in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>) ()
#2 0x00005555558be094 in js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) ()
#3 0x00005555559366a2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#14 0x00005555557addae in main ()
rax 0x7ffff6027018 140737320742936
rbx 0x7ffff4a33730 140737297725232
rcx 0x3082fde7e000 53339163713536
rdx 0x3082fde00000 53339163197440
rsi 0x2 2
rdi 0x7ffff6027000 140737320742912
rbp 0x7fffffffb910 140737488337168
rsp 0x7fffffffb850 140737488336976
r8 0x7fffffffb6e8 140737488336616
r9 0x246550200088 40017554571400
r10 0x4 4
r11 0x3082fde78190 53339163689360
r12 0x7ffff6027000 140737320742912
r13 0x7fffffffb940 140737488337216
r14 0x7ffff6088338 140737321141048
r15 0x3 3
rip 0x5555558b69c0 <js::CreateRegExpMatchResult(JSContext*, JS::Handle<js::RegExpShared*>, JS::Handle<JSString*>, js::MatchPairs const&, JS::MutableHandle<JS::Value>)+512>
=> 0x5555558b69c0 <_ZN2js23CreateRegExpMatchResultEP9JSContextN2JS6HandleIPNS_12RegExpSharedEEENS3_IP8JSStringEERKNS_10MatchPairsENS2_13MutableHandleINS2_5ValueEEE+512>: cmpq $0x0,0x8(%rcx)
0x5555558b69c5 <_ZN2js23CreateRegExpMatchResultEP9JSContextN2JS6HandleIPNS_12RegExpSharedEEENS3_IP8JSStringEERKNS_10MatchPairsENS2_13MutableHandleINS2_5ValueEEE+517>: jne 0x5555558b69dd <_ZN2js23CreateRegExpMatchResultEP9JSContextN2JS6HandleIPNS_12RegExpSharedEEENS3_IP8JSStringEERKNS_10MatchPairsENS2_13MutableHandleINS2_5ValueEEE+541>
Marking s-s because this involves GC and the crash address looks broken/corrupted.
|
Reporter | |
Comment 1•4 years ago
|
||
|
Assignee | |
Comment 2•4 years ago
|
||
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 3•4 years ago
|
||
The lifetime of the template is tied to the lifetime of the RegExpShared, and every RegExpShared is tenured, so there's no point allocating this in the nursery.
Depends on D76754
|
||
Updated•4 years ago
|
|
|
||
Comment 4•4 years ago
|
||
|
|
Assignee | |
Comment 5•4 years ago
|
||
This bug was introduced when we added named captures in bug 1362154 and is only present in Nightly.
|
||
Updated•4 years ago
|
|
||
Comment 6•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/cfa8da7b210d4c21ccdb934a804e0f5e0d72d762
https://hg.mozilla.org/integration/autoland/rev/86a7a98d3d0f759c486824badf9b461899c7c562
https://hg.mozilla.org/mozilla-central/rev/cfa8da7b210d
https://hg.mozilla.org/mozilla-central/rev/86a7a98d3d0f
|
|
Assignee | |
Comment 7•4 years ago
|
||
|
|
||
Comment 8•4 years ago
|
||
Add testcase:
https://hg.mozilla.org/integration/autoland/rev/d5cc480a68830eb9f3c30042331092857810e9df
https://hg.mozilla.org/mozilla-central/rev/d5cc480a6883
|
||
Updated•4 years ago
|
Description
•