Closed Bug 1655404 Opened 4 years ago Closed 4 years ago

Crash [@ v8::internal::ActionNode::StorePosition] with too much recursion

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1644513
Tracking Status
firefox80 --- wontfix
firefox81 --- fixed

People

(Reporter: decoder, Assigned: iain)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20200726-f4703bddd567 (opt build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

evalInWorker(`
// Build a pattern of roughly 2^14 and then 2^16 nested capture groups around a
// single "a" and compile it; each nesting level recurses once in the regexp
// compiler (RegExpCapture::ToNode), which is what exhausts the stack.
var interestingCaptureNums = [(1 << 14),
                              (1 << 16)];
for (let i83 of interestingCaptureNums) {
  var source = Array(i83).join("(") + "a" + Array(i83).join(")");
  RegExp(source).exec();
}
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x571dfe62 in v8::internal::ActionNode::StorePosition(int, bool, v8::internal::RegExpNode*) ()
#0  0x571dfe62 in v8::internal::ActionNode::StorePosition(int, bool, v8::internal::RegExpNode*) ()
#1  0x56ca3412 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#2  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#3  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#4  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#5  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#6  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#7  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#8  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#9  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#10 0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
[...]
#127 0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
eax	0x94af5300	-1800449280
ebx	0x5860e000	1482743808
ecx	0xf4bdc510	-188889840
edx	0x7e21	32289
esi	0xf509fa88	-183895416
edi	0x7e20	32288
ebp	0xf721b018	4146180120
esp	0xf721aff0	4146180080
eip	0x571dfe62 <v8::internal::ActionNode::StorePosition(int, bool, v8::internal::RegExpNode*)+18>
=> 0x571dfe62 <_ZN2v88internal10ActionNode13StorePositionEibPNS0_10RegExpNodeE+18>:	call   0x571dfe67 <_ZN2v88internal10ActionNode13StorePositionEibPNS0_10RegExpNodeE+23>
   0x571dfe67 <_ZN2v88internal10ActionNode13StorePositionEibPNS0_10RegExpNodeE+23>:	pop    %ebx

I am seeing this particular crash on 32-bit but also on ARM64 (where it is a top crasher without signature, making this a high priority fuzzblocker). I am also seeing over-recursion crashes on x86 64-bit but having trouble isolating them so far.
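The backtrace above is a chain of recursive RegExpCapture::ToNode calls, one per nested group, so the depth of group nesting in the pattern source is the quantity that matters. The following is an added example (not code from this bug or from SpiderMonkey) showing how an application that compiles untrusted pattern strings can measure that depth and refuse pathological inputs before the engine ever sees them. The scanner skips backslash escapes and character classes so that a literal "(" does not count as a group; the limit MAX_GROUP_DEPTH and the helper names are assumptions chosen for the example, not values from the bug.

```javascript
// Added example, not part of the bug report or of SpiderMonkey.
// Measure how deeply a regular-expression source nests groups and refuse to
// compile sources that exceed an application-chosen limit.

// Return the maximum nesting depth of groups in `source`. Every "(" outside a
// character class opens a group (capturing, non-capturing or lookaround alike);
// "\\(" and "[(]" are literal parentheses and are not counted.
function maxGroupDepth(source) {
  let depth = 0;
  let maxDepth = 0;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === "\\") {
      i++; // skip the escaped character, whatever it is
      continue;
    }
    if (inClass) {
      if (ch === "]") inClass = false;
      continue;
    }
    if (ch === "[") {
      inClass = true;
    } else if (ch === "(") {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === ")") {
      // Tolerate unbalanced input here; RegExp() reports it as a SyntaxError.
      depth = Math.max(0, depth - 1);
    }
  }
  return maxDepth;
}

// Assumed, application-specific limit. Realistic patterns nest a handful of
// groups deep; the crashing testcase nests thousands.
const MAX_GROUP_DEPTH = 1000;

// Compile a pattern supplied by an untrusted party, rejecting it with a
// RangeError when its group nesting exceeds MAX_GROUP_DEPTH.
function compileUntrustedRegExp(source, flags = "") {
  const depth = maxGroupDepth(source);
  if (depth > MAX_GROUP_DEPTH) {
    throw new RangeError(
      `regexp nests groups ${depth} deep (limit ${MAX_GROUP_DEPTH})`);
  }
  return new RegExp(source, flags);
}

// Constructed samples: an ordinary pattern with escapes and a class passes,
// a pattern shaped like the testcase (1 << 14 nested groups) is refused
// without ever reaching the engine.
const accepted = compileUntrustedRegExp("(a(b)c)\\((x)[(]");
let refused = false;
try {
  compileUntrustedRegExp("(".repeat(1 << 14) + "a" + ")".repeat(1 << 14));
} catch (e) {
  refused = e instanceof RangeError;
}
```

The check runs in a single linear pass over the source, so it costs far less than compilation itself; it is a front-door filter for services that accept user-written patterns, not a replacement for the engine-side recursion guard that bug 1644513 addresses.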

Attached file Testcase (deleted)

Not sure if this is in any way related to bug 1652356, but setting needinfo? from Iain in case he knows.

Flags: needinfo?(iireland)

This testcase doesn't crash for me locally, but sfink was having similar issues in bug 1644513, and the old unlanded patch attached to that bug fixed them (with a tiny bit of tweaking to enable it for 64-bit). I suspect that it will also help fuzzing. I've uploaded an updated copy of the patch to bug 1644513.

decoder: If you can verify that the patch attached to bug 1644513 fixes the known issues locally, we can try landing that and see how far that gets us.

Assignee: nobody → iireland
Flags: needinfo?(iireland) → needinfo?(choller)
Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200727203201-932240e49142. The bug appears to have been introduced in the following build range:
> Start: 61a83cc0b74b43117a9fa6d92c3d693ea03bbffc (20200511214706)
> End: 0db4052181f50970fc18383df98eeb40ab7ce684 (20200512040410)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=61a83cc0b74b43117a9fa6d92c3d693ea03bbffc&tochange=0db4052181f50970fc18383df98eeb40ab7ce684

This is fixed by bug 1644513.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE
Keywords: bugmon
Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker] → [fuzzblocker]
Bugmon Analysis: Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.