Closed Bug 1775005 Opened 2 years ago Closed 2 years ago

Crash in v8::internal::RegExpDisjunction::ToNode with recursion

Categories

(Core :: JavaScript Engine, defect, P3)

Firefox 102
defect


RESOLVED DUPLICATE of bug 1779849

People

(Reporter: exploit, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Attached file test.js (deleted) —

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36

Steps to reproduce:

Attached testcase crashes on startup.
version/build info: gecko-dev commit 94c7a9798630f81af3f5de929b7703ff3b707331 (gecko-dev's beta branch), built with the fuzzilli build option (https://github.com/googleprojectzero/fuzzilli/blob/3f0d246a47f39e066ab560f3bb23e2fe47a25850/Targets/Spidermonkey/fuzzbuild.sh).

Actual results:

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3704505==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7fffff7feff8 (pc 0x555557341978 bp 0x7fffff7ff010 sp 0x7fffff7ff000 T3704505)
    #0 0x555557341978 in ucase_toFullFolding_71 /home/builder/firefox/intl/icu/source/common/ucase.cpp:1444
    #1 0x55555718c828 in _cmpFold(char16_t const*, int, char16_t const*, int, unsigned int, int*, int*, UErrorCode*) /home/builder/firefox/intl/icu/source/common/ustrcase.cpp:1696:21
    #2 0x55555718c029 in u_strcmpFold_71 /home/builder/firefox/intl/icu/source/common/ustrcase.cpp:1844:12
    #3 0x555557174d3a in icu_71::UnicodeString::doCaseCompare(int, int, char16_t const*, int, int, unsigned int) const /home/builder/firefox/intl/icu/source/common/unistr_case.cpp:72:20
    #4 0x5555566a7c2a in icu_71::UnicodeString::doCaseCompare(int, int, icu_71::UnicodeString const&, int, int, unsigned int) const /home/builder/firefox/js/src/fuzzbuild_OPT.OBJ/dist/include/unicode/unistr.h:4099:12
    #5 0x5555566a7c2a in icu_71::UnicodeString::caseCompare(icu_71::UnicodeString const&, unsigned int) const /home/builder/firefox/js/src/fuzzbuild_OPT.OBJ/dist/include/unicode/unistr.h:4105:10
    #6 0x5555566a7c2a in v8::internal::CompareFirstCharCaseInsensitve(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*) /home/builder/firefox/js/src/irregexp/imported/regexp-compiler-tonode.cc:461:21
    #7 0x5555566c7809 in void v8::internal::ZoneList<v8::internal::RegExpTree*>::StableSort<int (*)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*)>(int (*)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*), unsigned long, unsigned long)::'lambda'(v8::internal::RegExpTree* const&, v8::internal::RegExpTree* const&, bool*)::operator()(v8::internal::RegExpTree* const&, v8::internal::RegExpTree* const&, bool*) const /home/builder/firefox/js/src/irregexp/util/ZoneShim.h:216:22
    #8 0x5555566c7809 in bool js::MergeSort<v8::internal::RegExpTree*, void v8::internal::ZoneList<v8::internal::RegExpTree*>::StableSort<int (*)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*)>(int (*)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*), unsigned long, unsigned long)::'lambda'(v8::internal::RegExpTree* const&, v8::internal::RegExpTree* const&, bool*)>(int (**)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*), unsigned long, int (**)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*), void v8::internal::ZoneList<v8::internal::RegExpTree*>::StableSort<int (*)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*)>(int (*)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*), unsigned long, unsigned long)::'lambda'(v8::internal::RegExpTree* const&, v8::internal::RegExpTree* const&, bool*)) /home/builder/firefox/js/src/ds/Sort.h:105:14
    #9 0x5555566a8284 in void v8::internal::ZoneList<v8::internal::RegExpTree*>::StableSort<int (*)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*)>(int (*)(v8::internal::RegExpTree* const*, v8::internal::RegExpTree* const*), unsigned long, unsigned long) /home/builder/firefox/js/src/irregexp/util/ZoneShim.h:219:5
    #10 0x5555566a7ebe in v8::internal::RegExpDisjunction::SortConsecutiveAtoms(v8::internal::RegExpCompiler*) /home/builder/firefox/js/src/irregexp/imported/regexp-compiler-tonode.cc
    #11 0x5555566ac3b8 in v8::internal::RegExpDisjunction::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) /home/builder/firefox/js/src/irregexp/imported/regexp-compiler-tonode.cc:721:36
    #12 0x5555566aed86 in v8::internal::RegExpAlternative::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) /home/builder/firefox/js/src/irregexp/imported/regexp-compiler-tonode.cc:1038:34
    #13 0x5555566ac422 in v8::internal::RegExpDisjunction::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) /home/builder/firefox/js/src/irregexp/imported/regexp-compiler-tonode.cc:725:35
[recursion...]
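Added example, not the attached test.js (which is deleted) and not SpiderMonkey or Irregexp code: the trace above recurses once per nested alternation level (RegExpDisjunction::ToNode -> RegExpAlternative::ToNode -> RegExpDisjunction::ToNode) while sorting consecutive atoms case-insensitively, so a consumer that compiles attacker-controlled patterns can bound the compiler's recursion by bounding group nesting depth before handing the pattern to the engine. The depth limit, the `maxGroupDepth`/`safeRegExp` helpers and the nested-alternation pattern shape are assumptions for illustration, not taken from the report.

```javascript
// Added example (not the attached test.js, which is deleted): a nesting-depth
// guard for regular expressions built from untrusted input. The threshold,
// the helpers and the pattern shape below are assumptions, not from the report.

const MAX_GROUP_DEPTH = 64; // assumption: tune per deployment

// Walk the pattern and return the deepest group nesting level.
// Escapes and character classes are skipped so "\(" and "[(]" do not count.
function maxGroupDepth(pattern) {
  let depth = 0, max = 0, inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }                  // skip escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') { depth++; if (depth > max) max = depth; }
    else if (c === ')') { depth = Math.max(0, depth - 1); }
  }
  return max;
}

// Build a pattern of `n` nested alternations: the assumed shape that drives
// the Disjunction -> Alternative -> Disjunction recursion in the trace when
// compiled with the /i flag (the real test.js is not on the page).
function nestedAlternation(n) {
  let p = 'a|b';
  for (let i = 0; i < n; i++) p = `(${p}|c)`;
  return p;
}

// Compile only when nesting depth is within bounds, and catch engine-side
// failures (a fixed engine reports a SyntaxError/RangeError instead of
// crashing). Returns { ok: true, re } or { ok: false, reason }.
function safeRegExp(pattern, flags = 'i', limit = MAX_GROUP_DEPTH) {
  const depth = maxGroupDepth(pattern);
  if (depth > limit) {
    return { ok: false, reason: `group depth ${depth} > ${limit}` };
  }
  try {
    const re = new RegExp(pattern, flags);
    re.test(''); // engines compile lazily; force compilation here, not on first real use
    return { ok: true, re };
  } catch (e) {
    return { ok: false, reason: `${e.name}: ${e.message}` };
  }
}

// Usage on constructed input: a shallow pattern compiles, a deep one is rejected
// before the engine ever sees it, and a malformed one surfaces as a caught error.
console.log(safeRegExp(nestedAlternation(10)).ok);        // true
console.log(safeRegExp(nestedAlternation(100)).reason);   // group depth 100 > 64
console.log(safeRegExp('(').reason);                      // SyntaxError: ...
```

The depth guard runs before `new RegExp`, which matters for this class of bug: a try/catch alone only helps once the engine throws instead of overflowing its native stack, whereas the pre-check keeps an unfixed engine from entering the recursion at all.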

This is https://bugs.chromium.org/p/v8/issues/detail?id=12472. An Irregexp update should fix this issue.

Iain, do we have any bug to track the irregexp update?

Blocks: sm-runtime
Severity: -- → S3
Flags: needinfo?(iireland)
Priority: -- → P3
Depends on: 1779849

We do now.

Flags: needinfo?(iireland)
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
