Assertion failure: (RegExpMacroAssembler::kMaxRegister) >= (next_register_ - 1), at irregexp/imported/regexp-compiler.cc:253
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected
firefox-esr102 | --- | unaffected
firefox103 | --- | unaffected
firefox104 | --- | unaffected
firefox105 | --- | wontfix
firefox106 | --- | verified
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(5 files)
The following testcase crashes on mozilla-central revision 20220804-23d50b5617de (debug build, run with --fuzzing-safe --no-threads --fast-warmup):
```js
v4 = new Uint8ClampedArray(65537);
v5 = v4.join(Uint32Array);
v6 = [v5];
v7 = {__proto__:v6};
v8 = "function".match(v7);
```
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555576ba4b4 in v8::internal::RegExpCompiler::RegExpCompiler(v8::internal::Isolate*, v8::internal::Zone*, int, JS::RegExpFlags, bool) ()
#1 0x00005555576a58bf in js::irregexp::CompilePattern(JSContext*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, js::RegExpShared::CodeKind) ()
#2 0x000055555705da44 in js::RegExpShared::execute(JSContext*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, unsigned long, js::VectorMatchPairs*) ()
#3 0x0000555556cc0224 in ExecuteRegExp(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::VectorMatchPairs*) ()
#4 0x0000555556cbeaca in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>) ()
#5 0x0000555556cbe68f in js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) ()
#6 0x0000555556d39088 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#17 0x0000555556b91bc4 in main ()
Assert looks potentially dangerous, marking s-s until investigated.
Comment 1•2 years ago (Reporter)

Comment 2•2 years ago (Reporter)

Comment 3•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220807214336-328d2ccc6eb9.
The bug appears to have been introduced in the following build range:
Start: 7e7bca63bd09fe0d2f246d09293b2fb42b275569 (20220803180216)
End: 72cd1237f80d04cb8039a358c29de80512232f7d (20220803181019)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7e7bca63bd09fe0d2f246d09293b2fb42b275569&tochange=72cd1237f80d04cb8039a358c29de80512232f7d
Comment 4•2 years ago
Set release status flags based on info from the regressing bug 1779849
Comment 5•2 years ago
:iain, since you are the author of the regressor, bug 1779849, could you take a look?
For more information, please visit auto_nag documentation.
Comment 6•2 years ago (Assignee)
This is not security-sensitive. The failing assertion verifies that we have enforced an arbitrary limit on the number of captures in a regular expression. While refactoring, upstream irregexp accidentally modified a check in the parser, with the effect that the limit was doubled while parsing (but still enforced as 1 << 16 while compiling). In practice, such regular expressions will generally overflow the stack / otherwise exceed size limits.
I've reported the bug upstream and put up a patch; once it lands upstream, I'll refresh our import.
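As an added illustration (not code from the bug report or from irregexp), the script below rebuilds the pattern string that the testcase hands to `String.prototype.match` and counts its capturing groups without ever executing the match: the coerced `join` separator contributes one `()` per element boundary, 65536 in total, which is the 1 << 16 figure comment 6 gives for the compile-time capture limit. The function names `countCaptureGroups`, `buildTestcasePattern` and `testcaseCaptureCount` are chosen here, and the group counter is a simplified model of the parser's bookkeeping, not the engine's code.

```javascript
// Added example, not code from the bug report. It rebuilds the pattern the
// testcase ends up feeding to the regexp engine and counts its capturing
// groups, without running the match itself.

// Count capturing groups in regexp source text: escaped characters and
// character classes are skipped; (?: (?= (?! (?<= (?<! do not count,
// while named groups (?<name>...) do.
function countCaptureGroups(source) {
  let count = 0;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }                 // skip escaped char
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    if (c !== "(") continue;
    if (source[i + 1] !== "?") { count++; continue; }  // plain (...)
    const third = source[i + 2], fourth = source[i + 3];
    if (third === "<" && fourth !== "=" && fourth !== "!") count++;
  }
  return count;
}

// Reproduce the testcase's string coercions (v4..v7 named as in the report):
// join() applies ToString to its separator, so the Uint32Array constructor
// becomes "function Uint32Array() { [native code] }" between every pair of
// elements, and each copy carries one capturing "()". String(v7) takes the
// same path String.prototype.match takes for a non-RegExp argument:
// ToString(v7) -> Array.prototype.toString -> join, which yields v5 again.
function buildTestcasePattern(elements = 65537) {
  const v4 = new Uint8ClampedArray(elements);
  const v5 = v4.join(Uint32Array);
  const v6 = [v5];
  const v7 = { __proto__: v6 };
  return String(v7);
}

const MAX_CAPTURES = 1 << 16; // compile-time limit cited in comment 6

// One capture per separator, i.e. elements - 1: 65536 for the testcase.
function testcaseCaptureCount(elements = 65537) {
  return countCaptureGroups(buildTestcasePattern(elements));
}

console.log(testcaseCaptureCount(), "captures; limit", MAX_CAPTURES);
```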
Comment 7•2 years ago
Set release status flags based on info from the regressing bug 1779849
Comment 9•2 years ago (Assignee)
This pulls in changes from upstream that fix bug 1783555 and bug 1783830.
Comment 10•2 years ago (Assignee)
Prior to this update, irregexp used ByteArray to represent an array of 16-bit values. It's been rewritten upstream to be more strongly typed, so now we also have to implement FixedIntegerArray<T> as a subclass of ByteArray.
Depends on D155913
Comment 11•2 years ago (Assignee)
Depends on D155914
Comment 12•2 years ago

Comment 13•2 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/efd4d34fc66d
https://hg.mozilla.org/mozilla-central/rev/edd5096b7383
https://hg.mozilla.org/mozilla-central/rev/632414fdc4ff
Comment 14•2 years ago
The patch landed in nightly and beta is affected.
:iain, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox105 to wontfix.
For more information, please visit auto_nag documentation.
Comment 15•2 years ago (Assignee)
As described in comment 6, this bug is unlikely to have any effect in release builds. Bug 1783830, which we fixed at the same time, has been around for a long time without causing noticeable problems.
This can ride the trains.
Comment 16•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220831093258-11e997d3cf78.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.