Closed
Bug 682572
Opened 13 years ago
Closed 13 years ago
YARR Assertion failure: (matchBegin == -1) || (matchBegin <= matchEnd) (or optimized crash [@ JSC::Yarr::Interpreter::checkCasedCharacter])
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 682252
Tracking | Status | |
---|---|---|
firefox6 | - | unaffected |
firefox7 | - | wontfix |
firefox8 | - | wontfix |
status1.9.2 | --- | unaffected |
People
(Reporter: decoder, Assigned: dmandelin)
References
Details
(4 keywords, Whiteboard: [sg:high][js-triage-needed])
Crash Data
The following test crashes (YARR assert) on mozilla-central (tested revision 7054f0e3e70e) when run with options "-j -m". Test was produced by LangFuzz with the regular expression extension: re = new RegExp("((..)|(.))((..)|a*)+?((..)|(.))((..)|\\4+?)dAME", "gi"); var str = "aaaaaaNULLaaaaa\\n"; var execResult = re.exec(str); Optimized shell furthermore crashes dangerously: ==6447== Invalid read of size 2 ==6447== at 0x51F045: JSC::Yarr::Interpreter::checkCasedCharacter(int, int, int) (YarrInterpreter.cpp:212) ==6447== by 0x51FCE1: JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool) (YarrInterpreter.cpp:1168) ==6447== by 0x5202D8: JSC::Yarr::Interpreter::interpret() (YarrInterpreter.cpp:1401) ==6447== by 0x51EB52: JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*) (YarrInterpreter.cpp:1901) ==6447== by 0x414BD9: js::RegExp::executeInternal(JSContext*, js::RegExpStatics*, JSString*, unsigned long*, bool, js::Value*) (jsregexpinlines.h:371) ==6447== by 0x489765: ExecuteRegExp(JSContext*, ExecType, unsigned int, js::Value*) (jsregexpinlines.h:167) ==6447== by 0x51019C: CallCompiler::generateNativeStub() (jscntxtinlines.h:281) ==6447== by 0x50F291: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1033) ==6447== by 0x4024700: ??? ==6447== by 0x4F177B: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:687) ==6447== by 0x44A8CA: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:611) ==6447== by 0x44B0F2: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, js::Value const&, js::ExecuteType, js::StackFrame*, js::Value*) (jsinterp.cpp:911) ==6447== Address 0x2041039ce is not stack'd, malloc'd or (recently) free'd Bisect shows the same revision as bug 679986 and bug 682252 (the YARR import): The first bad revision is: changeset: 70607:cc36a234d0d6 user: David Mandelin <dmandelin@mozilla.com> date: Thu May 12 18:39:47 2011 -0700 summary: Bug 625600: Update Yarr import to WebKit rev 86639, r=cdleary,dvander Given the similarity of tests (both require back referencing) and crash, this could be a duplicate of bug 682252. Further investigation is required here to verify this.
Assignee | ||
Updated•13 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][js-triage-needed]
Updated•13 years ago
|
Assignee | ||
Updated•13 years ago
|
Assignee: general → dmandelin
Updated•13 years ago
|
status1.9.2:
--- → unaffected
Comment 1•13 years ago
|
||
Does this also affect webkit like bug 682252?
Updated•13 years ago
|
status-firefox10:
--- → affected
tracking-firefox10:
--- → +
Reporter | ||
Comment 2•13 years ago
|
||
Cannot reproduce this anymore on tip and the fixing revision is the same as in bug 682252. Marking as duplicate and adjusting sg:rating to that bug.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?][js-triage-needed] → [sg:high][js-triage-needed]
tracking original.
status-firefox10:
affected → ---
status-firefox9:
affected → ---
tracking-firefox10:
+ → ---
tracking-firefox9:
+ → ---
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•