Closed Bug 682572 Opened 13 years ago Closed 13 years ago

YARR Assertion failure: (matchBegin == -1) || (matchBegin <= matchEnd) (or optimized crash [@ JSC::Yarr::Interpreter::checkCasedCharacter])

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Status: RESOLVED DUPLICATE of bug 682252
Tracking Status:
firefox6 - unaffected
firefox7 - wontfix
firefox8 - wontfix
status1.9.2 --- unaffected

People: Reporter: decoder, Assigned: dmandelin

Details: 4 keywords, Whiteboard: [sg:high][js-triage-needed]

The following test crashes (YARR assert) on mozilla-central (tested revision 7054f0e3e70e) when run with options "-j -m". Test was produced by LangFuzz with the regular expression extension:

re = new RegExp("((..)|(.))((..)|a*)+?((..)|(.))((..)|\\4+?)dAME", "gi");  // "\\4" is a backreference to capture group 4; "i" makes the match case-insensitive
var str = "aaaaaaNULLaaaaa\\n";  // "\\n" is a literal backslash followed by "n", not a newline
var execResult = re.exec(str);

Optimized shell furthermore crashes dangerously:

==6447== Invalid read of size 2
==6447==    at 0x51F045: JSC::Yarr::Interpreter::checkCasedCharacter(int, int, int) (YarrInterpreter.cpp:212)
==6447==    by 0x51FCE1: JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool) (YarrInterpreter.cpp:1168)
==6447==    by 0x5202D8: JSC::Yarr::Interpreter::interpret() (YarrInterpreter.cpp:1401)
==6447==    by 0x51EB52: JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*) (YarrInterpreter.cpp:1901)
==6447==    by 0x414BD9: js::RegExp::executeInternal(JSContext*, js::RegExpStatics*, JSString*, unsigned long*, bool, js::Value*) (jsregexpinlines.h:371)
==6447==    by 0x489765: ExecuteRegExp(JSContext*, ExecType, unsigned int, js::Value*) (jsregexpinlines.h:167)
==6447==    by 0x51019C: CallCompiler::generateNativeStub() (jscntxtinlines.h:281)
==6447==    by 0x50F291: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1033)
==6447==    by 0x4024700: ???
==6447==    by 0x4F177B: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:687)
==6447==    by 0x44A8CA: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:611)
==6447==    by 0x44B0F2: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, js::Value const&, js::ExecuteType, js::StackFrame*, js::Value*) (jsinterp.cpp:911)
==6447==  Address 0x2041039ce is not stack'd, malloc'd or (recently) free'd
Bisect shows the same revision as bug 679986 and bug 682252 (the YARR import):

The first bad revision is:
changeset:   70607:cc36a234d0d6
user:        David Mandelin <dmandelin@mozilla.com>
date:        Thu May 12 18:39:47 2011 -0700
summary:     Bug 625600: Update Yarr import to WebKit rev 86639, r=cdleary,dvander

Given the similarity of tests (both require back referencing) and crash, this could be a duplicate of bug 682252. Further investigation is required here to verify this.
Whiteboard: [sg:critical?] → [sg:critical?][js-triage-needed]
Assignee: general → dmandelin
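The reproducer above, wrapped in a small variant harness as an added example (this is not code from the bug report or from SpiderMonkey/YARR). It runs the reporter's pattern and subject unchanged, then three hand-made variants that each drop one suspected ingredient: the "i" flag (which is what takes the interpreter through checkCasedCharacter in the trace above), the \4 backreference (the feature the reporter notes both bugs require), and the lazy quantifier. The variant names and the outcome classification are assumptions of this example. On a fixed engine every variant returns null, since the subject contains no "dAME" in any case; the harness is only useful for telling which variant still crashes when run under the affected shell with "-j -m".

```javascript
// Added example, not from the bug report: run the reporter's reproducer and a
// few variants that each remove one suspected ingredient, so a fuzzer-found
// case can be reduced to the features it actually needs before triage.
// Variant names and the outcome labels below are assumptions for illustration.

const SUBJECT = "aaaaaaNULLaaaaa\\n";   // reporter's subject string, verbatim

// The original pattern/flags from the report, plus one-ingredient-removed variants.
const VARIANTS = {
  original:      { src: "((..)|(.))((..)|a*)+?((..)|(.))((..)|\\4+?)dAME", flags: "gi" },
  no_ignorecase: { src: "((..)|(.))((..)|a*)+?((..)|(.))((..)|\\4+?)dAME", flags: "g"  },
  no_backref:    { src: "((..)|(.))((..)|a*)+?((..)|(.))((..)|a+?)dAME",   flags: "gi" },
  no_lazy_plus:  { src: "((..)|(.))((..)|a*)+((..)|(.))((..)|\\4+?)dAME",  flags: "gi" },
};

// Compile and execute one variant and classify what a non-crashing engine reports.
// A crashing engine never returns from exec(), which is itself the signal when
// this is run under the affected shell.
function runVariant(name) {
  const { src, flags } = VARIANTS[name];
  let re;
  try {
    re = new RegExp(src, flags);
  } catch (e) {
    return { name, outcome: "compile-error", detail: String(e) };
  }
  try {
    const m = re.exec(SUBJECT);
    return { name, outcome: m === null ? "no-match" : "match", detail: m ? m[0] : null };
  } catch (e) {
    return { name, outcome: "exec-error", detail: String(e) };
  }
}

// Run every variant and return name -> result, so callers can diff outcomes.
function runAll() {
  const results = {};
  for (const name of Object.keys(VARIANTS)) {
    results[name] = runVariant(name);
  }
  return results;
}

// Stand-alone usage: one summary line per variant.
for (const r of Object.values(runAll())) {
  const extra = r.outcome === "no-match" ? "" : " (" + r.detail + ")";
  console.log(r.name + ": " + r.outcome + extra);
}
```

Printing the subject as a JS string literal keeps the literal backslash-n from the report intact; the variants deliberately keep every capture group in place so that \4 still refers to the same group as in the original.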
Does this also affect webkit like bug 682252?
Cannot reproduce this anymore on tip and the fixing revision is the same as in bug 682252. Marking as duplicate and adjusting sg:rating to that bug.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?][js-triage-needed] → [sg:high][js-triage-needed]
tracking original.
Group: core-security