Closed
Bug 1263118
Opened 8 years ago
Closed 8 years ago
Crash [@ js::RegExpGetSubstitution] or Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h:452
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla48
Tracking | Status
---|---
firefox47 | --- | unaffected
firefox48 | --- | verified
People
(Reporter: gkw, Assigned: arai)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Attachments
(2 files)
24.65 KB, text/plain
1.81 KB, patch, till: review+
The following testcase crashes on mozilla-central revision 06678484909c (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): See attachment.

Backtrace:
0 js-dbg-64-dm-clang-darwin-06678484909c 0x0000000100659b6c mozilla::Vector<JS::Value, 8ul, js::TempAllocPolicy>::operator[](unsigned long) + 156 (Vector.h:452)
1 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010003f4fe bool InterpretDollar<unsigned char>(JSLinearString*, JSLinearString*, unsigned long, unsigned long, JS::AutoVectorRooter<JS::Value>&, JSLinearString*, unsigned char const*, unsigned char const*, unsigned char const*, JSSubString*, unsigned long*) + 334 (RegExp.cpp:1184)
2 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010003dd22 js::RegExpGetSubstitution(JSContext*, JS::Handle<JSLinearString*>, JS::Handle<JSLinearString*>, unsigned long, JS::Handle<JSObject*>, JS::Handle<JSLinearString*>, unsigned long, JS::MutableHandle<JS::Value>) + 1666 (RegExp.cpp:1228)
3 js-dbg-64-dm-clang-darwin-06678484909c 0x0000000100863e85 intrinsic_RegExpGetSubstitution(JSContext*, unsigned int, JS::Value*) + 629 (RootingAPI.h:667)
4 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007d599e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
5 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010079cd5e js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 702 (Interpreter.cpp:464)
6 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007bb654 Interpret(JSContext*, js::RunState&) + 48324 (Interpreter.cpp:2807)
7 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007af8c7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
8 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010079ccfd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
9 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007bb654 Interpret(JSContext*, js::RunState&) + 48324 (Interpreter.cpp:2807)
10 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007af8c7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
11 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010079ccfd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
12 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007bb654 Interpret(JSContext*, js::RunState&) + 48324 (Interpreter.cpp:2807)
13 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007af8c7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
14 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007c7864 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:682)
15 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007c7be5 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
16 js-dbg-64-dm-clang-darwin-06678484909c 0x0000000100594a61 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4372)
17 js-dbg-64-dm-clang-darwin-06678484909c 0x0000000100594cd2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
18 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001000202d9 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530)
19 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010000593b main + 11739 (js.cpp:6732)
20 js-dbg-64-dm-clang-darwin-06678484909c 0x0000000100000ba4 start + 52

This is happening often => [fuzzblocker]
Reporter
Comment 1•8 years ago
Reporter
Comment 2•8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c5e0ea1a1ed2
user: Tooru Fujisawa
date: Sat Sep 05 22:01:41 2015 +0900
summary: Bug 887016 - Part 11: Implement RegExp.prototype[@@replace] and call it from String.prototype.replace. r=h4writer,till

arai-san, is bug 887016 a likely regressor? (note that this seemed to have just landed only a day or two ago)
Reporter
Comment 3•8 years ago
I might or might not have time to further reduce this 650-700 line testcase, but this testcase is reproducible, so posting first.
Assignee
Comment 5•8 years ago
I had to check if there's at least one capture, for "$+"
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
Attachment #8739402 -
Flags: review?(till)
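The guard described in comment 5, as an added example that is not SpiderMonkey's own code: a JavaScript model of the "$" expansion in GetSubstitution, including the non-standard "$+" (last capture), where "$+" is only expanded when at least one capture exists. Leaving "$+" as literal text when there are no captures is an assumption of this model, not something the bug states.

```javascript
// Added example (not SpiderMonkey code): a model of the "$" expansion in
// GetSubstitution. `captures` holds groups 1..m (string or undefined), as
// RegExp exec would produce them. `position` is the match offset in `str`.
function getSubstitution(matched, str, position, captures, replacement) {
  const m = captures.length;
  const tailPos = position + matched.length;
  let result = "";
  for (let i = 0; i < replacement.length; i++) {
    const c = replacement[i];
    if (c !== "$" || i + 1 >= replacement.length) { result += c; continue; }
    const n = replacement[i + 1];
    if (n === "$") { result += "$"; i++; continue; }
    if (n === "&") { result += matched; i++; continue; }
    if (n === "`") { result += str.slice(0, position); i++; continue; }
    if (n === "'") { result += str.slice(tailPos); i++; continue; }
    if (n === "+") {
      // The bug class: reading captures[m - 1] with m === 0 is an
      // out-of-bounds access (the Vector.h assertion in the report).
      // The guard: with no captures, emit "$" literally and let the
      // following "+" be copied as an ordinary character (assumed fallback).
      if (m === 0) { result += "$"; continue; }
      result += captures[m - 1] ?? "";
      i++;
      continue;
    }
    if (n >= "0" && n <= "9") {
      // $n / $nn: take the two-digit form only if it names an existing group.
      let num = Number(n), len = 1;
      const n2 = replacement[i + 2];
      if (n2 !== undefined && n2 >= "0" && n2 <= "9") {
        const two = Number(n + n2);
        if (two >= 1 && two <= m) { num = two; len = 2; }
      }
      if (num >= 1 && num <= m) { result += captures[num - 1] ?? ""; i += len; continue; }
    }
    result += "$"; // unknown or out-of-range sequence: keep the "$" literally
  }
  return result;
}
```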
Comment 6•8 years ago
Comment on attachment 8739402 [details] [diff] [review]
Fix replace substitution without any capture.

Review of attachment 8739402 [details] [diff] [review]:
-----------------------------------------------------------------

I wish the language would allow us to catch things like this automatically.
Attachment #8739402 -
Flags: review?(till) → review+
Assignee
Comment 7•8 years ago
Thank you for the quick review :D Just for clarification, this is a regression from bug 887016, that is, a recent nightly-only bug. I'll land this shortly.
Assignee
Comment 8•8 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/48efe647808f65c862cdb671ac78a64605988785
Bug 1263118 - Fix replace substitution without any capture. r=till
Comment 9•8 years ago
https://hg.mozilla.org/mozilla-central/rev/48efe647808f
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated•8 years ago
Group: core-security → core-security-release
Updated•8 years ago
Status: RESOLVED → VERIFIED
Comment 10•8 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•8 years ago
Group: core-security-release