Closed Bug 1263341 Opened 9 years ago Closed 9 years ago

Assertion failure: lastIndex >= 0 && size_t(lastIndex) <= input->length(), at js/src/builtin/RegExp.cpp:841

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla48
Tracking Flags:
Tracking Status
firefox47 --- unaffected
firefox48 --- verified

People

(Reporter: gkw, Assigned: arai)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Check lastIndex in non-global replace.
2.01 KB, patch
till
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 06678484909c (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): x = /[^]/y; "y".replace(x, 0); "".replace(x, 0); Backtrace: 0 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010003d053 ExecuteRegExp(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, bool, js::MatchPairs*, unsigned long*, js::RegExpStaticsUpdate) + 979 (RegExp.cpp:841) 1 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010003b470 js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) + 832 (RegExp.cpp:894) 2 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007d599e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236) 3 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010079cd5e js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 702 (Interpreter.cpp:464) 4 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007bb654 Interpret(JSContext*, js::RunState&) + 48324 (Interpreter.cpp:2807) 5 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007af8c7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426) 6 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010079ccfd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494) 7 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007bb654 Interpret(JSContext*, js::RunState&) + 48324 (Interpreter.cpp:2807) 8 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007af8c7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426) 9 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010079ccfd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494) 10 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007bb654 Interpret(JSContext*, js::RunState&) + 48324 (Interpreter.cpp:2807) 11 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007af8c7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426) 12 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010079ccfd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494) 13 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007bb654 Interpret(JSContext*, js::RunState&) + 48324 (Interpreter.cpp:2807) 14 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007af8c7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426) 15 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007c7864 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:682) 16 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001007c7be5 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667) 17 js-dbg-64-dm-clang-darwin-06678484909c 0x0000000100594a61 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4372) 18 js-dbg-64-dm-clang-darwin-06678484909c 0x0000000100594cd2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667) 19 js-dbg-64-dm-clang-darwin-06678484909c 0x00000001000202d9 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530) 20 js-dbg-64-dm-clang-darwin-06678484909c 0x000000010000593b main + 11739 (js.cpp:6732) 21 js-dbg-64-dm-clang-darwin-06678484909c 0x0000000100000ba4 start + 52 Marking s-s due to potentially scary assertion. This assertion still reproduces with the latest m-i rev 4ed4a5de51d0.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/c5e0ea1a1ed2 user: Tooru Fujisawa date: Sat Sep 05 22:01:41 2015 +0900 summary: Bug 887016 - Part 11: Implement RegExp.prototype[@@replace] and call it from String.prototype.replace. r=h4writer,till arai-san, is bug 887016 a likely regressor?
Blocks: 887016
status-firefox47: --- → unaffected
Flags: needinfo?(arai.unmht)
I forgot to copy lastIndex check and ToLength, from RegExpBuiltinExec to RegExpLocalReplaceOpt.
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
Attachment #8739629 - Flags: review?(till)
Comment on attachment 8739629 [details] [diff] [review] Check lastIndex in non-global replace. Review of attachment 8739629 [details] [diff] [review]: ----------------------------------------------------------------- r=me with feedback addressed. ::: js/src/builtin/RegExp.js @@ +482,5 @@ > > + var lastIndex; > + if (sticky) { > + lastIndex = ToLength(rx.lastIndex); > + if (lastIndex < 0 || lastIndex > lengthS) { ToLength already ensures that the result is >= 0, so no need to check for that.
Attachment #8739629 - Flags: review?(till) → review+
Thank you! This is also a recent nightly-only regression from bug 887016. will land this shortly.
https://hg.mozilla.org/mozilla-central/rev/7da431420a16
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox48: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Group: javascript-core-security → core-security-release
Status: RESOLVED → VERIFIED
status-firefox48: fixedverified
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: