Closed Bug 1271857 Opened 9 years ago Closed 9 years ago

Assertion failure: len != 0, at js/src/builtin/RegExp.cpp:1478

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 macOS
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED
Target Milestone: mozilla49
Tracking Status: firefox49 --- fixed

People: Reporter: gkw, Assigned: arai

Details: Keywords: assertion, testcase; Whiteboard: [fuzzblocker] [jsbugmon:]

Attachments: 2 files

The following testcase crashes on mozilla-central revision 1579b9e2e50f (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-limit-script-size=off):

    setJitCompilerOption("ion.forceinlineCaches", 1);
    for (var i = 0; i < 1; i++) {
        var text = "function (){}";
        text.replace(/x/, "12")
        text.replace(/y/, "")
    }

Backtrace:

    0 js-dbg-64-dm-clang-darwin-1579b9e2e50f 0x0000000104b59668 js::GetFirstDollarIndexRawFlat(JSLinearString*) + 248 (RegExp.cpp:1478)
    1 js-dbg-64-dm-clang-darwin-1579b9e2e50f 0x0000000104ee6927 js::jit::MGetFirstDollarIndex::foldsTo(js::jit::TempAllocator&) + 87 (Value.h:776)
    2 js-dbg-64-dm-clang-darwin-1579b9e2e50f 0x0000000104ffa824 js::jit::ValueNumberer::visitDefinition(js::jit::MDefinition*) + 372 (ValueNumbering.cpp:618)
    3 js-dbg-64-dm-clang-darwin-1579b9e2e50f 0x0000000104ffb875 js::jit::ValueNumberer::visitBlock(js::jit::MBasicBlock*, js::jit::MBasicBlock const*) + 469 (ValueNumbering.cpp:989)
    4 js-dbg-64-dm-clang-darwin-1579b9e2e50f 0x0000000104ffbb0b js::jit::ValueNumberer::visitDominatorTree(js::jit::MBasicBlock*) + 315 (ValueNumbering.cpp:1032)

For detailed crash information, see attachment.

Recent RegExp bugs have been s-s, so I'm treating this no differently pending further analysis.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d1b90728ce14
user:        Tooru Fujisawa
date:        Mon May 09 20:48:26 2016 +0900
summary:     Bug 1108382 - Remove non-standard flag argument from String.prototype.{search,match,replace}. r=till

Arai-san, is bug 1108382 a likely regressor?

Also, this is happening regularly within jsfunfuzz itself, so setting [fuzzblocker].
Blocks: 1108382
Flags: needinfo?(arai.unmht)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Note that this testcase seems to require --ion-limit-script-size=off.
Thank you :) This is a regression from bug 1263490. It looks like the constant folding happens with an empty string, where a constant empty string won't cause it in the normal case. Anyway, the assertion is just for performance reasons, to avoid calling the native function from JS code in unnecessary cases, and failing the assertion doesn't mean any security flaw. We can move the assertion from js::GetFirstDollarIndexRawFlat to js::GetFirstDollarIndex, as js::GetFirstDollarIndexRawFlat is also used from constant folding, but js::GetFirstDollarIndex is called only from JS code.
Flags: needinfo?(arai.unmht)
See Also: → 1263490
Blocks: 1263490
See Also: 1263490
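As an added model of the point made in comment 5 (illustration code, not SpiderMonkey's implementation or the patch on this bug): a raw '$'-scan helper shared by a constant-folding path and a self-hosting intrinsic, with the len != 0 assertion placed at the intrinsic entry point rather than in the shared helper. The function names are borrowed from the backtrace, but the bodies, the folding caller and the self-hosted caller are assumptions; the test inputs are the two replacement strings from the testcase.

```cpp
// Added model (not SpiderMonkey code): where a debug assertion about a caller's
// behaviour belongs when the helper it guards has more than one caller.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>

// Shared raw helper: index of the first '$' in text, or -1 if none.
// Safe for every length, including 0: the loop body never runs and no
// character is read, so an empty string is not a memory-safety concern here.
inline int32_t getFirstDollarIndexRawFlat(const char16_t* text, size_t len) {
    for (size_t i = 0; i < len; ++i) {
        if (text[i] == u'$') {
            return static_cast<int32_t>(i);
        }
    }
    return -1;
}

// Entry point reached only from (self-hosted) JS code. The JS caller is
// expected to skip the native call for an empty replacement string, so the
// assertion documents that performance expectation about the caller; it is
// not a precondition the raw scan needs for correctness.
inline int32_t intrinsicGetFirstDollarIndex(const std::u16string& text) {
    assert(text.size() != 0 && "JS caller should have handled the empty string");
    return getFirstDollarIndexRawFlat(text.data(), text.size());
}

// Compiler-side constant folding: folds whatever constant string the script
// supplied, so it legitimately sees "" (the second replace() in the testcase).
// With the assertion in the raw helper this input fired it; calling the raw
// helper directly, with the assertion moved up, nothing can fire here.
inline int32_t foldGetFirstDollarIndex(const std::u16string& constantText) {
    return getFirstDollarIndexRawFlat(constantText.data(), constantText.size());
}

// Assumed model of the self-hosted caller that makes the intrinsic's
// assertion hold: it never calls into native code for an empty string.
inline int32_t selfHostedFirstDollarIndex(const std::u16string& replacement) {
    if (replacement.empty()) {
        return -1;  // nothing to scan, avoid the native call entirely
    }
    return intrinsicGetFirstDollarIndex(replacement);
}
```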
Just moved the assertion to the entry point for the self-hosting intrinsic.
Assignee: nobody → arai.unmht
Attachment #8751053 - Flags: review?(hv1989)
(In reply to Tooru Fujisawa [:arai] from comment #5)
> Anyway, the assertion is just for performance reason, to avoid calling
> native function from JS code in unnecessary case, and failing the assertion
> doesn't mean any security flaw.

Opening up.
Group: javascript-core-security
Attachment #8751053 - Flags: review?(hv1989) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/71fd71704676df43d1f373be32394ae56fd6258b
Bug 1271857 - Move the assertion for text length from GetFirstDollarIndexRawFlat to GetFirstDollarIndex. r=h4writer
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49