Closed
Bug 1455954
Opened 6 years ago
Closed 6 years ago
Differential Testing: Different output message involving regex
Categories: Core :: JavaScript Engine: JIT, defect, P1
Status: RESOLVED FIXED (target milestone mozilla62)
Flag | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox-esr60 | --- | unaffected
firefox60 | --- | unaffected
firefox61 | --- | wontfix
firefox62 | --- | fixed
People: Reporter: gkw, Assigned: jandem
Keywords: testcase
Attachments (1 file): patch, 823 bytes, sfink: review+
```js
try {
    var count = 0;
    ((function f(x) {
        var r = /\2/;
        if (r.exec("") == null) { count++; }
        if (count > 4000 && count < 4100) { print(count); }
        if (x == 0) {; return null; };
        return f(x - 1);
    })(5000));
} catch (e) {}
```

```
$ ./js-32-dm-linux-8d4cf28964f6 --fuzzing-safe --no-threads --ion-eager testcase.js
/snip
4095
4096
4097
4098
4099
$
$ ./js-32-dm-linux-8d4cf28964f6 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
/snip
4020
4021
4022
4023
4024
$
```

or when run again:

```
/snip
4025
4026
4027
4028
4029
ReportOverRecursed called
$
```

or when run a third time (thus inconsistent results):

```
/snip
4021
4022
4023
4024
4025
4026
$
```

Tested this on m-c rev 8d4cf28964f6.

My configure flags are:

```
CC="gcc -m32 -msse2 -mfpmath=sse" CXX="g++ -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh ./configure --target=i686-pc-linux --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
```

```
python -u -m funfuzz.js.compile_shell -b "--32 --enable-more-deterministic" -r 8d4cf28964f6
```

```
$ gcc --version
gcc (Ubuntu/Linaro 6.3.0-18ubuntu2~16.04) 6.3.0 20170519
```

This happened on Ubuntu Linux 16.04.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7a682f7ab2f5
user: Jan de Mooij
date: Fri Mar 23 15:55:38 2018 +0100
summary: Bug 1447996 - Don't GC when hitting overrecursion in RegExpCompiler; make the static analysis detect this. r=sfink

Setting s-s to be safe as bug 1447996 was initially filed as s-s. However, I think that this might not need to be (might just be some overrecursion thing), but I'll let Jan decide.

Jan, is bug 1447996 a likely regressor?
Flags: needinfo?(jdemooij)
Assignee
Comment 1•6 years ago
Yeah, this looks harmless, we likely need to print "ReportOverRecursed called" in RegExpCompiler::CheckOverRecursed in more-deterministic builds, before we call SetRegExpTooBig(). I'll take a closer look tomorrow.
Updated•6 years ago
Group: javascript-core-security
Reporter
Comment 2•6 years ago
```js
try {
    (function f(x) {
        if (x > 0)
            r = RegExp("^.{")
        s = print("".match(r));
        f(x);
        a = {}
    })(99)
} catch {}
```

This prints "null" multiple times, but the number of times it is printed is different.

```
$ ./js-64-dm-linux-b1628ac71fcc --fuzzing-safe --no-threads --baseline-eager --no-ion 2870117.js > out.txt
$ wc -l out.txt
6468 out.txt
$ ./js-64-dm-linux-b1628ac71fcc --fuzzing-safe --baseline-eager --no-ion 2870117.js > out2.txt
$ wc -l out2.txt
6473 out2.txt
```

Tested on 64-bit opt deterministic builds on m-c rev b1628ac71fcc.

I'm guessing this is the same issue, so merely posting here.
Assignee
Comment 3•6 years ago
Gary, sorry for the delay. This just prints the overrecursed message to stderr in RegExpCompiler::CheckOverRecursed in more-deterministic builds.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8973965 - Flags: review?(sphink)
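A differential-testing comparator in the spirit of this report, as an added example rather than funfuzz or SpiderMonkey code: it compares the stdout of two shell configurations and, relying on the marker that the fix in comment 3 makes the more-deterministic shell print, classifies a divergence as expected overrecursion nondeterminism instead of a JIT bug when either run reported it. The ShellRun captures are constructed to mirror the runs in comment 0, not real shell output.

```python
from dataclasses import dataclass

# The string the more-deterministic shell prints when an overrecursion
# check fails; after this bug's fix it is also printed (to stderr) from
# RegExpCompiler::CheckOverRecursed.
OVERRECURSED_MARKER = "ReportOverRecursed called"


@dataclass
class ShellRun:
    """stdout/stderr captured from one js shell invocation (constructed here)."""
    config: str
    stdout: str
    stderr: str = ""

    def overrecursed(self) -> bool:
        # Check both streams: other paths interleave the marker into stdout.
        return OVERRECURSED_MARKER in self.stdout or OVERRECURSED_MARKER in self.stderr

    def lines(self) -> list:
        # Compare only the testcase's own output, not the marker itself.
        return [ln for ln in self.stdout.splitlines() if ln != OVERRECURSED_MARKER]


def first_divergence(a: ShellRun, b: ShellRun):
    """Index of the first differing stdout line, or None when identical."""
    la, lb = a.lines(), b.lines()
    for i, (x, y) in enumerate(zip(la, lb)):
        if x != y:
            return i
    return None if len(la) == len(lb) else min(len(la), len(lb))


def classify(a: ShellRun, b: ShellRun) -> str:
    """'same'; 'overrecursed' when a divergence is explained by a reported
    overrecursion (expected nondeterminism, not a JIT bug); else 'differ'."""
    if first_divergence(a, b) is None:
        return "same"
    if a.overrecursed() or b.overrecursed():
        return "overrecursed"
    return "differ"


# Constructed captures mirroring comment 0: --ion-eager reaches count 4099,
# --baseline-eager hits the irregexp recursion limit earlier and varies per run.
ION = ShellRun("--ion-eager", "\n".join(map(str, range(4095, 4100))) + "\n")
BASELINE_REPORTED = ShellRun("--baseline-eager --no-ion",
                             "\n".join(map(str, range(4025, 4030))) + "\n",
                             stderr=OVERRECURSED_MARKER + "\n")
BASELINE_SILENT = ShellRun("--baseline-eager --no-ion",
                           "\n".join(map(str, range(4021, 4027))) + "\n")
```

Without the marker (BASELINE_SILENT, the pre-fix behaviour) the same divergence is classified as a real differential, which is exactly the false positive the fix removes.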
Updated•6 years ago
Priority: -- → P1
Comment 4•6 years ago
Comment on attachment 8973965 (Patch)

Review of attachment 8973965:

WFM
Attachment #8973965 - Flags: review?(sphink) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/19b42c0e8916
Print to stderr in more-deterministic builds when irregexp overrecursion check fails. r=sfink
bugherder
Comment 6•6 years ago

https://hg.mozilla.org/mozilla-central/rev/19b42c0e8916
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Updated•6 years ago
status-firefox60: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected