Bug 1464281 (Open, status NEW)
Opened 7 years ago, updated 3 years ago
(msan) use of uninitialized value in CreateRegExpMatchResult
Categories: Core :: JavaScript Engine, defect, P2
Tracking: firefox62 tracking ---, status fix-optional
People: Reporter sfink, Unassigned
References: Blocks 2 open bugs
Description
https://hg.mozilla.org/integration/mozilla-inbound/file/635e4b97033/js/src/builtin/RegExp.cpp#l68
==70987==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x6d057c in js::CreateRegExpMatchResult(JSContext*, JS::Handle<JSString*>, js::MatchPairs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/RegExp.cpp:68:13
#1 0x6e1b70 in RegExpMatcherImpl /builds/worker/workspace/build/src/js/src/builtin/RegExp.cpp:996:12
#2 0x6e1b70 in js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/RegExp.cpp:1019
#3 0xa370f3 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
#4 0xa370f3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:471
#5 0xa12b1f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:526:12
#6 0xa12b1f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3093
#7 0x9fdea8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:421:12
#8 0xa3c9a3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:704:15
#9 0xa3d2e7 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:736:12
#10 0x1e2f69d in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4853:19
#11 0x1e2e7f8 in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, char const*, unsigned long, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4893:15
#12 0x4d2023 in ProcessArgs /builds/worker/workspace/build/src/js/src/shell/js.cpp:8451:18
#13 0x4d2023 in Shell /builds/worker/workspace/build/src/js/src/shell/js.cpp:8866
#14 0x4d2023 in main /builds/worker/workspace/build/src/js/src/shell/js.cpp:9339
#15 0x7ffff63afeac in __libc_start_main /build/eglibc-ZYONVs/eglibc-2.13/csu/libc-start.c:244
#16 0x43aea4 in _start (/builds/worker/workspace/build/src/obj-spider/dist/bin/js+0x43aea4)
Uninitialized value was created by an allocation of 'matches.i' in the stack frame of function '_ZN2js13RegExpMatcherEP9JSContextjPN2JS5ValueE'
#0 0x6e16a0 in js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/RegExp.cpp:1005
SUMMARY: MemorySanitizer: use-of-uninitialized-value /builds/worker/workspace/build/src/js/src/builtin/RegExp.cpp:68:13 in js::CreateRegExpMatchResult(JSContext*, JS::Handle<JSString*>, js::MatchPairs const&, JS::MutableHandle<JS::Value>)
Updated•7 years ago
status-firefox62: --- → fix-optional
Priority: -- → P2
Comment 1•7 years ago
This issue prevents MSAN from running the jsreftests, because some of the "skip-if" reftest conditions executed by XULInfoTester contain regular expression matching. This means we already get a MSAN failure in XULInfoTester, which is then turned into a Python exception [2], tearing down the complete jsreftests setup process. As an alternative to fixing this issue directly, we could also pass "--no-native-regexp" here [3] to disable JIT compilation of RegExps.
(The source of this bug is probably just that VectorMatchPairs::allocOrExpandArray() creates uninitialized memory here [4], which is only later properly initialized by the RegExp JIT. But MSAN is never notified that the JIT took care of initializing the memory, so MSAN still reports an error.)
[1] https://searchfox.org/mozilla-central/rev/ed2763bea882619ccb48b0aecc54e523d2bdd2ae/js/src/tests/non262/Array/regress-157652.js#1
[2] https://searchfox.org/mozilla-central/rev/ed2763bea882619ccb48b0aecc54e523d2bdd2ae/js/src/tests/lib/manifest.py#113-115
[3] https://searchfox.org/mozilla-central/rev/ed2763bea882619ccb48b0aecc54e523d2bdd2ae/js/src/tests/lib/manifest.py#99-102
[4] https://searchfox.org/mozilla-central/rev/ed2763bea882619ccb48b0aecc54e523d2bdd2ae/js/src/vm/RegExpObject.cpp#89
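The mechanism described in comment 1, as an added example that is neither part of this bug nor SpiderMonkey code: a MatchPairs-like buffer is allocated uninitialised, then filled by code MemorySanitizer did not instrument. MSan records initialisation in shadow memory that only instrumented stores update, so stores made by JIT-generated code leave the shadow poisoned and the first use of the value is reported even though the memory is valid. The "JIT" here is a hypothetical stand-in: eight bytes of hand-assembled x86-64 machine code in an mmap'ed page (assumes x86-64 Linux and a policy that permits mapping an executable page; anywhere else the example falls back to a plain C writer and still runs). The names run_match, make_jit_filler, c_filler, alloc_pairs_uninit and pair_t are this example's own. The remedy shown is MSan's own annotation, __msan_unpoison(), which is one way to tell MSan that an external writer initialised the memory; the page itself only mentions the --no-native-regexp workaround.

```c
/* Added example, not SpiderMonkey code. Build with plain cc to run it; with
 * clang -fsanitize=memory on x86-64 Linux, run_match(1, 0, ...) is reported
 * as use-of-uninitialized-value and run_match(1, 1, ...) is not. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if __has_feature(memory_sanitizer)
#include <sanitizer/msan_interface.h>
#define UNPOISON(p, n) __msan_unpoison((p), (n))
#else
#define UNPOISON(p, n) ((void)0)   /* no-op outside an MSan build */
#endif

/* One capture group: (start, limit), as in js::MatchPairs. */
typedef struct { int64_t start; int64_t limit; } pair_t;

/* Signature of the writer: dst[0] = start, dst[1] = limit. */
typedef void (*filler_fn)(int64_t *dst, int64_t start, int64_t limit);

/* Hypothetical JIT stand-in. x86-64 SysV: rdi=dst, rsi=start, rdx=limit.
 *   mov [rdi], rsi      48 89 37
 *   mov [rdi+8], rdx    48 89 57 08
 *   ret                 C3
 * Returns the executable page, or NULL where one cannot be created. */
static void *make_jit_filler(void) {
#if defined(__x86_64__) && defined(__linux__)
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value; hidden under strict -std flags */
#endif
    static const uint8_t code[] = { 0x48,0x89,0x37, 0x48,0x89,0x57,0x08, 0xC3 };
    void *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return NULL;
    memcpy(page, code, sizeof code);
    /* W^X: write first, then flip to RX. Fails under execmem-denying policies. */
    if (mprotect(page, 4096, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, 4096);
        return NULL;
    }
    return page;
#else
    return NULL;
#endif
}

/* Portable, instrumented writer used when no JIT page is available;
 * MSan sees these stores, so this path never produces the report. */
static void c_filler(int64_t *dst, int64_t start, int64_t limit) {
    dst[0] = start;
    dst[1] = limit;
}

/* Models VectorMatchPairs::allocOrExpandArray(): storage comes back
 * uninitialised and the caller is trusted to fill every pair. */
static pair_t *alloc_pairs_uninit(size_t n) {
    return (pair_t *)malloc(n * sizeof(pair_t));
}

/* Runs one "match": allocates a pair, lets the writer fill it with (3, 7),
 * optionally unpoisons it, then computes limit - start the way
 * CreateRegExpMatchResult consumes MatchPairs. Returns that length (4),
 * or -1 on allocation failure. *used_jit_out reports whether the
 * uninstrumented JIT path actually ran. */
int64_t run_match(int use_jit, int annotate, int *used_jit_out) {
    void *jit_page = use_jit ? make_jit_filler() : NULL;
    filler_fn fill = jit_page ? (filler_fn)jit_page : c_filler;
    if (used_jit_out) *used_jit_out = (jit_page != NULL);

    pair_t *pairs = alloc_pairs_uninit(1);
    if (!pairs) {
        if (jit_page) munmap(jit_page, 4096);
        return -1;
    }

    fill(&pairs[0].start, 3, 7);          /* stores MSan never sees on the JIT path */
    if (annotate)
        UNPOISON(pairs, sizeof(pair_t));  /* tell MSan the writer initialised it */

    /* The consuming read; under MSan its value is flagged once it is used. */
    int64_t len = pairs[0].limit - pairs[0].start;

    free(pairs);
    if (jit_page) munmap(jit_page, 4096);
    return len;
}
```

The annotation is deliberately placed where the external writer hands the buffer back, not in the allocator: unpoisoning in allocOrExpandArray() would also hide genuine uninitialised reads of pairs the JIT never wrote. The other option, initialising the pairs in the allocator (for example to -1), costs a write per pair on every match but needs no sanitizer-specific code.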
Updated•3 years ago
Blocks: msan-maintenance
Updated•3 years ago
Severity: normal → S3