Crash [@ v8::internal::ActionNode::StorePosition] or Assertion failure: (RegExpMacroAssembler::kMaxRegister) >= (next_register_ - 1), at new-regexp/regexp-compiler.cc:236
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox76 | --- | unaffected |
| firefox77 | --- | unaffected |
| firefox78 | --- | verified |
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Crash Data
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200514-045d696faa87 (opt build, run with --fuzzing-safe --ion-offthread-compile=off test.js):
evalInWorker(`
var source = Array(50000).join("(") + "a" + Array(50000).join(")");
var r28 = RegExp(source);
r28.test("\\\\x80");
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005606c3c429b1 in v8::internal::ActionNode::StorePosition(int, bool, v8::internal::RegExpNode*) ()
#1 0x00005606c3c3af14 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#2 0x00005606c3c3af23 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#3 0x00005606c3c3af23 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
[...]
#127 0x00005606c3c3af23 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
rax 0x42ca89756c183600 4812810289216501248
rbx 0xd358 54104
rcx 0xd359 54105
rdx 0x7f84bf89b680 140208125884032
rsi 0x1 1
rdi 0xd359 54105
rbp 0x7f84c08c0020 140208142811168
rsp 0x7f84c08bfff0 140208142811120
r8 0x6966 26982
r9 0x0 0
r10 0x32 50
r11 0x246 582
r12 0x7f84bf89b680 140208125884032
r13 0x7f84c09fd1a0 140208144109984
r14 0x1 1
r15 0xd359 54105
rip 0x5606c3c429b1 <v8::internal::ActionNode::StorePosition(int, bool, v8::internal::RegExpNode*)+33>
=> 0x5606c3c429b1 <_ZN2v88internal10ActionNode13StorePositionEibPNS0_10RegExpNodeE+33>: mov %rax,-0x28(%rbp)
0x5606c3c429b5 <_ZN2v88internal10ActionNode13StorePositionEibPNS0_10RegExpNodeE+37>: mov 0x38(%rdx),%rax
Note that this doesn't reproduce with eval/evaluate, it only seems to crash in workers. The crash looks like over-recursion but the assertion failure looks potentially harmful to me, so marking s-s until triaged.
|
Reporter | |
Comment 1•5 years ago
|
||
|
|
Reporter | |
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
Assignee | |
Comment 2•5 years ago
|
||
This fails for me regardless of whether it's eval, evalInWorker, or just executed on its own.
This isn't a security issue. We're just triggering a sanity check assertion in the RegExpCompiler constructor that verifies that the input isn't too huge. The fix is to check the size and throw a "regexp too big" error before we invoke the compiler.
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 3•5 years ago
|
||
The RegExpCompiler constructor asserts that the number of registers (aka local stack slots) needed to store all the captures for a regexp does not exceed the maximum number of registers (1 << 16). The parser already enforces a maximum number of captures, but the cap is too high. For n captures, we need (n+1)*2 registers: 1 for the beginning and end of each capture, plus the implicit "entire match" capture.
If the number of captures in a regexp is between (1<<15) - 1 and 1<<16, the parser will not report an error, but the compiler will assert. We could fix this by checking the number of captures, like V8 does here, but we get better error messages if we just adjust maxCaptures.
|
||
Updated•5 years ago
|
|
|
||
Comment 5•5 years ago
|
||
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
|
|
||
Updated•5 years ago
|
|
|
||
Comment 7•5 years ago
|
||
Description
•