Closed Bug 1640473 Opened 5 years ago Closed 5 years ago

Assertion failure: !inDictionary() with many named captures

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox76 --- unaffected
firefox77 --- unaffected
firefox78 --- fixed

People

(Reporter: anba, Assigned: iain)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Bug 1640473: Support too many named captures r=tcampbell
47 bytes, text/x-phabricator-request
Details | Review
Bug 1640473: Add testcase r=tcampbell
47 bytes, text/x-phabricator-request
Details | Review

Test case:

var s = "";
for (var i = 0; i < 1000; ++i) {
    s += `(?<_${i.toString(32)}>)`;
}
s += "a";

var r = RegExp(s);
var e = r.exec("a");

Asserts with:

Assertion failure: !inDictionary(), at /home/andre/hg/mozilla-inbound/js/src/vm/Shape.h:1301

Stack trace:

#0  0x0000555556b15185 in js::Shape::slotSpan(JSClass const*) const (this=<optimised out>, clasp=<optimised out>) at /home/andre/hg/mozilla-inbound/js/src/vm/Shape.h:1301
#1  0x0000555556b15185 in js::Shape::slotSpan() const (this=<optimised out>) at /home/andre/hg/mozilla-inbound/js/src/vm/Shape.h:1309
#2  0x0000555556b14875 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>)
    (cx=0x7ffff5924000, kind=js::gc::AllocKind::OBJECT0_BACKGROUND, heap=js::gc::DefaultHeap, shape=..., group=...) at /home/andre/hg/mozilla-inbound/js/src/vm/NativeObject-inl.h:505
#3  0x0000555556b12c1b in js::PlainObject::createWithTemplate(JSContext*, JS::Handle<js::PlainObject*>) (cx=0x7ffff5924000, templateObject=...)
    at /home/andre/hg/mozilla-inbound/js/src/vm/PlainObject-inl.h:41
#4  0x0000555556b0623e in js::CreateRegExpMatchResult(JSContext*, JS::Handle<js::RegExpShared*>, JS::Handle<JSString*>, js::MatchPairs const&, JS::MutableHandle<JS::Value>)
    (cx=0x7ffff5924000, re=..., input=..., matches=..., rval=...) at /home/andre/hg/mozilla-inbound/js/src/builtin/RegExp.cpp:89
#5  0x0000555556b0caf9 in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>)
    (cx=0x7ffff5924000, regexp=..., string="a", lastIndex=<optimised out>, rval=...) at /home/andre/hg/mozilla-inbound/js/src/builtin/RegExp.cpp:1080
#6  0x0000555556b0c664 in js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) (cx=0x7ffff5924000, argc=<optimised out>, vp=<optimised out>)
    at /home/andre/hg/mozilla-inbound/js/src/builtin/RegExp.cpp:1101
#7  0x0000555556b46992 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)
    (cx=0x7ffff5924000, native=0x555556b0c400 <js::RegExpMatcher(JSContext*, unsigned int, JS::Value*)>, reason=<optimised out>, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:493
#8  0x0000555556b35bc6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)
    (cx=0x7ffff6e93540 <_IO_2_1_stderr_>, args=..., construct=<optimised out>, reason=js::CallReason::Call) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:585
#9  0x0000555556b2a579 in js::CallFromStack(JSContext*, JS::CallArgs const&) (cx=0x7ffff6e93540 <_IO_2_1_stderr_>, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:652
#10 0x0000555556b2a579 in Interpret(JSContext*, js::RunState&) (cx=0x7ffff6e93540 <_IO_2_1_stderr_>, state=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:3312
#11 0x0000555556b21002 in js::RunScript(JSContext*, js::RunState&) (cx=0x7ffff5924000, state=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:465
#12 0x0000555556b35adc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (cx=0x7ffff5924000, args=..., construct=<optimised out>, reason=<optimised out>)
    at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:620
#13 0x0000555557528024 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)
    (cx=0x7ffff5924000, frame=0x7fffffffb3b8, stub=0x7ffff59868c0, argc=<optimised out>, vp=0x7fffffffb360, res=...) at /home/andre/hg/mozilla-inbound/js/src/jit/BaselineIC.cpp:2990
....

This is a silly thing to support, but I'd rather support it here than push an irregexp patch upstream to make it possible to reject this as a syntax error.

Assignee: nobody → iireland
Status: NEW → ASSIGNED

Ugh, dictionary mode.

Good catch, Anba.

Group: core-security → javascript-core-security

Depends on D76751

This bug was introduced when we added named captures in bug 1362154 and is only present in Nightly.

Severity: -- → S3
status-firefox76: --- → unaffected
status-firefox77: --- → unaffected
status-firefox-esr68: --- → unaffected
Priority: -- → P1
Regressed by: 1362154
Has Regression Range: --- → yes
Keywords: regression

https://hg.mozilla.org/integration/autoland/rev/33de24707e9f608899c744b02b53a82c5563c73b
https://hg.mozilla.org/mozilla-central/rev/33de24707e9f

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox78: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: