1653212 - Issue parsing Latin1 String with number and `_` delimiter in the js shell

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P2)

Description

[Carl Smith]

The following sample triggers an assertion failure:

function main() {
str = String.fromCharCode(0xff);
console.log(parse("1_" + str.toLocaleString()))
}
main();

Assertion failure: cp.isSome(), at /home/builder/firefox/js/src/util/Text.cpp:420

This is caused by the parse builtin in the jsshell, which reads the string with the Latin1 charset, then casts it to UTF-8 and then parses it (https://searchfox.org/mozilla-central/source/js/src/shell/js.cpp#5274). It then encounters the 1 and starts to parse a number, where _ can be used as a delimiter to make the number more readable and expects another number after the _. This fails which causes it to report an error in https://searchfox.org/mozilla-central/source/js/src/frontend/TokenStream.cpp#2420, which then tries to parse it as an UTF-8 string. This causes an infinite loop or an assertion failure in the DecodeOneUtf8CodePointInline function while trying to print an error message.

Comment 1

[André Bargull [:anba]]

Caused by bug 1612515 (https://phabricator.services.mozilla.com/D64170).

Comment 2

[Jason Orendorff [:jorendorff]]

Thank you, Carl.

Shorter test case: parse("1_\xff")

What was I thinking when I reviewed this?

    const Latin1Char* chars_ = stableChars.latin1Range().begin().get();
    auto chars = reinterpret_cast<const mozilla::Utf8Unit*>(chars_);

Comment 3

[Jason Orendorff [:jorendorff]]

Arai, would you mind taking this? We shouldn't leave it like that.

Comment 4

[Tooru Fujisawa [:arai]]

Attachment: Bug 1653212 - Use raw latin1 string only when it is ASCII. r?nbp!

Comment 5

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/c0d402ca2111
Use raw latin1 string only when it is ASCII. r=nbp

Comment 6

[Razvan Maries]

https://hg.mozilla.org/mozilla-central/rev/c0d402ca2111