Closed Bug 1655404 Opened 4 years ago Closed 4 years ago

Crash [@ v8::internal::ActionNode::StorePosition] with too much recursion

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1644513
Tracking Flags:
Tracking Status
firefox80 --- wontfix
firefox81 --- fixed

People

(Reporter: decoder, Assigned: iain)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])

Crash Data

Attachments

(1 file)

Testcase
247 bytes, text/plain
Details

The following testcase crashes on mozilla-central revision 20200726-f4703bddd567 (opt build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

evalInWorker(`
var interestingCaptureNums = [(1 << 14),
                              (1 << 16)]
for (let i83 of interestingCaptureNums) {
        var source = Array(i83).join("(") + "a" + Array(i83).join(")");
        RegExp(source).exec();
}
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x571dfe62 in v8::internal::ActionNode::StorePosition(int, bool, v8::internal::RegExpNode*) ()
#0  0x571dfe62 in v8::internal::ActionNode::StorePosition(int, bool, v8::internal::RegExpNode*) ()
#1  0x56ca3412 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#2  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#3  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#4  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#5  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#6  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#7  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#8  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#9  0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
#10 0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
[...]
#127 0x56ca3422 in v8::internal::RegExpCapture::ToNode(v8::internal::RegExpCompiler*, v8::internal::RegExpNode*) ()
eax	0x94af5300	-1800449280
ebx	0x5860e000	1482743808
ecx	0xf4bdc510	-188889840
edx	0x7e21	32289
esi	0xf509fa88	-183895416
edi	0x7e20	32288
ebp	0xf721b018	4146180120
esp	0xf721aff0	4146180080
eip	0x571dfe62 <v8::internal::ActionNode::StorePosition(int, bool, v8::internal::RegExpNode*)+18>
=> 0x571dfe62 <_ZN2v88internal10ActionNode13StorePositionEibPNS0_10RegExpNodeE+18>:	call   0x571dfe67 <_ZN2v88internal10ActionNode13StorePositionEibPNS0_10RegExpNodeE+23>
   0x571dfe67 <_ZN2v88internal10ActionNode13StorePositionEibPNS0_10RegExpNodeE+23>:	pop    %ebx

I am seeing this particular crash on 32-bit but also on ARM64 (where it is a top crasher without signature, making this a high priority fuzzblocker). I am also seeing over-recursion crashes on x86 64-bit but having trouble to isolate them so far.

Attached file Testcase

Not sure if this is in any way related to bug 1652356, but setting needinfo? from Iain in case he knows.

Flags: needinfo?(iireland)

This testcase doesn't crash for me locally, but sfink was having similar issues in bug 1644513, and the old unlanded patch attached to that bug fixed them (with a tiny bit of tweaking to enable it for 64-bit). I suspect that it will also help fuzzing. I've uploaded an updated copy of the patch to bug 1644513.

decoder: If you can verify that the patch attached to bug 1644513 fixes the known issues locally, we can try landing that and see how far that gets us.

Assignee: nobody → iireland
Flags: needinfo?(iireland) → needinfo?(choller)
Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200727203201-932240e49142. The bug appears to have been introduced in the following build range: > Start: 61a83cc0b74b43117a9fa6d92c3d693ea03bbffc (20200511214706) > End: 0db4052181f50970fc18383df98eeb40ab7ce684 (20200512040410) > Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=61a83cc0b74b43117a9fa6d92c3d693ea03bbffc&tochange=0db4052181f50970fc18383df98eeb40ab7ce684

This is fixed by bug 1644513.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE
Keywords: bugmon
Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker] → [fuzzblocker]
Bugmon Analysis: Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: