Closed Bug 1783555 Opened 2 years ago Closed 2 years ago

Assertion failure: (RegExpMacroAssembler::kMaxRegister) >= (next_register_ - 1), at irregexp/imported/regexp-compiler.cc:253

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
106 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 --- wontfix
firefox106 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(5 files)

The following testcase crashes on mozilla-central revision 20220804-23d50b5617de (debug build, run with --fuzzing-safe --no-threads --fast-warmup):

// 65537 zero-valued elements joined by the source text of the native Uint32Array
// function (roughly "function Uint32Array() { [native code] }"); its "()" is an
// empty capture group when read as a pattern, so 65536 separators give 65536 groups.
v4 = new Uint8ClampedArray(65537);
v5 = v4.join(Uint32Array);
// String.prototype.match wraps a non-RegExp argument in new RegExp(ToString(arg));
// ToString(v7) reaches the inherited Array.prototype.toString and yields v5.
v6 = [v5];
v7 = {__proto__:v6};
v8 = "function".match(v7);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555576ba4b4 in v8::internal::RegExpCompiler::RegExpCompiler(v8::internal::Isolate*, v8::internal::Zone*, int, JS::RegExpFlags, bool) ()
#1  0x00005555576a58bf in js::irregexp::CompilePattern(JSContext*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, js::RegExpShared::CodeKind) ()
#2  0x000055555705da44 in js::RegExpShared::execute(JSContext*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, unsigned long, js::VectorMatchPairs*) ()
#3  0x0000555556cc0224 in ExecuteRegExp(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::VectorMatchPairs*) ()
#4  0x0000555556cbeaca in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>) ()
#5  0x0000555556cbe68f in js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) ()
#6  0x0000555556d39088 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#17 0x0000555556b91bc4 in main ()
rax	0x5555557a65ae	93824994665902
rbx	0x7fffffffade0	140737488334304
rcx	0x5555582a5790	93825039751056
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffac00	140737488333824
rsp	0x7fffffffabd0	140737488333776
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x0	0
r13	0x0	0
r14	0x7fffffffac98	140737488333976
r15	0x7ffff60062e0	140737320608480
rip	0x5555576ba4b4 <v8::internal::RegExpCompiler::RegExpCompiler(v8::internal::Isolate*, v8::internal::Zone*, int, JS::RegExpFlags, bool)+228>
=> 0x5555576ba4b4 <_ZN2v88internal14RegExpCompilerC2EPNS0_7IsolateEPNS0_4ZoneEiN2JS11RegExpFlagsEb+228>:	movl   $0xfd,0x0
   0x5555576ba4bf <_ZN2v88internal14RegExpCompilerC2EPNS0_7IsolateEPNS0_4ZoneEiN2JS11RegExpFlagsEb+239>:	callq  0x555556c28160 <abort>

Assert looks potentially dangerous, marking s-s until investigated.

Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220807214336-328d2ccc6eb9.
The bug appears to have been introduced in the following build range:

Start: 7e7bca63bd09fe0d2f246d09293b2fb42b275569 (20220803180216)
End: 72cd1237f80d04cb8039a358c29de80512232f7d (20220803181019)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7e7bca63bd09fe0d2f246d09293b2fb42b275569&tochange=72cd1237f80d04cb8039a358c29de80512232f7d

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Regressed by: 1779849

Set release status flags based on info from the regressing bug 1779849

:iain, since you are the author of the regressor, bug 1779849, could you take a look?
For more information, please visit auto_nag documentation.

Flags: needinfo?(iireland)

This is not security-sensitive. The failing assertion verifies that we have enforced an arbitrary limit on the number of captures in a regular expression. While refactoring, upstream irregexp accidentally modified a check in the parser, with the effect that the limit was doubled while parsing (but still enforced as 1 << 16 while compiling). In practice, such regular expressions will generally overflow the stack / otherwise exceed size limits.

I've reported the bug upstream and put up a patch; once it lands upstream, I'll refresh our import.

Group: javascript-core-security
Flags: needinfo?(iireland)
Severity: -- → S3
Priority: -- → P2
See Also: → 1783830
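The capture-count limit that comment 6 describes, as an added JavaScript example that is not part of the bug report or of SpiderMonkey: a single guard that counts capturing groups in a pattern's source text and rejects the pattern before RegExp ever sees it, plus a helper that builds a pattern of the same shape as the testcase (one empty group per separator). The function names, the MAX_CAPTURES constant and its use of the 1 << 16 value from comment 6 are this example's assumptions.

```javascript
// Added example (not from the bug report or SpiderMonkey): enforce the capture
// limit once, at the boundary, so it cannot drift between two stages the way
// the irregexp parser and compiler limits did in this bug.
const MAX_CAPTURES = 1 << 16; // assumed: the compile-time value from comment 6

// Count capturing groups: an unescaped "(" outside a character class that is
// not a non-capturing or lookaround group. Named groups "(?<name>...)" capture;
// lookbehind "(?<=" and "(?<!" do not.
function countCaptureGroups(source) {
  let count = 0;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }                 // skip the escaped char
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    if (c !== "(") continue;
    if (source[i + 1] !== "?") { count++; continue; }  // plain "(" captures
    const isNamed = source[i + 2] === "<" &&
                    source[i + 3] !== "=" && source[i + 3] !== "!";
    if (isNamed) count++;
  }
  return count;
}

// Reject patterns with MAX_CAPTURES or more groups; the testcase's 65536 groups
// (1 << 16) fall in the rejected range, so it never reaches the engine.
function safeRegExp(source, flags = "", maxCaptures = MAX_CAPTURES) {
  const n = countCaptureGroups(source);
  if (n >= maxCaptures) {
    throw new RangeError(`pattern has ${n} capture groups, limit ${maxCaptures}`);
  }
  return new RegExp(source, flags);
}

// Constructed input: a pattern with n empty capture groups, the shape the
// testcase produces by joining array elements with a string containing "()".
function patternWithCaptures(n) {
  return "0" + "()0".repeat(n);
}

// Stand-alone run: small pattern compiles, testcase-sized pattern is refused.
console.log(safeRegExp(patternWithCaptures(3)).test("0000"));        // true
try {
  safeRegExp(patternWithCaptures(65536));
} catch (e) {
  console.log(e.name, countCaptureGroups(patternWithCaptures(65536))); // RangeError 65536
}
```

The point of the guard is the single constant: the parser and compiler in this bug each carried their own copy of the limit, and a refactor changed one without the other. A pattern-side check such as this is also what an application that compiles attacker-supplied patterns would want, since a pattern near the engine's limit costs memory and stack well before any assertion fires.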

Set release status flags based on info from the regressing bug 1779849

Looks like the fix landed upstream now?

Flags: needinfo?(iireland)

This pulls in changes from upstream that fix bug 1783555 and bug 1783830.

Assignee: nobody → iireland
Status: NEW → ASSIGNED

Prior to this update, irregexp used ByteArray to represent an array of 16-bit values. It's been rewritten upstream to be more strongly typed, so now we also have to implement FixedIntegerArray<T> as a subclass of ByteArray.

Depends on D155913

Depends on D155914

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
Flags: needinfo?(iireland)

The patch landed in nightly and beta is affected.
:iain, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox105 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(iireland)

As described in comment 6, this bug is unlikely to have any effect in release builds. Bug 1783830, which we fixed at the same time, has been around for a long time without causing noticeable problems.

This can ride the trains.

Flags: needinfo?(iireland)

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220831093258-11e997d3cf78.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
