Closed Bug 1863390 Opened 2 years ago Closed 2 years ago

Assertion failure: !JSInlineString::lengthFits<JS::Latin1Char>(length), at vm/StringType-inl.h:203

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox119 --- unaffected
firefox120 --- unaffected
firefox121 --- fixed

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20231106-925231a8fb5e (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

function a(b) {
  // '\uffff' makes the concatenation a two-byte string. Replacing that unit with
  // the stringified global object (this, a Latin-1 string) yields a string whose
  // remaining "undefined" part still comes from the two-byte string, so the
  // result is made of pieces with different character encodings.
  return ('\uffff' + b).replace(/\uffff/, this)
}
function c(d) {
  // Take ever-longer prefixes; once e crosses the boundary between the Latin-1
  // and two-byte pieces, substring() reaches the failing assertion. The loop is
  // deliberately unbounded (e is an implicit global), as in the fuzzer output.
  for (e = 0;; e++)
    d.substring(0, e)
}
c(a());

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555573fbdd8 in JSRope::JSRope(JSString*, JSString*, unsigned long) ()
#1  0x0000555557398ce2 in JSRope* JSRope::new_<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, unsigned long, js::gc::Heap) ()
#2  0x00005555573980d3 in js::SubstringKernel(JSContext*, JS::Handle<JSString*>, int, int) ()
#3  0x00003f722b5c4b9e in ?? ()
[...]
#9  0x0000000000000000 in ?? ()
rax	0x55555591f3e0	93824996209632
rbx	0x10	16
rcx	0x55555898edc8	93825046998472
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffca30	140737488341552
rsp	0x7fffffffca30	140737488341552
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f92840	140737353689152
r10	0x2	2
r11	0x0	0
r12	0x0	0
r13	0x313886008a8	3382427257000
r14	0x7fffffffcad0	140737488341712
r15	0x7fffffffcaf0	140737488341744
rip	0x5555573fbdd8 <JSRope::JSRope(JSString*, JSString*, unsigned long)+472>
=> 0x5555573fbdd8 <_ZN6JSRopeC2EP8JSStringS1_m+472>:	movl   $0xcb,0x0
   0x5555573fbde3 <_ZN6JSRopeC2EP8JSStringS1_m+483>:	callq  0x555556f349c0 <abort>
Attached file Testcase

Unable to reproduce bug 1863390 using build mozilla-central 20231106094018-925231a8fb5e. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

anba, I think this is the new assertion failing?

Flags: needinfo?(andrebargull)

Yes, it's a regression from bug 1803855. But it's also not security-sensitive, so we can unhide this bug.

Simplified test case:

var left = "left-rope-child";
var right = newString("right-rope-child", {twoByte: true});
var s = newRope(left, right);
var r = s.substring(0, left.length + 1);
Flags: needinfo?(andrebargull)
Group: javascript-core-security
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P1
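A portable version of the simplified test case, added here as an example and not taken from the bug report or from SpiderMonkey: `newString` and `newRope` are SpiderMonkey-shell builtins, so this instead forces a two-byte right operand with a U+0100 code unit (a portable engine cannot request a two-byte string holding only Latin-1 content) and builds the concatenation at runtime. It checks every substring that crosses the encoding boundary against a code-unit-by-code-unit reference, which is the span shape that hit the assertion; the helper names are this example's own.

```javascript
// Added example, not the bug's test case: checks substrings that cross the
// boundary between a Latin-1 piece and a two-byte piece of one string.

// Latin-1 means every code unit is <= 0xFF; two-byte means some unit is > 0xFF.
function isLatin1(s) {
  for (let i = 0; i < s.length; i++) {
    if (s.charCodeAt(i) > 0xff) return false;
  }
  return true;
}

// Reference substring(begin, end) rebuilt from single code units, so it does
// not go through the engine's rope/dependent-string fast paths.
function referenceSubstring(s, begin, end) {
  let out = "";
  for (let i = begin; i < end; i++) out += String.fromCharCode(s.charCodeAt(i));
  return out;
}

// Concatenate through a call so the engine sees a runtime "+" of two strings
// rather than a pair of literals it could fold into one string.
function concatAtRuntime(left, right) {
  return left + right;
}

// Every substring that starts inside `left` and ends inside `right` spans the
// encoding boundary. Returns the mismatches found; empty on a correct engine.
function checkBoundarySubstrings(left, right) {
  const s = concatAtRuntime(left, right);
  const mismatches = [];
  for (let begin = 0; begin <= left.length; begin++) {
    for (let end = left.length + 1; end <= s.length; end++) {
      const got = s.substring(begin, end);
      const want = referenceSubstring(s, begin, end);
      if (got !== want || got.length !== end - begin) {
        mismatches.push({ begin, end, got, want });
      }
    }
  }
  return mismatches;
}

// The construction from the reporter's test case: a two-byte string whose
// leading U+FFFF unit is replaced by a Latin-1 string.
function replaceConstruction(latin1Replacement, tail) {
  return ("\uffff" + tail).replace(/\uffff/, latin1Replacement);
}

// Constructed sample operands (the names match the simplified test case).
const left = "left-rope-child";          // Latin-1
const right = "right-rope-child\u0100";  // two-byte because of U+0100

const problems = checkBoundarySubstrings(left, right);
console.log(isLatin1(left), isLatin1(right), problems.length === 0 ? "ok" : problems);
```

Running this in the SpiderMonkey shell on a build without the fix is the interesting case; on an engine where the assertion is fixed (or never existed) it reports no mismatches.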
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/2b10a37f9a23 Handle case when dependent string is latin-1. r=jandem

Backed out for causing JSRope-related SM bustages.

Flags: needinfo?(andrebargull)
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/af9d30c92582 Handle case when dependent string is latin-1. r=jandem
Flags: needinfo?(andrebargull)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch