1921421 - Hit MOZ_CRASH(Mode modifiers not supported) at js/src/irregexp/RegExpAPI.cpp:120

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The attached testcase crashes on mozilla-central revision 20240922-568e5a283867.

Backtrace:

==20392==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7d1638a2ec70 bp 0x7ffece0f7230 sp 0x7ffece0f7220 T0)
==20392==The signal is caused by a WRITE memory access.
    #0 0x7d1638a2ec70 in js::irregexp::ErrorNumber(v8::internal::RegExpError) /js/src/irregexp/RegExpAPI.cpp:120:7
    #1 0x7d1638a2e03f in void js::irregexp::ReportSyntaxError<unsigned char const>(js::frontend::TokenStreamAnyChars&, mozilla::Maybe<unsigned int>, mozilla::Maybe<JS::ColumnNumberOneOrigin>, v8::internal::RegExpCompileData&, unsigned char const*, unsigned long, ...) /js/src/irregexp/RegExpAPI.cpp:204:26
    #2 0x7d1638a1926d in ReportSyntaxError /js/src/irregexp/RegExpAPI.cpp:294:5
    #3 0x7d1638a1926d in js::irregexp::CheckPatternSyntax(JSContext*, unsigned long, js::frontend::TokenStreamAnyChars&, JS::Handle<JSAtom*>, JS::RegExpFlags) /js/src/irregexp/RegExpAPI.cpp
    #4 0x7d16380395a0 in js::RegExpObject::create(JSContext*, JS::Handle<JSAtom*>, JS::RegExpFlags, js::NewObjectKind) /js/src/vm/RegExpObject.cpp:240:10
    #5 0x7d1637b75cd9 in JSStructuredCloneReader::startRead(JS::MutableHandle<JS::Value>, JSStructuredCloneReader::ShouldAtomizeStrings) /js/src/vm/StructuredClone.cpp:3174:29
    #6 0x7d1637b5dce8 in JSStructuredCloneReader::read(JS::MutableHandle<JS::Value>, unsigned long) /js/src/vm/StructuredClone.cpp:3942:8
    #7 0x7d1637b5d7dc in ReadStructuredClone(JSContext*, JSStructuredCloneData const&, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /js/src/vm/StructuredClone.cpp:796:12
    #8 0x7d1637b82e70 in JS_ReadStructuredClone(JSContext*, JSStructuredCloneData const&, unsigned int, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /js/src/vm/StructuredClone.cpp:4094:10
    #9 0x7d162f8bbfd7 in ReadFromBuffer /dom/base/StructuredCloneHolder.cpp:429:8
    #10 0x7d162f8bbfd7 in mozilla::dom::StructuredCloneHolder::ReadFromBuffer(nsIGlobalObject*, JSContext*, JSStructuredCloneData&, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/base/StructuredCloneHolder.cpp:415:3
    #11 0x7d1634d9cda4 in Read /dom/ipc/StructuredCloneData.cpp:115:3
    #12 0x7d1634d9cda4 in mozilla::dom::ipc::StructuredCloneData::Read(JSContext*, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /dom/ipc/StructuredCloneData.cpp:103:3
    #13 0x7d16290e9a07 in FuzzingRunDomSC(unsigned char const*, unsigned long) /dom/base/fuzztest/FuzzStructuredClone.cpp:62:10
    [...]

To reproduce the issue, perform the following steps:

1. Download the attached testcase, save as "test.bin".
   2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
   2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing --target firefox gtest (see https://github.com/MozillaSecurity/fuzzfetch).
2. Run FUZZER=StructuredCloneReaderDOM objdir/dist/bin/firefox test.bin

This popped up only recently, though I can't see immediately why. It looks like we are passing in regexp flags that we don't actually support - I assume regular JS we somehow error out earlier before reaching this? Looks like a safe MOZ_CRASH to me though.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Jan de Mooij [:jandem]]

Shell test case:

// Run with --enable-regexp-modifiers
var re = /(?--/;

Likely a regression from bug 1913752.

This feature isn't enabled by default in the shell because the regexp features still use the JitOptions API instead of the new JS::Prefs system that uses the browser pref values.

Comment 4

[Dan Minor [:dminor]]

I'll have a look.

Comment 5

[Dan Minor [:dminor]]

Attachment: Bug 1921421 - Add error message for RegExpError::kMultipleFlagDashes; r=jandem!

This adds an error message and testcase for RegExpError::kMultipleFlagDashes,
which appears to not be tested by test262. The error message matches what is
used in V8.

Comment 6

[Pulsebot]

Pushed by dminor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9dec9b7d7f1f
Add error message for RegExpError::kMultipleFlagDashes; r=jandem

Comment 7

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/9dec9b7d7f1f

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:dminor, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox132 to wontfix.

For more information, please visit BugBot documentation.

Comment 9

[Dan Minor [:dminor]]

Comment on attachment 9428362 [details]
Bug 1921421 - Add error message for RegExpError::kMultipleFlagDashes; r=jandem!

Beta/Release Uplift Approval Request

• User impact if declined: What should be a JavaScript syntax error results in a crash.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This just replaces a MOZ_CRASH with code to generate a Syntax Error, it's very low risk.
• String changes made/needed: None
• Is Android affected?: Yes

Comment 10

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9428362 [details]
Bug 1921421 - Add error message for RegExpError::kMultipleFlagDashes; r=jandem!

Approved for 132.0b3.

Comment 11

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/59fa2c127ea8