Closed Bug 1948718 Opened 27 days ago Closed 18 days ago

Assertion failure: (kMaxRegister) >= (register_index), at irregexp/imported/regexp-bytecode-generator.cc:78

Categories: Core :: JavaScript Engine, defect, P3
Platform: x86_64 Linux
Tracking: RESOLVED DUPLICATE of bug 1932542
Tracking Status: firefox137 --- affected
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files

The following testcase crashes on mozilla-central revision 20250217-508a834f0ff7 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

const r91 = RegExp(("()?").repeat(32767));
("").match(/(?:(?=g)).{2147483648,}/ + r91);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557a82653 in v8::internal::RegExpBytecodeGenerator::WriteCurrentPositionToRegister(int, int) ()
#1  0x0000555557aa073b in v8::internal::ActionNode::Emit(v8::internal::RegExpCompiler*, v8::internal::Trace*) ()
#2  0x0000555557a9506a in v8::internal::RegExpCompiler::Assemble(v8::internal::Isolate*, v8::internal::RegExpMacroAssembler*, v8::internal::RegExpNode*, int, v8::internal::Handle<v8::internal::String>) ()
#3  0x0000555557a7e101 in js::irregexp::CompilePattern(JSContext*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, js::RegExpShared::CodeKind) ()
#4  0x00005555573b2004 in js::RegExpShared::execute(JSContext*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, unsigned long, js::VectorMatchPairs*) ()
#5  0x0000555556feb5a9 in ExecuteRegExp(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::VectorMatchPairs*) ()
#6  0x0000555556fdbd6a in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>) ()
#7  0x0000555556fdb8cc in js::RegExpMatcher(JSContext*, unsigned int, JS::Value*) ()
#8  0x000055555703b7b5 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#18 0x0000555556ea6f0e in Shell(JSContext*, js::cli::OptionParser*) ()
#19 0x0000555556e9d478 in main ()
rax	0x0	0
rbx	0x0	0
rcx	0x4e	78
rdx	0x1	1
rsi	0x0	0
rdi	0x7ffff7bee7d0	140737349871568
rbp	0x7fffffffb1b0	140737488335280
rsp	0x7fffffffb180	140737488335232
r8	0x0	0
r9	0x3	3
r10	0x0	0
r11	0x0	0
r12	0x7ffff4603dc0	140737293336000
r13	0xaaaaaaaaaaaaaaaa	-6148914691236517206
r14	0x7fffffffb2d0	140737488335568
r15	0x7ffff2083cc8	140737254014152
rip	0x555557a82653 <v8::internal::RegExpBytecodeGenerator::WriteCurrentPositionToRegister(int, int)+675>
=> 0x555557a82653 <_ZN2v88internal23RegExpBytecodeGenerator30WriteCurrentPositionToRegisterEii+675>:	mov    %rcx,(%rax)
   0x555557a82656 <_ZN2v88internal23RegExpBytecodeGenerator30WriteCurrentPositionToRegisterEii+678>:	callq  0x555556f3b9c0 <abort>

Marking s-s because this looks like a debug-only check on available registers; it is unclear if that could maybe clobber a register or cause other issues.
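As an added example that is not part of the bug report or of SpiderMonkey: an embedder that compiles untrusted patterns can count the capturing groups a pattern declares before it reaches RegExp(), which rejects inputs like the 32767-group testcase above at the boundary rather than in the compiler. `MAX_CAPTURE_GROUPS`, `countCaptureGroups` and `safeRegExp` are assumed names, and the limit is a policy value, not a constant taken from the engine.

```javascript
// Added example (not from the bug report or from SpiderMonkey): a boundary
// check that counts the capturing groups a pattern declares before the
// string reaches RegExp(). Each capturing group costs the engine a pair of
// registers, so an embedder can refuse patterns like the 32767-group
// testcase above instead of letting them reach the compiler.
// MAX_CAPTURE_GROUPS is an assumed policy value, not a limit from the engine.
const MAX_CAPTURE_GROUPS = 1000;

function countCaptureGroups(source) {
  let count = 0;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }               // skip the escaped char
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    if (c !== "(") continue;
    if (source[i + 1] !== "?") { count++; continue; } // plain (...) captures
    // (?<name>...) captures; (?:  (?=  (?!  (?<=  (?<!  do not
    if (source[i + 2] === "<" && source[i + 3] !== "=" && source[i + 3] !== "!") {
      count++;
    }
  }
  return count;
}

// Constructed caller: returns the compiled RegExp or a rejection carrying the
// group count, so the decision is visible to the caller and to logging.
function safeRegExp(source, flags = "", limit = MAX_CAPTURE_GROUPS) {
  const groups = countCaptureGroups(source);
  if (groups > limit) {
    return { ok: false, groups, error: `pattern declares ${groups} capturing groups (limit ${limit})` };
  }
  return { ok: true, groups, regexp: new RegExp(source, flags) };
}
```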

Attached file Testcase

Verified bug as reproducible on mozilla-central 20250217153514-749544d5d463.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 0313ecc4bd47cda36843a53c22c9f7c94ab27250 (20241120044454)
End: 508a834f0ff79106c6275478fd256464c39ef368 (20250217092040)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Iain for first peek

Blocks: Irregexp
Flags: needinfo?(iireland)
Priority: -- → P3
Severity: -- → S3

Oh, this is actually just the testcase from bug 1932542, which we reported upstream. It turns out that when we pulled in the fix, we got the part that reported the error, but missed some code outside of irregexp to propagate the error further.

This is still not a security concern: in a release build without this assertion, the compilation would be thrown away at the end anyway.

I should have landed the testcase when we pulled in the fix. I'll do that now.

(Note that bug 1929939 was also fixed in the same irregexp update. We don't have to land a test for that, because the reporter added test262 coverage.)

Group: javascript-core-security
Flags: needinfo?(iireland)
Status: NEW → RESOLVED
Closed: 18 days ago
Duplicate of bug: 1932542
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
