As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 375711 - "Assertion failure: c <= cs->length" [@ AddCharacterRangeToCharSet] with /[Q-b]/i
: "Assertion failure: c <= cs->length" [@ AddCharacterRangeToCharSet] with /[Q-...
: crash, testcase, verified1.8.0.12, verified1.8.1.4
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Mac OS X
: -- critical (vote)
: ---
Assigned To: Blake Kaplan (:mrbkap)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: 346230
  Show dependency treegraph
Reported: 2007-03-28 11:24 PDT by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT (History)
6 users (show)
dveditz: blocking1.8.1.4+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.12+
dveditz: wanted1.8.0.x+
bob: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Wrong file (873 bytes, patch)
2007-03-29 09:47 PDT, Blake Kaplan (:mrbkap)
no flags Details | Diff | Splinter Review
Right file (1.56 KB, patch)
2007-03-29 09:48 PDT, Blake Kaplan (:mrbkap)
crowderbt: review+
Details | Diff | Splinter Review
Patch to check in (1.56 KB, patch)
2007-03-29 11:18 PDT, Blake Kaplan (:mrbkap)
mrbkap: review+
dveditz: approval1.8.1.4+
dveditz: approval1.8.0.12+
Details | Diff | Splinter Review
ecma_3/RegExp/regress-375111.js (2.40 KB, text/plain)
2007-04-03 21:16 PDT, Bob Clary [:bc:]
no flags Details
ecma_3/RegExp/regress-375711.js (2.40 KB, text/plain)
2007-04-05 14:51 PDT, Bob Clary [:bc:]
no flags Details

Description User image Jesse Ruderman 2007-03-28 11:24:04 PDT
js> /[Q-b]/i.exec("")
Assertion failure: c <= cs->length, at jsregexp.c:2219

Security-sensitive for now because the code involved is playing with bit arrays.

0   js 	0x000c6904 JS_Assert + 70 (jsutil.c:60)
1   js 	0x000aa9ec AddCharacterRangeToCharSet + 111 (jsregexp.c:2235)
2   js 	0x000ab4ad ProcessCharSet + 2516 (jsregexp.c:2431)
3   js 	0x000ae558 InitMatch + 636 (jsregexp.c:3320)
4   js 	0x000ae752 js_ExecuteRegExp + 435 (jsregexp.c:3369)
5   js 	0x000b02e7 regexp_exec_sub + 1047 (jsregexp.c:4121)
6   js 	0x000b045b regexp_exec + 53 (jsregexp.c:4137)
7   js 	0x000574f3 js_Invoke + 2954 (jsinterp.c:1353)
Comment 1 User image Blake Kaplan (:mrbkap) 2007-03-29 09:47:41 PDT
Created attachment 260022 [details] [diff] [review]
Wrong file

We need to upcase before we deal with character ranges when calculating the bitmap size since that's what ProcessCharSet does.
Comment 2 User image Blake Kaplan (:mrbkap) 2007-03-29 09:48:27 PDT
Created attachment 260023 [details] [diff] [review]
Right file
Comment 3 User image Brian Crowder 2007-03-29 10:16:59 PDT
Comment on attachment 260023 [details] [diff] [review]
Right file

+        if (state->flags & JSREG_FOLD) {
+            c = JS_MAX(upcase((jschar)localMax), downcase((jschar)localMax));

House-style on casts would be |(jschar) localMax|  (ie., with a space between cast closing-paren and the variable name, correct?
Comment 4 User image Blake Kaplan (:mrbkap) 2007-03-29 11:18:13 PDT
Created attachment 260033 [details] [diff] [review]
Patch to check in
Comment 5 User image Blake Kaplan (:mrbkap) 2007-03-29 11:19:29 PDT
Fix checked into trunk.
Comment 6 User image Blake Kaplan (:mrbkap) 2007-03-29 11:20:34 PDT
Comment on attachment 260033 [details] [diff] [review]
Patch to check in

This fixes what I believe is a potentially-exploitable bug by simply moving existing code around.
Comment 7 User image chris hofmann 2007-03-29 14:22:13 PDT
adding some branch nomination flags so it gets looked at after a bit of backing on the trunk
Comment 8 User image Daniel Veditz [:dveditz] 2007-03-30 10:42:29 PDT
Comment on attachment 260033 [details] [diff] [review]
Patch to check in

approved for and, a=dveditz for release-drivers
Comment 9 User image Bob Clary [:bc:] 2007-04-03 21:16:38 PDT
Created attachment 260547 [details]
Comment 10 User image Bob Clary [:bc:] 2007-04-05 14:51:39 PDT
Created attachment 260763 [details]

correct test name and bug number. I need a slurpee.
Comment 11 User image Bob Clary [:bc:] 2007-04-06 10:17:28 PDT
verified fixed linux, windows, mac* shell 20070406
Comment 12 User image Daniel Veditz [:dveditz] 2007-04-26 16:38:14 PDT
Blake: any chance you can check this in over the weekend once you're done with finals? We're planning on doing the branch RC1 builds on Monday (4/30)
Comment 13 User image Blake Kaplan (:mrbkap) 2007-04-26 20:19:20 PDT
Fixed on branches.
Comment 14 User image Bob Clary [:bc:] 2007-04-27 18:40:21 PDT
verified fixed 1.8.0 1.8.1 1.9.0 windows/linux/mac* 20070427
Comment 15 User image Bob Clary [:bc:] 2007-06-14 15:04:41 PDT
/cvsroot/mozilla/js/tests/ecma_3/RegExp/regress-375711.js,v  <--  regress-375711.js
initial revision: 1.1

Note You need to log in before you can comment on or make changes to this bug.