Closed Bug 427244 Opened 17 years ago Closed 17 years ago

Assertion failure: (c2 <= cs->length) && (c1 <= c2), at jsregexp.c:2218 using complex Unicode character class in regexp

Categories

(Core :: JavaScript Engine, defect)

1.8 Branch
x86
FreeBSD
defect
Not set
critical

Tracking
RESOLVED DUPLICATE of bug 416933

People

(Reporter: saper, Unassigned)

Details

(Keywords: assertion, crash, testcase)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.8.1.12) Gecko/20080403 SeaMonkey/1.1.8 Mnenhy/0.7.5.0
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.8.1.12) Gecko/20080403 SeaMonkey/1.1.8 Mnenhy/0.7.5.0

A Greasemonkey JavaScript tool for editing MediaWiki-based sites, called "wikEd", attempts to determine a so-called "interwiki link" that may contain Unicode characters using a regular expression.

Script source:
http://userscripts.org/scripts/review/12529?format=txt (large, over 100KB!)
grep for "p2.match"

I am using a debug build.

Reproducible: Always

Steps to Reproduce:
1. Create a regular expression with a character class containing Unicode characters where the character with the higher code point is after the character with the lower code point (I think it's something like "[Z-A]" in Unicode)
2. Execute expression

Actual Results:  
Backtrace:

#5  0x0000000800a14751 in JS_Assert (s=Variable "s" is not available.
) at jsutil.c:63
#6  0x00000008009fd800 in AddCharacterRangeToCharSet (cs=0x1066640, c1=8364, c2=195) at jsregexp.c:2218
#7  0x00000008009ff488 in ProcessCharSet (gData=0x7fffffffc1c0, charSet=0x1066640) at jsregexp.c:2409
#8  0x00000008009ffb3a in js_ExecuteRegExp (cx=0x195e400, re=0x1739cf0, str=0x1260f50, indexp=0x7fffffffc2e0, test=1, rval=0x7fffffffc490)
    at jsregexp.c:3259
#9  0x0000000800a1273b in match_or_replace (cx=0x195e400, obj=Variable "obj" is not available.
) at jsstr.c:1245
#10 0x0000000800a12803 in str_match (cx=Variable "cx" is not available.
) at jsstr.c:1301
#11 0x00000008009be7fe in js_Invoke (cx=0x195e400, argc=1, flags=dwarf2_read_address: Corrupted DWARF expression.
) at jsinterp.c:1379
#12 0x00000008009ca1f8 in js_Interpret (cx=0x195e400, pc=0x1434f99 ":", result=0x7fffffffc840) at jsinterp.c:3948
#13 0x00000008009d44cb in js_Execute (cx=0x195e400, chain=Variable "chain" is not available.
) at jsinterp.c:1637
#14 0x00000008009861a6 in JS_EvaluateUCScriptForPrincipals (cx=0x195e400, obj=0x171bf40, principals=Variable "principals" is not available.
) at jsapi.c:4318
#15 0x000000080704eb0a in nsJSContext::EvaluateString (this=0x19710f0, aScript=@0x7fffffffcb60, aScopeObject=0x171bf40, aPrincipal=Variable "aPrincipal" is not available.
)
    at nsJSEnvironment.cpp:1100
#16 0x0000000806ed6f79 in nsScriptLoader::EvaluateScript (this=Variable "this" is not available.
) at nsScriptLoader.cpp:810
#17 0x0000000806ed7269 in nsScriptLoader::ProcessRequest (this=0x172ff40, aRequest=0x13f63a0) at nsScriptLoader.cpp:711
#18 0x0000000806ed922f in nsScriptLoader::DoProcessScriptElement (this=0x172ff40, aElement=0x13f6388, aObserver=0x13f6380, 
    aFireErrorNotification=0x7fffffffd234) at nsScriptLoader.cpp:644
#19 0x0000000806ed938f in nsScriptLoader::ProcessScriptElement (this=0x172ff40, aElement=0x13f6388, aObserver=0x13f6380) at nsScriptLoader.cpp:395
#20 0x0000000806f75ccb in nsHTMLScriptElement::MaybeProcessScript (this=0x13f6340) at nsHTMLScriptElement.cpp:659
#21 0x0000000806f75ee8 in nsHTMLScriptElement::BindToTree (this=0x13f6340, aDocument=0x1b0d000, aParent=Variable "aParent" is not available.
) at nsHTMLScriptElement.cpp:453
#22 0x0000000806eb4171 in nsGenericElement::AppendChildTo (this=0x1b4c280, aKid=0x13f6340, aNotify=0) at nsGenericElement.cpp:2875
#23 0x0000000806f9d84e in HTMLContentSink::ProcessSCRIPTTag (this=0x1a9dc00, aNode=Variable "aNode" is not available.
) at nsHTMLContentSink.cpp:4171


Expected Results:  
Use a given character range or report an error.
Need a reduced testcase. Does it crash a debug trunk (1.9pre) build?

/be
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9?
This might be related or identical to https://bugzilla.mozilla.org/show_bug.cgi?id=416933
We have a couple of bugs on the 1.8.1 branch with this assertion. No assert for me on CentOS5 Linux trunk but confirm the assert on 1.8.1. I'll see about the stack and reducing the test case when my builds finish.
Attached file testcase
#2  0x00000000004dc321 in JS_Assert (
    s=0x50e528 "(c2 <= cs->length) && (c1 <= c2)", file=0x50dee8 "jsregexp.c", 
    ln=2218) at jsutil.c:63
#3  0x00000000004bc7a4 in AddCharacterRangeToCharSet (cs=0x32f4740, c1=128, 
    c2=57) at jsregexp.c:2218
#4  0x00000000004bd1dc in ProcessCharSet (gData=0x7fff8ed3a330, 
    charSet=0x32f4740) at jsregexp.c:2414
#5  0x00000000004c0a76 in InitMatch (cx=0x32d0110, gData=0x7fff8ed3a330, 
    re=0x32f4700) at jsregexp.c:3259
#6  0x00000000004c0d10 in js_ExecuteRegExp (cx=0x32d0110, re=0x32f4700, 
    str=0x32d2d70, indexp=0x7fff8ed3a4d0, test=0, rval=0x7fff8ed3a630)
    at jsregexp.c:3308
#7  0x00000000004d5428 in match_or_replace (cx=0x32d0110, obj=0x32d2d74, 
    argc=1, argv=0x32f48c8, glob=0x4d5489 <match_glob>, data=0x7fff8ed3a570, 
    rval=0x7fff8ed3a630) at jsstr.c:1245
#8  0x00000000004d55e8 in str_match (cx=0x32d0110, obj=0x32d2d74, argc=1, 
    argv=0x32f48c8, rval=0x7fff8ed3a630) at jsstr.c:1301
#9  0x000000000045de23 in js_Invoke (cx=0x32d0110, argc=1, flags=0)
    at jsinterp.c:1384
#10 0x000000000047132a in js_Interpret (cx=0x32d0110, pc=0x32f7c62 ":", 
    result=0x7fff8ed3b280) at jsinterp.c:3953

1.8.1 only
Flags: blocking1.9?
Version: unspecified → 1.8 Branch
Attached file testcase
I think the first character in the bogus "range" might be an astral character.  In the browser, if I do

javascript:"�".charCodeAt(0)

I get 65533 as the value.  I -think- that means this bug is actually invalid.
Maybe this is a testcase problem? Can you check with the original testcase (URL at the top of the bug)? 
(In reply to comment #6)

> I get 65533 as the value.  I -think- that means this bug is actually invalid.

How can a reproducible Assertion failure bug be invalid?
The problematic regexp range from wikEd is:

[\w À-ÖØ-öø-\u0220\u0222-\u0233ΆΈΉΊΌΎΏΑ-ΡΣ-ώ\u0400-\u0481\u048a-\u04ce\u04d0-\u04f5\u04f8\u04f9\-]

and a testcase for the previous bug (https://bugzilla.mozilla.org/show_bug.cgi?id=416933) was:

javascript:/[Þ-ß]/i.exec("Þ")

The critical range was between the following two consecutive characters U+00DE (Þ c39e LATIN CAPITAL LETTER THORN) and U+00DF (ß c39f LATIN SMALL LETTER SHARP S)
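The following is an added illustration, not code from this bug or from SpiderMonkey. It shows how the assertion can be reached when a case-insensitive class folds the two endpoints of a range separately (my reading of how the 1.8 branch handled /i; treated here as an assumption): lower-casing Þ (U+00DE) gives þ (U+00FE) while ß (U+00DF) is unchanged, so the "folded range" has c1 > c2. The hardened add_char_range reports the inverted range instead of asserting, and the safe folding routine avoids producing one at all; the case mapping is a constructed Latin-1-only helper.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not SpiderMonkey code: a BMP bitmap character
 * set and a range-add that returns an error where jsregexp.c asserted. */
#define CS_LENGTH 0x10000u
typedef struct { uint8_t bits[CS_LENGTH / 8]; } CharSet;

/* 0 on success, -1 for an inverted range (c1 > c2), -2 for c2 out of bounds. */
static int add_char_range(CharSet *cs, unsigned c1, unsigned c2) {
    if (c2 >= CS_LENGTH) return -2;          /* the (c2 <= cs->length) half */
    if (c1 > c2) return -1;                  /* the (c1 <= c2) half */
    for (unsigned c = c1; c <= c2; c++) cs->bits[c >> 3] |= (uint8_t)(1u << (c & 7));
    return 0;
}

static int charset_has(const CharSet *cs, unsigned c) {
    return c < CS_LENGTH && ((cs->bits[c >> 3] >> (c & 7)) & 1);
}

/* Latin-1 case mapping only (assumption: sufficient for the Þ-ß case). */
static unsigned latin1_lower(unsigned c) { return (c >= 0xC0 && c <= 0xDE && c != 0xD7) ? c + 0x20 : c; }
static unsigned latin1_upper(unsigned c) { return (c >= 0xE0 && c <= 0xFE && c != 0xF7) ? c - 0x20 : c; }

/* Naive /i handling: fold both endpoints, then add the folded "range".
 * For [Þ-ß]: lower(U+00DE) = U+00FE but lower(U+00DF) = U+00DF, so c1 > c2. */
static int add_folded_range_naive(CharSet *cs, unsigned c1, unsigned c2) {
    int r = add_char_range(cs, latin1_upper(c1), latin1_upper(c2));
    return r ? r : add_char_range(cs, latin1_lower(c1), latin1_lower(c2));
}

/* Safe /i handling: walk the unfolded range and add each member's case
 * variants one code point at a time, so an inverted range cannot arise. */
static int add_folded_range_safe(CharSet *cs, unsigned c1, unsigned c2) {
    if (c1 > c2 || c2 >= CS_LENGTH) return -1;
    for (unsigned c = c1; c <= c2; c++) {
        add_char_range(cs, c, c);
        add_char_range(cs, latin1_lower(c), latin1_lower(c));
        add_char_range(cs, latin1_upper(c), latin1_upper(c));
    }
    return 0;
}

int main(void) {
    CharSet a = {{0}}, b = {{0}};
    printf("naive [\\u00DE-\\u00DF]/i -> %d\n", add_folded_range_naive(&a, 0xDE, 0xDF)); /* -1 */
    printf("safe  [\\u00DE-\\u00DF]/i -> %d, matches U+00FE: %d\n",
           add_folded_range_safe(&b, 0xDE, 0xDF), charset_has(&b, 0xFE));       /* 0, 1 */
    return 0;
}
```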
Cacycle:  Can you determine which of the class ranges here is the actual problematic one?
I have no idea which browser version to use and cannot reproduce a crash with Minefield/3.0b4pre and the current Firefox and Seamonkey.
The newest patch in bug 416933 resolves this issue.  
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
A testcase for this bug was already added in the original bug (bug 416933).
Flags: in-testsuite-