Closed Bug 576836 Opened 10 years ago Closed 9 years ago

YARR: "Assertion failure: buf[idx + 1] >= buf[idx]"

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86 macOS
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME

People: Reporter: jruderman, Assigned: cdleary

Keywords: assertion, testcase

The input has to be in the form of a .js file rather than shell input.

"AAB".split(/A|B(((?=)){1,2})/);

Assertion failure: get(0, 1) <= int(input->length()), at ../jscntxt.h:1699

"AAB".split(/B(((?=)){1,2})/);

Assertion failure: buf[idx + 1] >= buf[idx], at ../jsregexp.cpp:225

This bug also causes Valgrind warnings.  Since the Valgrind warnings happen more reliably than the assertions, they're probably the best place to start.

> ==1479== Conditional jump or move depends on uninitialised value(s)
> ==1479==    at 0x11291E: js::RegExp::execute(JSContext*, JSString*, unsigned long*, bool, long*) (jsregexp.cpp:225)
> ==1479==    by 0x129D25: find_split(JSContext*, JSString*, js::RegExp*, int*, JSSubString*) (jsstr.cpp:2076)
> ==1479==    by 0x12BEF3: str_split(JSContext*, unsigned int, long*) (jsstr.cpp:2190)
> ==1479==    by 0x9C2E2: js_Interpret (jsops.cpp:2145)
> ==1479==    by 0xAE052: js_Execute (jsinterp.cpp:891)
> ==1479==    by 0x158EA: JS_ExecuteScript (jsapi.cpp:4759)
> ==1479==    by 0x9354: Process(JSContext*, JSObject*, char*, int) (shell/js.cpp:522)
> ==1479==    by 0x9D18: ProcessArgs(JSContext*, JSObject*, char**, int) (shell/js.cpp:843)
> ==1479==    by 0x9E32: shell(JSContext*, int, char**, char**) (shell/js.cpp:5025)
> ==1479==    by 0x9F57: main (shell/js.cpp:5112)
> ==1479==  Uninitialised value was created by a stack allocation
> ==1479==    at 0x1F31B5: jsRegExpExecute(JSContext*, JSRegExp const*, unsigned short const*, int, int, int*, int) (pcre_exec.cpp:2018)
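Added regression check for the two testcases in this bug; it is not code from the bug report or from SpiderMonkey. It runs each split on the host engine and compares the result with what ECMAScript's SplitMatcher/RepeatMatcher semantics require (expected values worked out from the spec by hand), and it re-checks from script the capture-offset invariant behind the failing assertion, using the 'd' (hasIndices) flag, which is assumed to be available.

```javascript
// Regression check for the two split() testcases in bug 576836 (added here, not
// SpiderMonkey code). A group that can only match empty, such as ((?=)){1,2},
// runs its one mandatory iteration; the optional iteration is rejected because
// it does not advance; every capture it sets is "" rather than an unset offset.

const TESTCASES = [
  {
    input: "AAB",
    regex: /B(((?=)){1,2})/,
    // "AA" before the B, captures 1 and 2 (both ""), then the trailing "".
    expected: ["AA", "", "", ""],
  },
  {
    input: "AAB",
    regex: /A|B(((?=)){1,2})/,
    // Each "A" separator sets no capture (undefined twice); the "B" separator
    // sets both captures to ""; then the trailing "".
    expected: ["", undefined, undefined, "", undefined, undefined, "", "", "", ""],
  },
];

// Element-wise strict comparison so undefined and "" stay distinct.
function sameArray(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Runs every testcase; returns true only if all results match the expectation.
function checkSplits(cases = TESTCASES) {
  return cases.every((tc) => sameArray(tc.input.split(tc.regex), tc.expected));
}

// The failing assertion in jsregexp.cpp was buf[idx + 1] >= buf[idx]: a capture's
// end offset must never precede its start. The 'd' flag exposes those offsets,
// so the same invariant can be checked from script. Returns true when every
// defined capture of every match satisfies it, false otherwise, and null if the
// engine has no hasIndices support (assumption: a modern engine does).
function captureOffsetsSane(input, regex) {
  if (!("hasIndices" in RegExp.prototype)) return null;
  const re = new RegExp(regex.source, regex.flags.replace("d", "") + "gd");
  for (const m of input.matchAll(re)) {
    for (const pair of m.indices) {
      if (pair !== undefined && pair[1] < pair[0]) return false;
    }
  }
  return true;
}
```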
Repros on 32b.
Assignee: general → cdleary
Status: NEW → ASSIGNED
WFM as tested on TM changeset 284811f39ca6 on a 32-bit shell on Linux; it has also been tested on the WebKit side.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME