Assertion failure: code - codeStart <= length, at js/src/yarr/pcre/pcre_compile.cpp:2633

RESOLVED FIXED

Core
JavaScript Engine

People

(Reporter: bc, Assigned: cdleary)

Tracking

(Blocks: 1 bug, {assertion, crash})

Trunk
x86
All
assertion, crash

Firefox Tracking Flags

(blocking2.0 final+)

Details

(Whiteboard: fixed-in-tracemonkey, URL)

Attachments

(2 attachments)

Created attachment 466011 [details]
crash report

1. http://omlet.ru/

Assertion failure: code - codeStart <= length, at js/src/yarr/pcre/pcre_compile.cpp:2633

Operating system: Mac OS X
                  10.5.8 9L34
CPU: x86
     GenuineIntel family 6 model 26 stepping 5
     1 CPU

Crash reason:  EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0x0

Thread 0 (crashed)
 0  XUL!JS_Assert [jsutil.cpp : 80 + 0x5]
    eip = 0x05e83b5d   esp = 0xbfff8b10   ebp = 0xbfff8b38   ebx = 0x05e83b14
    esi = 0x0000006a   edi = 0x13941058   eax = 0x00000000   ecx = 0x00000000
    edx = 0x00000000   efl = 0x00010246
    Found by: given as instruction pointer in context
 1  XUL!jsRegExpCompile [pcre_compile.cpp : 2633 + 0x32]
    eip = 0x05f323a9   esp = 0xbfff8b40   ebp = 0xbfff8be8   ebx = 0x05f32105
    esi = 0x0000006a   edi = 0x13941058
    Found by: call frame info
 2  XUL!JSC::Yarr::jitCompileRegex [RegexJIT.cpp : 1511 + 0x41]
    eip = 0x05f209c0   esp = 0xbfff8bf0   ebp = 0xbfff8dc8   ebx = 0x05d5191e
    esi = 0x0000006a   edi = 0x13941058
    Found by: call frame info
 3  XUL!js::RegExp::compileHelper [jsregexpinlines.h : 176 + 0x66]
    eip = 0x05d518b4   esp = 0xbfff8dd0   ebp = 0xbfff8e18   ebx = 0x05d5191e
    esi = 0x00000000   edi = 0x13941058
    Found by: call frame info
 4  XUL!js::RegExp::compile [jsregexpinlines.h : 201 + 0x1b]
    eip = 0x05d5194d   esp = 0xbfff8e20   ebp = 0xbfff8e88   ebx = 0x05d5191e
    esi = 0x00000001   edi = 0x0000006a
    Found by: call frame info

Not found on Vista. Mac PPC and XP results pending.

See also bug 576834.
Now I can see it on XP/Vista.
OS: Mac OS X → All

Comment 3

8 years ago
And also on Linux, http://nabiraem.ru
Assignee: general → cdleary
Status: NEW → ASSIGNED
Created attachment 468750 [details] [diff] [review]
Fix for assertion failure.

Missing length accounting for OPBRAZERO.

(?:){1,60} was enough to trigger the assertion failure because each iteration from 2..59 is duplicated and needs an extra byte in the PCRE bytecode stream for a leading OPBRAZERO opcode. (This indicates the match on that bytecode subsection is optional).
Attachment #468750 - Flags: review?(gal)
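An added, simplified C model of the two-pass length accounting that the comment above describes (constructed for this page, not code from the bug, the patch, or the PCRE/Yarr sources; the opcode names and byte sizes are illustrative assumptions): pass 1 estimates the bytecode length, pass 2 emits the duplicated copies, and the compiler's `code - codeStart <= length` check fails when the estimate omits the OPBRAZERO byte that prefixes every copy past the minimum.

```c
#include <assert.h>
#include <stddef.h>

/* Illustrative opcodes and sizes: a constructed model, not PCRE's encoding. */
enum { OP_BRA = 1, OP_KET = 2, OP_BRAZERO = 3 };
#define GROUP_BYTES 2   /* one BRA plus one KET per copy of the empty group */

/* Pass 1: estimate the bytecode length of "(?:){min,max}".
 * The bug modelled here: the estimate counts the duplicated copies but
 * forgets the OP_BRAZERO byte that prefixes every copy past the minimum. */
size_t estimate_length(int min, int max, int account_brazero)
{
    size_t length = (size_t)max * GROUP_BYTES;
    if (account_brazero)
        length += (size_t)(max - min);   /* one OP_BRAZERO per optional copy */
    return length;
}

/* Pass 2: emit the bytecode for "(?:){min,max}" into out (NULL just counts).
 * Returns the number of bytes the pattern actually needs. */
size_t emit_bytecode(int min, int max, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (int i = 1; i <= max; i++) {
        if (i > min) {                  /* optional copy: lead with BRAZERO */
            if (out && n < cap) out[n] = OP_BRAZERO;
            n++;
        }
        if (out && n < cap) out[n] = OP_BRA;
        n++;
        if (out && n < cap) out[n] = OP_KET;
        n++;
    }
    return n;
}

/* Does the compiler's self-check "code - codeStart <= length" hold?
 * Returns 1 if the emitted bytecode fits the pass-1 estimate, 0 if pass 2
 * would have written past the buffer that pass 1 sized. */
int length_check_holds(int min, int max, int fixed_accounting)
{
    size_t length = estimate_length(min, max, fixed_accounting);
    unsigned char buf[512];
    size_t written = emit_bytecode(min, max, buf, sizeof buf);
    return written <= length;
}
```

With the buggy estimate, `(?:){1,60}` is sized at 120 bytes but needs 179, so the check fails exactly as the assertion in the title does; with `fixed_accounting` set the two agree.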

Updated

8 years ago
Attachment #468750 - Flags: review?(gal) → review+

Comment 6

8 years ago
http://hg.mozilla.org/mozilla-central/rev/4855f7969c13
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Updated

8 years ago
blocking2.0: ? → final+