Closed Bug 682252 Opened 13 years ago Closed 13 years ago

YARR Assertion failure: static_cast<unsigned>(-position) <= pos (or optimized crash [@ JSC::Yarr::Interpreter::checkCharacterClass])

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
firefox6 - unaffected
firefox7 - wontfix
firefox8 - affected
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: decoder, Assigned: dmandelin)

Details

(4 keywords, Whiteboard: [sg:high][js-triage-needed][qa-] wanted-standalone-js)

The following test crashes (YARR assert) on mozilla-central (tested revision 7054f0e3e70e) when run with options "-j -m". Test was produced by LangFuzz with the regular expression extension:


re = new RegExp("([^b]*)+((..)|(\\3))+?Sc*a!(a|ab)(c|bcd)(<*)", "i");
var str = "aNULLxabcd";
str.replace(re, function(s) { return s; });


Optimized shell furthermore crashes dangerously:

==12570== Invalid read of size 2
==12570==    at 0x51F060: JSC::Yarr::Interpreter::checkCharacterClass(JSC::Yarr::CharacterClass*, bool, int) (YarrInterpreter.cpp:212)
==12570==    by 0x51F420: JSC::Yarr::Interpreter::matchCharacterClass(JSC::Yarr::ByteTerm&, JSC::Yarr::Interpreter::DisjunctionContext*) (YarrInterpreter.cpp:454)
==12570==    by 0x51FD87: JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool) (YarrInterpreter.cpp:1194)
==12570==    by 0x51F81F: JSC::Yarr::Interpreter::matchNonZeroDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool) (YarrInterpreter.cpp:1376)
==12570==    by 0x5201AF: JSC::Yarr::Interpreter::matchParentheses(JSC::Yarr::ByteTerm&, JSC::Yarr::Interpreter::DisjunctionContext*) (YarrInterpreter.cpp:881)
==12570==    by 0x51FDA7: JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool) (YarrInterpreter.cpp:1202)
==12570==    by 0x5202D8: JSC::Yarr::Interpreter::interpret() (YarrInterpreter.cpp:1401)
==12570==    by 0x51EB52: JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*) (YarrInterpreter.cpp:1901)
==12570==    by 0x414BD9: js::RegExp::executeInternal(JSContext*, js::RegExpStatics*, JSString*, unsigned long*, bool, js::Value*) (jsregexpinlines.h:371)
==12570==    by 0x4982AE: DoMatch(JSContext*, js::RegExpStatics*, JSString*, RegExpPair const&, bool (*)(JSContext*, js::RegExpStatics*, unsigned long, void*), void*, MatchControlFlags, js::Value*) (jsregexpinlines.h:167)
==12570==    by 0x49A0AF: js::str_replace(JSContext*, unsigned int, js::Value*) (jsstr.cpp:2049)
==12570==    by 0x51019C: CallCompiler::generateNativeStub() (jscntxtinlines.h:281)
==12570==  Address 0x2041039c4 is not stack'd, malloc'd or (recently) free'd
==12570== 
==12570== 
==12570== Process terminating with default action of signal 11 (SIGSEGV)
==12570==  Access not within mapped region at address 0x2041039C4


Bisect shows the same revision as bug 679986 (the YARR import):

The first bad revision is:
changeset:   70607:cc36a234d0d6
user:        David Mandelin <dmandelin@mozilla.com>
date:        Thu May 12 18:39:47 2011 -0700
summary:     Bug 625600: Update Yarr import to WebKit rev 86639, r=cdleary,dvander

It seems unlikely to me though that it's the same bug (more likely the import of that WebKit revision pulled in a few bugs). Cloned this from bug 679986 including all tracking flags.
Blocks: 682572
Whiteboard: [sg:critical?] → [sg:critical?][js-triage-needed]
This also affects WebKit trunk. Filed https://bugs.webkit.org/show_bug.cgi?id=67454
@dmandelin: Can you Cc me on the webkit bug? Same email address as used here. Thanks!
Assignee: general → dmandelin
Whiteboard: [sg:critical?][js-triage-needed] → [sg:critical?][js-triage-needed] wanted-standalone-js
I cannot reproduce this anymore since the fix for bug 683838 landed:

The first good revision is:
changeset:   78388:b9bae20fb35c
user:        Gavin Barraclough
date:        Fri Oct 07 17:52:50 2011 -0700
summary:     Bug 683838: Fix return logic in backTrackParentheses, r=dmandelin

Someone from the JS dev team should verify that these two were really the same issues and mark this fixed as appropriate.

Furthermore, I'm marking this as sg:high because the symptoms look similar to those described in comment 18 of bug 679986. Feel free to adjust the rating if this is not correct.
Whiteboard: [sg:critical?][js-triage-needed] wanted-standalone-js → [sg:high][js-triage-needed] wanted-standalone-js
Depends on: 683838
Flags: in-testsuite?
I can't repro this any more either, so I'm pretty sure it's a dup. The presumed fix was merged to aurora, and I verified this no longer crashes there as well.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
I was told s-g bugs are not duped to non-sg bugs but rather resolved as fixed with a depend on the duplicate bug. Shall we still do that here?
Resolution: DUPLICATE → FIXED
Due to the dependencies to reproduce this bug, marking qa-. Christian, could you kindly verify this is fixed on Firefox 9 and 10?
Whiteboard: [sg:high][js-triage-needed] wanted-standalone-js → [sg:high][js-triage-needed][qa-] wanted-standalone-js
Confirmed to be fixed on Firefox 9 and 10.
Group: core-security
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+