YARR Assertion failure: (matchBegin == -1) || (matchBegin <= matchEnd) (or optimized crash [@ JSC::Yarr::Interpreter::checkCasedCharacter])

RESOLVED DUPLICATE of bug 682252

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 682252
Reported: 7 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: dmandelin)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Platform: x86_64
OS: Linux
Keywords: assertion, crash, regression, testcase
Points: ---

Firefox Tracking Flags: firefox6- unaffected, firefox7- wontfix, firefox8- wontfix, status1.9.2 unaffected

Details

(Whiteboard: [sg:high][js-triage-needed], crash signature)

Description (Reporter, 7 years ago)
The following test crashes (YARR assert) on mozilla-central (tested revision 7054f0e3e70e) when run with options "-j -m". Test was produced by LangFuzz with the regular expression extension:


// LangFuzz-generated testcase: case-insensitive regexp whose last alternation contains
// a lazily quantified backreference (\4) to the quantified group ((..)|a*)
re = new RegExp("((..)|(.))((..)|a*)+?((..)|(.))((..)|\\4+?)dAME", "gi");
var str = "aaaaaaNULLaaaaa\\n";   // "\\n" is a literal backslash followed by 'n', not a newline
var execResult = re.exec(str);    // triggers the YARR assertion (debug) or the crash (optimized) shown below


Optimized shell furthermore crashes dangerously:

==6447== Invalid read of size 2
==6447==    at 0x51F045: JSC::Yarr::Interpreter::checkCasedCharacter(int, int, int) (YarrInterpreter.cpp:212)
==6447==    by 0x51FCE1: JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool) (YarrInterpreter.cpp:1168)
==6447==    by 0x5202D8: JSC::Yarr::Interpreter::interpret() (YarrInterpreter.cpp:1401)
==6447==    by 0x51EB52: JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*) (YarrInterpreter.cpp:1901)
==6447==    by 0x414BD9: js::RegExp::executeInternal(JSContext*, js::RegExpStatics*, JSString*, unsigned long*, bool, js::Value*) (jsregexpinlines.h:371)
==6447==    by 0x489765: ExecuteRegExp(JSContext*, ExecType, unsigned int, js::Value*) (jsregexpinlines.h:167)
==6447==    by 0x51019C: CallCompiler::generateNativeStub() (jscntxtinlines.h:281)
==6447==    by 0x50F291: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1033)
==6447==    by 0x4024700: ???
==6447==    by 0x4F177B: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:687)
==6447==    by 0x44A8CA: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:611)
==6447==    by 0x44B0F2: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, js::Value const&, js::ExecuteType, js::StackFrame*, js::Value*) (jsinterp.cpp:911)
==6447==  Address 0x2041039ce is not stack'd, malloc'd or (recently) free'd


Bisect shows the same revision as bug 679986 and bug 682252 (the YARR import):

The first bad revision is:
changeset:   70607:cc36a234d0d6
user:        David Mandelin <dmandelin@mozilla.com>
date:        Thu May 12 18:39:47 2011 -0700
summary:     Bug 625600: Update Yarr import to WebKit rev 86639, r=cdleary,dvander

Given the similarity of tests (both require back referencing) and crash, this could be a duplicate of bug 682252. Further investigation is required here to verify this.
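As an added illustration (not part of the bug report or of the SpiderMonkey/YARR sources): the testcase combines case-insensitive matching with a lazily quantified backreference to a group that may not have participated in the match. The snippet below reruns the reporter's regexp on a conforming engine and checks the ECMAScript semantics those constructs have, each on a minimal constructed input; it models nothing of YARR's internals, and the function names are my own.

```javascript
// Re-run the reporter's testcase. On an engine without the bug exec() simply
// returns null: the trailing "dAME" (case-insensitive) needs a 'd', and the
// subject "aaaaaaNULLaaaaa\n" (literal backslash + 'n') has none.
function runTestcase() {
  var re = new RegExp("((..)|(.))((..)|a*)+?((..)|(.))((..)|\\4+?)dAME", "gi");
  var str = "aaaaaaNULLaaaaa\\n";
  return re.exec(str);
}

// The language rules the fuzz pattern leans on, isolated one at a time
// (constructed inputs, chosen to be unambiguous):
function backrefSemantics() {
  return {
    // 1. Under /i a backreference compares case-insensitively with its capture.
    caseInsensitiveBackref: /(ab)\1/i.exec("abAB")[0],      // "abAB"
    // 2. A backreference to a group that did not participate matches the
    //    empty string rather than failing; the capture itself stays undefined.
    unsetGroupBackref: /(x)?\1y/.exec("y")[0],              // "y"
    unsetGroupValue: /(x)?\1y/.exec("y")[1],                // undefined
    // 3. A backreference can be quantified; "\1+?" consumes as few repeats
    //    of the captured text as still lets the rest of the pattern match.
    lazyBackref: /(a)\1+?b/.exec("aaab")[0],                // "aaab"
    // 4. Captures inside a quantified group are reset on every iteration, so
    //    after the loop only the last iteration's captures are defined.
    lastIterationGroup1: /(?:(a)|(b))+/.exec("ab")[1],      // undefined
    lastIterationGroup2: /(?:(a)|(b))+/.exec("ab")[2]       // "b"
  };
}
```

Rule 4 is what makes `\4` in the testcase refer to whatever the final iteration of `((..)|a*)+?` captured, possibly the empty string from `a*`, which rule 2 and rule 3 then turn into a zero-width, repeatable backreference; a fuzzer that emits backreferences deliberately stresses exactly these corners of a matcher.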
Updated (Assignee), 7 years ago
Whiteboard: [sg:critical?] → [sg:critical?][js-triage-needed]

Updated, 7 years ago
status-firefox7: affected → wontfix
tracking-firefox7: + → -
Updated (Assignee), 7 years ago
Assignee: general → dmandelin
Updated (Reporter), 7 years ago
Blocks: 676763
status1.9.2: --- → unaffected

Does this also affect WebKit like bug 682252?

Updated, 7 years ago
status-firefox10: --- → affected
status-firefox8: affected → wontfix
tracking-firefox10: --- → +
tracking-firefox8: + → -
Comment 2 (Reporter, 7 years ago)
Cannot reproduce this anymore on tip and the fixing revision is the same as in bug 682252. Marking as duplicate and adjusting sg:rating to that bug.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?][js-triage-needed] → [sg:high][js-triage-needed]
Duplicate of bug: 682252

Comment 3, 6 years ago
tracking original.
status-firefox10: affected → ---
status-firefox9: affected → ---
tracking-firefox10: + → ---
tracking-firefox9: + → ---
Group: core-security