Closed Bug 866611 Opened 7 years ago Closed 7 years ago

Assertion failure: length <= MAX_LENGTH, at vm/String.h

Categories

(Core :: JavaScript Engine, defect, critical)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla23
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 2 open bugs)

Details

(5 keywords, Whiteboard: [jsbugmon:update][adv-main23-])

Attachments

(1 file)

Patch
1.28 KB, patch
h4writer
: review+
Details | Diff | Splinter Review 
try {
    y = 'x'
    Object.defineProperty(this, "z", {
        get: function() {
            y += y
            return z
        }
    })
    Uint8Array(z)
} catch (e) {}
for (v of y) {}

asserts js debug shell on m-c changeset 05533d50f2f7 with --ion-eager at Assertion failure: length <= MAX_LENGTH, at vm/String.h
Attached patch PatchSplinter Review 
Good catch. Regression from bug 863018. temp2 holds the length of the LHS, temp2 holds the result length and is the one we want to test against JSString::MAX_LENGTH.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #742966 - Flags: review?(hv1989)
Blocks: 863018
Comment on attachment 742966 [details] [diff] [review]
Patch

Review of attachment 742966 [details] [diff] [review]:
-----------------------------------------------------------------

Indeed an easy one to overlook.
Attachment #742966 - Flags: review?(hv1989) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   130142:3b7a2cbccaaa
user:        Jan de Mooij
date:        Fri Apr 26 14:08:54 2013 +0200
summary:     Bug 863018 part 2 - Add JSShortString path back to ConcatStrings and LConcat. r=luke

This iteration took 149.557 seconds to run.
I'm pretty sure this is s-s and at least sec-high. I'm seeing this trace in my fuzzer with the same assertion:

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000672298 in JSString::buildLengthAndFlags (
    flags=<optimized out>, length=<optimized out>, this=<optimized out>)
    at ../vm/String.h:231
231	        JS_ASSERT(length <= MAX_LENGTH);
#0  0x0000000000672298 in JSString::buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#1  0x0000000000674380 in buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#2  JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=<error reading variable: Cannot access memory at address 0x64006300620061>, maybecx=<optimized out>) at js/src/vm/String.cpp:276


Notice the memory address in frame #2 consisting of a string (in 16 bit unicode).
Blocks: 676763
Group: core-security
Keywords: csec-wildptr, sec-high
Duplicate of this bug: 866672
https://hg.mozilla.org/mozilla-central/rev/cf9469c2c3c6
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox23: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Marking status-firefox23:verified based on comment 8.
status-firefox23: fixedverified
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main23-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.