Assertion failure: length <= MAX_LENGTH, at vm/String.h

VERIFIED FIXED in Firefox 23

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

(Blocks: 2 bugs, 5 keywords)

Version: Trunk
Target Milestone: mozilla23
Hardware: x86_64
OS: Mac OS X
Keywords: assertion, csectype-wildptr, regression, sec-high, testcase
Points: ---

Firefox Tracking Flags

(firefox22 unaffected, firefox23 verified, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [jsbugmon:update][adv-main23-])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
try {
    y = 'x'
    Object.defineProperty(this, "z", {
        get: function() {
            y += y
            return z
        }
    })
    Uint8Array(z)
} catch (e) {}
for (v of y) {}

asserts js debug shell on m-c changeset 05533d50f2f7 with --ion-eager at Assertion failure: length <= MAX_LENGTH, at vm/String.h
(Assignee)

Comment 1

5 years ago
Created attachment 742966 [details] [diff] [review]
Patch

Good catch. Regression from bug 863018. temp2 holds the length of the LHS, temp2 holds the result length and is the one we want to test against JSString::MAX_LENGTH.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #742966 - Flags: review?(hv1989)
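The mistake the patch describes (testing an operand's length, rather than the concatenation's result length, against the maximum) in a stand-alone C sketch. This is an added illustration, not code from the attachment or from SpiderMonkey: the small MAX_LENGTH cap, the function names and the doubling simulation are all assumptions chosen to make the failure visible, and the "fixed" checker also rejects unsigned wrap of the sum, which is a defensive extra beyond what the page states.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical cap standing in for JSString::MAX_LENGTH. The real value is not
   on the page; a tiny constant just lets the testcase-style doubling cross it. */
#define MAX_LENGTH 1000u

/* Buggy check: the wrong operand is compared, so a result that exceeds the cap
   is admitted as long as the left-hand string alone is under it. */
static bool concat_length_ok_buggy(uint32_t lhs_len, uint32_t rhs_len, uint32_t *out_len)
{
    uint32_t result_len = lhs_len + rhs_len;   /* unsigned add: wraps silently */
    if (lhs_len > MAX_LENGTH)                  /* tests the LHS, not the result */
        return false;
    *out_len = result_len;
    return true;
}

/* Fixed check: the result length is what must stay within MAX_LENGTH.
   Written as a subtraction so the sum is never computed after a wrap. */
static bool concat_length_ok_fixed(uint32_t lhs_len, uint32_t rhs_len, uint32_t *out_len)
{
    if (lhs_len > MAX_LENGTH || rhs_len > MAX_LENGTH - lhs_len)
        return false;                          /* result would exceed the cap */
    *out_len = lhs_len + rhs_len;
    return true;
}

/* Mimic the testcase's getter (y += y on every access): keep doubling until the
   checker refuses, and return the last length it admitted. A correct checker
   never lets that value exceed MAX_LENGTH. */
static uint32_t simulate_doubling(bool (*check)(uint32_t, uint32_t, uint32_t *),
                                  uint32_t start, int max_rounds)
{
    uint32_t len = start, next;
    for (int round = 0; round < max_rounds && check(len, len, &next); round++)
        len = next;
    return len;
}

int main(void)
{
    uint32_t n;
    printf("buggy checker ends the doubling at length %u (cap %u)\n",
           simulate_doubling(concat_length_ok_buggy, 1, 64), MAX_LENGTH);
    printf("fixed checker ends the doubling at length %u (cap %u)\n",
           simulate_doubling(concat_length_ok_fixed, 1, 64), MAX_LENGTH);
    /* Constructed wrap case: a small LHS and a huge RHS. The buggy check accepts
       a "length" of 0; the fixed check refuses. */
    printf("buggy accepts 16 + 0xFFFFFFF0: %d\n", concat_length_ok_buggy(16, 0xFFFFFFF0u, &n));
    printf("fixed accepts 16 + 0xFFFFFFF0: %d\n", concat_length_ok_fixed(16, 0xFFFFFFF0u, &n));
    return 0;
}
```

Running it shows the buggy checker admitting a 1024-character result under a 1000-character cap, which is exactly the state in which the `length <= MAX_LENGTH` assertion in `JSString::buildLengthAndFlags` fires once the rope is flattened.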
(Assignee)

Updated

5 years ago
Blocks: 863018
Comment on attachment 742966 [details] [diff] [review]
Patch

Review of attachment 742966 [details] [diff] [review]:
-----------------------------------------------------------------

Indeed an easy one to overlook.
Attachment #742966 - Flags: review?(hv1989) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   130142:3b7a2cbccaaa
user:        Jan de Mooij
date:        Fri Apr 26 14:08:54 2013 +0200
summary:     Bug 863018 part 2 - Add JSShortString path back to ConcatStrings and LConcat. r=luke

This iteration took 149.557 seconds to run.
I'm pretty sure this is s-s and at least sec-high. I'm seeing this trace in my fuzzer with the same assertion:

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000672298 in JSString::buildLengthAndFlags (
    flags=<optimized out>, length=<optimized out>, this=<optimized out>)
    at ../vm/String.h:231
231	        JS_ASSERT(length <= MAX_LENGTH);
#0  0x0000000000672298 in JSString::buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#1  0x0000000000674380 in buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#2  JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=<error reading variable: Cannot access memory at address 0x64006300620061>, maybecx=<optimized out>) at js/src/vm/String.cpp:276


Notice the memory address in frame #2 consisting of a string (in 16 bit unicode).
Blocks: 676763
Group: core-security
Keywords: csec-wildptr, sec-high
Duplicate of this bug: 866672

Comment 7

5 years ago
https://hg.mozilla.org/mozilla-central/rev/cf9469c2c3c6
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox23: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
status-b2g18: --- → unaffected
status-firefox22: --- → unaffected
status-firefox-esr17: --- → unaffected
Marking status-firefox23:verified based on comment 8.
status-firefox23: fixed → verified
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main23-]
Group: core-security