Issue 705934

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


CHECK failure: value != Smi::FromInt(JSRegExp::kUninitializedValue) in objects-inl.h

Reported by ClusterFuzz (Project Member), Mar 28 2017

Issue description

Comment 1 by ishell@chromium.org, Mar 28 2017

Cc: yangguo@chromium.org
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
CF points to 17f13863b64b25eccf565e0aa9c4c441f0562b84.
Looks like the RegExp isn't successfully initialized when close to a stack overflow. 

Minimal repro:

function call_replace_close_to_stack_overflow() {
  try {
    call_replace_close_to_stack_overflow();
  } catch(e) {
    "b".replace(/(b)/g);
  }
}

call_replace_close_to_stack_overflow();
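The minimal repro above only exercises String.prototype.replace at one stack depth. As an added example (not from the issue or from V8's own regression test), the harness below generalises it: it recurses until the engine throws a stack-overflow RangeError and, in every catch handler on the way back up, attempts several RegExp entry points on fresh literals, so compilation is attempted right at the stack limit. Every attempt must either succeed or throw RangeError; any other outcome, or a process crash, is the kind of failure this bug produced. All function and case names are this example's own.

```javascript
// Collected results: entry-point name -> Set of "ok" | "RangeError" | other.
const outcomes = new Map();

function add(name, result) {
  if (!outcomes.has(name)) outcomes.set(name, new Set());
  outcomes.get(name).add(result);
}

// Run one RegExp operation and classify how it ended. A stack overflow
// inside the regexp path is reported by V8 as a RangeError; anything else
// is recorded as unexpected.
function record(name, fn) {
  try {
    fn();
    add(name, "ok");
  } catch (e) {
    add(name, e instanceof RangeError ? "RangeError" : "unexpected:" + (e && e.name));
  }
}

// Entry points that compile and execute a RegExp. Each uses a fresh literal so
// a compilation is attempted in the handler rather than reused from earlier.
const cases = {
  replaceGlobalString: () => "b".replace(/(b)/g, "$1$1"), // path from the repro
  replaceGlobalFn: () => "b".replace(/(b)/g, (m) => m + m),
  matchGlobal: () => "bb".match(/(b)/g),
  exec: () => /(b)/.exec("b"),
  test: () => /(b)/g.test("b"),
  split: () => "a,b".split(/(,)/),
  search: () => "ab".search(/(b)/),
};

// Recurse to the stack limit; the catch block runs at each depth whose callee
// threw, which is exactly where very little stack remains.
function recurse() {
  try {
    recurse();
  } catch (e) {
    for (const [name, fn] of Object.entries(cases)) record(name, fn);
  }
}

function runNearStackOverflow() {
  outcomes.clear();
  recurse();
  return outcomes;
}

// True if any entry point ended in something other than success or RangeError.
function hasUnexpectedOutcome(results) {
  for (const set of results.values())
    for (const r of set) if (r !== "ok" && r !== "RangeError") return true;
  return false;
}
```

Once the recursion has fully unwound, the same literals must behave normally again, which the check `"b".replace(/(b)/g, "$1$1") === "bb"` confirms.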

Comment 3 by bugdroid1@chromium.org (Project Member), Mar 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e2858f2adc4e8767576ab3adda61e37695bfd7be

commit e2858f2adc4e8767576ab3adda61e37695bfd7be
Author: jgruber <jgruber@chromium.org>
Date: Wed Mar 29 07:18:10 2017

[regexp] Properly handle failed RegExp compilations

Compilation can fail e.g. on stack overflow. This ensures that we exit
early from StringReplaceGlobalRegExpWithString in that case.

BUG= v8:5437 , chromium:705934 

Review-Url: https://codereview.chromium.org/2778953004
Cr-Commit-Position: refs/heads/master@{#44215}

[modify] https://crrev.com/e2858f2adc4e8767576ab3adda61e37695bfd7be/src/runtime/runtime-regexp.cc
[add] https://crrev.com/e2858f2adc4e8767576ab3adda61e37695bfd7be/test/mjsunit/regress/regress-705934.js

Status: Fixed (was: Assigned)

Comment 5 by ClusterFuzz (Project Member), Mar 29 2017

ClusterFuzz has detected this issue as fixed in range 44214:44215.

Detailed report: https://clusterfuzz.com/testcase?key=5218451347210240

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  value != Smi::FromInt(JSRegExp::kUninitializedValue) in objects-inl.h
  
Sanitizer: address (ASAN)

Regressed: V8: 44170:44171
Fixed: V8: 44214:44215

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv979_jeAuquJOFXaOQV_z89tIgrbOasfdW0fzITGHL0fASQNSh-sjkXN4rYYN5DPr3Owk7YB0DOb7hXssUseNAFfXv1oiYmDQXVUf8wA-8jiL6mlatCNcl1u7fXb0dAH5LkuLoqp2Cwj3HK3-JxovDXDWyUJNYH5sNx_zalBfysHDwLUI-5sxlD_v2iqdHBZq9sbmIw2PFnlTgAEzMzaI-iYkqIFz78iSgp99ImXuC2YhLaT307EtXgS2UaG9462ycbmAFvnUcXV5t18qFFND8xkjzrCLeLFag3zObJLd9Mkz96DL6u_xDqY5ubhxc0mTmZhfVj5jl_rG2uduKD2qtEdZ935IAJqAlkPBVf7UnBg30oaRwyZs5J4Vp1Zw6m0t476YgkSKNaXUAJpbnTlPp71zG59xg?testcase_id=5218451347210240


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.