CHECK failure: value != Smi::FromInt(JSRegExp::kUninitializedValue) in objects-inl.h

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5218451347210240
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: value != Smi::FromInt(JSRegExp::kUninitializedValue) in objects-inl.h
Sanitizer: address (ASAN)
Regressed: V8: 44170:44171
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv979_jeAuquJOFXaOQV_z89tIgrbOasfdW0fzITGHL0fASQNSh-sjkXN4rYYN5DPr3Owk7YB0DOb7hXssUseNAFfXv1oiYmDQXVUf8wA-8jiL6mlatCNcl1u7fXb0dAH5LkuLoqp2Cwj3HK3-JxovDXDWyUJNYH5sNx_zalBfysHDwLUI-5sxlD_v2iqdHBZq9sbmIw2PFnlTgAEzMzaI-iYkqIFz78iSgp99ImXuC2YhLaT307EtXgS2UaG9462ycbmAFvnUcXV5t18qFFND8xkjzrCLeLFag3zObJLd9Mkz96DL6u_xDqY5ubhxc0mTmZhfVj5jl_rG2uduKD2qtEdZ935IAJqAlkPBVf7UnBg30oaRwyZs5J4Vp1Zw6m0t476YgkSKNaXUAJpbnTlPp71zG59xg?testcase_id=5218451347210240
Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 28 2017
Looks like the RegExp isn't successfully initialized when close to a stack overflow.
Minimal repro:

function call_replace_close_to_stack_overflow() {
  try {
    // Recurse until the engine throws a stack-overflow RangeError.
    call_replace_close_to_stack_overflow();
  } catch(e) {
    // The catch handler runs with almost no stack left, so the RegExp
    // is compiled close to the stack limit.
    "b".replace(/(b)/g);
  }
}
call_replace_close_to_stack_overflow();
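The harness below is an added example; it is not part of the bug report and not V8's regression test. It generalises the minimal repro above into a probe that can be run under Node or d8: it drives the stack to its limit the same way, then runs a RegExp operation from the catch handler and records how many attempts it took and how many of those threw a RangeError before the operation produced a value. The names runNearStackLimit, probeRegExpOps and REGEXP_OPS are assumptions of this example, and the only assumption about the engine is that stack exhaustion surfaces as a catchable RangeError. With a correct engine the value is always the same one the operation returns with a full stack; a crash or an uninitialized-RegExp check failure, as in this issue, is what the probe is meant to surface.

```javascript
// Added example, not code from the bug report or from V8.
// Runs `op` inside a catch handler that executes next to the stack limit,
// retrying one frame further up the stack each time `op` itself runs out of
// stack, and reports how that went.
function runNearStackLimit(op) {
  const outcome = { attempts: 0, rangeErrors: 0, value: undefined };

  function recurse() {
    try {
      recurse();
    } catch (e) {
      // Only stack exhaustion is expected here; anything else is a real bug.
      if (!(e instanceof RangeError)) throw e;
      outcome.attempts++;
      try {
        outcome.value = op();
      } catch (inner) {
        if (!(inner instanceof RangeError)) throw inner;
        // `op` had too little stack left. Rethrow so the catch block one
        // frame up (which has slightly more headroom) retries it.
        outcome.rangeErrors++;
        throw inner;
      }
    }
  }

  recurse();
  return outcome;
}

// Constructed sample operations, each with a known result on a full stack.
const REGEXP_OPS = {
  replace: () => "b".replace(/(b)/g, "$1$1"),   // "bb"
  exec: () => /(b)/g.exec("ab")[1],              // "b"
  split: () => "a,b".split(/(,)/).length,        // 3
};

// Runs every operation near the stack limit and returns a summary keyed by
// operation name, each entry being the outcome object from runNearStackLimit.
function probeRegExpOps(ops = REGEXP_OPS) {
  const summary = {};
  for (const [name, op] of Object.entries(ops)) {
    summary[name] = runNearStackLimit(op);
  }
  return summary;
}
```

Because the catch handler of every frame retries the operation, the probe does not just check the deepest frame: it walks back up the stack until the RegExp path has enough room, so any state left half-initialized by an earlier failed compilation gets exercised on the next attempt.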
Mar 29 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/e2858f2adc4e8767576ab3adda61e37695bfd7be

commit e2858f2adc4e8767576ab3adda61e37695bfd7be
Author: jgruber <jgruber@chromium.org>
Date: Wed Mar 29 07:18:10 2017

[regexp] Properly handle failed RegExp compilations

Compilation can fail e.g. on stack overflow. This ensures that we exit early from StringReplaceGlobalRegExpWithString in that case.

BUG=v8:5437, chromium:705934
Review-Url: https://codereview.chromium.org/2778953004
Cr-Commit-Position: refs/heads/master@{#44215}

[modify] https://crrev.com/e2858f2adc4e8767576ab3adda61e37695bfd7be/src/runtime/runtime-regexp.cc
[add] https://crrev.com/e2858f2adc4e8767576ab3adda61e37695bfd7be/test/mjsunit/regress/regress-705934.js
Mar 29 2017
Mar 29 2017
ClusterFuzz has detected this issue as fixed in range 44214:44215.

Detailed report: https://clusterfuzz.com/testcase?key=5218451347210240
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: value != Smi::FromInt(JSRegExp::kUninitializedValue) in objects-inl.h
Sanitizer: address (ASAN)
Regressed: V8: 44170:44171
Fixed: V8: 44214:44215
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv979_jeAuquJOFXaOQV_z89tIgrbOasfdW0fzITGHL0fASQNSh-sjkXN4rYYN5DPr3Owk7YB0DOb7hXssUseNAFfXv1oiYmDQXVUf8wA-8jiL6mlatCNcl1u7fXb0dAH5LkuLoqp2Cwj3HK3-JxovDXDWyUJNYH5sNx_zalBfysHDwLUI-5sxlD_v2iqdHBZq9sbmIw2PFnlTgAEzMzaI-iYkqIFz78iSgp99ImXuC2YhLaT307EtXgS2UaG9462ycbmAFvnUcXV5t18qFFND8xkjzrCLeLFag3zObJLd9Mkz96DL6u_xDqY5ubhxc0mTmZhfVj5jl_rG2uduKD2qtEdZ935IAJqAlkPBVf7UnBg30oaRwyZs5J4Vp1Zw6m0t476YgkSKNaXUAJpbnTlPp71zG59xg?testcase_id=5218451347210240

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ishell@chromium.org, Mar 28 2017
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)