NEW 160647
Assertion failure "len >= 0" in String methods when creating JSString exceeding JSString::MaxLength
https://bugs.webkit.org/show_bug.cgi?id=160647
André Bargull
Reported 2016-08-07 07:54:29 PDT
SVN: rev204118
Build with: perl Tools/Scripts/build-jsc --gtk --debug

String.prototype.indexOf, String.prototype.slice and String.prototype.substring report assertion failures when the string length exceeds JSString::MaxLength.

Test case:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s));
r.indexOf("a", 0);
---

Reports the following assertion failure:
---
ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(956) : JSC::EncodedJSValue JSC::stringProtoFuncIndexOf(JSC::ExecState*)
1   0x7ffff6da9fd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ffff6da9fd3]
2   0x7ffff6ca2856 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC22stringProtoFuncIndexOfEPNS_9ExecStateE+0x139) [0x7ffff6ca2856]
3   0x7fffafdff028 [0x7fffafdff028]
---

Backtrace:
---
#0  0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x00007ffff6ca2856 in JSC::stringProtoFuncIndexOf (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:956
#2  0x00007fffafdff028 in ?? ()
#3  0x00007fffffffcb40 in ?? ()
#4  0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---

Similar assertion failures:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s));
r.slice(0);

ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(1025) : JSC::EncodedJSValue JSC::stringProtoFuncSlice(JSC::ExecState*)
1   0x7ff37684dfd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ff37684dfd3]
2   0x7ff376746e0b /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC20stringProtoFuncSliceEPNS_9ExecStateE+0x103) [0x7ff376746e0b]
3   0x7ff32f7ff028 [0x7ff32f7ff028]

#0  0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x00007ffff6ca2e0b in JSC::stringProtoFuncSlice (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:1025
#2  0x00007fffafdff028 in ?? ()
#3  0x00007fffffffcb40 in ?? ()
#4  0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---

And:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s));
r.substring(0);

ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(1271) : JSC::EncodedJSValue JSC::stringProtoFuncSubstring(JSC::ExecState*)
1   0x7f94c52c5fd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f94c52c5fd3]
2   0x7f94c51bfe50 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC24stringProtoFuncSubstringEPNS_9ExecStateE+0xeb) [0x7f94c51bfe50]
3   0x7f947e1ff028 [0x7f947e1ff028]

#0  0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x00007ffff6ca3e50 in JSC::stringProtoFuncSubstring (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:1271
#2  0x00007fffafdff028 in ?? ()
#3  0x00007fffffffcb40 in ?? ()
#4  0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---

`String(Symbol(s))` is not the only way to create an overlong string, e.g. `s.fixed()` works just as well.
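The failure pattern the report describes is a string length that grows past JSString::MaxLength and then no longer fits the signed int the String.prototype methods compare against zero. The following C model, added here as an illustration and not code from the report or from WebKit, shows the arithmetic behind the `len >= 0` assertion for the report's own input (a 2^31 - 1 character string wrapped as "Symbol(" + s + ")") and contrasts it with a checked length computation that rejects the overlong string before it is built. It assumes MaxLength is 2^31 - 1 (INT32_MAX); the helper names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: the maximum string length is INT32_MAX (2^31 - 1),
 * i.e. the largest length that still fits a signed 32-bit int. */
#define MAX_STRING_LENGTH ((uint32_t)INT32_MAX)

/* Models storing an unsigned 32-bit length in a signed int, which is what the
 * failing `len >= 0` assertion guards against. On mainstream compilers the
 * conversion wraps, so any length above INT32_MAX becomes negative. */
static int32_t length_as_int(uint32_t len)
{
    return (int32_t)len;
}

/* Unchecked: length of "Symbol(" + s + ")", computed the naive way. */
static int32_t unchecked_symbol_description_length(uint32_t inner_len)
{
    uint32_t total = 7u + inner_len + 1u; /* "Symbol(" is 7 chars, ")" is 1 */
    return length_as_int(total);
}

/* Checked: refuse to produce a length that would exceed MAX_STRING_LENGTH.
 * Returns true and stores a + b on success, false when the sum would overflow. */
static bool checked_concat_length(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > MAX_STRING_LENGTH || b > MAX_STRING_LENGTH - a)
        return false;
    *out = a + b;
    return true;
}

/* Checked version of the "Symbol(" + s + ")" length computation. */
static bool checked_symbol_description_length(uint32_t inner_len, uint32_t *out)
{
    uint32_t tmp;
    return checked_concat_length(7u, inner_len, &tmp)
        && checked_concat_length(tmp, 1u, out);
}

int main(void)
{
    /* The report's input: "a".repeat((1<<30) + (1<<30) - 1), i.e. 2^31 - 1 chars. */
    uint32_t inner = (1u << 30) + (1u << 30) - 1u;

    int32_t len = unchecked_symbol_description_length(inner);
    printf("unchecked len = %d (assertion len >= 0 %s)\n",
           len, len >= 0 ? "holds" : "fails");

    uint32_t checked;
    if (!checked_symbol_description_length(inner, &checked))
        printf("checked: rejected, result would exceed MaxLength\n");
    else
        printf("checked len = %u\n", checked);
    return 0;
}
```

The unchecked path yields a negative length for the report's input, which is exactly the state the debug assertion catches; the checked path reports the overflow at the point where the longer string is about to be created, before any later method has to reason about a negative length.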