Bug 160647 - Assertion failure "len >= 0" in String methods when creating JSString exceeding JSString::MaxLength
Summary: Assertion failure "len >= 0" in String methods when creating JSString exceedi...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-07 07:54 PDT by André Bargull
Modified: 2016-08-08 18:04 PDT (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description André Bargull 2016-08-07 07:54:29 PDT 
SVN: rev204118
Build with: perl Tools/Scripts/build-jsc --gtk --debug

String.prototype.indexOf, String.prototype.slice and String.prototype.substring report assertion failures when the string length exceeds JSString::MaxLength. 


Test case:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s);
r.indexOf("a", 0);
---

Reports the following assertion failure:
---
ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(956) : JSC::EncodedJSValue JSC::stringProtoFuncIndexOf(JSC::ExecState*)
1   0x7ffff6da9fd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ffff6da9fd3]
2   0x7ffff6ca2856 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC22stringProtoFuncIndexOfEPNS_9ExecStateE+0x139) [0x7ffff6ca2856]
3   0x7fffafdff028 [0x7fffafdff028]
---

Backtrace:
---
#0  0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x00007ffff6ca2856 in JSC::stringProtoFuncIndexOf (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:956
#2  0x00007fffafdff028 in ?? ()
#3  0x00007fffffffcb40 in ?? ()
#4  0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---



Similar assertion failures:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s));
r.slice(0);

ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(1025) : JSC::EncodedJSValue JSC::stringProtoFuncSlice(JSC::ExecState*)
1   0x7ff37684dfd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ff37684dfd3]
2   0x7ff376746e0b /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC20stringProtoFuncSliceEPNS_9ExecStateE+0x103) [0x7ff376746e0b]
3   0x7ff32f7ff028 [0x7ff32f7ff028]

#0  0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x00007ffff6ca2e0b in JSC::stringProtoFuncSlice (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:1025
#2  0x00007fffafdff028 in ?? ()
#3  0x00007fffffffcb40 in ?? ()
#4  0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---


And:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s));
r.substring(0);

ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(1271) : JSC::EncodedJSValue JSC::stringProtoFuncSubstring(JSC::ExecState*)
1   0x7f94c52c5fd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f94c52c5fd3]
2   0x7f94c51bfe50 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC24stringProtoFuncSubstringEPNS_9ExecStateE+0xeb) [0x7f94c51bfe50]
3   0x7f947e1ff028 [0x7f947e1ff028]

#0  0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x00007ffff6ca3e50 in JSC::stringProtoFuncSubstring (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:1271
#2  0x00007fffafdff028 in ?? ()
#3  0x00007fffffffcb40 in ?? ()
#4  0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---


`String(Symbol(s))` is not the only way to create an overlong string, e.g. `s.fixed()` works just as well.