<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Assertion failure "len >= 0" in String methods when creating JSString exceeding JSString::MaxLength"
href="https://bugs.webkit.org/show_bug.cgi?id=160647">160647</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Assertion failure "len >= 0" in String methods when creating JSString exceeding JSString::MaxLength
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Local Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>andre.bargull@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>SVN: rev204118
Build with: perl Tools/Scripts/build-jsc --gtk --debug
String.prototype.indexOf, String.prototype.slice and String.prototype.substring report assertion failures when the string length exceeds JSString::MaxLength.
Test case:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s);
r.indexOf("a", 0);
---
Reports the following assertion failure:
---
ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(956) : JSC::EncodedJSValue JSC::stringProtoFuncIndexOf(JSC::ExecState*)
1 0x7ffff6da9fd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ffff6da9fd3]
2 0x7ffff6ca2856 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC22stringProtoFuncIndexOfEPNS_9ExecStateE+0x139) [0x7ffff6ca2856]
3 0x7fffafdff028 [0x7fffafdff028]
---
Backtrace:
---
#0 0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1 0x00007ffff6ca2856 in JSC::stringProtoFuncIndexOf (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:956
#2 0x00007fffafdff028 in ?? ()
#3 0x00007fffffffcb40 in ?? ()
#4 0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---
Similar assertion failures:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s));
r.slice(0);
ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(1025) : JSC::EncodedJSValue JSC::stringProtoFuncSlice(JSC::ExecState*)
1 0x7ff37684dfd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ff37684dfd3]
2 0x7ff376746e0b /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC20stringProtoFuncSliceEPNS_9ExecStateE+0x103) [0x7ff376746e0b]
3 0x7ff32f7ff028 [0x7ff32f7ff028]
#0 0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1 0x00007ffff6ca2e0b in JSC::stringProtoFuncSlice (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:1025
#2 0x00007fffafdff028 in ?? ()
#3 0x00007fffffffcb40 in ?? ()
#4 0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---
And:
---
var s = "a".repeat((1<<30) + (1<<30) - 1);
var r = String(Symbol(s));
r.substring(0);
ASSERTION FAILED: len >= 0
../../Source/JavaScriptCore/runtime/StringPrototype.cpp(1271) : JSC::EncodedJSValue JSC::stringProtoFuncSubstring(JSC::ExecState*)
1 0x7f94c52c5fd3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f94c52c5fd3]
2 0x7f94c51bfe50 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC24stringProtoFuncSubstringEPNS_9ExecStateE+0xeb) [0x7f94c51bfe50]
3 0x7f947e1ff028 [0x7f947e1ff028]
#0 0x00007ffff6da9fd8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1 0x00007ffff6ca3e50 in JSC::stringProtoFuncSubstring (exec=0x7fffffffcad0) at ../../Source/JavaScriptCore/runtime/StringPrototype.cpp:1271
#2 0x00007fffafdff028 in ?? ()
#3 0x00007fffffffcb40 in ?? ()
#4 0x00007ffff69b2a12 in llint_entry () at ../../Source/WTF/wtf/HashTable.h:720
---
`String(Symbol(s))` is not the only way to create an overlong string, e.g. `s.fixed()` works just as well.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>