Bug 1603036 Comment 0 Edit History


The following testcase crashes on mozilla-central revision 7635669b8d72 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --no-baseline --no-ion --blinterp-eager):

    // jsfunfuzz-generated
    // Shell-builtin reproducer. Per the LeakSanitizer trace below, codeModule()
    // enters CodeModule (js/src/shell/js.cpp:4804) -> XDRBufferObject::create
    // (js.cpp:4765), where the Vector::appendAll copy is the 256-byte block
    // reported as a direct leak. parseModule("") presumably yields an empty
    // module object -- TODO confirm; its result is opaque from this page.
    (function() {
        (function() {
            // Adapted from randomly chosen test: js/src/jit-test/tests/xdr/module.js
            codeModule(parseModule(""));
        })();
    })();

Backtrace:

```
Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x563234c8a9f3 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/js-64-asan-linux-x86_64-7635669b8d72+0x187a9f3)
    #1 0x563234d50a05 in unsigned char* mozilla::MallocAllocPolicy::maybe_pod_malloc<unsigned char>(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/AllocPolicy.h:83:28
    #2 0x563234d50a05 in unsigned char* mozilla::MallocAllocPolicy::pod_malloc<unsigned char>(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/AllocPolicy.h:101
    #3 0x563234d50a05 in mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::convertToHeapStorage(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:937
    #4 0x563234d50a05 in mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::growStorageBy(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:1025
    #5 0x563234d52db4 in bool mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned char const*) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:1330:9
    #6 0x563234d52db4 in bool mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:1386
    #7 0x563234d52db4 in bool mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::appendAll<unsigned char, 0ul, mozilla::MallocAllocPolicy>(mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy> const&) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:1379
    #8 0x563234d52db4 in XDRBufferObject::create(JSContext*, mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>*) js/src/shell/js.cpp:4765
    #9 0x563234d09f85 in CodeModule(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:4804:29
    #10 0x563234ef5245 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:457:13
    #11 0x563234ef5245 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:549
    #12 0x5632365d9078 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:2941:10
/snip
```

For detailed crash information, see attachment.
The following testcase crashes on mozilla-central revision 7635669b8d72 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --no-baseline --no-ion --blinterp-eager, with ASAN_OPTIONS=detect_leaks=1 set in the environment):

    // jsfunfuzz-generated
    // Shell-builtin reproducer. Per the LeakSanitizer trace below, codeModule()
    // enters CodeModule (js/src/shell/js.cpp:4804) -> XDRBufferObject::create
    // (js.cpp:4765), where the Vector::appendAll copy is the 256-byte block
    // reported as a direct leak. parseModule("") presumably yields an empty
    // module object -- TODO confirm; its result is opaque from this page.
    (function() {
        (function() {
            // Adapted from randomly chosen test: js/src/jit-test/tests/xdr/module.js
            codeModule(parseModule(""));
        })();
    })();

Backtrace:

```
Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x563234c8a9f3 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/js-64-asan-linux-x86_64-7635669b8d72+0x187a9f3)
    #1 0x563234d50a05 in unsigned char* mozilla::MallocAllocPolicy::maybe_pod_malloc<unsigned char>(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/AllocPolicy.h:83:28
    #2 0x563234d50a05 in unsigned char* mozilla::MallocAllocPolicy::pod_malloc<unsigned char>(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/AllocPolicy.h:101
    #3 0x563234d50a05 in mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::convertToHeapStorage(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:937
    #4 0x563234d50a05 in mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::growStorageBy(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:1025
    #5 0x563234d52db4 in bool mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned char const*) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:1330:9
    #6 0x563234d52db4 in bool mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:1386
    #7 0x563234d52db4 in bool mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>::appendAll<unsigned char, 0ul, mozilla::MallocAllocPolicy>(mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy> const&) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-7635669b8d72/objdir-js/dist/include/mozilla/Vector.h:1379
    #8 0x563234d52db4 in XDRBufferObject::create(JSContext*, mozilla::Vector<unsigned char, 0ul, mozilla::MallocAllocPolicy>*) js/src/shell/js.cpp:4765
    #9 0x563234d09f85 in CodeModule(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:4804:29
    #10 0x563234ef5245 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:457:13
    #11 0x563234ef5245 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:549
    #12 0x5632365d9078 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:2941:10
/snip
```

For detailed crash information, see attachment.
