Closed
Bug 1235874
Opened 8 years ago
Closed 8 years ago
Crash [@ strlen] or [@ strdup]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Crash Data
Attachments
(2 files, 1 obsolete file)
|
3.02 KB,
text/plain
|
Details | |
|
1.54 KB,
patch
|
sunfish
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision c690c50b2b54 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
evaluate("evalcx(\"x\")", {
fileName: null
})
Backtrace:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x00007fff8625b152 strlen + 18
1 libsystem_c.dylib 0x00007fff862b5b79 strdup + 18
2 js-dbg-64-dm-darwin-c690c50b2b54 0x00000001005388f5 JS::DescribeScriptedCaller(JSContext*, mozilla::UniquePtr<char, JS::FreePolicy>*, unsigned int*, unsigned int*) + 277 (UniquePtr.h:290)
3 js-dbg-64-dm-darwin-c690c50b2b54 0x0000000100010cf7 EvalInContext(JSContext*, unsigned int, JS::Value*) + 1319 (Maybe.h:91)
4 js-dbg-64-dm-darwin-c690c50b2b54 0x00000001007527c2 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 786 (jscntxtinlines.h:236)
5 js-dbg-64-dm-darwin-c690c50b2b54 0x0000000100752ffb js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:512)
6 js-dbg-64-dm-darwin-c690c50b2b54 0x0000000100190a0b js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2811 (BaselineIC.cpp:6184)
7 ??? 0x0000000101df52db 0 + 4326380251
8 ??? 0x0000000103e2aac0 0 + 4360153792
Seems to be a null-deref but setting this [fuzzblocker] s-s to be safe.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/5e0769303a5e user: Luke Wagner date: Mon Dec 28 17:39:37 2015 -0600 summary: Bug 1229642 - change to AsmJSActivation to WasmActivation (r=bbouvier) Luke, is bug 1229642 a likely regressor?
Blocks: 1229642
Flags: needinfo?(luke)
|
|
Reporter | |
Updated•8 years ago
|
Crash Signature: [@ strlen] → [@ strlen]
[@ strdup]
Summary: Crash [@ strlen] → Crash [@ strlen] or [@ strdup]
|
|
Assignee | |
Comment 3•8 years ago
|
||
D'oh, null filename. I don't think it's s-s since it's definitely near-null.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8702973 -
Flags: review?(sunfish)
|
|
Assignee | |
Comment 4•8 years ago
|
||
Probably better to clear filename if !i.filename() in the off chance the caller had previous contents.
Attachment #8702973 -
Attachment is obsolete: true
Attachment #8702973 -
Flags: review?(sunfish)
Attachment #8702983 -
Flags: review?(sunfish)
|
||
Updated•8 years ago
|
Attachment #8702983 -
Flags: review?(sunfish) → review+
|
|
Reporter | |
Comment 5•8 years ago
|
||
Opening up as per comment 3. Thanks for fixing this quickly!
Group: javascript-core-security
|
||
Comment 7•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8130a1608ca0
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•