Crash[@js::SCInput::SCInput] or assertion failure: (nbytes & 7) == 0 at StructuredClone.cpp:463

RESOLVED INVALID

Core
JavaScript Engine

People

(Reporter: Spandan Veggalam, Unassigned)

Tracking

Keywords: assertion, crash
Version: Trunk
Platform: x86_64 Linux


Description (Reporter)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150224133805

Steps to reproduce:

The following testcase crashes on mozilla-central revision fd8e079d6335 (build options --enable-optimize --enable-valgrind --enable-gczeal --enable-debug):

    var clonebuffer = serialize("abc");
    clonebuffer.clonebuffer = " No Error ";
    var obj = deserialize(clonebuffer);

Actual results:

Back-trace:

Assertion failure: (nbytes & 7) == 0, at js/src/vm/StructuredClone.cpp:463

Catchpoint 1 (signal SIGSEGV), 0x00000000006a4098 in js::SCInput::SCInput (
    this=this@entry=0x7fffffffc4e0, cx=cx@entry=0x1955930, data=data@entry=0x1a4d590, 
    nbytes=nbytes@entry=10)
    at js/src/vm/StructuredClone.cpp:463
463	    MOZ_ASSERT((nbytes & 7) == 0);
(gdb) bt
#0  0x00000000006a4098 in js::SCInput::SCInput (this=this@entry=0x7fffffffc4e0, 
    cx=cx@entry=0x1955930, data=data@entry=0x1a4d590, nbytes=nbytes@entry=10)
    at js/src/vm/StructuredClone.cpp:463
#1  0x00000000006dfedc in ReadStructuredClone (cx=cx@entry=0x1955930, data=data@entry=0x1a4d590, 
    nbytes=nbytes@entry=10, vp=..., cb=0x0, cbClosure=0x0)
    at js/src/vm/StructuredClone.cpp:375
#2  0x00000000006e00a5 in JS_ReadStructuredClone (cx=cx@entry=0x1955930, buf=0x1a4d590, 
    nbytes=nbytes@entry=10, version=version@entry=5, vp=..., vp@entry=JSVAL_VOID, 
    optionalCallbacks=optionalCallbacks@entry=0x0, closure=0x0)
    at js/src/vm/StructuredClone.cpp:1895
#3  0x00000000004f86ce in Deserialize (cx=cx@entry=0x1955930, argc=<optimized out>, vp=0x1a1bcd8)
    at js/src/builtin/TestingFunctions.cpp:1806
#4  0x00000000005e7e32 in js::CallJSNative (cx=0x1955930, 
    native=0x4f84e0 <Deserialize(JSContext*, unsigned int, jsval*)>, args=...)
    at js/src/jscntxtinlines.h:235
#5  0x00000000005d82d7 in js::Invoke (cx=0x1955930, args=..., construct=js::NO_CONSTRUCT)
    at js/src/vm/Interpreter.cpp:498
#6  0x00000000005d33b1 in Interpret (cx=0x1955930, state=...)
    at js/src/vm/Interpreter.cpp:2599
#7  0x00000000005d80c8 in js::RunScript (cx=cx@entry=0x1955930, state=...)
    at js/src/vm/Interpreter.cpp:448
#8  0x00000000005dfce9 in js::ExecuteKernel (cx=cx@entry=0x1955930, script=..., 
    script@entry=0x7ffff515d2b8, scopeChainArg=(JSObject &) @0x7ffff5159060 [object global], 
    thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., 
    evalInFrame@entry=AbstractFramePtr ((js::ScriptFrameIter::Data *) 0x0) = {...}, 
    result=0x7fffffffd970)
    at js/src/vm/Interpreter.cpp:654
#9  0x00000000005e1dd7 in js::Execute (cx=cx@entry=0x1955930, script=..., 
    script@entry=0x7ffff515d2b8, scopeChainArg=..., rval=rval@entry=0x7fffffffd970)
    at js/src/vm/Interpreter.cpp:691
#10 0x00000000009abbbf in ExecuteScript (cx=cx@entry=0x1955930, 
    obj=(JSObject * const) 0x7ffff5159060 [object global] delegate, scriptArg=0x7ffff515d2b8, 
    rval=0x7fffffffd970) at js/src/jsapi.cpp:4116
#11 0x00000000009abc9a in JS_ExecuteScript (cx=cx@entry=0x1955930, obj=..., 
    obj@entry=(JSObject * const) 0x7ffff5159060 [object global] delegate, scriptArg=..., 
    scriptArg@entry=0x7ffff515d2b8, rval=..., rval@entry=JSVAL_VOID)
    at js/src/jsapi.cpp:4132

Updated (Reporter): Keywords: assertion, crash

Updated (Reporter): Summary: assertion failure → Crash[@js::SCInput::SCInput] or assertion failure: (nbytes & 7) == 0 at StructuredClone.cpp:463

Thanks for the report.

Afaik the structured clone reader can crash when you feed it arbitrary data (I don't think it's possible to do that in the browser). In fact, the clonebuffer setter that we're invoking here (setCloneBuffer_impl in js/src/vm/TestingFunctions.cpp) has this:

    if (fuzzingSafe) {
        // A manually-created clonebuffer could easily trigger a crash
        args.rval().setUndefined();
        return true;
    }

If you're fuzzing, you'll probably want to use --fuzzing-safe :)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
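The assertion in the backtrace fires because SCInput works in 8-byte words and the buffer handed to it here is 10 bytes long (the assigned string " No Error " is 10 characters). The following C++ is an added illustration, not SpiderMonkey's code and not part of this bug: it models the same precondition as a recoverable boundary check and the same fuzzing-safe gate as the quoted snippet. validateCloneBuffer, setCloneBuffer and readWords are hypothetical names, and the block assumes the shell's setter copies each character of the assigned string into the buffer as one byte, which is what the nbytes=10 in the trace suggests.

```cpp
#include <cstdint>
#include <cstring>
#include <cstddef>
#include <string>
#include <vector>

// Result of the boundary check a deserializer should run on untrusted bytes.
enum class BufferStatus { Ok, NullData, Misaligned };

// Same precondition SCInput::SCInput asserts at StructuredClone.cpp:463,
// (nbytes & 7) == 0, but as a recoverable check instead of a debug-only
// MOZ_ASSERT. Hypothetical helper, not the engine's code.
BufferStatus validateCloneBuffer(const uint8_t* data, size_t nbytes) {
    if (data == nullptr && nbytes != 0) return BufferStatus::NullData;
    if ((nbytes & 7) != 0) return BufferStatus::Misaligned;
    return BufferStatus::Ok;
}

// Models the shell's clonebuffer setter. Assumption: each character of the
// assigned string becomes one byte of the buffer, so " No Error " gives 10 bytes.
// Returns false when the fuzzing-safe gate refuses the write, as in the snippet above.
bool setCloneBuffer(bool fuzzingSafe, const std::string& text, std::vector<uint8_t>* buf) {
    if (fuzzingSafe) {
        // A manually-created clonebuffer could easily trigger a crash: do nothing.
        return false;
    }
    buf->assign(text.begin(), text.end());
    return true;
}

// Reads the buffer as little-endian 64-bit words, the unit SCInput consumes.
// Returns false and leaves *out untouched when the buffer fails validation.
bool readWords(const std::vector<uint8_t>& buf, std::vector<uint64_t>* out) {
    if (validateCloneBuffer(buf.data(), buf.size()) != BufferStatus::Ok) return false;
    out->clear();
    for (size_t off = 0; off < buf.size(); off += 8) {
        uint64_t w = 0;
        for (int i = 0; i < 8; i++) w |= static_cast<uint64_t>(buf[off + i]) << (8 * i);
        out->push_back(w);
    }
    return true;
}

int main() {
    std::vector<uint8_t> buf;
    std::vector<uint64_t> words;
    // The report's testcase: 10 bytes, not a multiple of 8, is rejected without asserting.
    setCloneBuffer(false, " No Error ", &buf);
    bool rejected = !readWords(buf, &words);
    // A constructed, well-formed 16-byte buffer reads as two words {1, 2}.
    buf.assign(16, 0);
    buf[0] = 1;
    buf[8] = 2;
    bool accepted = readWords(buf, &words) && words.size() == 2;
    return (rejected && accepted) ? 0 : 1;
}
```

The point of the separate validate step is that a check a debug build enforces only through MOZ_ASSERT is absent in an optimized build; a reader that accepts bytes from outside the engine needs the same check as an ordinary error path, which is also why the shell gates the setter behind --fuzzing-safe.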