Closed Bug 1207409 Opened 4 years ago Closed 4 years ago

Assertion failure: src->length() > 0 && src->latin1OrTwoByteChar(0) == '(', at js/src/jsfun.cpp:983 or heap-use-after-free [@ CanStoreCharsAsLatin1] with evaluate

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1161312
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision 2235e56c94cf (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

assertEq(evaluate("(function(x) { yield 42 })", { columnNumber: 1729 }), 1730);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
#0  0x0000000000b55395 in js::FunctionToString (cx=0x7ffff6907000, fun=fun@entry=..., bodyOnly=bodyOnly@entry=false, lambdaParen=<optimized out>) at js/src/jsfun.cpp:982
#1  0x0000000000b562e2 in fun_toStringHelper (cx=<optimized out>, obj=..., indent=<optimized out>) at js/src/jsfun.cpp:1102
#2  0x0000000000b8af69 in fun_toSource (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7fffffffc988) at js/src/jsfun.cpp:1141
#3  0x00000000007046d2 in js::CallJSNative (cx=0x7ffff6907000, native=0xb8add0 <fun_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4  0x00000000006f9593 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:765
#5  0x00000000006fa1dd in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:820
#6  0x0000000000bd2295 in js::ValueToSource (cx=cx@entry=0x7ffff6907000, v=..., v@entry=...) at js/src/jsstr.cpp:4345
#7  0x0000000000b18d7c in JS_ValueToSource (cx=cx@entry=0x7ffff6907000, value=value@entry=...) at js/src/jsapi.cpp:469
#8  0x000000000047deab in ToSource (cx=cx@entry=0x7ffff6907000, vp=..., vp@entry=..., bytes=bytes@entry=0x7fffffffcc30) at js/src/shell/js.cpp:1602
#9  0x000000000047f5ef in AssertEq (cx=0x7ffff6907000, argc=2, vp=0x7ffff47f30a8) at js/src/shell/js.cpp:1632
#10 0x00000000007046d2 in js::CallJSNative (cx=0x7ffff6907000, native=0x47f470 <AssertEq(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#11 0x00000000006f9593 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:765
#12 0x00000000006eb2f9 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3068
#13 0x00000000006f8d9b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:706
#14 0x00000000006fedb4 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:980
#15 0x00000000006ff0fe in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1014
#16 0x0000000000b6407b in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4370
#17 0x0000000000b6419b in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4401
#18 0x0000000000428443 in RunFile (compileOnly=false, file=0x7ffff699a400, filename=0x7fffffffe0a4 "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:462
#19 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffe0a4 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:580
#20 0x0000000000476ef4 in ProcessArgs (op=0x7fffffffdb50, cx=0x7ffff6907000) at js/src/shell/js.cpp:5834
#21 Shell (envp=<optimized out>, op=0x7fffffffdb50, cx=0x7ffff6907000) at js/src/shell/js.cpp:6132
#22 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6488
rip	0xb55395 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool, bool)+645>
=> 0xb55395 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool, bool)+645>:	movl   $0x3d7,0x0
   0xb553a0 <js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool, bool)+656>:	callq  0x496750 <abort()>

Likely a shell-only problem with evaluate/columnNumber.
Group: core-security
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1161312
Regrouping for parity with the original.
Group: javascript-core-security
Group: core-security
Group: javascript-core-security