Bug 1225346 - Crash [@ strlen] or Crash on Heap with parseModule
Status: Closed (opened 9 years ago, closed 9 years ago)
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, target milestone mozilla45

| | Tracking | Status |
|---|---|---|
| firefox45 | --- | fixed |
People: Reporter: decoder, Assigned: jonco
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Attachments (1 file): patch, 1.34 KB, terrence: review+

Description (reporter: decoder):
The following testcase crashes on mozilla-central revision 0c648a1efbe0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions):
parseModule("", 3);
Backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00000000007621d6 in cvt_s<char> (flags=0, prec=-1, width=0, s=0x4 <error: Cannot access memory at address 0x4>, ss=0x7ffeef7208c0) at js/src/jsprf.cpp:337
#2 dosprintf(SprintfState *, const char *, typedef __va_list_tag __va_list_tag *) (ss=ss@entry=0x7ffeef7208c0, fmt=0xbe8650 "", fmt@entry=0xbe8630 "expected filename string, got %s", ap=<optimized out>, ap@entry=0x7ffeef7209b8) at js/src/jsprf.cpp:865
#3 0x000000000076275b in JS_vsmprintf (fmt=fmt@entry=0xbe8630 "expected filename string, got %s", ap=ap@entry=0x7ffeef7209b8) at js/src/jsprf.cpp:965
#4 0x00000000006fa27b in js::ReportErrorVA (cx=cx@entry=0x7fe0bca18c00, flags=flags@entry=0, format=format@entry=0xbe8630 "expected filename string, got %s", ap=ap@entry=0x7ffeef7209b8) at js/src/jscntxt.cpp:430
#5 0x00000000006d7b7c in JS_ReportError (cx=cx@entry=0x7fe0bca18c00, format=format@entry=0xbe8630 "expected filename string, got %s") at js/src/jsapi.cpp:5281
#6 0x000000000043e762 in ParseModule (cx=0x7fe0bca18c00, argc=2, vp=0x7fe0bb531150) at js/src/shell/js.cpp:3294
#7 0x00000000008047c1 in CallJSNative (args=..., native=0x43e650 <ParseModule(JSContext*, unsigned int, JS::Value*)>, cx=0x7fe0bca18c00) at js/src/jscntxtinlines.h:235
#8 js::Invoke (cx=0x7fe0bca18c00, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:394
#9 0x00000000007ff375 in Interpret (cx=0x7fe0bca18c00, state=...) at js/src/vm/Interpreter.cpp:2691
#10 0x000000000080427d in js::RunScript (cx=cx@entry=0x7fe0bca18c00, state=...) at js/src/vm/Interpreter.cpp:341
#11 0x000000000080451f in js::Invoke (cx=cx@entry=0x7fe0bca18c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:412
#12 0x00000000008054a9 in js::Invoke (cx=cx@entry=0x7fe0bca18c00, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7ffeef721cb8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:446
#13 0x00000000009c2f18 in js::jit::DoCallFallback (cx=0x7fe0bca18c00, frame=0x7ffeef721ce8, stub_=0x7fe0b6e14ec8, argc=0, vp=0x7ffeef721ca8, res=...) at js/src/jit/BaselineIC.cpp:8748
#14 0x00007fe0be1618e4 in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rax 0x4 4
rbx 0x0 0
rcx 0x4 4
rdx 0x18 24
rsi 0xbe864e 12486222
rdi 0x4 4
rbp 0x7ffeef7208c0 140732915648704
rsp 0x7ffeef7204c8 140732915647688
r8 0xffffffff 4294967295
r9 0x3 3
r10 0x7fe0bb531150 140603192185168
r11 0x7fe0bca26c00 140603214162944
r12 0xbe8650 12486224
r13 0x7ffeef7209b8 140732915648952
r14 0x2 2
r15 0xbe8600 12486144
rip 0x7fe0bcd28aea <strlen+42>
=> 0x7fe0bcd28aea <strlen+42>: movdqu (%rax),%xmm12
0x7fe0bcd28aef <strlen+47>: pcmpeqb %xmm8,%xmm12
This is a fuzzblocker because it is occurring quite frequently.
Updated 9 years ago: Flags: needinfo?(jcoppeard)

Comment 1, 9 years ago (jonco, assignee):
Fix bug in parseModule() error handling.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8688400 - Flags: review?(terrence)

Updated 9 years ago: Attachment #8688400 - Flags: review?(terrence) → review+

Comment 3, 9 years ago (bugherder):
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45