Closed Bug 1225346 Opened 9 years ago Closed 9 years ago

Crash [@ strlen] or Crash on Heap with parseModule

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0c648a1efbe0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions):

parseModule("", 3);

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000007621d6 in cvt_s<char> (flags=0, prec=-1, width=0, s=0x4 <error: Cannot access memory at address 0x4>, ss=0x7ffeef7208c0) at js/src/jsprf.cpp:337
#2  dosprintf(SprintfState *, const char *, typedef __va_list_tag __va_list_tag *) (ss=ss@entry=0x7ffeef7208c0, fmt=0xbe8650 "", fmt@entry=0xbe8630 "expected filename string, got %s", ap=<optimized out>, ap@entry=0x7ffeef7209b8) at js/src/jsprf.cpp:865
#3  0x000000000076275b in JS_vsmprintf (fmt=fmt@entry=0xbe8630 "expected filename string, got %s", ap=ap@entry=0x7ffeef7209b8) at js/src/jsprf.cpp:965
#4  0x00000000006fa27b in js::ReportErrorVA (cx=cx@entry=0x7fe0bca18c00, flags=flags@entry=0, format=format@entry=0xbe8630 "expected filename string, got %s", ap=ap@entry=0x7ffeef7209b8) at js/src/jscntxt.cpp:430
#5  0x00000000006d7b7c in JS_ReportError (cx=cx@entry=0x7fe0bca18c00, format=format@entry=0xbe8630 "expected filename string, got %s") at js/src/jsapi.cpp:5281
#6  0x000000000043e762 in ParseModule (cx=0x7fe0bca18c00, argc=2, vp=0x7fe0bb531150) at js/src/shell/js.cpp:3294
#7  0x00000000008047c1 in CallJSNative (args=..., native=0x43e650 <ParseModule(JSContext*, unsigned int, JS::Value*)>, cx=0x7fe0bca18c00) at js/src/jscntxtinlines.h:235
#8  js::Invoke (cx=0x7fe0bca18c00, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:394
#9  0x00000000007ff375 in Interpret (cx=0x7fe0bca18c00, state=...) at js/src/vm/Interpreter.cpp:2691
#10 0x000000000080427d in js::RunScript (cx=cx@entry=0x7fe0bca18c00, state=...) at js/src/vm/Interpreter.cpp:341
#11 0x000000000080451f in js::Invoke (cx=cx@entry=0x7fe0bca18c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:412
#12 0x00000000008054a9 in js::Invoke (cx=cx@entry=0x7fe0bca18c00, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7ffeef721cb8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:446
#13 0x00000000009c2f18 in js::jit::DoCallFallback (cx=0x7fe0bca18c00, frame=0x7ffeef721ce8, stub_=0x7fe0b6e14ec8, argc=0, vp=0x7ffeef721ca8, res=...) at js/src/jit/BaselineIC.cpp:8748
#14 0x00007fe0be1618e4 in ?? ()
[...]
#24 0x0000000000000000 in ?? ()

rax 0x4 4
rbx 0x0 0
rcx 0x4 4
rdx 0x18 24
rsi 0xbe864e 12486222
rdi 0x4 4
rbp 0x7ffeef7208c0 140732915648704
rsp 0x7ffeef7204c8 140732915647688
r8 0xffffffff 4294967295
r9 0x3 3
r10 0x7fe0bb531150 140603192185168
r11 0x7fe0bca26c00 140603214162944
r12 0xbe8650 12486224
r13 0x7ffeef7209b8 140732915648952
r14 0x2 2
r15 0xbe8600 12486144
rip 0x7fe0bcd28aea <strlen+42>
=> 0x7fe0bcd28aea <strlen+42>: movdqu (%rax),%xmm12
   0x7fe0bcd28aef <strlen+47>: pcmpeqb %xmm8,%xmm12

This is a fuzzblocker because it is occurring quite frequently.
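The backtrace shows the "%s" conversion in JS_vsmprintf calling strlen() on s=0x4, i.e. an argument that was not a C-string pointer reached a printf-style error reporter. The following is an added example, not code from this bug or from SpiderMonkey, that reproduces the defect class with a constructed type-tag enum and a hypothetical ReportError() stand-in, and shows the two defences a reviewer would ask for: compile-time format checking and converting the tag to a string before it is formatted.

```cpp
// Added example, not SpiderMonkey code: a printf-style "%s" that receives a
// small integer instead of a C-string pointer, so the formatter's strlen()
// dereferences that integer as an address (s=0x4 in the report).
#include <cstdarg>
#include <cstdio>
#include <string>

// Constructed type-tag enum (hypothetical; the page does not give the type of
// the bad argument). Passed through varargs, a small value like these cannot
// be told apart from a pointer until the formatter dereferences it.
enum ValueType { T_UNDEFINED = 0, T_OBJECT, T_FUNCTION, T_STRING, T_NUMBER };

// Hypothetical stand-in for JS_ReportError(). The format attribute makes
// GCC/Clang type-check every "%s" argument at compile time (-Wformat, which
// -Wall enables), the cheapest guard against this bug class.
__attribute__((format(printf, 1, 2)))
std::string ReportError(const char* fmt, ...) {
  char buf[256];
  va_list ap;
  va_start(ap, fmt);
  vsnprintf(buf, sizeof buf, fmt, ap);
  va_end(ap);
  return buf;
}

// Turn the tag into a real string before it goes anywhere near "%s".
const char* TypeName(ValueType t) {
  switch (t) {
    case T_UNDEFINED: return "undefined";
    case T_OBJECT:    return "object";
    case T_FUNCTION:  return "function";
    case T_STRING:    return "string";
    case T_NUMBER:    return "number";
  }
  return "unknown";
}

// Hardened reporter for the "filename is not a string" case.
std::string ExpectedStringError(ValueType got) {
  // Buggy form, rejected at compile time once the format attribute is present:
  //   return ReportError("expected filename string, got %s", got);
  // Without the attribute it compiles; at run time the behaviour is undefined
  // and in practice strlen() reads from the integer's value as an address,
  // 0x4 for T_NUMBER here, the same address the report's strlen() faulted on.
  return ReportError("expected filename string, got %s", TypeName(got));
}
```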
Flags: needinfo?(jcoppeard)
Fix bug in parseModule() error handling.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8688400 - Flags: review?(terrence)
Attachment #8688400 - Flags: review?(terrence) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45