Closed Bug 1225346 Opened 6 years ago Closed 6 years ago

Crash [@ strlen] or Crash on Heap with parseModule

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla45
Tracking Status: firefox45 --- fixed

People: Reporter: decoder, Assigned: jonco

Details: Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update,bisect][fuzzblocker]

Attachments: 1 file

The following testcase crashes on mozilla-central revision 0c648a1efbe0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions):

parseModule("", 3);



Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000007621d6 in cvt_s<char> (flags=0, prec=-1, width=0, s=0x4 <error: Cannot access memory at address 0x4>, ss=0x7ffeef7208c0) at js/src/jsprf.cpp:337
#2  dosprintf(SprintfState *, const char *, typedef __va_list_tag __va_list_tag *) (ss=ss@entry=0x7ffeef7208c0, fmt=0xbe8650 "", fmt@entry=0xbe8630 "expected filename string, got %s", ap=<optimized out>, ap@entry=0x7ffeef7209b8) at js/src/jsprf.cpp:865
#3  0x000000000076275b in JS_vsmprintf (fmt=fmt@entry=0xbe8630 "expected filename string, got %s", ap=ap@entry=0x7ffeef7209b8) at js/src/jsprf.cpp:965
#4  0x00000000006fa27b in js::ReportErrorVA (cx=cx@entry=0x7fe0bca18c00, flags=flags@entry=0, format=format@entry=0xbe8630 "expected filename string, got %s", ap=ap@entry=0x7ffeef7209b8) at js/src/jscntxt.cpp:430
#5  0x00000000006d7b7c in JS_ReportError (cx=cx@entry=0x7fe0bca18c00, format=format@entry=0xbe8630 "expected filename string, got %s") at js/src/jsapi.cpp:5281
#6  0x000000000043e762 in ParseModule (cx=0x7fe0bca18c00, argc=2, vp=0x7fe0bb531150) at js/src/shell/js.cpp:3294
#7  0x00000000008047c1 in CallJSNative (args=..., native=0x43e650 <ParseModule(JSContext*, unsigned int, JS::Value*)>, cx=0x7fe0bca18c00) at js/src/jscntxtinlines.h:235
#8  js::Invoke (cx=0x7fe0bca18c00, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:394
#9  0x00000000007ff375 in Interpret (cx=0x7fe0bca18c00, state=...) at js/src/vm/Interpreter.cpp:2691
#10 0x000000000080427d in js::RunScript (cx=cx@entry=0x7fe0bca18c00, state=...) at js/src/vm/Interpreter.cpp:341
#11 0x000000000080451f in js::Invoke (cx=cx@entry=0x7fe0bca18c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:412
#12 0x00000000008054a9 in js::Invoke (cx=cx@entry=0x7fe0bca18c00, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7ffeef721cb8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:446
#13 0x00000000009c2f18 in js::jit::DoCallFallback (cx=0x7fe0bca18c00, frame=0x7ffeef721ce8, stub_=0x7fe0b6e14ec8, argc=0, vp=0x7ffeef721ca8, res=...) at js/src/jit/BaselineIC.cpp:8748
#14 0x00007fe0be1618e4 in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rax	0x4	4
rbx	0x0	0
rcx	0x4	4
rdx	0x18	24
rsi	0xbe864e	12486222
rdi	0x4	4
rbp	0x7ffeef7208c0	140732915648704
rsp	0x7ffeef7204c8	140732915647688
r8	0xffffffff	4294967295
r9	0x3	3
r10	0x7fe0bb531150	140603192185168
r11	0x7fe0bca26c00	140603214162944
r12	0xbe8650	12486224
r13	0x7ffeef7209b8	140732915648952
r14	0x2	2
r15	0xbe8600	12486144
rip	0x7fe0bcd28aea <strlen+42>
=> 0x7fe0bcd28aea <strlen+42>:	movdqu (%rax),%xmm12
   0x7fe0bcd28aef <strlen+47>:	pcmpeqb %xmm8,%xmm12


This is a fuzzblocker because it is occurring quite frequently.
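Added example, not code from this bug, the attached patch, or SpiderMonkey. In frame #1 the %s conversion receives s=0x4, a small integer rather than a pointer, so strlen() dereferences address 4; that is the signature of an integer-valued tag (for instance an enum) being passed to a "%s" format where a char* was expected. The actual faulting line in js/src/shell/js.cpp is not shown on this page, so the ValueType enum, the type_name() table and report_error() below are constructed stand-ins that illustrate the bug class and the safe pattern: convert the tag to a string before it reaches the varargs call, and put a printf format attribute on the reporting helper so the compiler rejects the mismatch at build time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an engine's value-type tags. The real enum and
 * its numeric values are assumed, not taken from this bug page. */
typedef enum {
    VT_UNDEFINED = 0,
    VT_OBJECT,
    VT_FUNCTION,
    VT_STRING,
    VT_NUMBER,      /* a second argument of 3 would carry this tag */
    VT_BOOLEAN,
    VT_COUNT
} ValueType;

/* Buggy pattern (kept as a comment, never executed): the enum is an int,
 * but %s makes vsnprintf treat it as a char*, and strlen() then reads from
 * a tiny address such as 0x4.
 *
 *   snprintf(buf, n, "expected filename string, got %s", (int)VT_NUMBER);
 *
 * With -Wall -Wformat, gcc/clang reject this call when the callee carries
 * the format attribute used on report_error() below.
 */

/* Map the tag to a C string; an out-of-range tag yields a fixed string
 * instead of an out-of-bounds table read. */
static const char *type_name(ValueType t)
{
    static const char *const names[VT_COUNT] = {
        "undefined", "object", "function", "string", "number", "boolean"
    };
    if ((unsigned)t >= (unsigned)VT_COUNT)
        return "<unknown type>";
    return names[t];
}

/* Stand-in for an error reporter like JS_ReportError: formats into a
 * caller-supplied buffer. The format attribute makes the compiler check
 * every call site's argument types against the conversion specifiers. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int report_error(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Correct pattern: turn the tag into a string first, then hand the
 * string (not the tag) to the %s conversion. */
int filename_type_error(ValueType got, char *out, size_t out_len)
{
    return report_error(out, out_len, "expected filename string, got %s",
                        type_name(got));
}

int main(void)
{
    char msg[128];
    filename_type_error(VT_NUMBER, msg, sizeof msg);
    puts(msg);   /* expected filename string, got number */
    filename_type_error((ValueType)42, msg, sizeof msg);
    puts(msg);   /* expected filename string, got <unknown type> */
    return 0;
}
```

Compile with -Wall -Wformat=2 -Werror to turn the commented-out mismatch into a build failure rather than a fuzzer-found SIGSEGV; the attribute is what lets the compiler see through the varargs boundary.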
Flags: needinfo?(jcoppeard)
Fix bug in parseModule() error handling.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8688400 - Flags: review?(terrence)
Attachment #8688400 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/22210e873178
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45