Closed Bug 1261817 Opened 3 years ago Closed 3 years ago

Crash [@ js::frontend::Parser<js::frontend::FullParseHandler>::strictMode]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

RESOLVED DUPLICATE of bug 1161312

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

The following testcase crashes on mozilla-central revision cfd51e67b26e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

lfLogBuffer = ` 
function loadFile(lfVarx) 
                evaluate(lfVarx, new Error);
GetRawTimezoneOffset()
function GetRawTimezoneOffset() {
           var t1 = new Date(000);
}
`
lfCodeBuffer = ""
while (true) {
  line = lfLogBuffer;
  loadFile(lfCodeBuffer);
  lfCodeBuffer = line;
}
function loadFile(lfVarx)
  evaluate(lfVarx);
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::frontend::Parser<js::frontend::FullParseHandler>::strictMode (this=0x7fffffffb630) at js/src/frontend/Parser.h:711
#0  js::frontend::Parser<js::frontend::FullParseHandler>::strictMode (this=0x7fffffffb630) at js/src/frontend/Parser.h:711
#1  0x0000000000c3c375 in strictMode (this=0x7fffffffb660) at js/src/frontend/TokenStream.h:436
#2  js::frontend::TokenStream::reportStrictModeError (this=this@entry=0x7fffffffb660, errorNumber=errorNumber@entry=175) at js/src/frontend/TokenStream.cpp:717
#3  0x0000000000c3ded3 in js::frontend::TokenStream::getTokenInternal (this=this@entry=0x7fffffffb660, ttp=ttp@entry=0x7fffffffad50, modifier=modifier@entry=js::frontend::Token::None) at js/src/frontend/TokenStream.cpp:1363
#4  0x00000000004dfe60 in peekTokenPos (modifier=js::frontend::Token::None, posp=0x7ffff698b024, this=0x7fffffffb660) at js/src/frontend/TokenStream.h:578
#5  js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction (this=this@entry=0x7fffffffb630, fun=..., fun@entry=..., strict=false, generatorKind=js::NotGenerator) at js/src/frontend/Parser.cpp:3070
#6  0x0000000000c19cdb in js::frontend::CompileLazyFunction (cx=cx@entry=0x7ffff6908800, lazy=lazy@entry=..., chars=<optimized out>, length=41) at js/src/frontend/BytecodeCompiler.cpp:821
#7  0x0000000000918824 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff6908800, fun=fun@entry=...) at js/src/jsfun.cpp:1425
#8  0x00000000004a16a1 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:413
#9  0x00000000009185b1 in functionDelazifying (cx=0x7ffff6908800, this=<optimized out>) at js/src/jsscriptinlines.h:91
#10 JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff6908800, fun=fun@entry=...) at js/src/jsfun.cpp:1376
#11 0x00000000004a16a1 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:413
#12 0x0000000000a8b0fb in Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2819
#13 0x0000000000a981c8 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
#14 0x0000000000a9af39 in js::ExecuteKernel (cx=cx@entry=0x7ffff6908800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7ffff3183110) at js/src/vm/Interpreter.cpp:682
#15 0x0000000000a9b218 in js::Execute (cx=cx@entry=0x7ffff6908800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7ffff3183110) at js/src/vm/Interpreter.cpp:715
#16 0x00000000008d1f58 in ExecuteScript (cx=cx@entry=0x7ffff6908800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7ffff3183110) at js/src/jsapi.cpp:4372
#17 0x00000000008d5b19 in JS_ExecuteScript (cx=cx@entry=0x7ffff6908800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4398
#18 0x0000000000495101 in Evaluate (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7ffff3183110) at js/src/shell/js.cpp:1514
#19 0x0000000000a9bee2 in js::CallJSNative (cx=0x7ffff6908800, native=0x494850 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#31 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7443
rax	0x0	0
rbx	0x7fffffffb660	140737488336480
rcx	0x7fffffffb8c8	140737488337096
rdx	0x0	0
rsi	0xaf	175
rdi	0x7fffffffb630	140737488336432
rbp	0x7fffffffaaa0	140737488333472
rsp	0x7fffffffaaa0	140737488333472
r8	0x1d	29
r9	0x7fffffffb630	140737488336432
r10	0x7ffff6909400	140737330058240
r11	0x1b	27
r12	0xaf	175
r13	0x7fffffffb660	140737488336480
r14	0x7ffff317dd02	140737271815426
r15	0x7ffff317dd52	140737271815506
rip	0x4e03eb <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>
=> 0x4e03eb <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>:	mov    0x8(%rax),%rdx
   0x4e03ef <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+15>:	mov    $0x1,%eax


Please note that this testcase is whitespace sensitive. Removing spaces in line 3 causes parts of line 4 to show up in the error message instead of crashing. Marking s-s because this sounds like some buffers aren't right and we could potentially go out of bounds. Remove s-s when it's confirmed that this will always be a null-deref.
Flags: needinfo?(winter2718)
Flags: needinfo?(jorendorff)
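The comment above asks whether this will always be a null-deref rather than an out-of-bounds read; the register dump already answers that for this instance (rax is 0 and the faulting instruction reads 0x8(%rax)). As an added example, not part of this bug report or of the SpiderMonkey tree, here is a small Python triage helper that applies that check mechanically: it parses a gdb register dump plus the `=>` instruction line, computes the effective address of the memory operand, and reports whether it falls in the unmapped zero page. The sample dump is a subset of the one quoted in this report; the 0x1000 zero-page size, the function names and the "needs-review" category are assumptions.

```python
import re
# Constructed sample: a subset of the gdb register dump and the faulting
# instruction quoted in this report (tab-separated, as gdb prints them).
GDB_DUMP = """\
rax\t0x0\t0
rbx\t0x7fffffffb660\t140737488336480
=> 0x4e03eb <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>:\tmov    0x8(%rax),%rdx
"""
REG_RE = re.compile(r"^(r[a-z0-9]+)\t(0x[0-9a-f]+)")
# AT&T memory operand: [disp](%base[,%index[,scale]])
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%\w+)(?:,(%\w+)(?:,(\d))?)?\)")
ZERO_PAGE = 0x1000  # assumption: the lowest page is unmapped on this target
MASK64 = (1 << 64) - 1

def parse_registers(dump):
    # 'name<TAB>0x..' lines -> {name: int}
    regs = {}
    for line in dump.splitlines():
        m = REG_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def faulting_instruction(dump):
    # gdb marks the current pc line with '=>'; mnemonic and operands follow the tab
    for line in dump.splitlines():
        if line.startswith("=>") and "\t" in line:
            return line.split("\t", 1)[1].strip()
    return None

def effective_address(insn, regs):
    # base + index*scale + disp of the first memory operand, wrapped to 64 bits
    m = MEM_RE.search(insn or "")
    if not m:
        return None
    disp = int(m.group(1), 16) if m.group(1) else 0
    base = regs[m.group(2).lstrip("%")]
    index = regs[m.group(3).lstrip("%")] if m.group(3) else 0
    scale = int(m.group(4)) if m.group(4) else 1
    return (base + index * scale + disp) & MASK64

def classify(dump):
    # null-deref when the address is in the zero page (or just below it after a
    # negative displacement); any other address needs a look at the buffer logic
    ea = effective_address(faulting_instruction(dump), parse_registers(dump))
    if ea is None:
        return "no-memory-operand"
    if ea < ZERO_PAGE or ea > MASK64 - ZERO_PAGE:
        return "null-deref"
    return "needs-review"
```

A "needs-review" result does not prove an out-of-bounds access; it only means the zero-page heuristic cannot rule one out, which is exactly the case the s-s flag is kept for.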
This could be related to https://bugzilla.mozilla.org/show_bug.cgi?id=1205298, investigating.
Flags: needinfo?(winter2718)
evaluate(lfVarx, new Error) --> bug 1161312.  :-\
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1161312
Flags: needinfo?(jorendorff)
Group: javascript-core-security