Crash [@ js::str_replace_string_raw] with OOM

RESOLVED FIXED in Firefox 48

Status

()

defect
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: decoder, Assigned: arai)

Tracking

(Blocks 2 bugs, {assertion, regression, testcase})

Trunk
mozilla48
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox48 fixed)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

Attachments

(1 attachment)

Reporter

Description

3 years ago
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

lfLogBuffer = `



"".replace([[2], 3])
`.split('\n');

lfCodeBuffer = ""
while (true) {
    line = lfLogBuffer.shift()
    if (line == null) break
    loadFile()
    lfCodeBuffer += line + "\n"
}
loadFile(lfCodeBuffer);
function loadFile(lfVarx)
 oomTest(function() eval(lfVarx))



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::str_replace_string_raw (cx=0x7ffff6908800, string=string@entry=..., pattern=pattern@entry=..., replacement=..., replacement@entry=...) at js/src/jsstr.cpp:2321
#0  js::str_replace_string_raw (cx=0x7ffff6908800, string=string@entry=..., pattern=pattern@entry=..., replacement=..., replacement@entry=...) at js/src/jsstr.cpp:2321
#1  0x0000000000add46d in intrinsic_StringReplaceString (cx=<optimized out>, argc=<optimized out>, vp=0x7ffff31f62a0) at js/src/vm/SelfHosting.cpp:1623
#2  0x0000000000a908c2 in js::CallJSNative (cx=0x7ffff6908800, native=0xadd390 <intrinsic_StringReplaceString(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#3  0x0000000000a8cdc7 in js::Invoke (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
[...]
#45 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff6908800	140737330055168
rcx	0x0	0
rdx	0x7fffffffa3d0	140737488331728
rsi	0x7ffff694b800	140737330329600
rdi	0x7fffffffa1b0	140737488331184
rbp	0x7fffffffa550	140737488332112
rsp	0x7fffffffa320	140737488331552
r8	0x7ffff7e89180	140737352601984
r9	0x1	1
r10	0x7fffffffa260	140737488331360
r11	0x1b	27
r12	0x7fffffffa570	140737488332144
r13	0x7fffffffa590	140737488332176
r14	0x7fffffffa5a0	140737488332192
r15	0x7ffff6908850	140737330055248
rip	0x99590c <js::str_replace_string_raw(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>, JS::Handle<JSString*>)+156>
=> 0x99590c <js::str_replace_string_raw(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>, JS::Handle<JSString*>)+156>:	mov    0x4(%rax),%r15d
   0x995910 <js::str_replace_string_raw(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>, JS::Handle<JSString*>)+160>:	lea    -0xc0(%rbp),%rax
Assignee

Comment 1

3 years ago
This is a regression from bug 887016.

It's a null pointer dereference because of not-checking the return value of AtomizeString.
I'll prepare a patch shortly.
Assignee: nobody → arai.unmht
Blocks: 887016
Keywords: regression
Assignee

Comment 2

3 years ago
Just added the null check.

I cannot reduce the testcase from there, so just renamed the variable to somewhat readable.
Attachment #8740793 - Flags: review?(hv1989)
Attachment #8740793 - Flags: review?(hv1989) → review+
Assignee

Comment 3

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/c70372e8bd86cfb1c568a20448f88ce88f3c98e9
Bug 1263879 - Check the return value of AtomizeString in str_replace_string_raw. r=h4writer

Comment 4

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c70372e8bd86
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in before you can comment on or make changes to this bug.