Bug 1268574 - Crash [@ js::IsSelfHostedFunctionWithName]
Opened 8 years ago, Closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla49

Version | Tracking | Status
---|---|---
firefox47 | --- | unaffected
firefox48 | --- | fixed
firefox49 | --- | fixed
People: Reporter: gkw, Assigned: arai
Keywords: crash, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
- 31.14 KB, text/plain (detailed crash information)
- 2.65 KB, patch: lth: review+; lizzard: approval-mozilla-aurora+
Reporter, Description

The following testcase crashes on mozilla-central revision 4292da9df16b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --ion-pgo=on):

// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1242840.js
oomTest(function() {
    ArrayBuffer;
})
// jsfunfuzz-generated
new Uint8Array(new Uint8Array());

Backtrace:

0 js-dbg-64-dm-clang-darwin-4292da9df16b 0x0000000100860bc9 js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*) + 9 (jsfun.h:173)
1 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001009019e1 GetSpeciesConstructor(JSContext*, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) + 977 (TypedArrayObject.cpp:790)
2 js-dbg-64-dm-clang-darwin-4292da9df16b 0x000000010090244f (anonymous namespace)::TypedArrayObjectTemplate<unsigned char>::fromTypedArray(JSContext*, JS::Handle<JSObject*>, bool, JS::Handle<JSObject*>) + 975 (TypedArrayObject.cpp:835)
3 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001008ecc72 (anonymous namespace)::TypedArrayObjectTemplate<unsigned char>::class_constructor(JSContext*, unsigned int, JS::Value*) + 690 (TypedArrayObject.cpp:482)
4 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007e568e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
5 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007ef876 js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 118 (jscntxtinlines.h:268)
6 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007d6640 InternalConstruct(JSContext*, js::AnyConstructArgs const&) + 496 (Interpreter.cpp:569)
7 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007d6257 js::ConstructFromStack(JSContext*, JS::CallArgs const&) + 87 (Interpreter.cpp:608)
8 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007caaf4 Interpret(JSContext*, js::RunState&) + 48212 (Interpreter.cpp:2823)
9 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007bedd7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
10 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007d73d4 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:704)
11 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007d7755 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
12 js-dbg-64-dm-clang-darwin-4292da9df16b 0x000000010059cab1 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4399)
13 js-dbg-64-dm-clang-darwin-4292da9df16b 0x000000010059cd22 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
14 js-dbg-64-dm-clang-darwin-4292da9df16b 0x0000000100021149 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530)
15 js-dbg-64-dm-clang-darwin-4292da9df16b 0x0000000100006214 main + 11748 (js.cpp:6758)
16 js-dbg-64-dm-clang-darwin-4292da9df16b 0x0000000100001474 start + 52

For detailed crash information, see attachment.

TypedArrays involved -> s-s for now pending further analysis.
Reporter, Comment 1•8 years ago

Reporter, Comment 2•8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1837056e2ce2
user: Tooru Fujisawa
date: Thu Jan 14 19:37:04 2016 +0900
summary: Bug 1165053 - Part 9: Add IsArrayBufferSpecies and avoid calling SpeciesConstructor on normal case. r=lth

Arai-san, is bug 1165053 a likely regressor?
Blocks: 1165053
Flags: needinfo?(arai.unmht)
Assignee, Comment 3•8 years ago
Yes, and similar code was copied in bug 1165052 too. There GetGetterPure can return true with getter=nullptr when the object has no getter function. So, if ArrayBuffer or Array object has no @@species property, it will crash with null dereference.
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
Attachment #8746620 - Flags: review?(lhansen)
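The contract comment 3 describes (GetGetterPure returning true while leaving the JSFunction* outparam null when the property has no getter, and IsSelfHostedFunctionWithName then dereferencing it) is the kind of bug that is easy to model in isolation. The block below is an added example, not SpiderMonkey code and not the patch on this bug: Function, Object, MakeDefaultCtor and the other helpers are hypothetical stand-ins for JSFunction, the constructor's property map and the three ways a constructor can end up without a self-hosted @@species getter (overridden, deleted, or replaced by a data property). It shows the pre-fix caller beside the fixed one, which treats a null outparam as "not the default species" instead of passing it on.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Hypothetical stand-ins for SpiderMonkey's JSFunction and a property map;
// none of this is SpiderMonkey code.
struct Function {
    std::string name;
    bool selfHosted;
};

// A constructor object: property id -> getter. A null getter models a data
// property (no accessor); an absent key models a deleted property.
using Object = std::map<std::string, Function*>;

// Models the contract of GetGetterPure as described in comment 3: the return
// value only reports whether the pure lookup succeeded. On success *getter is
// the accessor's getter if there is one and nullptr otherwise, so "true" does
// not mean "getter is non-null".
bool GetGetterPure(const Object& obj, const std::string& id, Function** getter) {
    *getter = nullptr;
    auto it = obj.find(id);
    if (it != obj.end())
        *getter = it->second;   // may be nullptr for a non-accessor property
    return true;                // the lookup itself succeeded
}

// Models IsSelfHostedFunctionWithName: dereferences fun unconditionally, which
// is why the null outparam surfaces as a crash in that frame of the backtrace.
bool IsSelfHostedFunctionWithName(const Function* fun, const std::string& name) {
    return fun->selfHosted && fun->name == name;
}

// The self-hosted default @@species getter and a user-defined replacement.
static Function gDefaultSpecies{"ArrayBufferSpecies", true};
static Function gUserSpecies{"species", false};

// Constructed sample inputs covering the cases the fix has to survive.
Object MakeDefaultCtor()    { return {{"@@species", &gDefaultSpecies}}; }
Object MakeOverriddenCtor() { return {{"@@species", &gUserSpecies}}; }
Object MakeDeletedCtor()    { return {}; }
Object MakeDataPropCtor()   { return {{"@@species", nullptr}}; }

// Before the fix: trusts the bool and forwards a possibly-null getter.
// Calling this on MakeDeletedCtor() or MakeDataPropCtor() is a null deref.
bool IsArrayBufferSpeciesBuggy(const Object& ctor) {
    Function* getter;
    if (!GetGetterPure(ctor, "@@species", &getter))
        return false;
    return IsSelfHostedFunctionWithName(getter, "ArrayBufferSpecies");
}

// After the fix: a null outparam means "no getter", which cannot be the
// self-hosted default, so report false and let the caller take the slow path.
bool IsArrayBufferSpeciesFixed(const Object& ctor) {
    Function* getter;
    if (!GetGetterPure(ctor, "@@species", &getter))
        return false;
    if (!getter)
        return false;
    return IsSelfHostedFunctionWithName(getter, "ArrayBufferSpecies");
}

int main() {
    std::printf("default:    %d\n", IsArrayBufferSpeciesFixed(MakeDefaultCtor()));
    std::printf("overridden: %d\n", IsArrayBufferSpeciesFixed(MakeOverriddenCtor()));
    std::printf("deleted:    %d\n", IsArrayBufferSpeciesFixed(MakeDeletedCtor()));
    std::printf("data prop:  %d\n", IsArrayBufferSpeciesFixed(MakeDataPropCtor()));
    return 0;
}
```

The point worth keeping from this: when a lookup helper separates "did the operation succeed" from "did it find anything", the success flag says nothing about the outparam, and every caller has to check the pointer itself before handing it to a function that dereferences it.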
Assignee, Updated•8 years ago

Updated•8 years ago
Attachment #8746620 - Flags: review?(lhansen) → review+
Assignee, Comment 4•8 years ago
Thank you for reviewing! This is just a null dereference, so I'll land this patch shortly.
Assignee, Comment 5•8 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/a98eb29982c8395f0ded9b91b87978957b54a09f
Bug 1268574 - Check the outparam JSFunction* value after GetGetterPure. r=lth
Updated•8 years ago
Group: javascript-core-security
bugherder, Comment 6•8 years ago
https://hg.mozilla.org/mozilla-central/rev/a98eb29982c8
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Assignee, Comment 7•8 years ago
Comment on attachment 8746620 [details] [diff] [review]
Check the outparam JSFunction* value after GetGetterPure.

The same patch is applicable to mozilla-aurora.

Approval Request Comment
> [Feature/regressing bug #] bug 1165052 and bug 1165053
> [User impact if declined] Crash when opening certain webpages.
> [Describe test coverage new/current, TreeHerder] Tested in mozilla-central automated test.
> [Risks and why] Low, just added null check.
> [String/UUID change made/needed] None
Attachment #8746620 - Flags: approval-mozilla-aurora?
Comment 8•8 years ago
Comment on attachment 8746620 [details] [diff] [review]
Check the outparam JSFunction* value after GetGetterPure.

Crash fix, regression from 48, please uplift to aurora.
Attachment #8746620 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
bugherder uplift, Comment 9•8 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/28d54417440f