Closed Bug 1268574 Opened 9 years ago Closed 9 years ago

Crash [@ js::IsSelfHostedFunctionWithName]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla49
Tracking Status
firefox47 --- unaffected
firefox48 --- fixed
firefox49 --- fixed

People

(Reporter: gkw, Assigned: arai)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 4292da9df16b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --ion-pgo=on):

// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1242840.js
oomTest(function() {
    ArrayBuffer;
})
// jsfunfuzz-generated
new Uint8Array(new Uint8Array());

Backtrace:

0 js-dbg-64-dm-clang-darwin-4292da9df16b 0x0000000100860bc9 js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*) + 9 (jsfun.h:173)
1 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001009019e1 GetSpeciesConstructor(JSContext*, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) + 977 (TypedArrayObject.cpp:790)
2 js-dbg-64-dm-clang-darwin-4292da9df16b 0x000000010090244f (anonymous namespace)::TypedArrayObjectTemplate<unsigned char>::fromTypedArray(JSContext*, JS::Handle<JSObject*>, bool, JS::Handle<JSObject*>) + 975 (TypedArrayObject.cpp:835)
3 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001008ecc72 (anonymous namespace)::TypedArrayObjectTemplate<unsigned char>::class_constructor(JSContext*, unsigned int, JS::Value*) + 690 (TypedArrayObject.cpp:482)
4 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007e568e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
5 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007ef876 js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 118 (jscntxtinlines.h:268)
6 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007d6640 InternalConstruct(JSContext*, js::AnyConstructArgs const&) + 496 (Interpreter.cpp:569)
7 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007d6257 js::ConstructFromStack(JSContext*, JS::CallArgs const&) + 87 (Interpreter.cpp:608)
8 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007caaf4 Interpret(JSContext*, js::RunState&) + 48212 (Interpreter.cpp:2823)
9 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007bedd7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
10 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007d73d4 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:704)
11 js-dbg-64-dm-clang-darwin-4292da9df16b 0x00000001007d7755 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
12 js-dbg-64-dm-clang-darwin-4292da9df16b 0x000000010059cab1 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4399)
13 js-dbg-64-dm-clang-darwin-4292da9df16b 0x000000010059cd22 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
14 js-dbg-64-dm-clang-darwin-4292da9df16b 0x0000000100021149 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530)
15 js-dbg-64-dm-clang-darwin-4292da9df16b 0x0000000100006214 main + 11748 (js.cpp:6758)
16 js-dbg-64-dm-clang-darwin-4292da9df16b 0x0000000100001474 start + 52

For detailed crash information, see attachment.

TypedArrays involved -> s-s for now pending further analysis.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1837056e2ce2
user: Tooru Fujisawa
date: Thu Jan 14 19:37:04 2016 +0900
summary: Bug 1165053 - Part 9: Add IsArrayBufferSpecies and avoid calling SpeciesConstructor on normal case. r=lth

Arai-san, is bug 1165053 a likely regressor?
Blocks: 1165053
Flags: needinfo?(arai.unmht)
Yes, and similar code was copied in bug 1165052 too. There, GetGetterPure can return true with getter=nullptr when the object has no getter function. So, if the ArrayBuffer or Array object has no @@species property, it will crash with a null dereference.
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
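The failure mode described in the comment above, as an added illustration that is not SpiderMonkey code and not the patch from this bug: a pure getter lookup whose boolean result only reports "lookup could be answered", with the out-parameter left nullptr when the property is absent or is a data property. `Function`, `Object`, the stand-in `GetGetterPure`, `IsSpeciesUnchecked`, `IsSpeciesChecked`, `CtorState` and `MakeArrayBufferCtor` are all hypothetical names introduced here; the `MissingSpecies` state models a constructor with no @@species accessor, which is what the oomTest testcase leaves behind when lazy initialisation of ArrayBuffer fails partway.

```cpp
#include <map>
#include <string>

// Stand-in for a JSFunction: the check only cares whether the getter is the
// self-hosted species getter, so a name and an origin flag are all we model.
struct Function {
    std::string name;
    bool selfHosted;
};

// Stand-in for a JSObject (hypothetical, not SpiderMonkey's JSObject):
// accessor properties carry a getter, data properties do not.
struct Object {
    std::map<std::string, Function*> getters;   // accessor properties
    std::map<std::string, int> dataProps;       // data properties
};

// Hypothetical stand-in for GetGetterPure. The contract the regressed code
// missed: the return value says only whether the lookup could be answered
// without running script. "true" with *fn == nullptr means the property is
// absent or is a data property, so there is no getter to inspect.
bool GetGetterPure(const Object& obj, const std::string& name, Function** fn) {
    *fn = nullptr;
    auto it = obj.getters.find(name);
    if (it != obj.getters.end()) {
        *fn = it->second;
    }
    return true;
}

// Regressed shape: dereferences fn as soon as the lookup succeeds. With a
// constructor that has no @@species getter, fn is nullptr here and this is
// the frame at the top of the backtrace. Kept only to show the faulty
// pattern; never call it on such an object.
bool IsSpeciesUnchecked(const Object& ctor) {
    Function* fn;
    if (!GetGetterPure(ctor, "@@species", &fn)) {
        return false;
    }
    return fn->selfHosted && fn->name == "ArrayBufferSpecies";
}

// Fixed shape: "no getter" is handled like "could not determine", so the
// caller falls back to the generic SpeciesConstructor path instead of
// assuming the fast path.
bool IsSpeciesChecked(const Object& ctor) {
    Function* fn;
    if (!GetGetterPure(ctor, "@@species", &fn) || !fn) {
        return false;
    }
    return fn->selfHosted && fn->name == "ArrayBufferSpecies";
}

// Constructed sample constructors (not real engine state).
enum class CtorState { Intact, MissingSpecies, UserSpecies };

Object MakeArrayBufferCtor(CtorState state) {
    static Function selfHostedSpecies{"ArrayBufferSpecies", true};
    static Function userSpecies{"get species", false};
    Object ctor;
    ctor.dataProps["prototype"] = 0;
    switch (state) {
    case CtorState::Intact:
        ctor.getters["@@species"] = &selfHostedSpecies;
        break;
    case CtorState::MissingSpecies:
        // Half-initialised constructor (OOM during lazy init) or one whose
        // @@species was deleted by script: no accessor at all.
        break;
    case CtorState::UserSpecies:
        // Script replaced @@species; the fast path must not be taken.
        ctor.getters["@@species"] = &userSpecies;
        break;
    }
    return ctor;
}

int main() {
    // The checked variant answers all three states without dereferencing null.
    bool intact  = IsSpeciesChecked(MakeArrayBufferCtor(CtorState::Intact));         // true
    bool missing = IsSpeciesChecked(MakeArrayBufferCtor(CtorState::MissingSpecies));  // false
    bool user    = IsSpeciesChecked(MakeArrayBufferCtor(CtorState::UserSpecies));     // false
    return (intact && !missing && !user) ? 0 : 1;
}
```

The point of the checked variant is that a false answer is always safe: it only costs the fast path, and the slow SpeciesConstructor lookup then handles a missing or user-defined @@species per spec.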
Attachment #8746620 - Flags: review?(lhansen)
Attachment #8746620 - Flags: review?(lhansen) → review+
Thank you for reviewing! This is just a null dereference, so I'll land this patch shortly.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Comment on attachment 8746620 [details] [diff] [review]
Check the outparam JSFunction* value after GetGetterPure.

same patch is applicable to mozilla-aurora

Approval Request Comment
> [Feature/regressing bug #] bug 1165052 and bug 1165053
> [User impact if declined] Crash when opening certain webpage.
> [Describe test coverage new/current, TreeHerder] Tested in mozilla-central automated test.
> [Risks and why] Low, just added null check.
> [String/UUID change made/needed] None
Attachment #8746620 - Flags: approval-mozilla-aurora?
Comment on attachment 8746620 [details] [diff] [review]
Check the outparam JSFunction* value after GetGetterPure.

Crash fix, regression from 48, please uplift to aurora.
Attachment #8746620 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+