Closed Bug 1268574 Opened 6 years ago Closed 6 years ago

Crash [@ js::IsSelfHostedFunctionWithName]

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 macOS
Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED
mozilla49
Tracking Status
firefox47 --- unaffected
firefox48 --- fixed
firefox49 --- fixed

People

(Reporter: gkw, Assigned: arai)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 4292da9df16b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --ion-pgo=on):

// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1242840.js
oomTest(function() {
    ArrayBuffer;
})
// jsfunfuzz-generated
new Uint8Array(new Uint8Array());

Backtrace:

0   js-dbg-64-dm-clang-darwin-4292da9df16b	0x0000000100860bc9 js::IsSelfHostedFunctionWithName(JSFunction*, JSAtom*) + 9 (jsfun.h:173)
1   js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001009019e1 GetSpeciesConstructor(JSContext*, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) + 977 (TypedArrayObject.cpp:790)
2   js-dbg-64-dm-clang-darwin-4292da9df16b	0x000000010090244f (anonymous namespace)::TypedArrayObjectTemplate<unsigned char>::fromTypedArray(JSContext*, JS::Handle<JSObject*>, bool, JS::Handle<JSObject*>) + 975 (TypedArrayObject.cpp:835)
3   js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001008ecc72 (anonymous namespace)::TypedArrayObjectTemplate<unsigned char>::class_constructor(JSContext*, unsigned int, JS::Value*) + 690 (TypedArrayObject.cpp:482)
4   js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001007e568e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
5   js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001007ef876 js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 118 (jscntxtinlines.h:268)
6   js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001007d6640 InternalConstruct(JSContext*, js::AnyConstructArgs const&) + 496 (Interpreter.cpp:569)
7   js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001007d6257 js::ConstructFromStack(JSContext*, JS::CallArgs const&) + 87 (Interpreter.cpp:608)
8   js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001007caaf4 Interpret(JSContext*, js::RunState&) + 48212 (Interpreter.cpp:2823)
9   js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001007bedd7 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
10  js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001007d73d4 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:704)
11  js-dbg-64-dm-clang-darwin-4292da9df16b	0x00000001007d7755 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
12  js-dbg-64-dm-clang-darwin-4292da9df16b	0x000000010059cab1 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4399)
13  js-dbg-64-dm-clang-darwin-4292da9df16b	0x000000010059cd22 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
14  js-dbg-64-dm-clang-darwin-4292da9df16b	0x0000000100021149 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530)
15  js-dbg-64-dm-clang-darwin-4292da9df16b	0x0000000100006214 main + 11748 (js.cpp:6758)
16  js-dbg-64-dm-clang-darwin-4292da9df16b	0x0000000100001474 start + 52

For detailed crash information, see attachment.

TypedArrays involved -> s-s for now pending further analysis.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1837056e2ce2
user:        Tooru Fujisawa
date:        Thu Jan 14 19:37:04 2016 +0900
summary:     Bug 1165053 - Part 9: Add IsArrayBufferSpecies and avoid calling SpeciesConstructor on normal case. r=lth

Arai-san, is bug 1165053 a likely regressor?
Blocks: 1165053
Flags: needinfo?(arai.unmht)
Yes, and similar code was copied in bug 1165052 too.

There, GetGetterPure can return true with getter=nullptr when the object has no getter function.
So, if the ArrayBuffer or Array object has no @@species property, it will crash with a null dereference.
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
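To make the failure mode in the comment above concrete, here is an added example that is not SpiderMonkey's code and not part of this bug: a stand-in GetGetterPure whose boolean return reports only that the pure lookup succeeded, with the found getter delivered through an outparam that may legitimately be nullptr. The names PureObject, PureFunction, IsDefaultSpeciesUnchecked, IsDefaultSpeciesChecked and the "ArrayBufferSpecies" string are assumptions chosen for illustration; the real signatures in TypedArrayObject.cpp and jsfun.h are not reproduced here.

```cpp
// Added example: models the GetGetterPure outparam pattern described in the
// bug comment. PureObject, PureFunction and the function names below are
// stand-ins for illustration, not SpiderMonkey's actual types or code.
#include <cassert>
#include <cstddef>
#include <map>
#include <string>

struct PureFunction {
    std::string name;
    bool selfHosted;
};

// Minimal object model: accessor properties carry a getter, data properties do not.
struct PureObject {
    std::map<std::string, PureFunction*> getters;  // accessor properties
    std::map<std::string, int> dataProps;          // data properties
};

// Contract mirrored from the comment: the return value says whether the lookup
// could be done purely (no side effects). It does NOT say a getter was found;
// on success *getter is nullptr when the property has no getter.
bool GetGetterPure(const PureObject& obj, const std::string& name, PureFunction** getter) {
    *getter = nullptr;
    auto it = obj.getters.find(name);
    if (it != obj.getters.end())
        *getter = it->second;
    return true;  // lookup succeeded even if nothing was found
}

// Stand-in for IsSelfHostedFunctionWithName: dereferences fun unconditionally,
// which is why every caller must reject nullptr first.
bool IsSelfHostedFunctionWithName(const PureFunction* fun, const std::string& name) {
    return fun->selfHosted && fun->name == name;
}

// Regression shape: trusts the bool and passes the outparam straight through.
// Undefined behaviour (null dereference) when obj has no @@species getter.
bool IsDefaultSpeciesUnchecked(const PureObject& obj) {
    PureFunction* getter;
    if (!GetGetterPure(obj, "@@species", &getter))
        return false;
    return IsSelfHostedFunctionWithName(getter, "ArrayBufferSpecies");
}

// Fixed shape: check the outparam after GetGetterPure and fall back to the
// generic SpeciesConstructor path (here: return false) when there is no getter.
bool IsDefaultSpeciesChecked(const PureObject& obj) {
    PureFunction* getter;
    if (!GetGetterPure(obj, "@@species", &getter))
        return false;
    if (!getter)
        return false;
    return IsSelfHostedFunctionWithName(getter, "ArrayBufferSpecies");
}

// Constructed sample objects (assumed shapes, not real engine state).
static PureFunction kDefaultSpecies{"ArrayBufferSpecies", true};
static PureFunction kUserSpecies{"userSpecies", false};

PureObject MakeObjectWithDefaultSpecies() {
    PureObject obj;
    obj.getters["@@species"] = &kDefaultSpecies;
    return obj;
}

PureObject MakeObjectWithUserSpecies() {
    PureObject obj;
    obj.getters["@@species"] = &kUserSpecies;
    return obj;
}

PureObject MakeObjectWithoutSpecies() {
    PureObject obj;
    obj.dataProps["length"] = 0;  // no @@species accessor at all
    return obj;
}
```

The test below deliberately never calls IsDefaultSpeciesUnchecked on the object without @@species, since that is the null dereference the bug describes; the checked variant is what turns that case into a plain slow-path fallback.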
Attachment #8746620 - Flags: review?(lhansen)
Attachment #8746620 - Flags: review?(lhansen) → review+
Thank you for reviewing!

This is just a null dereference, so I'll land this patch shortly.
https://hg.mozilla.org/integration/mozilla-inbound/rev/a98eb29982c8395f0ded9b91b87978957b54a09f
Bug 1268574 - Check the outparam JSFunction* value after GetGetterPure. r=lth
Group: javascript-core-security
https://hg.mozilla.org/mozilla-central/rev/a98eb29982c8
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Comment on attachment 8746620 [details] [diff] [review]
Check the outparam JSFunction* value after GetGetterPure.

The same patch is applicable to mozilla-aurora.

Approval Request Comment
> [Feature/regressing bug #]
bug 1165052 and bug 1165053

> [User impact if declined]
Crash when opening certain webpage.

> [Describe test coverage new/current, TreeHerder]
Tested in mozilla-central automated test.

> [Risks and why]
Low, just added null check.

> [String/UUID change made/needed]
None
Attachment #8746620 - Flags: approval-mozilla-aurora?
Comment on attachment 8746620 [details] [diff] [review]
Check the outparam JSFunction* value after GetGetterPure.

Crash fix, regression from 48, please uplift to aurora.
Attachment #8746620 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+