Closed
Bug 1364654
Opened 7 years ago
Closed 7 years ago
crash: Assertion fauilure: ShellAllocationMetadataBuilder::build, at js/src/jscntxt.cpp:1504
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
INVALID
People
(Reporter: kangyan91, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586
Steps to reproduce:
The following testcase crashes on mozilla-central revision b043233ec04f.
I build spiderMonkey with :
cd js/src
autoconf
mkdir build_DBG.OBJ
cd build_DBG.OBJ
../configure --enable-debug --disable-optimize
make
testcase.js :
var propKeyEvaluated = false;
var base = {};
var prop = {
toString: function() {
enableShellAllocationMetadataBuilder(!propKeyEvaluated);
assertEq(byteSize(enableShellAllocationMetadataBuilder(prop + "function f(i) { i=i|0; for(;;) { if (i) { return i|0 } else { return i|0 } i = 1 } return i|0 } return f"))(3), 3);
return "";
}
};
var expr = function() {
return 0;
};
base[prop] >>= expr();
setSharedArrayBuffer(0, 0);
Actual results:
Assertion failure: [unhandlable oom] ShellAllocationMetadataBuilder::build, at /js/src/jscntxt.cpp:1504
Program received signal SIGSEGV, Segmentation fault.
js::AutoEnterOOMUnsafeRegion::crash (this=<optimized out>, reason=0x0) at /js/src/jscntxt.cpp:1505
warning: Source file is more recent than executable.
1505 MOZ_CRASH();
backtrace:
#0 0x0000000000e7ad4a in js::AutoEnterOOMUnsafeRegion::crash(char const*) (this=<optimized out>, reason=0x0) at /js/src/jscntxt.cpp:1505
#1 0x0000000000cda9a1 in ShellAllocationMetadataBuilder::build(JSContext*, JS::Handle<JSObject*>, js::AutoEnterOOMUnsafeRegion&) const (this=<optimized out>, cx=<optimized out>, oomUnsafe=...)
at /js/src/builtin/TestingFunctions.cpp:1953
#2 0x0000000000e86562 in JSCompartment::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>) (this=0x7ffff6962800, cx=0x7ffff695d800, obj=...)
at /js/src/jscompartment.cpp:1089
#3 0x0000000000f9e550 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) (cx=<optimized out>, obj=<optimized out>)
at /js/src/jsobjinlines.h:313
#4 0x0000000000f9e550 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) (cx=0x7ffff6f6b9d0 <_IO_stdfile_2_lock>, kind=<optimized out>, heap=js::gc::TenuredHeap, shape=..., group=...) at /js/src/vm/NativeObject-inl.h:452
#5 0x0000000000fb5481 in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) (cx=0x7ffff695d800, group=..., kind=js::gc::OBJECT8, newKind=js::TenuredObject, initialShapeFlags=0) at /js/src/jsobj.cpp:677
#6 0x0000000000fb4b7e in js::NewObjectWithGivenTaggedProto(JSContext*, js::Class const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind, unsigned int) (cx=0x7ffff695d800, clasp=0x2b4eca0 <js::SavedFrame::class_>, proto=..., allocKind=<optimized out>, newKind=js::TenuredObject, initialShapeFlags=0) at /js/src/jsobj.cpp:738
#7 0x0000000001361e8b in js::SavedFrame::create(JSContext*) (cx=0x7ffff695d800, newKind=js::TenuredObject, initialShapeFlags=0, clasp=<optimized out>, proto=...)
at /js/src/jsobjinlines.h:543
#8 0x0000000001361e8b in js::SavedFrame::create(JSContext*) (newKind=js::TenuredObject, cx=<optimized out>, clasp=<optimized out>, proto=...)
at /js/src/jsobjinlines.h:578
#9 0x0000000001361e8b in js::SavedFrame::create(JSContext*) (cx=0x7ffff695d800) at /js/src/vm/SavedStacks.cpp:532
#10 0x000000000136f26d in js::SavedStacks::getOrCreateSavedFrame(JSContext*, js::SavedFrame::HandleLookup) (cx=0x7ffff695d800, lookup=..., this=<optimized out>)
at /js/src/vm/SavedStacks.cpp:1517
#11 0x000000000136f26d in js::SavedStacks::getOrCreateSavedFrame(JSContext*, js::SavedFrame::HandleLookup) (this=0x7ffff69628e8, cx=0x7ffff695d800, lookup=...)
at /js/src/vm/SavedStacks.cpp:1504
#12 0x000000000136c3b5 in js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7ffff69628e8, cx=0x7ffff695d800, iter=..., frame=..., capture=<unknown type in /home-ext2/ky/mozilla-latest/js/src/build/js/src/shell/js, CU 0x35cf9c8, DIE 0x36f48cc>)
at /js/src/vm/SavedStacks.cpp:1410
#13 0x000000000136a9d3 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7ffff69628e8, cx=0x7ffff695d800, frame=..., capture=<unknown type in /home-ext2/ky/mozilla-latest/js/src/build/js/src/shell/js, CU 0x35cf9c8, DIE 0x36f35c5>)
at /js/src/vm/SavedStacks.cpp:1177
#14 0x0000000000e940c5 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) (cx=<optimized out>, stackp=..., capture=<optimized out>)
at /js/src/jsapi.cpp:7084
#15 0x0000000000e940c5 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) (stack=..., cx=<optimized out>)
at /js/src/jsexn.cpp:361
#16 0x0000000000e940c5 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) (cx=<optimized out>, reportp=0x7fffffefdda0, callback=<optimized out>, userRef=<optimized out>) at /js/src/jsexn.cpp:680
#17 0x0000000000e6ae25 in js::ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) (callback=<optimized out>, userRef=0x0, cx=<optimized out>, reportp=<optimized out>) at /js/src/jscntxt.cpp:291
#18 0x0000000000e6ae25 in js::ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) (cx=<optimized out>, flags=<optimized out>, callback=<optimized out>, userRef=0x0, errorNumber=<optimized out>, argumentsType=js::ArgumentsAreASCII, ap=0x2b72b00 <__afl_area_ptr>)
at /js/src/jscntxt.cpp:890
#19 0x0000000000e36c3b in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) (cx=0x7ffff695d800, errorCallback=0xe36c50 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=116, ap=0x1e9f463 <.L.str.98>) at /js/src/jsapi.cpp:5775
#20 0x0000000000e36c3b in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) (cx=0x7ffff6f6a1c0 <_IO_2_1_stderr_>, errorCallback=0x0, userRef=0x2b74c80 <gMozCrashReason>, errorNumber=4160518016) at /js/src/jsapi.cpp:5765
#21 0x0000000000e763b2 in js::ReportOverRecursed(JSContext*, unsigned int) (maybecx=0x7ffff695d800, errorNumber=116) at /js/src/jscntxt.cpp:379
#22 0x00000000005fe127 in js::RunScript(JSContext*, js::RunState&) (cx=0x7ffff695d800, limit=<optimized out>) at /js/src/jsfriendapi.h:1017
#23 0x00000000005fe127 in js::RunScript(JSContext*, js::RunState&) (cx=0x7ffff695d800) at /js/src/jsfriendapi.h:1040
#24 0x00000000005fe127 in js::RunScript(JSContext*, js::RunState&) (cx=0x7ffff695d800, state=...) at /js/src/vm/Interpreter.cpp:347
#25 0x000000000062507f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7ffff695d800, args=..., construct=<optimized out>)
at /js/src/vm/Interpreter.cpp:473
#26 0x00000000006256eb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=0x7ffff6f6a1c0 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=...) at /js/src/vm/Interpreter.cpp:519
#27 0x0000000000fcd4b5 in MaybeCallMethod(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) (thisObj=<optimized out>, rval=..., cx=<optimized out>, fval=...)
at /js/src/vm/Interpreter.h:96
……………………
register info:
rax 0x1e9f463 32109667
rbx 0x7fffffefc650 140737487291984
rcx 0x2b74c80 45567104
rdx 0x0 0
rsi 0x7ffff6f6b9d0 140737336752592
rdi 0x7ffff6f6a1c0 140737336746432
rbp 0x7fffffefca60 0x7fffffefca60
rsp 0x7fffffefc650 0x7fffffefc650
r8 0x7ffff7fc7780 140737353906048
r9 0x616c6c697a6f6d2f 7020105119445249327
r10 0x7fffffefc410 140737487291408
r11 0x7ffff6c18e20 140737333268000
r12 0x7ffff695d800 140737330403328
r13 0x2b72b00 45558528
r14 0x1eaeca9 32173225
r15 0xe44330 14959408
rip 0xe7ad4a 0xe7ad4a <js::AutoEnterOOMUnsafeRegion::crash(char const*)+114>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
$pc:
=> 0xe7ad4a <js::AutoEnterOOMUnsafeRegion::crash(char const*)+114>: movl $0x5e1,0x0
0xe7ad55 <js::AutoEnterOOMUnsafeRegion::crash(char const*)+125>: callq 0x485cd0 <abort()>
0xe7ad5a <MOZ_ReportAssertionFailure(char const*, char const*, int)>: push %rbp
0xe7ad5b <MOZ_ReportAssertionFailure(char const*, char const*, int)+1>: mov %rsp,%rbp
0xe7ad5e <MOZ_ReportAssertionFailure(char const*, char const*, int)+4>: push %r14
0xe7ad60 <MOZ_ReportAssertionFailure(char const*, char const*, int)+6>: push %rbx
0xe7ad61 <MOZ_ReportAssertionFailure(char const*, char const*, int)+7>: mov %rdi,%rbx
0xe7ad64 <MOZ_ReportAssertionFailure(char const*, char const*, int)+10>: mov %fs:0x0,%rax
0xe7ad6d <MOZ_ReportAssertionFailure(char const*, char const*, int)+19>: lea -0x8(%rax),%rax
0xe7ad74 <MOZ_ReportAssertionFailure(char const*, char const*, int)+26>: movslq (%rax),%rcx
Comment 2•7 years ago
|
||
This is an intentional crash because we detected a lack of memory. Not exploitable.
Group: core-security
Comment 3•7 years ago
|
||
Here's a shorter program that causes the same crash:
enableShellAllocationMetadataBuilder();
var prop = { toString: function() { prop + "xxxxxxxxxxxxxxxxx"; } }
prop + "";
Disappointing though it may be, there are certain conditions under which an OOM crash is correct behavior for SpiderMonkey. In particular, running out of memory during a call to the allocation metadata builder is fatal.
Flags: needinfo?(jimb)
Updated•7 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•