Bug 1427351
Opened 6 years ago
Closed 6 years ago
Assertion failure: currentStartPosition_ == chunk(0).start(), at /data/canicula/mozilla-central/js/src/gc/Nursery.cpp:232
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1415291
People
(Reporter: bingosxs, Unassigned)
Details
Attachments
(1 file) 420 bytes, application/x-javascript
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171129230835

Steps to reproduce:

We compile the latest js shell from the latest source code by:

    hg clone https://hg.mozilla.org/mozilla-central

and compile the SpiderMonkey js shell following the instructions:

    cd js/src
    autoconf2.13
    # This name should end with "_DBG.OBJ" to make the version control system ignore it.
    mkdir build_DBG.OBJ -p
    cd build_DBG.OBJ
    ../configure --enable-debug --disable-optimize
    # Use "mozmake" on Windows
    make

After the compilation:

    mozilla-central/js/src/build_DBG.OBJ/dist/bin/js poc16.js

poc16.js is the bug-triggering script file, and then the js shell crashed.

Actual results:

Crashed.

    Assertion failure: currentStartPosition_ == chunk(0).start(), at /data/canicula/mozilla-central/js/src/gc/Nursery.cpp:232
    Segmentation fault (core dumped)

The valgrind trace:

    ==30891== Memcheck, a memory error detector
    ==30891== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
    ==30891== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
    ==30891== Command: /data/canicula/mozilla-central/js/src/build_DBG.OBJ/dist/bin/js crash/16.js
    ==30891==
    ==30891== Warning: set address range perms: large range [0x19a8e6ff5000, 0x19a926ff5000) (noaccess)
    ==30891== Invalid read of size 8
    ==30891==    at 0x11CB162: js::wasm::Table::set(unsigned int, void*, js::wasm::Instance&) (WasmTable.cpp:119)
    ==30891==    by 0x11BAF5B: js::WasmTableObject::setImpl(JSContext*, JS::CallArgs const&) (WasmJS.cpp:1778)
    ==30891==    by 0x11CBCD1: bool JS::CallNonGenericMethod<&(IsTable(JS::Handle<JS::Value>)), &js::WasmTableObject::setImpl>(JSContext*, JS::CallArgs const&) (CallNonGenericMethod.h:100)
    ==30891==    by 0x11BB043: js::WasmTableObject::set(JSContext*, unsigned int, JS::Value*) (WasmJS.cpp:1791)
    ==30891==    by 0x5C99AD: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:291)
    ==30891==    by 0x5A625C: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:472)
    ==30891==    by 0x5A6621: InternalCall(JSContext*, js::AnyInvokeArgs const&) (Interpreter.cpp:521)
    ==30891==    by 0x5A665F: js::CallFromStack(JSContext*, JS::CallArgs const&) (Interpreter.cpp:527)
    ==30891==    by 0x5B47EB: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:3066)
    ==30891==    by 0x5A5DEE: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:422)
    ==30891==    by 0x5A7468: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (Interpreter.cpp:705)
    ==30891==    by 0x5A7751: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (Interpreter.cpp:738)
    ==30891==  Address 0xe5e5e5e5e5e5e5ed is not stack'd, malloc'd or (recently) free'd
    ==30891==
    ==30891==
    ==30891== Process terminating with default action of signal 11 (SIGSEGV)
    ==30891==  General Protection Fault
    ==30891==    at 0x11CB162: js::wasm::Table::set(unsigned int, void*, js::wasm::Instance&) (WasmTable.cpp:119)
    ==30891==    by 0x11BAF5B: js::WasmTableObject::setImpl(JSContext*, JS::CallArgs const&) (WasmJS.cpp:1778)
    ==30891==    by 0x11CBCD1: bool JS::CallNonGenericMethod<&(IsTable(JS::Handle<JS::Value>)), &js::WasmTableObject::setImpl>(JSContext*, JS::CallArgs const&) (CallNonGenericMethod.h:100)
    ==30891==    by 0x11BB043: js::WasmTableObject::set(JSContext*, unsigned int, JS::Value*) (WasmJS.cpp:1791)
    ==30891==    by 0x5C99AD: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:291)
    ==30891==    by 0x5A625C: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:472)
    ==30891==    by 0x5A6621: InternalCall(JSContext*, js::AnyInvokeArgs const&) (Interpreter.cpp:521)
    ==30891==    by 0x5A665F: js::CallFromStack(JSContext*, JS::CallArgs const&) (Interpreter.cpp:527)
    ==30891==    by 0x5B47EB: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:3066)
    ==30891==    by 0x5A5DEE: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:422)
    ==30891==    by 0x5A7468: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (Interpreter.cpp:705)
    ==30891==    by 0x5A7751: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (Interpreter.cpp:738)
    ==30891==
    ==30891== HEAP SUMMARY:
    ==30891==     in use at exit: 0 bytes in 0 blocks
    ==30891==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
    ==30891==
    ==30891== All heap blocks were freed -- no leaks are possible
    ==30891==
    ==30891== For counts of detected and suppressed errors, rerun with: -v
    ==30891== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
    Killed

The nightly build of Firefox does not produce the crash because it complains: "wasmTextToBinary is undefined". However, this poc crashed the latest js shell and valgrind reported memory corruption, so we believe it is likely an issue.

Please refer to "Trusted Operating System and System Assurance Working Group, TCA, Institute of Software, Chinese Academy of Sciences" in the acknowledgement if applicable.

Expected results:

Should not crash.
Updated•6 years ago
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Updated•6 years ago
Group: core-security → javascript-core-security
Flags: needinfo?(luke)
Comment 1•6 years ago
Judging from the crash stack and testing poc16.js in a fresh build of the shell, this is a duplicate of bug 1415291 and was fixed by https://hg.mozilla.org/mozilla-central/rev/622c05a8e7a1 so tentatively resolving as a duplicate. (The buildid from comment 0 is right before the fix landed.) Thank you so much for the detailed report Xiaoshan; feel free to reopen if I'm mistaken.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(luke)
Resolution: --- → DUPLICATE
Updated•3 years ago
Group: javascript-core-security