Bug 1437536 - Assertion failure: fun->isInterpreted()
Status: Closed (RESOLVED DUPLICATE of bug 1437481)
Opened 6 years ago, closed 6 years ago
Category: Core :: JavaScript Engine, defect
Keywords: oss-fuzz
People: Reporter Alex_Gaynor, Unassigned

Tracking | Status
---|---
firefox60 | affected

Attachments (1 file): 4.65 KB, application/x-javascript
(I don't think this is a security issue, but it's a non-release assert, and I don't have a non-debug build to verify.)

This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker. Please note that they apply a 90-day disclosure timeline to all bugs:

```
root@f9a425957398:/src/mozilla-central/js/src# /out/js clusterfuzz-testcase-minimized-6452691615088640.js
Assertion failure: fun->isInterpreted(), at /src/mozilla-central/js/src/jsfun.cpp:137
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001e0995e bp 0x7ffda4a0c370 sp 0x7ffda4a0c340 T0)
==3217==The signal is caused by a WRITE memory access.
==3217==Hint: address points to the zero page.
    #0 0x1e0995d in JSFunction::lazyScript() const /src/mozilla-central/js/src/jsfun.h:522:9
    #1 0x1e0995d in JSFunction::isAsync() const /src/mozilla-central/js/src/jsfun.h:550
    #2 0x1e0995d in IsSloppyNormalFunction(JSFunction*) /src/mozilla-central/js/src/jsfun.cpp:134
    #3 0x1d0cd5f in ArgumentsRestrictions(JSContext*, JS::Handle<JSFunction*>) /src/mozilla-central/js/src/jsfun.cpp:160:10
    #4 0x1d0cd5f in ArgumentsSetterImpl(JSContext*, JS::CallArgs const&) /src/mozilla-central/js/src/jsfun.cpp:221
    #5 0x1e113c2 in bool JS::CallNonGenericMethod<&(IsFunction(JS::Handle<JS::Value>)), &(ArgumentsSetterImpl(JSContext*, JS::CallArgs const&))>(JSContext*, JS::CallArgs const&) /src/mozilla-central/js/src/build_DBG.OBJ/dist/include/js/CallNonGenericMethod.h:100:16
    #6 0x1e113c2 in ArgumentsSetter(JSContext*, unsigned int, JS::Value*) /src/mozilla-central/js/src/jsfun.cpp:233
    #7 0x9d628e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/jscntxtinlines.h:291:15
    #8 0x9d628e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/mozilla-central/js/src/vm/Interpreter.cpp:473
    #9 0x9db94b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/mozilla-central/js/src/vm/Interpreter.cpp:541:10
    #10 0x9db94b in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /src/mozilla-central/js/src/vm/Interpreter.cpp:670
    #11 0x26088b2 in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /src/mozilla-central/js/src/vm/NativeObject.cpp:2756:10
    #12 0x263a935 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/mozilla-central/js/src/vm/NativeObject.cpp:2784:20
    #13 0x9edd35 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/mozilla-central/js/src/vm/NativeObject.h:1647:12
    #14 0x9edd35 in SetObjectElementOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool, JSScript*, unsigned char*) /src/mozilla-central/js/src/vm/Interpreter.cpp:1615
    #15 0x9ad703 in Interpret(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:2975:10
    #16 0x99861d in js::RunScript(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:423:12
    #17 0x9dcab4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:706:15
    #18 0x9ddacf in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:738:12
    #19 0x1c12c71 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /src/mozilla-central/js/src/jsapi.cpp:4715:12
    #20 0x1c132cb in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /src/mozilla-central/js/src/jsapi.cpp:4748:12
    #21 0x5fde73 in RunFile(JSContext*, char const*, _IO_FILE*, bool) /src/mozilla-central/js/src/shell/js.cpp:826:14
    #22 0x5fde73 in Process(JSContext*, char const*, bool, FileKind) /src/mozilla-central/js/src/shell/js.cpp:1179
    #23 0x578d58 in ProcessArgs(JSContext*, js::cli::OptionParser*) /src/mozilla-central/js/src/shell/js.cpp:8474:14
    #24 0x578d58 in Shell(JSContext*, js::cli::OptionParser*, char**) /src/mozilla-central/js/src/shell/js.cpp:8860
    #25 0x578d58 in main /src/mozilla-central/js/src/shell/js.cpp:9317
    #26 0x7f5fbe95e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #27 0x4604f8 in _start (/out/js+0x4604f8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/mozilla-central/js/src/jsfun.h:522:9 in JSFunction::lazyScript() const
==3217==ABORTING
```
Comment 1•6 years ago

Running this in an opt build gives me a heap-buffer-overflow [@ JSScript::strict], so I think this might be a duplicate of bug 1437481, which I filed this morning. Benjamin, do you agree?
Flags: needinfo?(bbouvier)
Comment 2•6 years ago

Agreed, it's the assertion I found in comment 1, with the same stack. Thanks!
Flags: needinfo?(bbouvier)
Comment 3•6 years ago (Reporter)

OSS-Fuzz confirmed this is fixed, so I'm going to mark this as a dupe of bug 1437481.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Updated•3 years ago

Group: core-security