Closed Bug 1437536 Opened 6 years ago Closed 6 years ago

Assertion failure: fun->isInterpreted()

Categories

(Core :: JavaScript Engine, defect)


Tracking
RESOLVED DUPLICATE of bug 1437481
Tracking Status
firefox60 --- affected

People

(Reporter: Alex_Gaynor, Unassigned)

Details

(Keywords: oss-fuzz)

Attachments

(1 file)

(I don't think this is a security issue, but it's a non-release assert, and I don't have a non-debug build to verify)

This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker.

Please note that they apply a 90-day disclosure timeline to all bugs:

root@f9a425957398:/src/mozilla-central/js/src# /out/js clusterfuzz-testcase-minimized-6452691615088640.js
Assertion failure: fun->isInterpreted(), at /src/mozilla-central/js/src/jsfun.cpp:137
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001e0995e bp 0x7ffda4a0c370 sp 0x7ffda4a0c340 T0)
==3217==The signal is caused by a WRITE memory access.
==3217==Hint: address points to the zero page.
    #0 0x1e0995d in JSFunction::lazyScript() const /src/mozilla-central/js/src/jsfun.h:522:9
    #1 0x1e0995d in JSFunction::isAsync() const /src/mozilla-central/js/src/jsfun.h:550
    #2 0x1e0995d in IsSloppyNormalFunction(JSFunction*) /src/mozilla-central/js/src/jsfun.cpp:134
    #3 0x1d0cd5f in ArgumentsRestrictions(JSContext*, JS::Handle<JSFunction*>) /src/mozilla-central/js/src/jsfun.cpp:160:10
    #4 0x1d0cd5f in ArgumentsSetterImpl(JSContext*, JS::CallArgs const&) /src/mozilla-central/js/src/jsfun.cpp:221
    #5 0x1e113c2 in bool JS::CallNonGenericMethod<&(IsFunction(JS::Handle<JS::Value>)), &(ArgumentsSetterImpl(JSContext*, JS::CallArgs const&))>(JSContext*, JS::CallArgs const&) /src/mozilla-central/js/src/build_DBG.OBJ/dist/include/js/CallNonGenericMethod.h:100:16
    #6 0x1e113c2 in ArgumentsSetter(JSContext*, unsigned int, JS::Value*) /src/mozilla-central/js/src/jsfun.cpp:233
    #7 0x9d628e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/jscntxtinlines.h:291:15
    #8 0x9d628e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/mozilla-central/js/src/vm/Interpreter.cpp:473
    #9 0x9db94b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/mozilla-central/js/src/vm/Interpreter.cpp:541:10
    #10 0x9db94b in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /src/mozilla-central/js/src/vm/Interpreter.cpp:670
    #11 0x26088b2 in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /src/mozilla-central/js/src/vm/NativeObject.cpp:2756:10
    #12 0x263a935 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/mozilla-central/js/src/vm/NativeObject.cpp:2784:20
    #13 0x9edd35 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /src/mozilla-central/js/src/vm/NativeObject.h:1647:12
    #14 0x9edd35 in SetObjectElementOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool, JSScript*, unsigned char*) /src/mozilla-central/js/src/vm/Interpreter.cpp:1615
    #15 0x9ad703 in Interpret(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:2975:10
    #16 0x99861d in js::RunScript(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:423:12
    #17 0x9dcab4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:706:15
    #18 0x9ddacf in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:738:12
    #19 0x1c12c71 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /src/mozilla-central/js/src/jsapi.cpp:4715:12
    #20 0x1c132cb in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /src/mozilla-central/js/src/jsapi.cpp:4748:12
    #21 0x5fde73 in RunFile(JSContext*, char const*, _IO_FILE*, bool) /src/mozilla-central/js/src/shell/js.cpp:826:14
    #22 0x5fde73 in Process(JSContext*, char const*, bool, FileKind) /src/mozilla-central/js/src/shell/js.cpp:1179
    #23 0x578d58 in ProcessArgs(JSContext*, js::cli::OptionParser*) /src/mozilla-central/js/src/shell/js.cpp:8474:14
    #24 0x578d58 in Shell(JSContext*, js::cli::OptionParser*, char**) /src/mozilla-central/js/src/shell/js.cpp:8860
    #25 0x578d58 in main /src/mozilla-central/js/src/shell/js.cpp:9317
    #26 0x7f5fbe95e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #27 0x4604f8 in _start (/out/js+0x4604f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/mozilla-central/js/src/jsfun.h:522:9 in JSFunction::lazyScript() const
==3217==ABORTING

Running this in an opt build gives me a heap-buffer-overflow [@ JSScript::strict], so I think this might be a duplicate of bug 1437481, which I filed this morning. Benjamin, do you agree?
Flags: needinfo?(bbouvier)
Agreed, it's the assertion I found in comment 1, with the same stack. Thanks!
Flags: needinfo?(bbouvier)
OSS-Fuzz confirmed this is fixed, so I'm going to mark this as a dupe of bug 1437481.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: core-security