Closed
Bug 1440762 - null deref in JIT'd code
Opened 7 years ago
Closed 7 years ago
Categories: Core :: JavaScript Engine: JIT, defect
Status: RESOLVED DUPLICATE of bug 1440510

Flag | Tracking | Status
---|---|---
firefox60 | --- | affected

People: Reporter: Alex_Gaynor; Assignee: Unassigned
Keywords: oss-fuzz
Attachments (1 file): 1.54 KB, application/x-javascript
(Filing as security because the issue appears to be coming from JIT'd code and I haven't dug in to see what the origin is. Better safe than sorry!)
This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker.
Please note that they apply a 90-day disclosure timeline to all bugs:
root@9973b47106ce:/src/mozilla-central/js/src# ASAN_OPTIONS=redzone=256:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=1:handle_segv=1 /out/js clusterfuzz-testcase-minimized-5746168467292160.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3211==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fec3384eb4a bp 0x7ffc1e7a5f48 sp 0x7ffc1e7a5ee0 T0)
==3211==The signal is caused by a READ memory access.
==3211==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7fec3384eb49 (<unknown module>)
#1 0x7fec3384bc9f (<unknown module>)
#2 0x6210002b7417 (<unknown module>)
#3 0x7fec338409d0 (<unknown module>)
#4 0x6210002ae66f (<unknown module>)
#5 0x7fec338409d0 (<unknown module>)
#6 0x6210002ceea7 (<unknown module>)
#7 0x7fec3380f814 (<unknown module>)
#8 0x6210002cc787 (<unknown module>)
#9 0x7fec3380f814 (<unknown module>)
#10 0x6210002c65b7 (<unknown module>)
#11 0x7fec3380fabc (<unknown module>)
#12 0x138c10c in EnterJit(JSContext*, js::RunState&, unsigned char*) /src/mozilla-central/js/src/jit/Jit.cpp:99:9
#13 0x138c10c in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /src/mozilla-central/js/src/jit/Jit.cpp:163
#14 0x9a4a30 in Interpret(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:3122:42
#15 0x98007a in js::RunScript(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:418:12
#16 0x9bec38 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/mozilla-central/js/src/vm/Interpreter.cpp:490:15
#17 0xd5d293 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/mozilla-central/js/src/jit/BaselineIC.cpp:2383:14
#18 0x7fec338266be (<unknown module>)
#19 0x6210002c408f (<unknown module>)
#20 0x7fec3380fabc (<unknown module>)
#21 0xd93946 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /src/mozilla-central/js/src/jit/BaselineJIT.cpp:149:9
#22 0xd93946 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /src/mozilla-central/js/src/jit/BaselineJIT.cpp:226
#23 0x9ae41d in Interpret(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:2046:28
#24 0x98007a in js::RunScript(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:418:12
#25 0x9c5754 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:701:15
#26 0x9c676f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:733:12
#27 0x1c49442 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /src/mozilla-central/js/src/jsapi.cpp:4720:12
#28 0x1c4996d in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /src/mozilla-central/js/src/jsapi.cpp:4753:12
#29 0x5fe693 in RunFile(JSContext*, char const*, _IO_FILE*, bool) /src/mozilla-central/js/src/shell/js.cpp:820:14
#30 0x5fe693 in Process(JSContext*, char const*, bool, FileKind) /src/mozilla-central/js/src/shell/js.cpp:1173
#31 0x579058 in ProcessArgs(JSContext*, js::cli::OptionParser*) /src/mozilla-central/js/src/shell/js.cpp:8474:14
#32 0x579058 in Shell(JSContext*, js::cli::OptionParser*, char**) /src/mozilla-central/js/src/shell/js.cpp:8860
#33 0x579058 in main /src/mozilla-central/js/src/shell/js.cpp:9321
#34 0x7fec7673d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==3211==ABORTING
Comment 1 • 7 years ago
Very likely a duplicate of bug 1440510. Ted, can you confirm?
Flags: needinfo?(tcampbell)
Comment 2 • 7 years ago
Confirmed duplicate. Oops =\
Fixed in:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a1a5245ff819ff827c95c8ee7d47fc291dd58ce5
Flags: needinfo?(tcampbell)
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated • 4 years ago
Group: core-security