1459609 - Crash [@ js::frontend::ParserBase::setSourceMapInfo] with ES6 module

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision fb435df9797a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

function parseAsModule(source) {
    return Reflect.parse(source, {
        target: "module",
    });
}
parseAsModule('function f() {} //@ sourceMappingURL=http://example.com/foo.js.map', {});


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000000000054be83 in js::frontend::ParserBase::setSourceMapInfo (this=0x7fffffffc460) at js/src/frontend/Parser.cpp:988
#0  0x000000000054be83 in js::frontend::ParserBase::setSourceMapInfo (this=0x7fffffffc460) at js/src/frontend/Parser.cpp:988
#1  0x0000000000585370 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::moduleBody (this=this@entry=0x7fffffffc460, modulesc=modulesc@entry=0x7fffffffbcc0) at js/src/frontend/Parser.cpp:2350
#2  0x00000000006254b7 in reflect_parse (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/ReflectParse.cpp:3501
#3  0x00000000005b4f01 in js::CallJSNative (cx=0x7ffff5f17000, native=0x623940 <reflect_parse(JSContext*, uint32_t, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
#4  0x00000000005a94bf in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#5  0x00000000005a989d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:516
[...]
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9281
rax	0x1	1
rbx	0x7fffffffc460	140737488340064
rcx	0x0	0
rdx	0x7ffff495a840	140737296836672
rsi	0x16	22
rdi	0x0	0
rbp	0x7fffffffb730	140737488336688
rsp	0x7fffffffb720	140737488336672
r8	0x7fffffffc962	140737488341346
r9	0x0	0
r10	0x20aa2b0	34251440
r11	0x7ffff6cb8dd0	140737333923280
r12	0x7fffffffb850	140737488336976
r13	0x7ffff5f7e020	140737320050720
r14	0x0	0
r15	0x7fffffffc460	140737488340064
rip	0x54be83 <js::frontend::ParserBase::setSourceMapInfo()+67>
=> 0x54be83 <js::frontend::ParserBase::setSourceMapInfo()+67>:	cmpq   $0x0,0x60(%rdi)
   0x54be88 <js::frontend::ParserBase::setSourceMapInfo()+72>:	jne    0x54bf10 <js::frontend::ParserBase::setSourceMapInfo()+208>

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fe50254665a4
user:        Eric Faust
date:        Fri Apr 27 15:02:31 2018 -0700
summary:     Bug 1451826 - Part 5: Move displayURL and sourceMap intialization from BCE to Parser. (r=Waldo)

This iteration took 286.105 seconds to run.

Comment 2

[Jeff Walden [:Waldo]]

Hi efaust!

Comment 3

[Eric Faust [:efaust]]

Attachment: Add null check.

Reflect.parse doesn't set a script source object. Don't try to initialize an object that's not there.

Comment 4

[Pulsebot]

Pushed by efaustbmo@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/73bf33ab67f4
Add missing null-check to ParserBase::setSourceMapInfo(). (r=Waldo)

Comment 5

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/73bf33ab67f4

Comment 6

[Ryan VanderMeulen [:RyanVM]]

Please request Beta approval on this when you get a chance. Also, could we land this testcase as an automated test?

Comment 7

[Ryan VanderMeulen [:RyanVM]]

I talked to efaust about this on IRC . It's unlikely this code is reachable from web content, so let's just let this ride the trains.