Closed Bug 1465081 · Opened 5 years ago · Closed 5 years ago

Null-dereference READ · AppendNameInBytecode

Categories: Core :: JavaScript: WebAssembly, defect

Tracking: RESOLVED FIXED, mozilla62

Tracking | Status |
---|---|
firefox62 | fixed |

People: Reporter: Alex_Gaynor, Assigned: bbouvier

Details: Keywords: oss-fuzz

Attachments (2 files):
- 5.10 KB, application/x-javascript
- 3.63 KB, patch (luke: review+)
Found by Google's OSS-Fuzz; I am re-filing for tracking in our bugtracker.

```
/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-51.js

[Environment] ASAN_OPTIONS = redzone=16:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1849==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000275993a bp 0x7ffef4831df0 sp 0x7ffef4831df0 T0)
==1849==The signal is caused by a READ memory access.
==1849==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x2759939 in mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::length() const mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/Vector.h:0:34
    #1 0x2759939 in AppendNameInBytecode(mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy> const*, js::wasm::NameInBytecode const&, mozilla::Vector<char, 0ul, js::SystemAllocPolicy>*) mozilla-central/js/src/wasm/WasmCode.cpp:938
    #2 0x2759530 in js::wasm::Metadata::getFuncName(js::wasm::Metadata::NameContext, mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy> const*, unsigned int, mozilla::Vector<char, 0ul, js::SystemAllocPolicy>*) const mozilla-central/js/src/wasm/WasmCode.cpp:963:14
    #3 0x285d5c5 in js::wasm::Metadata::getFuncNameBeforeLocation(mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy> const*, unsigned int, mozilla::Vector<char, 0ul, js::SystemAllocPolicy>*) const mozilla-central/js/src/wasm/WasmCode.h:460:16
    #4 0x285d5c5 in js::wasm::Instance::getFuncDisplayAtom(JSContext*, unsigned int) const mozilla-central/js/src/wasm/WasmInstance.cpp:952
    #5 0x285cf67 in js::wasm::WasmFrameIter::functionDisplayAtom() const mozilla-central/js/src/wasm/WasmFrameIter.cpp:190:32
    #6 0x22398f1 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) mozilla-central/js/src/vm/SavedStacks.cpp:1482:41
    #7 0x22381d6 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) mozilla-central/js/src/vm/SavedStacks.cpp:1295:12
    #8 0x1af7b07 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) mozilla-central/js/src/jsapi.cpp:7803:31
    #9 0x1b02b7a in CaptureStack(JSContext*, JS::MutableHandle<JSObject*>) mozilla-central/js/src/jsexn.cpp:369:12
    #10 0x1b0554e in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) mozilla-central/js/src/jsexn.cpp:686:10
    #11 0x1fe70ee in ReportError(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) mozilla-central/js/src/vm/JSContext.cpp:249:5
    #12 0x1fe70ee in js::ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) mozilla-central/js/src/vm/JSContext.cpp:836
    #13 0x1ae80f3 in JS_ReportErrorNumberUTF8VA(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, __va_list_tag*) mozilla-central/js/src/jsapi.cpp:6528:5
    #14 0x1ae80f3 in JS_ReportErrorNumberUTF8(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) mozilla-central/js/src/jsapi.cpp:6518
    #15 0x2796a81 in ReportError(JSContext*, unsigned int) mozilla-central/js/src/wasm/WasmBuiltins.cpp:217:5
    #16 0x2796a81 in WasmHandleTrap() mozilla-central/js/src/wasm/WasmBuiltins.cpp:249
    #12 0x3405ceca727c (<unknown module>)
    #13 0x6070000072bf (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js+0x2759939)
==1849==ABORTING
```
Updated•5 years ago
Flags: needinfo?(bbouvier)

Comment 1•5 years ago
Regression from bug 1458029. There's a module name subsection but no function names subsection, so we erroneously do not preserve bytecode.
Assignee: nobody → bbouvier
Component: JavaScript Engine → Javascript: Web Assembly
Depends on: 1458029
Flags: needinfo?(bbouvier)
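The root cause in comment 1 is a retention decision that was keyed only on the function-names subsection, while the name lookup (`AppendNameInBytecode` in the trace) assumes the bytecode is still there whenever any name is recorded. The following is an added illustration, not SpiderMonkey's code: the `NameSection`, `NameInBytecode` and `preserveBytecode*` names are hypothetical stand-ins that model the buggy decision beside the corrected one, plus a lookup that refuses a null bytecode pointer and bounds-checks the slice instead of reading through it.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical model (not SpiderMonkey's real types): a parsed wasm "name"
// custom section can carry a module-name subsection, a function-names
// subsection, both, or neither.
struct NameSection {
    bool hasModuleName = false;
    bool hasFuncNames = false;
};

// Offset/length pair into the module bytecode; stands in for the
// js::wasm::NameInBytecode that the real lookup resolves against the bytecode.
struct NameInBytecode {
    uint32_t offset = 0;
    uint32_t length = 0;
};

// Buggy decision: bytecode is retained only when function names exist.
// A module with a module name and no function names still records a
// NameInBytecode, so the later lookup dereferences a null bytecode pointer.
bool preserveBytecodeBuggy(const NameSection& ns) {
    return ns.hasFuncNames;
}

// Corrected decision, matching the landed fix's one-line summary:
// keep the bytecode if either kind of name would need it.
bool preserveBytecodeFixed(const NameSection& ns) {
    return ns.hasFuncNames || ns.hasModuleName;
}

// Lookup in the spirit of AppendNameInBytecode: copy bytes
// [offset, offset + length) out of the retained bytecode into `out`.
// Returns false instead of reading through a null pointer, and bounds-checks
// the slice so a malformed name section cannot read past the buffer.
bool appendNameInBytecode(const std::vector<uint8_t>* bytecode,
                          const NameInBytecode& name,
                          std::string* out) {
    if (bytecode == nullptr) {
        return false;  // the buggy path crashed here with a null READ
    }
    if (name.offset > bytecode->size() ||
        name.length > bytecode->size() - name.offset) {
        return false;  // slice does not fit inside the bytecode
    }
    out->append(reinterpret_cast<const char*>(bytecode->data()) + name.offset,
                name.length);
    return true;
}

// End-to-end: apply a retention policy, then resolve the module name.
// Never crashes; yields a fallback when the bytecode was not retained.
std::string resolveModuleName(const std::vector<uint8_t>& fullBytecode,
                              const NameSection& ns,
                              const NameInBytecode& moduleName,
                              bool (*preserve)(const NameSection&)) {
    const std::vector<uint8_t>* retained = preserve(ns) ? &fullBytecode : nullptr;
    std::string name;
    if (!appendNameInBytecode(retained, moduleName, &name)) {
        return "<unknown>";
    }
    return name;
}

// Constructed sample input: the module name "demo" sits at offset 3, length 4,
// and the name section has a module name but no function names (the comment-1
// shape).
const std::vector<uint8_t> kSampleBytecode = {'.', '.', '.', 'd', 'e', 'm', 'o', '.', '.', '.'};
const NameInBytecode kModuleName{3, 4};
const NameSection kModuleNameOnly{true, false};
```

With the buggy policy the sample resolves to the fallback because nothing was retained (in the real engine that path was the crash); with the fixed policy it resolves to "demo". The explicit null and bounds checks in the lookup are the defensive layer that makes a future regression in the retention decision a missing name rather than a SEGV.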
Comment 2•5 years ago
Attachment #8985504 - Flags: review?(luke)
Updated•5 years ago
Status: NEW → ASSIGNED

Updated•5 years ago
Attachment #8985504 - Flags: review?(luke) → review+

Updated•5 years ago
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/7cd314fe93e3 Preserve bytecode if there's a module name subsection. r=luke
Keywords: checkin-needed
Comment 4•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/7cd314fe93e3
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Updated•5 years ago
Flags: qe-verify-