Closed Bug 1509168 Opened 6 years ago Closed 6 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/js/src/jsfriendapi.h:1564:9 in byteSize

Categories

(Core :: Storage: IndexedDB, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: violet.bugreport)

References

(Blocks 3 open bugs)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev eeddcefcdad8.

==32426==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f264e6d2b83 bp 0x7fff5a523d30 sp 0x7fff5a523d30 T0)
==32426==The signal is caused by a WRITE memory access.
==32426==Hint: address points to the zero page.
    #0 0x7f264e6d2b82 in byteSize /builds/worker/workspace/build/src/js/src/jsfriendapi.h:1564:9
    #1 0x7f264e6d2b82 in bytesPerElement /builds/worker/workspace/build/src/js/src/vm/TypedArrayObject.h:229
    #2 0x7f264e6d2b82 in byteLengthValue /builds/worker/workspace/build/src/js/src/vm/TypedArrayObject.h:96
    #3 0x7f264e6d2b82 in byteLength /builds/worker/workspace/build/src/js/src/vm/TypedArrayObject.h:109
    #4 0x7f264e6d2b82 in js::GetArrayBufferViewLengthAndData(JSObject*, unsigned int*, bool*, unsigned char**) /builds/worker/workspace/build/src/js/src/vm/ArrayBufferViewObject.cpp:295
    #5 0x7f2648e26280 in EncodeBinary /builds/worker/workspace/build/src/dom/indexedDB/Key.cpp:669:5
    #6 0x7f2648e26280 in mozilla::dom::indexedDB::Key::EncodeJSValInternal(JSContext*, JS::Handle<JS::Value>, unsigned char, unsigned short) /builds/worker/workspace/build/src/dom/indexedDB/Key.cpp:307
    #7 0x7f2648e28ef7 in EncodeJSVal /builds/worker/workspace/build/src/dom/indexedDB/Key.cpp:414:10
    #8 0x7f2648e28ef7 in mozilla::dom::indexedDB::Key::SetFromJSVal(JSContext*, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/dom/indexedDB/Key.cpp:777
    #9 0x7f2648e82028 in mozilla::dom::IDBFactory::Cmp(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/indexedDB/IDBFactory.cpp:545:23
    #10 0x7f2646a8499c in mozilla::dom::IDBFactory_Binding::cmp(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBFactory*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/IDBFactoryBinding.cpp:404:24
    #11 0x7f2646c75df4 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3376:13
    #12 0x7f2650071ead in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
    #13 0x7f2650071ead in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
    #14 0x7f26500744d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
    #15 0x7f264f10d4b1 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:178:12
    #16 0x7f264f0c4c41 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:355:23
    #17 0x7f264f0eafd1 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:560:21
    #18 0x7f2650072f4c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:20
    #19 0x7f265005bb07 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:620:12
    #20 0x7f265005bb07 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3462
    #21 0x7f265003f0a6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:12
    #22 0x7f2650072851 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
    #23 0x7f26500744d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
    #24 0x7f264f032376 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2988:12
    #25 0x7f26462884c9 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #26 0x7f26474bfe72 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #27 0x7f26474bfe72 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1112
    #28 0x7f26474c24c7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1317:15
    #29 0x7f26474a3c76 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #30 0x7f26474a3c76 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:425
    #31 0x7f26474a1ef8 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:642:16
    #32 0x7f26474a8950 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1164:11
    #33 0x7f264a20d0fe in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1165:7
    #34 0x7f264d46c2e3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7034:21
    #35 0x7f264d467b09 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6825:7
    #36 0x7f264d470917 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #37 0x7f2642197b35 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1309:3
    #38 0x7f264219671c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:852:14
    #39 0x7f2642192068 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:741:9
    #40 0x7f26421949be in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:630:5
    #41 0x7f2642196244 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #42 0x7f263faddfb7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:628:28
    #43 0x7f2643b53a07 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8500:18
    #44 0x7f2643b53a07 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8422
    #45 0x7f2643b2daa9 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5306:3
    #46 0x7f2643c8dcdb in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
    #47 0x7f2643c8dcdb in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1197
    #48 0x7f2643c8dcdb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1242
    #49 0x7f263f819405 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #50 0x7f263f856861 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1244:14
    #51 0x7f263f85f60d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #52 0x7f2640ad5c4f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #53 0x7f26409d10be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #54 0x7f26409d10be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #55 0x7f26409d10be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #56 0x7f2649975ec3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #57 0x7f264e266eae in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:961:22
    #58 0x7f26409d10be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #59 0x7f26409d10be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #60 0x7f26409d10be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #61 0x7f264e265f01 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:787:34
    #62 0x55b812528864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #63 0x55b812528864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #64 0x7f2662bdfb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
Priority: -- → P3
Assignee: nobody → violet.bugreport

When using JS_IsArrayBufferViewObject() to check an ArrayBufferView object,
we should consistently use JS_FRIEND_API to get its length and data,
because in rare cases there might be a wrapper on the object; JS_FRIEND_API
will handle it, js::GetArrayBufferViewLengthAndData() won't.

Hi Jan,

I submitted two patches (including this one) for some crash bugs in the IndexedDB component two days ago; could you review them? This one in particular will cause a dereference of the wrong type in a release build, so I think it needs to be fixed.

These are my first patches to the IndexedDB component, so I might be choosing the reviewer incorrectly. In case I'm wrong, could you point me to the correct reviewer to get these patches reviewed?

Thanks!

Flags: needinfo?(jvarga)

I don't quite understand the commit message... js::GetArrayBufferViewLengthAndData is friend API just like JS_GetObjectAsArrayBufferView. The real change is that JS_GetObjectAsArrayBufferView can handle a CCW for an ArrayBufferView while js::GetArrayBufferViewLengthAndData can't, right?

(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #3)

> I don't quite understand the commit message... js::GetArrayBufferViewLengthAndData is friend API just like JS_GetObjectAsArrayBufferView.

Sorry, I'm new to the JS codebase. After re-reading the js/src/jsfriendapi.h declarations, I found that js::GetArrayBufferViewLengthAndData is indeed a JS_FRIEND_API. I will update the commit message.

> The real change is that JS_GetObjectAsArrayBufferView can handle a CCW for an ArrayBufferView while js::GetArrayBufferViewLengthAndData can't, right?

Yes, this is what I meant.

Sounds good, thank you!

Attachment #9051961 - Attachment description: Bug 1509168 - Use JS_FRIEND_API to retrieve ArrayBufferView data → Bug 1509168 - Use JS_GetObjectAsArrayBufferView() to retrieve ArrayBufferView data
Flags: needinfo?(jvarga)
Pushed by violet.bugreport@gmail.com: https://hg.mozilla.org/integration/autoland/rev/7f67ed870073 Use JS_GetObjectAsArrayBufferView() to retrieve ArrayBufferView data r=asuth
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite? → in-testsuite+