Bug 1526932 (Closed)
Assertion failure: isThrowingOutOfMemory(), at mozilla-central/js/src/vm/JSContext.cpp:1162
Opened 6 years ago, closed 6 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED DUPLICATE of bug 1527155

Tracking | Status
---|---
firefox67 | affected
People: Reporter: Alex_Gaynor, Unassigned
Details: Keywords: oss-fuzz
Attachments (1 file): 389 bytes, application/x-javascript
Found by OSS-Fuzz:
[Environment] ASAN_OPTIONS = redzone=512:print_suppressions=0:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1
[Command line] /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --arm-hwcap=vfp /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/fuzz-18.js
Assertion failure: isThrowingOutOfMemory(), at mozilla-central/js/src/vm/JSContext.cpp:1162
AddressSanitizer:DEADLYSIGNAL
=================================================================
==92497==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x559301331388 bp 0x7ffdb07e0f30 sp 0x7ffdb07e0f10 T0)
==92497==The signal is caused by a WRITE memory access.
==92497==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x559301331387 in JSContext::alreadyReportedOOM() mozilla-central/js/src/vm/JSContext.cpp:1162:5
#1 0x5593036f0953 in js::StringToBigInt(JSContext*, JS::Handle<JSString*>) mozilla-central/js/src/vm/BigIntType.cpp:3150:16
#2 0x5593036eef64 in js::ToBigInt(JSContext*, JS::Handle<JS::Value>) mozilla-central/js/src/vm/BigIntType.cpp:2633:5
#3 0x5593036a805a in BigIntConstructor(JSContext*, unsigned int, JS::Value*) mozilla-central/js/src/builtin/BigInt.cpp:47:57
#4 0x559300c7d86f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) mozilla-central/js/src/vm/Interpreter.cpp:442:13
#5 0x559300c50297 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:534:12
#6 0x5593024fe220 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:3921:10
#7 0x15e7e3f073e2 (<unknown module>)
#8 0x62100001d84f (<unknown module>)
#9 0x15e7e3ef5ac3 (<unknown module>)
#7 0x5593027f892f in EnterBaseline(JSContext*, js::jit::EnterJitData&) mozilla-central/js/src/jit/BaselineJIT.cpp:111:5
#8 0x5593027f892f in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) mozilla-central/js/src/jit/BaselineJIT.cpp:189
#9 0x559300c3f6f0 in Interpret(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:1995:24
#10 0x559300c18f67 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:422:10
#11 0x559300c56155 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:781:13
#12 0x559300c56deb in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) mozilla-central/js/src/vm/Interpreter.cpp:814:10
#13 0x559300fc654c in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:438:10
#14 0x559300fc698f in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:471:10
#15 0x559300ad837b in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) mozilla-central/js/src/shell/js.cpp:899:10
#16 0x559300ad5c41 in Process(JSContext*, char const*, bool, FileKind) mozilla-central/js/src/shell/js.cpp:1439:14
#17 0x559300a586a6 in ProcessArgs(JSContext*, js::cli::OptionParser*) mozilla-central/js/src/shell/js.cpp:10052:10
#18 0x559300a586a6 in Shell(JSContext*, js::cli::OptionParser*, char**) mozilla-central/js/src/shell/js.cpp:10612
#19 0x559300a46b35 in main mozilla-central/js/src/shell/js.cpp:11215:12
#20 0x7ff80817f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js+0x1205387)
Reporter, updated 6 years ago:
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE