Crash [@ JSString::flags] with BinAST

RESOLVED FIXED in Firefox 67

Status


defect
P3
critical
RESOLVED FIXED
3 months ago
3 months ago

People

(Reporter: decoder, Assigned: arai)

Tracking

(Blocks 1 bug, {crash, regression, testcase})

Trunk
mozilla67
x86_64
Linux
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox66 unaffected, firefox67 fixed)

Details

(Whiteboard: [fuzzblocker], crash signature)

Attachments

(2 attachments)

Reporter

Description

3 months ago

The attached testcase crashes on mozilla-central revision add98afa5f0c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-tests --enable-fuzzing --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with FUZZER=BinAST ./fuzz-tests test.binjs).

Backtrace:

==6324==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5613af209f8b bp 0x7ffe2452b4d0 sp 0x7ffe2452b4c0 T0)
==6324==The signal is caused by a READ memory access.
==6324==Hint: address points to the zero page.
    #0 0x5613af209f8a in JSString::flags() const js/src/vm/StringType.h:399:46
    #1 0x5613af209f8a in JSString::hasLatin1Chars() const js/src/vm/StringType.h:454
    #2 0x5613af209f8a in js::frontend::IsIdentifier(JSLinearString*) js/src/frontend/TokenStream.cpp:170
    #3 0x5613aef6fd5f in js::frontend::BinTokenReaderMultipart::readIdentifierName() js/src/frontend/BinTokenReaderMultipart.cpp:297:8
    #4 0x5613aef13d4c in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceIdentifierExpression(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinASTParser.cpp:3188:3
    #5 0x5613aef0767b in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseExpression() js/src/frontend/BinASTParser.cpp:230:3
    #6 0x5613aef0f969 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceBinaryExpression(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinASTParser.cpp:1815:3
    #7 0x5613aef4918f in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseOptionalExpression() js/src/frontend/BinASTParser.cpp:4897:5
    #8 0x5613aef28701 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceForStatement(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinASTParser.cpp:2896:3
    #9 0x5613aef0b66b in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseStatement() js/src/frontend/BinASTParser.cpp:1052:3
    #10 0x5613aef42d37 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseListOfStatement() js/src/frontend/BinASTParser.cpp:4777:5
    #11 0x5613aef2095a in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseInterfaceScript(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinASTParser.cpp:3666:3
    #12 0x5613aef09cf4 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseSumProgram(unsigned long, js::frontend::BinKind, js::frontend::BinTokenReaderMultipart::BinFields const&) js/src/frontend/BinASTParser.cpp:745:7
    #13 0x5613aef09cf4 in js::frontend::BinASTParser<js::frontend::BinTokenReaderMultipart>::parseProgram() js/src/frontend/BinASTParser.cpp:730
    #14 0x5613aef53f8f in js::frontend::BinASTParserPerTokenizer<js::frontend::BinTokenReaderMultipart>::parseAux(js::frontend::GlobalSharedContext*, unsigned char const*, unsigned long, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinASTParserPerTokenizer.cpp:134:3
    #15 0x5613aef5506a in js::frontend::BinASTParserPerTokenizer<js::frontend::BinTokenReaderMultipart>::parse(js::frontend::GlobalSharedContext*, unsigned char const*, unsigned long, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinASTParserPerTokenizer.cpp:108:17
    #16 0x5613aef5506a in js::frontend::BinASTParserPerTokenizer<js::frontend::BinTokenReaderMultipart>::parse(js::frontend::GlobalSharedContext*, mozilla::Vector<unsigned char, 0ul, js::TempAllocPolicy> const&, js::frontend::BinASTSourceMetadata**) js/src/frontend/BinASTParserPerTokenizer.cpp:101
    #17 0x5613ae087939 in testBinASTReaderFuzz(unsigned char const*, unsigned long) js/src/fuzz-tests/testBinASTReader.cpp:68:27
[...]
    #25 0x5613adf8b108 in _start (build/fuzz-tests+0x545108)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/vm/StringType.h:399:46 in JSString::flags() const
==6324==ABORTING

This issue is highly frequent, marking as fuzzblocker.

Reporter

Comment 1

3 months ago
Posted file Testcase
Assignee

Updated

3 months ago
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Priority: -- → P3

Comment 3

3 months ago
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/8014816b11ed
Throw error for empty string in readIdentifierName. r=Yoric
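The push above fixes the crash at the reader: an empty identifier name is rejected as malformed input before it can reach IsIdentifier, which assumes it is handed a non-null linear string. The following is an added illustration of that pattern and is not SpiderMonkey code. It models a length-prefixed identifier field in a binary AST stream; the little-endian u32 length prefix, the ReadStatus values and the ASCII-only identifier rule are assumptions of this model, not the real multipart format.

```cpp
// Added example: a toy binary-AST identifier reader that fails closed on
// truncated, empty and non-identifier names instead of passing a bad value
// to later stages. Not the SpiderMonkey implementation.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class ReadStatus { Ok, Truncated, EmptyIdentifier, NotIdentifier };

struct ReadResult {
    ReadStatus status;
    std::string name;   // meaningful only when status == Ok
    size_t consumed;    // bytes consumed from the input at `pos`
};

// Simplified identifier rule (assumption of this model): ASCII letter, '_' or
// '$' to start, then letters, digits, '_' or '$'. The real check is Unicode-aware.
static bool isIdentifierAscii(const std::string& s) {
    if (s.empty()) return false;
    auto startOk = [](unsigned char c) { return std::isalpha(c) || c == '_' || c == '$'; };
    auto partOk  = [](unsigned char c) { return std::isalnum(c) || c == '_' || c == '$'; };
    if (!startOk(static_cast<unsigned char>(s[0]))) return false;
    for (size_t i = 1; i < s.size(); ++i) {
        if (!partOk(static_cast<unsigned char>(s[i]))) return false;
    }
    return true;
}

// Decode one identifier field: hypothetical layout of a little-endian u32
// length followed by that many bytes of name.
ReadResult readIdentifierName(const std::vector<uint8_t>& buf, size_t pos) {
    if (pos > buf.size() || buf.size() - pos < 4) {
        return {ReadStatus::Truncated, {}, 0};
    }
    uint32_t len = uint32_t(buf[pos]) | (uint32_t(buf[pos + 1]) << 8) |
                   (uint32_t(buf[pos + 2]) << 16) | (uint32_t(buf[pos + 3]) << 24);
    if (buf.size() - pos - 4 < len) {
        return {ReadStatus::Truncated, {}, 0};
    }
    // The defensive check corresponding to the fix: an empty name is a
    // malformed file, not an empty (or null) atom, so stop here rather than
    // letting a consumer that assumes a real string dereference it.
    if (len == 0) {
        return {ReadStatus::EmptyIdentifier, {}, 4};
    }
    std::string name(buf.begin() + pos + 4, buf.begin() + pos + 4 + len);
    if (!isIdentifierAscii(name)) {
        return {ReadStatus::NotIdentifier, {}, 4 + len};
    }
    return {ReadStatus::Ok, name, 4 + len};
}

// Helpers to build constructed sample input: encode a name with its length
// prefix, and clip a buffer to simulate truncation.
std::vector<uint8_t> frame(const std::string& s) {
    uint32_t len = static_cast<uint32_t>(s.size());
    std::vector<uint8_t> out = {uint8_t(len), uint8_t(len >> 8), uint8_t(len >> 16), uint8_t(len >> 24)};
    out.insert(out.end(), s.begin(), s.end());
    return out;
}

std::vector<uint8_t> clip(std::vector<uint8_t> v, size_t n) {
    if (n < v.size()) v.resize(n);
    return v;
}

int main() {
    const char* labels[] = {"Ok", "Truncated", "EmptyIdentifier", "NotIdentifier"};
    std::vector<std::vector<uint8_t>> samples = {
        frame("foo"), frame(""), frame("1x"), clip(frame("abcde"), 6)};
    for (const auto& s : samples) {
        ReadResult r = readIdentifierName(s, 0);
        std::printf("%-16s name=\"%s\" consumed=%zu\n",
                    labels[static_cast<int>(r.status)], r.name.c_str(), r.consumed);
    }
    return 0;
}
```

Reporting the empty case as a distinct status, rather than folding it into a generic parse error, also makes it easy to count in fuzzing runs: a sudden rise in EmptyIdentifier results points at the input generator rather than at the parser.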

Comment 4

3 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Blocks: 1532517
Flags: in-testsuite+