Closed
Bug 1562298
Opened 2 years ago
Closed 2 years ago
Crash [@ js::frontend::FullParseHandler::addClassMemberDefinition] with OOM
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla70
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | wontfix |
| firefox67 | --- | unaffected |
| firefox68 | --- | wontfix |
| firefox69 | --- | fixed |
| firefox70 | --- | verified |
People
(Reporter: gkw, Assigned: arai)
References
(Regression)
Details
(6 keywords, Whiteboard: [keep hidden while 1562102 is][jsbugmon:update][post-critsmash-triage]][adv-main69-])
Crash Data
Attachments
(1 file)
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
+++ This bug was initially created as a clone of Bug #1562102 +++
The following testcase crashes on mozilla-central revision 7ffabb358c42 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
// Adapted from randomly chosen test: js/src/tests/test262/language/statements/class/elements/after-same-line-static-async-gen-rs-field-identifier.js
oomTest(
new Function(`
evaluate(\`
class C {
c;
_;
2;
u;
J;
_;
}
t(C);
function s() {
e;
if (r) {
0;
}
c1 = 1;
t.e(
c
.a2,
1
);
s
.s(
c8,
1
);
a
(
c
.J
, 1
);
u
(
c
._
, 1
);
}
e.r;
\`, {
compileAndGo: true
})
`)
)
Backtrace:
#0 js::frontend::FullParseHandler::addClassMemberDefinition (this=0x7fffffffac30, memberList=0x7ffff5de7060, member=0x0)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/FullParseHandler.h:470
#1 0x0000555556e25cfd in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::finishClassConstructor (this=0x7fffffffa798,
classStmt=..., className=..., hasHeritage=<optimized out>, classStartOffset=4294945840, classEndOffset=150, numFields=6,
classMembers=@0x7fffffff9970: 0x7ffff5de7060) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:6997
#2 0x0000555556e13189 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=<optimized out>,
yieldHandling=<optimized out>, classContext=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement,
defaultHandling=js::frontend::NameRequired) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7134
#3 0x0000555556e0d81b in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=<optimized out>,
yieldHandling=<optimized out>, canHaveDirectives=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7998
#4 0x0000555556e0bb95 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=<optimized out>,
yieldHandling=js::frontend::YieldIsName) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3475
#5 0x0000555556e4642d in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7fffffffa798, globalsc=0x7fffffffadf8)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:1446
#6 0x0000555556e7b583 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=0x7fffffffa240, info=..., environment=..., sc=<optimized out>)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:531
#7 0x0000555556e4a96b in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=<optimized out>)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:208
/snip
Ashley mentioned in bug 1562102 comment 7 that this is an unrelated bug, so cloning it here. Still s-s because that bug is still s-s.
Flags: needinfo?(khyperia)
|
Reporter | |
Comment 1•2 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d96f98f974e0
user: Ashley Hauck
date: Wed Mar 20 17:26:01 2019 +0000
summary: Bug 1535166 - Implement computed field names. r=jorendorff
This is as per bug 1562102 comment 6.
Regressed by: 1562102
|
|
Reporter | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
status-firefox67:
--- → unaffected
status-firefox68:
--- → wontfix
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → affected
|
||
Updated•2 years ago
|
Priority: -- → P1
|
Assignee | |
Comment 2•2 years ago
|
||
will fix this, with bug 1562102.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
||
Updated•2 years ago
|
Keywords: csectype-oom,
sec-other
Whiteboard: [jsbugmon:update] → [keep hidden while 1562102 is][jsbugmon:update]
|
||
Updated•2 years ago
|
Flags: needinfo?(khyperia)
https://hg.mozilla.org/integration/autoland/rev/b9da377f23c12603ce45bbaf0cb8489d80059d39
https://hg.mozilla.org/mozilla-central/rev/b9da377f23c1
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox70:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
|
|
Assignee | |
Comment 6•2 years ago
|
||
Comment on attachment 9075548 [details]
Bug 1562298 - Check OOM after PerHandlerParser::finishLexicalScope. r?jorendorff
Beta/Release Uplift Approval Request
- User impact if declined: crash by null-dereference, when opening a crafted webpage.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: Bug 1562102
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just adds usual error handling for OOM.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: this is just null-deref crash. not sure if this requires the ESR uplift, but asking just in case, given the tracking flag is "affected"
- User impact if declined: crash by null-dereference, when opening a crafted webpage.
- Fix Landed on Version: 70
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just adds usual error handling for OOM.
- String or UUID changes made by this patch:
Flags: needinfo?(arai.unmht)
Attachment #9075548 -
Flags: approval-mozilla-esr68?
Attachment #9075548 -
Flags: approval-mozilla-beta?
|
|
||
Comment 7•2 years ago
|
||
Comment on attachment 9075548 [details]
Bug 1562298 - Check OOM after PerHandlerParser::finishLexicalScope. r?jorendorff
Fixes an OOM crash. Approved for 69.0b10 and 68.1esr.
Attachment #9075548 -
Flags: approval-mozilla-esr68?
Attachment #9075548 -
Flags: approval-mozilla-esr68+
Attachment #9075548 -
Flags: approval-mozilla-beta?
Attachment #9075548 -
Flags: approval-mozilla-beta+
|
|
||
Comment 8•2 years ago
|
||
| uplift | ||
The scope variable used here got added in bug 1547467 (Gecko 69). People have voted against uplift in that bug. Does anything need to be done here or ESR68?
Flags: needinfo?(arai.unmht)
|
|
Assignee | |
Comment 10•2 years ago
|
||
sounds like autobisect found another issue, or maybe something already fixed?
will look into the history.
anyway, for this patch, no need to esr68 uplift
|
|
||
Updated•2 years ago
|
Attachment #9075548 -
Flags: approval-mozilla-esr68+
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Flags: qe-verify-
Whiteboard: [keep hidden while 1562102 is][jsbugmon:update] → [keep hidden while 1562102 is][jsbugmon:update][post-critsmash-triage]]
|
|
Assignee | |
Comment 11•2 years ago
|
||
I cannot reproduce the crash on d96f98f974e0.
can you tell me the detail?
what's the backtrace there?
Flags: needinfo?(nth10sd)
|
|
Reporter | |
Comment 12•2 years ago
|
||
(In reply to Tooru Fujisawa [:arai] from comment #11)
I cannot reproduce the crash on d96f98f974e0.
can you tell me the detail?
what's the backtrace there?
Try it with --fuzzing-safe --no-threads --no-baseline --no-ion --enable-experimental-fields at that revision?
Stack at that revision:
Thread 1 "js-dbg-64-dm-li" received signal SIGSEGV, Segmentation fault.
js::frontend::FullParseHandler::addStatementToList (this=0x7fffffffac70, list=0x0, stmt=0x7ffff5800310)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/FullParseHandler.h:511
warning: Source file is more recent than executable.
511 }
(gdb) bt
#0 js::frontend::FullParseHandler::addStatementToList (this=0x7fffffffac70, list=0x0, stmt=0x7ffff5800310)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/FullParseHandler.h:511
#1 0x0000555556d5c925 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::fieldInitializerOpt (this=0x7fffffffa820,
yieldHandling=(unknown: 4118806944), propName=0x7ffff58000a0, propAtom=..., numFieldKeys=@0x7fffffff9a10: 0)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7415
#2 0x0000555556d5a51c in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classMember (this=0x7fffffffa820,
yieldHandling=js::frontend::YieldIsName, defaultHandling=<optimized out>, classStmt=..., className=..., classStartOffset=4118806688, hasHeritage=<optimized out>,
numFields=@0x7fffffff9a18: 1, numFieldKeys=@0x7fffffff9a10: 0, classMembers=@0x7fffffff9a20: 0x7ffff5800060, done=0x7fffffff9ac0)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:6805
#3 0x0000555556d48361 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=0x7fffffffa820,
yieldHandling=js::frontend::YieldIsName, classContext=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement,
defaultHandling=js::frontend::NameRequired) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7032
#4 0x0000555556d42f89 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=0x7fffffffa820,
yieldHandling=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7881
#5 0x0000555556d41285 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=<optimized out>,
yieldHandling=js::frontend::YieldIsName) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3421
#6 0x0000555556d7a4f9 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7fffffffa820, globalsc=0x7fffffffae38)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:1429
#7 0x0000555556dab053 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=0x7fffffffa310, info=..., environment=..., sc=0x7fffffffae38)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:536
#8 0x0000555556d7e4ab in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=0x0)
at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:207
#9 js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=0x0) at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:219
#10 0x0000555556798f55 in CompileSourceBuffer<char16_t> (cx=0x7ffff5d17000, options=..., srcBuf=..., script=...)
at /home/ubuntu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:70
#11 0x00005555565a2f2d in Evaluate (cx=0x7ffff5d17000, argc=<optimized out>, vp=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:2194
#12 0x0000555556659315 in CallJSNative (cx=0x7ffff5d17000, native=0x5555565a1da0 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...)
at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:442
#13 0x0000555556648b0f in js::InternalCallOrConstruct (cx=0x7ffff5d17000, args=..., construct=js::NO_CONSTRUCT)
at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:534
#14 0x000055555663ed84 in js::CallFromStack (cx=0x7ffff5d17000, args=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:593
#15 Interpret (cx=<optimized out>, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:3075
#16 0x000055555663492d in js::RunScript (cx=0x7ffff5d17000, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:422
#17 0x0000555556648a8a in js::InternalCallOrConstruct (cx=0x7ffff5d17000, args=..., construct=js::NO_CONSTRUCT)
at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:562
#18 0x000055555664971d in js::Call (cx=0x7fffffffac70, fval=..., thisv=..., args=..., rval=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:605
#19 0x0000555556c47dbe in JS_CallFunction (cx=0x7ffff5d17000, obj=..., fun=..., args=..., rval=...) at /home/ubuntu/trees/mozilla-central/js/src/jsapi.cpp:2579
#20 0x0000555556a11efd in RunIterativeFailureTest (cx=0x7ffff5d17000, params=..., simulator=...)
at /home/ubuntu/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:1892
#21 0x0000555556a43187 in OOMTest (cx=0x7ffff5d17000, argc=<optimized out>, vp=<optimized out>)
at /home/ubuntu/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:2074
#22 0x0000555556659315 in CallJSNative (cx=0x7ffff5d17000, native=0x555556a43090 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...)
at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:442
#23 0x0000555556648b0f in js::InternalCallOrConstruct (cx=0x7ffff5d17000, args=..., construct=js::NO_CONSTRUCT)
at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:534
#24 0x000055555663ed84 in js::CallFromStack (cx=0x7ffff5d17000, args=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:593
#25 Interpret (cx=<optimized out>, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:3075
#26 0x000055555663492d in js::RunScript (cx=0x7ffff5d17000, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:422
#27 0x000055555664ad5a in js::ExecuteKernel (cx=0x7ffff5d17000, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0x0)
at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:781
#28 0x000055555664b19e in js::Execute (cx=0x7ffff5d17000, script=..., envChainArg=..., rval=0x0) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:814
#29 0x000055555679b4a6 in ExecuteScript (cx=0x7ffff5d17000, scope=..., script=..., rval=0x0)
at /home/ubuntu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:438
#30 0x000055555679b647 in JS_ExecuteScript (cx=0x7ffff5d17000, scriptArg=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:471
#31 0x00005555565c8ccb in RunFile (cx=0x7ffff5d17000, filename=0x7fffffffe16c "1562298.js", file=<optimized out>, compileMethod=CompileUtf8::InflateToUtf16,
compileOnly=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:883
#32 0x00005555565c80ca in Process (cx=0x7ffff5d17000, filename=0x7fffffffe16c "1562298.js", forceTTY=<optimized out>, kind=<optimized out>)
at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:1423
#33 0x0000555556599576 in ProcessArgs (cx=<optimized out>, op=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:10135
#34 Shell (cx=0x7ffff5d17000, op=0x7fffffffdbb0, envp=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:10685
#35 0x0000555556594212 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:11270
Flags: needinfo?(nth10sd)
|
|
Assignee | |
Comment 13•2 years ago
|
||
Thanks!
that one is fixed by bug 1550628.
https://hg.mozilla.org/mozilla-central/rev/c21f692a069302eca39bdb1342bc6acb9fa14a3b
Flags: needinfo?(arai.unmht)
|
||
Updated•2 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 14•2 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•1 year ago
|
Whiteboard: [keep hidden while 1562102 is][jsbugmon:update][post-critsmash-triage]] → [keep hidden while 1562102 is][jsbugmon:update][post-critsmash-triage]][adv-main69-]
|
|
||
Updated•1 month ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•