Closed Bug 1562298 Opened 2 years ago Closed 2 years ago

Crash [@ js::frontend::FullParseHandler::addClassMemberDefinition] with OOM

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox67 --- unaffected
firefox68 --- wontfix
firefox69 --- fixed
firefox70 --- verified

People

(Reporter: gkw, Assigned: arai)

References

(Regression)

Details

(6 keywords, Whiteboard: [keep hidden while 1562102 is][jsbugmon:update][post-critsmash-triage]][adv-main69-])

Crash Data

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1562102 +++

The following testcase crashes on mozilla-central revision 7ffabb358c42 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/test262/language/statements/class/elements/after-same-line-static-async-gen-rs-field-identifier.js
oomTest(
    new Function(`
        evaluate(\`
            class C {
                c;
                _;
                2;
                u;
                J;
                _;
            }
            t(C);
            function s() {
                e;
                if (r) {
                    0;
                }
                c1 = 1;
                t.e(
                    c
                    .a2,
                    1
                );
                s
                .s( 
                    c8,
                    1
                );
                a
                (   
                    c
                    .J
                    , 1
                );
                u
                (   
                    c
                    ._
                    , 1
                );
            }
            e.r;
        \`, {
            compileAndGo: true
        })
    `)
)

Backtrace:

#0  js::frontend::FullParseHandler::addClassMemberDefinition (this=0x7fffffffac30, memberList=0x7ffff5de7060, member=0x0)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/FullParseHandler.h:470
#1  0x0000555556e25cfd in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::finishClassConstructor (this=0x7fffffffa798, 
    classStmt=..., className=..., hasHeritage=<optimized out>, classStartOffset=4294945840, classEndOffset=150, numFields=6, 
    classMembers=@0x7fffffff9970: 0x7ffff5de7060) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:6997
#2  0x0000555556e13189 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=<optimized out>, 
    yieldHandling=<optimized out>, classContext=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement, 
    defaultHandling=js::frontend::NameRequired) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7134
#3  0x0000555556e0d81b in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=<optimized out>, 
    yieldHandling=<optimized out>, canHaveDirectives=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7998
#4  0x0000555556e0bb95 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=<optimized out>, 
    yieldHandling=js::frontend::YieldIsName) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3475
#5  0x0000555556e4642d in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7fffffffa798, globalsc=0x7fffffffadf8)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:1446
#6  0x0000555556e7b583 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=0x7fffffffa240, info=..., environment=..., sc=<optimized out>)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:531
#7  0x0000555556e4a96b in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=<optimized out>)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:208
/snip

Ashley mentioned in bug 1562102 comment 7 that this is an unrelated bug, so cloning it here. Still s-s because that bug is still s-s.

Flags: needinfo?(khyperia)

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d96f98f974e0
user: Ashley Hauck
date: Wed Mar 20 17:26:01 2019 +0000
summary: Bug 1535166 - Implement computed field names. r=jorendorff

This is as per bug 1562102 comment 6.

Regressed by: 1562102
Regressed by: 1535166
No longer regressed by: 1562102
Priority: -- → P1

Will fix this, with bug 1562102.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Whiteboard: [jsbugmon:update] → [keep hidden while 1562102 is][jsbugmon:update]
Flags: needinfo?(khyperia)

ni? myself to ask for uplift after merge

Flags: needinfo?(arai.unmht)
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Comment on attachment 9075548 [details]
Bug 1562298 - Check OOM after PerHandlerParser::finishLexicalScope. r?jorendorff

Beta/Release Uplift Approval Request

  • User impact if declined: crash by null-dereference, when opening a crafted webpage.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: Bug 1562102
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just adds usual error handling for OOM.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is just a null-deref crash. Not sure if this requires the ESR uplift, but asking just in case, given the tracking flag is "affected".
  • User impact if declined: crash by null-dereference, when opening a crafted webpage.
  • Fix Landed on Version: 70
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just adds usual error handling for OOM.
  • String or UUID changes made by this patch:
Flags: needinfo?(arai.unmht)
Attachment #9075548 - Flags: approval-mozilla-esr68?
Attachment #9075548 - Flags: approval-mozilla-beta?
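The pattern behind this crash and its fix, as an added illustration that is not SpiderMonkey code and not the patch on this bug: the stand-ins finishLexicalScope, fieldInitializerBuggy, fieldInitializerFixed and OomSim are hypothetical, and the oomTest loop only mimics what the shell's oomTest() does (fail one allocation per iteration) to show how the missing null check is surfaced.

```cpp
#include <memory>
#include <vector>

struct Node { std::vector<Node*> kids; };
enum class Outcome { Ok, OomReported, NullDeref };

// Allocator whose failAt-th allocation (1-based) returns nullptr, as the shell's oomTest() does; 0 = never fail.
struct OomSim {
  int failAt, count = 0;
  std::vector<std::unique_ptr<Node>> arena;  // owns every node handed out
  explicit OomSim(int f) : failAt(f) {}
  Node* allocNode() {
    if (failAt && ++count == failAt) return nullptr;
    arena.emplace_back(new Node());
    return arena.back().get();
  }
};

// Stand-in for PerHandlerParser::finishLexicalScope: reports OOM by returning null.
Node* finishLexicalScope(OomSim& oom) { return oom.allocNode(); }

// Before the fix: the scope from finishLexicalScope reaches addStatementToList
// (list=0x0 in the backtrace) unchecked, and a null list is dereferenced there.
Outcome fieldInitializerBuggy(OomSim& oom) {
  Node* stmt = oom.allocNode();
  if (!stmt) return Outcome::OomReported;
  Node* scope = finishLexicalScope(oom);
  if (!scope) return Outcome::NullDeref;  // stands in for the segfault
  scope->kids.push_back(stmt);
  return Outcome::Ok;
}

// After the fix: the "usual error handling for OOM" propagates the failure.
Outcome fieldInitializerFixed(OomSim& oom) {
  Node* stmt = oom.allocNode();
  if (!stmt) return Outcome::OomReported;
  Node* scope = finishLexicalScope(oom);
  if (!scope) return Outcome::OomReported;  // the added check
  scope->kids.push_back(stmt);
  return Outcome::Ok;
}

// Run one parser routine with the given allocation failure point (hypothetical helper).
Outcome runAt(Outcome (*fn)(OomSim&), int failAt) { OomSim oom(failAt); return fn(oom); }

// Iterative failure test: fail allocation 1, 2, 3, ... until a run never reaches
// its failure point. Returns false if any iteration dereferenced null.
bool oomTest(Outcome (*fn)(OomSim&)) {
  for (int failAt = 1;; ++failAt) {
    OomSim oom(failAt);
    if (fn(oom) == Outcome::NullDeref) return false;
    if (oom.count < failAt) return true;
  }
}
```

The buggy variant fails the sweep at the second allocation, which is the failure point the testcase on this bug reached; the fixed variant reports OOM there and survives the whole sweep.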

Comment on attachment 9075548 [details]
Bug 1562298 - Check OOM after PerHandlerParser::finishLexicalScope. r?jorendorff

Fixes an OOM crash. Approved for 69.0b10 and 68.1esr.

Attachment #9075548 - Flags: approval-mozilla-esr68?
Attachment #9075548 - Flags: approval-mozilla-esr68+
Attachment #9075548 - Flags: approval-mozilla-beta?
Attachment #9075548 - Flags: approval-mozilla-beta+

The scope variable used here got added in bug 1547467 (Gecko 69). People have voted against uplift in that bug. Does anything need to be done here or ESR68?

Flags: needinfo?(arai.unmht)

Sounds like autobisect found another issue, or maybe something already fixed?
Will look into the history.
Anyway, for this patch, there is no need for the esr68 uplift.

Attachment #9075548 - Flags: approval-mozilla-esr68+
Flags: qe-verify-
Whiteboard: [keep hidden while 1562102 is][jsbugmon:update] → [keep hidden while 1562102 is][jsbugmon:update][post-critsmash-triage]]

I cannot reproduce the crash on d96f98f974e0.
Can you tell me the details?
What's the backtrace there?

Flags: needinfo?(nth10sd)

(In reply to Tooru Fujisawa [:arai] from comment #11)
> I cannot reproduce the crash on d96f98f974e0.
> can you tell me the detail?
> what's the backtrace there?

Try it with --fuzzing-safe --no-threads --no-baseline --no-ion --enable-experimental-fields at that revision?

Stack at that revision:

Thread 1 "js-dbg-64-dm-li" received signal SIGSEGV, Segmentation fault.
js::frontend::FullParseHandler::addStatementToList (this=0x7fffffffac70, list=0x0, stmt=0x7ffff5800310)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/FullParseHandler.h:511
warning: Source file is more recent than executable.
511       }
(gdb) bt
#0  js::frontend::FullParseHandler::addStatementToList (this=0x7fffffffac70, list=0x0, stmt=0x7ffff5800310)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/FullParseHandler.h:511
#1  0x0000555556d5c925 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::fieldInitializerOpt (this=0x7fffffffa820, 
    yieldHandling=(unknown: 4118806944), propName=0x7ffff58000a0, propAtom=..., numFieldKeys=@0x7fffffff9a10: 0)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7415
#2  0x0000555556d5a51c in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classMember (this=0x7fffffffa820, 
    yieldHandling=js::frontend::YieldIsName, defaultHandling=<optimized out>, classStmt=..., className=..., classStartOffset=4118806688, hasHeritage=<optimized out>, 
    numFields=@0x7fffffff9a18: 1, numFieldKeys=@0x7fffffff9a10: 0, classMembers=@0x7fffffff9a20: 0x7ffff5800060, done=0x7fffffff9ac0)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:6805
#3  0x0000555556d48361 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=0x7fffffffa820, 
    yieldHandling=js::frontend::YieldIsName, classContext=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement, 
    defaultHandling=js::frontend::NameRequired) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7032
#4  0x0000555556d42f89 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=0x7fffffffa820,
    yieldHandling=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:7881
#5  0x0000555556d41285 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=<optimized out>,
    yieldHandling=js::frontend::YieldIsName) at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:3421
#6  0x0000555556d7a4f9 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7fffffffa820, globalsc=0x7fffffffae38)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/Parser.cpp:1429
#7  0x0000555556dab053 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=0x7fffffffa310, info=..., environment=..., sc=0x7fffffffae38)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:536
#8  0x0000555556d7e4ab in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=0x0)
    at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:207
#9  js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=0x0) at /home/ubuntu/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:219
#10 0x0000555556798f55 in CompileSourceBuffer<char16_t> (cx=0x7ffff5d17000, options=..., srcBuf=..., script=...)
    at /home/ubuntu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:70
#11 0x00005555565a2f2d in Evaluate (cx=0x7ffff5d17000, argc=<optimized out>, vp=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:2194
#12 0x0000555556659315 in CallJSNative (cx=0x7ffff5d17000, native=0x5555565a1da0 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:442
#13 0x0000555556648b0f in js::InternalCallOrConstruct (cx=0x7ffff5d17000, args=..., construct=js::NO_CONSTRUCT)
    at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:534
#14 0x000055555663ed84 in js::CallFromStack (cx=0x7ffff5d17000, args=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:593
#15 Interpret (cx=<optimized out>, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:3075
#16 0x000055555663492d in js::RunScript (cx=0x7ffff5d17000, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:422
#17 0x0000555556648a8a in js::InternalCallOrConstruct (cx=0x7ffff5d17000, args=..., construct=js::NO_CONSTRUCT)
    at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:562
#18 0x000055555664971d in js::Call (cx=0x7fffffffac70, fval=..., thisv=..., args=..., rval=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:605
#19 0x0000555556c47dbe in JS_CallFunction (cx=0x7ffff5d17000, obj=..., fun=..., args=..., rval=...) at /home/ubuntu/trees/mozilla-central/js/src/jsapi.cpp:2579
#20 0x0000555556a11efd in RunIterativeFailureTest (cx=0x7ffff5d17000, params=..., simulator=...)
    at /home/ubuntu/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:1892
#21 0x0000555556a43187 in OOMTest (cx=0x7ffff5d17000, argc=<optimized out>, vp=<optimized out>)
    at /home/ubuntu/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:2074
#22 0x0000555556659315 in CallJSNative (cx=0x7ffff5d17000, native=0x555556a43090 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:442
#23 0x0000555556648b0f in js::InternalCallOrConstruct (cx=0x7ffff5d17000, args=..., construct=js::NO_CONSTRUCT)
    at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:534
#24 0x000055555663ed84 in js::CallFromStack (cx=0x7ffff5d17000, args=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:593
#25 Interpret (cx=<optimized out>, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:3075
#26 0x000055555663492d in js::RunScript (cx=0x7ffff5d17000, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:422
#27 0x000055555664ad5a in js::ExecuteKernel (cx=0x7ffff5d17000, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0x0)
    at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:781
#28 0x000055555664b19e in js::Execute (cx=0x7ffff5d17000, script=..., envChainArg=..., rval=0x0) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:814
#29 0x000055555679b4a6 in ExecuteScript (cx=0x7ffff5d17000, scope=..., script=..., rval=0x0)
    at /home/ubuntu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:438
#30 0x000055555679b647 in JS_ExecuteScript (cx=0x7ffff5d17000, scriptArg=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:471
#31 0x00005555565c8ccb in RunFile (cx=0x7ffff5d17000, filename=0x7fffffffe16c "1562298.js", file=<optimized out>, compileMethod=CompileUtf8::InflateToUtf16, 
    compileOnly=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:883
#32 0x00005555565c80ca in Process (cx=0x7ffff5d17000, filename=0x7fffffffe16c "1562298.js", forceTTY=<optimized out>, kind=<optimized out>)
    at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:1423
#33 0x0000555556599576 in ProcessArgs (cx=<optimized out>, op=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:10135
#34 Shell (cx=0x7ffff5d17000, op=0x7fffffffdbb0, envp=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:10685
#35 0x0000555556594212 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:11270
Flags: needinfo?(nth10sd)
Flags: needinfo?(arai.unmht)
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [keep hidden while 1562102 is][jsbugmon:update][post-critsmash-triage]] → [keep hidden while 1562102 is][jsbugmon:update][post-critsmash-triage]][adv-main69-]
Group: core-security-release