Closed Bug 1584006 Opened 5 years ago Closed 5 years ago

undefined shift in js/src/ctypes/CTypes.cpp:8708

Categories

(Core :: js-ctypes, defect, P1)

Product:
Core
Component:
js-ctypes
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox71 --- fixed

People

(Reporter: tsmith, Assigned: Waldo)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

Bug 1584006 - Construct a 64-bit value in ctypes code from two 32-bit values without potentially left-shifting a negative value. r=jorendorff
47 bytes, text/x-phabricator-request
Details | Review

This is triggered with an UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="shift"
ac_add_options --disable-jemalloc

TEST-UNEXPECTED-FAIL | toolkit/components/ctypes/tests/unit/test_jsctypes.js
...
src/js/src/ctypes/CTypes.cpp:8708:28: runtime error: left shift of negative value -676923933
    #0 0x7efde3aa2ad0 in js::ctypes::Int64::Join(JSContext*, unsigned int, JS::Value*) src/js/src/ctypes/CTypes.cpp:8708:28
    #1 0x7efde3b18554 in CallJSNative src/js/src/vm/Interpreter.cpp:458:13
    #2 0x7efde3b18554 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:551
    #3 0x7efde3b1a479 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:620:10
    #4 0x7efde3b1a844 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:637:8
    #5 0x7efde3cf6291 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/Wrapper.cpp:162:10
    #6 0x7efde3cbbdf5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
    #7 0x7efde3cdbdd0 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) src/js/src/proxy/Proxy.cpp:504:19
    #8 0x7efde3b18bb0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:525:14
    #9 0x7efde3b1a479 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:620:10
    #10 0x7efde498b663 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:3229:10
    #11 0x2047c6f01797  (<unknown module>)
Component: JavaScript Engine → js-ctypes
Priority: -- → P1
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/autoland/rev/b98968eb71d3
Construct a 64-bit value in ctypes code from two 32-bit values without potentially left-shifting a negative value.  r=jorendorff

https://hg.mozilla.org/mozilla-central/rev/b98968eb71d3

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox71: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Assignee: nobody → jwalden
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: