Closed
Bug 1584601
Opened 5 years ago
Closed 5 years ago
addition of unsigned offset overflowed in js/src/ctypes/CTypes.cpp:5159
Categories
(Core :: js-ctypes, defect)
Core
js-ctypes
Tracking
()
RESOLVED
FIXED
mozilla71
| Tracking | Status | |
|---|---|---|
| firefox71 | --- | fixed |
People
(Reporter: tsmith, Assigned: Waldo)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-undefined, testcase)
Attachments
(1 file)
This is triggered with an UBSan build. To enable this check add the following to your mozconfig:
ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="pointer-overflow"
ac_add_options --disable-jemalloc
TEST-UNEXPECTED-FAIL | toolkit/components/ctypes/tests/unit/test_jsctypes.js
...
src/js/src/ctypes/CTypes.cpp:5159:24: runtime error: addition of unsigned offset to 0x6030000db170 overflowed to 0x6030000db160
#0 0x7f5212f1c2a7 in js::ctypes::PointerType::OffsetBy(JSContext*, JS::CallArgs const&, int, char const*) src/js/src/ctypes/CTypes.cpp:5159:24
#1 0x7f5212f1b7b1 in js::ctypes::PointerType::Decrement(JSContext*, unsigned int, JS::Value*) src/js/src/ctypes/CTypes.cpp:5178:10
#2 0x7f5212f98ea4 in CallJSNative src/js/src/vm/Interpreter.cpp:458:13
#3 0x7f5212f98ea4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:551
#4 0x7f5212f9adc9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:620:10
#5 0x7f5212f9b194 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:637:8
#6 0x7f5213176781 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/Wrapper.cpp:162:10
#7 0x7f521313c2e5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
#8 0x7f521315c2c0 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) src/js/src/proxy/Proxy.cpp:504:19
#9 0x7f5212f99500 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:525:14
#10 0x7f5212f9adc9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:620:10
#11 0x7f5212f802c2 in CallFromStack src/js/src/vm/Interpreter.cpp:624:10
#12 0x7f5212f802c2 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3113
#13 0x7f5212f62d25 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
#14 0x7f5212f98fa6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:592:13
#15 0x7f5212f9adc9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:620:10
#16 0x7f5213e0f353 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:3229:10
#17 0x7f5175cd5797 (<unknown module>)
|
Assignee | |
Comment 1•5 years ago
|
||
|
||
Comment 2•5 years ago
|
||
The priority flag is not set for this bug.
:jorendorff, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jorendorff)
Pushed by jwalden@mit.edu: https://hg.mozilla.org/integration/autoland/rev/a391d6b9a5e8 CTypes.PointerType.prototype.decrement shouldn't compute the new pointer by adding a super-large unsigned value to the pointer (and thereby overflowing). r=jorendorff
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
|
|
||
Updated•5 years ago
|
Assignee: nobody → jwalden
You need to log in
before you can comment on or make changes to this bug.
Description
•