Closed Bug 1584601 Opened 4 months ago Closed 3 months ago

addition of unsigned offset overflowed in js/src/ctypes/CTypes.cpp:5159

Categories

(Core :: js-ctypes, defect)


Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: tsmith, Assigned: Waldo)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

This is triggered with a UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="pointer-overflow"
ac_add_options --disable-jemalloc

TEST-UNEXPECTED-FAIL | toolkit/components/ctypes/tests/unit/test_jsctypes.js
...
src/js/src/ctypes/CTypes.cpp:5159:24: runtime error: addition of unsigned offset to 0x6030000db170 overflowed to 0x6030000db160
    #0 0x7f5212f1c2a7 in js::ctypes::PointerType::OffsetBy(JSContext*, JS::CallArgs const&, int, char const*) src/js/src/ctypes/CTypes.cpp:5159:24
    #1 0x7f5212f1b7b1 in js::ctypes::PointerType::Decrement(JSContext*, unsigned int, JS::Value*) src/js/src/ctypes/CTypes.cpp:5178:10
    #2 0x7f5212f98ea4 in CallJSNative src/js/src/vm/Interpreter.cpp:458:13
    #3 0x7f5212f98ea4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:551
    #4 0x7f5212f9adc9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:620:10
    #5 0x7f5212f9b194 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:637:8
    #6 0x7f5213176781 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/Wrapper.cpp:162:10
    #7 0x7f521313c2e5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
    #8 0x7f521315c2c0 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) src/js/src/proxy/Proxy.cpp:504:19
    #9 0x7f5212f99500 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:525:14
    #10 0x7f5212f9adc9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:620:10
    #11 0x7f5212f802c2 in CallFromStack src/js/src/vm/Interpreter.cpp:624:10
    #12 0x7f5212f802c2 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3113
    #13 0x7f5212f62d25 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
    #14 0x7f5212f98fa6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:592:13
    #15 0x7f5212f9adc9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:620:10
    #16 0x7f5213e0f353 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:3229:10
    #17 0x7f5175cd5797  (<unknown module>)

The priority flag is not set for this bug.
:jorendorff, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jorendorff)

Stamped.

Flags: needinfo?(jorendorff)
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/autoland/rev/a391d6b9a5e8
CTypes.PointerType.prototype.decrement shouldn't compute the new pointer by adding a super-large unsigned value to the pointer (and thereby overflowing).  r=jorendorff
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Assignee: nobody → jwalden
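The commit message above describes the defect: the decrement path passed a negative offset into pointer arithmetic where it was multiplied by an unsigned element size, so the negative value became a huge unsigned one and the pointer addition wrapped. The following is an added illustration, not SpiderMonkey's code: it models that arithmetic on a 64-bit integer (where wraparound is well defined and can be inspected) next to one way of computing a signed offset that never overflows. The function names are hypothetical, and the element size of 16 is an assumption chosen because the two addresses in the UBSan report differ by 16. On a real pointer the wrapped addition is undefined behaviour, which is what the `pointer-overflow` sanitizer enabled in the mozconfig above reports.

```c
/* Added example (not SpiderMonkey's code): models the arithmetic behind the
 * UBSan "addition of unsigned offset ... overflowed" report and one
 * overflow-free way to apply a signed offset.  Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Buggy shape.  `offset` is a signed int and `element_size` is size_t, so the
 * usual arithmetic conversions turn a negative offset into a huge unsigned
 * value, and adding it to the pointer wraps.  On a real pointer that wrap is
 * undefined behaviour and is exactly what -fsanitize=pointer-overflow flags;
 * here the pointer is modelled as a uint64_t so the result is well defined. */
static uint64_t buggy_offset_by(uint64_t base, int offset, size_t element_size) {
  /* offset -1 becomes 2^64 - element_size after the conversion and multiply. */
  uint64_t bytes = (uint64_t)(int64_t)offset * (uint64_t)element_size;
  return base + bytes;
}

/* Returns 1 when the buggy computation relied on wraparound to land below
 * base, i.e. when a sanitizer would report the addition as overflowing. */
static int buggy_addition_wrapped(uint64_t base, int offset, size_t element_size) {
  uint64_t bytes = (uint64_t)(int64_t)offset * (uint64_t)element_size;
  return bytes > UINT64_MAX - base;
}

/* Fixed shape: keep the sign in a signed type, compute the magnitude as an
 * unsigned byte count, and move the pointer in the correct direction. */
static char *fixed_offset_by(char *base, int offset, size_t element_size) {
  size_t magnitude =
      (size_t)(offset < 0 ? -(int64_t)offset : (int64_t)offset) * element_size;
  return offset < 0 ? base - magnitude : base + magnitude;
}

/* Constructed 64-byte object so fixed_offset_by stays within bounds. */
static char demo_buf[64];

int main(void) {
  /* Addresses taken from the report; element size 16 is an assumption. */
  uint64_t before = 0x6030000db170ULL;
  uint64_t after = buggy_offset_by(before, -1, 16);
  printf("buggy: 0x%llx -> 0x%llx (wrapped: %d)\n", (unsigned long long)before,
         (unsigned long long)after, buggy_addition_wrapped(before, -1, 16));

  char *p = fixed_offset_by(demo_buf + 32, -1, 16);
  printf("fixed: decrement moved from element 2 to element %td\n",
         (p - demo_buf) / 16);
  return 0;
}
```

Run with `-fsanitize=pointer-overflow` and the buggy version applied to a real pointer is reported at the addition; the fixed version is silent because the pointer is only ever moved by a magnitude of the right sign.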