Open
Bug 1597572
Opened 5 years ago
Updated 5 months ago
null pointer passed as argument 2, which is declared to never be null in modules/zlib/src/trees.c:873
Categories
(Core :: JavaScript Engine, defect, P2)
Core
JavaScript Engine
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox72 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-undefined, testcase)
Attachments
(1 file)
|
35.37 KB,
text/html
|
Details |
This is triggered with an UBSan build. To enable this check add the following to your mozconfig:
ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="nonnull-attribute"
ac_add_options --disable-jemalloc
modules/zlib/src/trees.c:873:42: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
#0 0x7f45f2b8e1b1 in MOZ_Z__tr_stored_block modules/zlib/src/trees.c:873:5
#1 0x7f45f2b6a7ca in MOZ_Z_deflate modules/zlib/src/deflate.c:1025:17
#2 0x7f45f301f359 in js::Compressor::compressMore() js/src/vm/Compression.cpp:117:13
#3 0x7f45f32f6879 in void js::SourceCompressionTask::workEncodingSpecific<char16_t>() js/src/vm/JSScript.cpp:2623:18
#4 0x7f45f32950d9 in decltype(auto) mozilla::Variant<js::ScriptSource::Compressed<mozilla::Utf8Unit, (js::SourceRetrievable)0>, js::ScriptSource::Uncompressed<mozilla::Utf8Unit, (js::SourceRetrievable)0>, js::ScriptSource::Compressed<mozilla::Utf8Unit, (js::SourceRetrievable)1>, js::ScriptSource::Uncompressed<mozilla::Utf8Unit, (js::SourceRetrievable)1>, js::ScriptSource::Compressed<char16_t, (js::SourceRetrievable)0>, js::ScriptSource::Uncompressed<char16_t, (js::SourceRetrievable)0>, js::ScriptSource::Compressed<char16_t, (js::SourceRetrievable)1>, js::ScriptSource::Uncompressed<char16_t, (js::SourceRetrievable)1>, js::ScriptSource::Retrievable<mozilla::Utf8Unit>, js::ScriptSource::Retrievable<char16_t>, js::ScriptSource::Missing, js::ScriptSource::BinAST>::match<js::SourceCompressionTask::PerformTaskWork>(js::SourceCompressionTask::PerformTaskWork&&) objdir-ff-ubsan/dist/include/mozilla/Variant.h:767:12
#5 0x7f45f32950d9 in js::ScriptSource::performTaskWork(js::SourceCompressionTask*) js/src/vm/JSScript.cpp:2688:8
#6 0x7f45f32950d9 in js::SourceCompressionTask::runTask() js/src/vm/JSScript.cpp:2699:11
#7 0x7f45f30b3d83 in js::HelperThread::handleCompressionWorkload(js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:2404:11
#8 0x7f45f30b1323 in js::HelperThread::threadLoop() js/src/vm/HelperThreads.cpp:2658:5
#9 0x7f45f30c7e2c in void js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul>(std::integer_sequence<unsigned long, 0ul>) js/src/threading/Thread.h:218:5
#10 0x7f45f30c7e2c in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) js/src/threading/Thread.h:207:11
#11 0x7f460c7e36da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#12 0x7f460b7c188e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
||
Comment 1•5 years ago
|
||
Jan, any idea who might be the best person to investigate?
Flags: needinfo?(jdemooij)
Priority: -- → P2
|
||
Comment 2•5 years ago
|
||
It's this line:
zmemcpy(s->pending_buf + s->pending, (Bytef *)buf, stored_len);
And there are some callers that pass a nullptr buf with stored_len 0, for example here.
This was reported and fixed upstream two years ago: https://github.com/madler/zlib/issues/290 However, according to zlib.net the latest version is still 1.2.11 so there's no stable release with this fixed...
Flags: needinfo?(jdemooij)
|
|
||
Comment 3•5 years ago
|
||
In https://github.com/madler/zlib/issues/422 people are asking for a new zlib release and madler said "soon", 5 months ago...
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•