AddressSanitizer: SEGV /gecko-dev_11_26/gecko-dev/js/src/ASAN/dist/include/mozilla/Assertions.h:332:3 in MOZ_Crash(char const*, int, char const*)
Categories: Core :: JavaScript Engine, defect
People: Reporter: 423495062, Unassigned
Attachments (1 file): 1.54 KB, text/javascript
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36
Steps to reproduce:
1. Compile the JS engine with AddressSanitizer.
2. Run the JS engine with 'crash1.js' as the input file; the JS engine crashes.
Actual results:
Hit MOZ_CRASH(Must not run any more promise jobs after quitting) at /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:3710
AddressSanitizer:DEADLYSIGNAL
==17234==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555652092a bp 0x7fffffff6f10 sp 0x7fffffff6d20 T0)
==17234==The signal is caused by a WRITE memory access.
==17234==Hint: address points to the zero page.
#0 0x555556520929 in MOZ_Crash(char const*, int, char const*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/ASAN/dist/include/mozilla/Assertions.h:332:3
#1 0x555556520929 in Crash(JSContext*, unsigned int, JS::Value*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:3710
#2 0x55555678588d in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#3 0x555556753e25 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:548:12
#4 0x55555672e9de in js::CallFromStack(JSContext*, JS::CallArgs const&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:621:10
#5 0x55555672e9de in Interpret(JSContext*, js::RunState&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:3117
#6 0x55555670c64c in js::RunScript(JSContext*, js::RunState&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:423:10
#7 0x555556753e4d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:589:13
#8 0x555556756a5a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:634:8
#9 0x5555569b7720 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.h:103:10
#10 0x555556f49db2 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/builtin/Promise.cpp:1813:10
#11 0x55555678588d in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#12 0x555556753e25 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:548:12
#13 0x555556756a5a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:634:8
#14 0x555556a52728 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/jsapi.cpp:2710:10
#15 0x5555570454d7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/jsapi.h:1601:10
#16 0x5555570454d7 in js::InternalJobQueue::runJobs(JSContext*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/JSContext.cpp:1114
#17 0x5555564ad3d2 in RunShellJobs(JSContext*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:1074:3
#18 0x555556496112 in Shell(JSContext*, js::cli::OptionParser*, char**) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:10830:3
#19 0x555556484f6b in main /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:11476:12
#20 0x7ffff6827b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#21 0x5555563731a9 in _start (/home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/ASAN/dist/bin/js+0xe1f1a9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/ASAN/dist/include/mozilla/Assertions.h:332:3 in MOZ_Crash(char const*, int, char const*)
==17234==ABORTING
Comment 1 • 6 years ago
This test case basically boils down to:
crash("Must not run any more promise jobs after quitting");
There's a crash() builtin function in the shell.
If you're fuzzing JS, welcome! :) You should definitely use the --fuzzing-safe option, which removes scary shell builtins like crash(), os.kill() and os.writeTypedArrayToFile().
-> Resolving this as "invalid" (which just means this isn't a bug after all)
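A triage helper for this class of false positive, added here as an example rather than code from the bug or from the SpiderMonkey project. It parses an ASan stack trace, flags a report whose top frames are MOZ_Crash called from the shell's own Crash() native in js/src/shell/js.cpp, and scans the test case for the shell builtins that comment 1 says --fuzzing-safe removes. The sample report is a constructed excerpt modelled on the trace above (paths shortened); the function names and the `/src/` prefix are assumptions.

```javascript
// Added example: triage ASan reports from the SpiderMonkey shell so that a
// fuzzer drops self-inflicted crash() calls instead of filing them as bugs.

// Constructed excerpt of an ASan report, modelled on this bug's trace.
const SAMPLE_REPORT = `
==17234==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555652092a bp 0x7fffffff6f10 sp 0x7fffffff6d20 T0)
    #0 0x555556520929 in MOZ_Crash(char const*, int, char const*) /src/js/src/ASAN/dist/include/mozilla/Assertions.h:332:3
    #1 0x555556520929 in Crash(JSContext*, unsigned int, JS::Value*) /src/js/src/shell/js.cpp:3710
    #2 0x55555678588d in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /src/js/src/vm/Interpreter.cpp:456:13
`;

// Constructed test case: what comment 1 says crash1.js boils down to.
const SAMPLE_TESTCASE = 'crash("Must not run any more promise jobs after quitting");';

// Shell builtins named in comment 1 as removed by --fuzzing-safe.
const UNSAFE_BUILTINS = ['crash', 'os.kill', 'os.writeTypedArrayToFile'];

// Parse "#N 0xADDR in SYMBOL LOCATION" frames. The symbol may contain
// spaces and parentheses, so the location is taken as the last token.
function parseFrames(report) {
  const frames = [];
  const frameRe = /^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$/i;
  for (const line of report.split('\n')) {
    const m = frameRe.exec(line);
    if (m) frames.push({ index: Number(m[1]), symbol: m[2], file: m[3] });
  }
  return frames;
}

// True when MOZ_Crash sits directly on top of the shell's Crash() native
// (js/src/shell/js.cpp), i.e. the test case itself called crash().
function isShellCrashBuiltin(report) {
  const frames = parseFrames(report);
  if (frames.length < 2) return false;
  const [top, caller] = frames;
  return /^MOZ_Crash\(/.test(top.symbol) &&
         /^Crash\(JSContext\*/.test(caller.symbol) &&
         /shell\/js\.cpp/.test(caller.file);
}

// List the unsafe shell builtins a test case calls. The guard "(^|[^\w.])"
// rejects lookalikes such as mycrash( or obj.crash(.
function unsafeBuiltinsUsed(source) {
  return UNSAFE_BUILTINS.filter(name => {
    const escaped = name.replace(/\./g, '\\.');
    return new RegExp(`(^|[^\\w.])${escaped}\\s*\\(`).test(source);
  });
}

// Combine both signals into a verdict a fuzzing harness can act on.
function triage(report, source) {
  const builtins = unsafeBuiltinsUsed(source);
  const viaShellCrash = isShellCrashBuiltin(report);
  if (viaShellCrash || builtins.length > 0) {
    return {
      verdict: 'invalid',
      reason: viaShellCrash
        ? 'MOZ_Crash reached through the shell crash() builtin'
        : 'test case calls a shell builtin removed by --fuzzing-safe',
      builtins,
    };
  }
  return { verdict: 'needs-review', reason: 'no shell builtin involved', builtins };
}

console.log(JSON.stringify(triage(SAMPLE_REPORT, SAMPLE_TESTCASE)));

module.exports = { parseFrames, isShellCrashBuiltin, unsafeBuiltinsUsed, triage };
```

Run it as a pre-filter on the fuzzer's output; anything that triages as 'invalid' should be discarded and, more importantly, the shell should be relaunched with --fuzzing-safe so that crash() and friends are not reachable at all.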