Open Bug 1599684 Opened 5 years ago Updated 1 year ago

AddressSanitizer: SEGV /gecko-dev_11_26/gecko-dev/js/src/ASAN/dist/include/js/RootingAPI.h:648:10 in JS::MutableHandle<JS::Value>::set(JS::Value const&)

Categories

(Core :: JavaScript Engine, defect, P3)

72 Branch
defect

Tracking

REOPENED

People

(Reporter: 423495062, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Attached file crash2.js (91 bytes, text/javascript)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36

Steps to reproduce:

1. Compile the JS engine with AddressSanitizer.
2. Use 'crash1.js' as the input file of the JS engine, and the JS engine crashes.

Actual results:

Assertion failure: JSID_TO_STRING(id)->isPermanentAtom(), at /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/SelfHosting.cpp:2813
AddressSanitizer:DEADLYSIGNAL

==30472==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555573bc5e7 bp 0x7fffffff3030 sp 0x7fffffff2f20 T0)
==30472==The signal is caused by a WRITE memory access.
==30472==Hint: address points to the zero page.
#0 0x5555573bc5e6 in JS::MutableHandle<JS::Value>::set(JS::Value const&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/ASAN/dist/include/js/RootingAPI.h:648:10
#1 0x5555573bc5e6 in GetUnclonedValue(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/SelfHosting.cpp:2803
#2 0x5555573bb794 in JSRuntime::getUnclonedSelfHostedValue(JSContext*, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/SelfHosting.cpp:3150:10
#3 0x5555573bc825 in JSRuntime::cloneSelfHostedValue(JSContext*, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/SelfHosting.cpp:3168:8
#4 0x555556518f44 in GetSelfHostedValue(JSContext*, unsigned int, JS::Value*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:6438:25
#5 0x55555678588d in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#6 0x555556753e25 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:548:12
#7 0x55555672e9de in js::CallFromStack(JSContext*, JS::CallArgs const&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:621:10
#8 0x55555672e9de in Interpret(JSContext*, js::RunState&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:3117
#9 0x55555670c64c in js::RunScript(JSContext*, js::RunState&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:423:10
#10 0x55555675ae88 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:810:13
#11 0x555556873405 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/builtin/Eval.cpp:341:10
#12 0x555556872204 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/builtin/Eval.cpp:445:10
#13 0x55555678588d in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#14 0x555556753e25 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:548:12
#15 0x55555672e9de in js::CallFromStack(JSContext*, JS::CallArgs const&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:621:10
#16 0x55555672e9de in Interpret(JSContext*, js::RunState&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:3117
#17 0x55555670c64c in js::RunScript(JSContext*, js::RunState&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:423:10
#18 0x55555675ae88 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:810:13
#19 0x55555675bdf1 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/Interpreter.cpp:843:10
#20 0x555556d129a9 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:453:10
#21 0x555556d12e5f in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:486:10
#22 0x55555652b30b in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:900:10
#23 0x555556528d32 in Process(JSContext*, char const*, bool, FileKind) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:1509:14
#24 0x55555649607c in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:10225:10
#25 0x55555649607c in Shell(JSContext*, js::cli::OptionParser*, char**) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:10820
#26 0x555556484f6b in main /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/shell/js.cpp:11476:12
#27 0x7ffff6827b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#28 0x5555563731a9 in _start (/home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/ASAN/dist/bin/js+0xe1f1a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev/js/src/ASAN/dist/include/js/RootingAPI.h:648:10 in JS::MutableHandle<JS::Value>::set(JS::Value const&)
==30472==ABORTING

Like bug 1599683, this test case calls an unsafe shell builtin. The solution is to test with --fuzzing-safe.

Keeping this one open as a P3 because the builtin should probably be at least a little more forgiving than that. Or at the very least help(getSelfHostedValue) should explain the safety rules.

As always, thanks for reporting these issues. This is the right place. We appreciate it.
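Added example, not Mozilla's tooling and not the reporter's test case: a small POSIX sh triage helper that reruns a test case under the SpiderMonkey shell both with and without --fuzzing-safe and classifies the outcome from the ASAN and assertion markers visible in the log above. A finding that only crashes without --fuzzing-safe is an unsafe-builtin hit (as with this report) rather than a bug worth filing; one that still crashes with the flag is. The shell binary path and test case path are arguments; nothing else about the build is assumed.

```shell
#!/bin/sh
# Triage helper (added example). Reruns TESTCASE under the js shell BIN
# with and without --fuzzing-safe and classifies the result.

# classify_run BIN TESTCASE [FLAG]
# Prints one of: asan, assert, other, clean. The markers matched are the
# ones an ASAN/debug js shell prints (see the report above).
classify_run() {
    bin=$1; testcase=$2; flag=$3
    status=0
    out=$("$bin" $flag "$testcase" 2>&1) || status=$?
    case "$out" in
        *"ERROR: AddressSanitizer:"*) echo asan ;;
        *"Assertion failure:"*)       echo assert ;;
        *) if [ "$status" -eq 0 ]; then echo clean; else echo other; fi ;;
    esac
}

# triage BIN TESTCASE
# Reports whether the crash survives --fuzzing-safe (report it), only
# happens without it (unsafe shell builtin, not a bug), or does not occur.
triage() {
    bin=$1; testcase=$2
    safe=$(classify_run "$bin" "$testcase" --fuzzing-safe)
    unsafe=$(classify_run "$bin" "$testcase" "")
    if [ "$safe" != clean ]; then
        echo "reproduces ($safe) under --fuzzing-safe: worth filing"
    elif [ "$unsafe" != clean ]; then
        echo "unsafe-builtin: crashes ($unsafe) only without --fuzzing-safe"
    else
        echo "no-crash"
    fi
}

# Usage (hypothetical paths): triage /path/to/ASAN/dist/bin/js crash2.js
```

The classification deliberately checks for the ASAN banner before the assertion line, since an ASAN report is the stronger signal; a debug build that only trips an assertion is still flagged, and a non-zero exit with neither marker is reported as "other" so it is not silently dropped.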

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Status: RESOLVED → REOPENED
Ever confirmed: true
Priority: -- → P3
Resolution: INVALID → ---
Severity: normal → S3
