Closed Bug 1662260 Opened 4 years ago Closed 4 years ago

Crash [@ js::frontend::ParserAtomEntry::isIndex] with OOM and private methods

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
82 Branch
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox80 --- wontfix
firefox81 --- wontfix
firefox82 --- fixed

People

(Reporter: decoder, Assigned: djvj)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])

Crash Data

Attachments

(2 files)

Testcase
148 bytes, text/plain
Details
Bug 1662260 - OOM check in parser. r?mgaudet
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200831-b4055ac79297 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --enable-private-fields --enable-private-methods):

function loadX(lfVarx) {
    oomTest(function() {
        let m55 = parseModule(lfVarx);
    });
}
loadX(`
  class B50 {
    #priv() {}
  }
`)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::frontend::ParserAtomEntry::isIndex (this=0x0, indexp=0x7fffffff92fc) at js/src/frontend/ParserAtom.cpp:134
#1  0x0000555556f905d9 in js::frontend::ParserAtomEntry::isIndex (this=0x0) at js/src/frontend/ParserAtom.h:290
#2  js::frontend::ParserAtomEntry::asName (this=0x0) at js/src/frontend/ParserAtom.h:339
#3  0x000055555749f5f9 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classMember (this=0x7fffffffa7c0, yieldHandling=<optimized out>, classStmt=..., className=0x7fff00000000, classStartOffset=3, hasHeritage=js::frontend::HasHeritage::No, classInitializedMembers=..., classMembers=@0x7fffffff9518: 0x7ffff5663090, done=0x7fffffff94ef) at js/src/frontend/Parser.cpp:7330
#4  0x000055555748dce0 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::classDefinition (this=0x7fffffffa7c0, yieldHandling=js::frontend::YieldIsName, classContext=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::ClassStatement, defaultHandling=<optimized out>) at js/src/frontend/Parser.cpp:7526
#5  0x0000555557488603 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=0x7fffffffa7c0, yieldHandling=js::frontend::YieldIsName, canHaveDirectives=true) at js/src/frontend/Parser.cpp:8579
#6  0x00005555574864b5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=<optimized out>, yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3779
#7  0x00005555574bd810 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::moduleBody (this=0x7fffffffa7c0, modulesc=<optimized out>) at js/src/frontend/Parser.cpp:1698
#8  0x0000555557509746 in js::frontend::ModuleCompiler<char16_t>::compile (this=0x7fffffffa210, compilationInfo=..., gcOutput=...) at js/src/frontend/BytecodeCompiler.cpp:609
#9  0x00005555574d452f in InternalParseModule<char16_t> (cx=<optimized out>, optionsInput=..., srcBuf=..., gcOutput=...) at js/src/frontend/BytecodeCompiler.cpp:764
#10 js::frontend::ParseModule (cx=<optimized out>, optionsInput=..., srcBuf=..., gcOutput=...) at js/src/frontend/BytecodeCompiler.cpp:779
#11 0x00005555574d4fd3 in CreateModule<char16_t> (cx=0x7ffff6027000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:800
#12 js::frontend::CompileModule (cx=0x7ffff6027000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:817
#13 0x0000555556b74a66 in ParseModule (cx=0x7ffff6027000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4954
#14 0x00000556bde1e16f in ?? ()
#15 0x5ae8154b79719500 in ?? ()
#16 0x00007fffffffb158 in ?? ()
#17 0x0000000000000008 in ?? ()
#18 0x0000000000000000 in ?? ()
rax	0x5ae8154b79719500	6550509071914603776
rbx	0x0	0
rcx	0x5ae8154b79719500	6550509071914603776
rdx	0x7fffffff92fc	140737488327420
rsi	0x7fffffff92fc	140737488327420
rdi	0x0	0
rbp	0x7fffffff9310	140737488327440
rsp	0x7fffffff92e8	140737488327400
r8	0x0	0
r9	0x7ffff6027000	140737320742912
r10	0x37207d04	924876036
r11	0xce08	52744
r12	0x7fffffff93c8	140737488327624
r13	0x0	0
r14	0x7ffff5663108	140737310503176
r15	0x7ffff56630d0	140737310503120
rip	0x55555753cfb3 <js::frontend::ParserAtomEntry::isIndex(unsigned int*) const+3>
=> 0x55555753cfb3 <js::frontend::ParserAtomEntry::isIndex(unsigned int*) const+3>:	mov    0x8(%rdi),%esi
   0x55555753cfb6 <js::frontend::ParserAtomEntry::isIndex(unsigned int*) const+6>:	lea    -0x1(%rsi),%eax
Attached file Testcase 

    
    

    
  
Something is up with parser atoms here :


 const ParserAtom* storedMethodAtom =
          storedMethodName.finishParserAtom(this->compilationInfo_);
      const ParserName* storedMethodProp = storedMethodAtom->asName();



Missing OOM handling it seems.


Flags: needinfo?(kvijayan)
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]

    
    

    
  
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200831215215-93d8458a0c4d
> mozilla-central 20200831091558-b4055ac79297
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

    
    

    
  
(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #2)




Something is up with parser atoms here :


 const ParserAtom* storedMethodAtom =
          storedMethodName.finishParserAtom(this->compilationInfo_);
      const ParserName* storedMethodProp = storedMethodAtom->asName();



Missing OOM handling it seems.




Thanks matthew.


Assignee: nobody → kvijayan
Status: NEW → ASSIGNED

    
    

    
  
Pushed by kvijayan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f90f01b99ece
OOM check in parser. r=mgaudet DONTBUILD
Severity: -- → S4
Priority: -- → P1

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/e7f884691bf5


Status: ASSIGNED → RESOLVED
Closed: 4 years ago

          status-firefox82:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch

          status-firefox80:
          --- → wontfix

          status-firefox81:
          --- → wontfix

          status-firefox-esr68:
          --- → wontfix

          status-firefox-esr78:
          --- → wontfix
Flags: needinfo?(kvijayan) → in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: