segmentation fault at gecko-dev/js/src/shell/js.cpp:3734
(Core :: JavaScript Engine, defect)
(Reporter: buaasjw, Unassigned)
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments (1 file): 679 bytes, text/plain
Hit MOZ_CRASH(a) at gecko-dev/js/src/shell/js.cpp:3734
Git commit: 27ded6834ef8b61fa52838acd59fe617bf44c61c
Testing environment: Ubuntu 16.04
Testing command: ./gecko 000000.txt
Backtrace information:
#0 MOZ_Crash (aLine=3734, aFilename=<optimized out>, aReason=<optimized out>)
at /root/AFL/compile/gecko-dev/js/src/build_OPT.OBJ/dist/include/mozilla/Assertions.h:332
#1 Crash (cx=0x7ffff6427000, argc=<optimized out>, vp=<optimized out>)
at /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3734
#2 0x0000555555b5ab5d in CallJSNative (cx=0x7ffff6427000,
native=0x5555559734f0 <Crash(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, args=...)
at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456
#3 0x0000555555b31944 in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=<optimized out>,
reason=<optimized out>) at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:548
#4 0x0000555555b33966 in js::Call (cx=0x7ffff76a8540 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=...,
reason=js::CallReason::Call) at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:634
#5 0x0000555556301372 in js::fun_call (cx=0x7ffff6427000, argc=<optimized out>, vp=<optimized out>)
at /root/AFL/compile/gecko-dev/js/src/vm/JSFunction.cpp:1119
#6 0x0000555555b5ab5d in CallJSNative (cx=0x7ffff6427000,
native=0x555556300d60 <js::fun_call(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, args=...)
at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456
#7 0x0000555555b31944 in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=<optimized out>,
reason=<optimized out>) at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:548
#8 0x0000555555b296aa in js::CallFromStack (cx=0x7ffff6427000, args=...)
at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:621
#9 Interpret (cx=<optimized out>, state=...) at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:3110
#10 0x0000555555b00955 in js::RunScript (cx=0x7ffff6427000, state=...)
at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:423
#11 0x0000555555b370da in js::ExecuteKernel (cx=<optimized out>, script=..., envChainArg=..., newTargetValue=...,
evalInFrame=..., result=0x0) at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:810
#12 0x0000555555b37ab7 in js::Execute (cx=0x7ffff6427000, script=..., envChainArg=..., rval=<optimized out>)
at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:843
#13 0x000055555602f612 in ExecuteScript (cx=0x7ffff6427000, scope=..., script=..., rval=0x0)
at /root/AFL/compile/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:449
#14 0x000055555602f94f in JS_ExecuteScript (cx=0x7ffff6427000, scriptArg=...)
at /root/AFL/compile/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:482
#15 0x000055555597cf02 in RunFile (cx=<optimized out>,
filename=0x7fffffffecc8 "crashes/id:000000,sig:11,src:002498+001448,op:expcross,pos:0", file=<optimized out>,
compileMethod=CompileUtf8::DontInflate,
compileOnly=<error reading variable: access outside bounds of object referenced via synthetic pointer>)
at /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:899
#16 0x000055555597b29b in Process (cx=0x7ffff6427000, filename=<optimized out>, forceTTY=<optimized out>,
kind=FileScript) at /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:1459
#17 0x0000555555901328 in ProcessArgs (cx=<optimized out>, op=0x7fffffffe858)
at /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10234
#18 Shell (cx=<optimized out>, op=<optimized out>, envp=<optimized out>)
at /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10828
#19 0x00005555558f24de in main (argc=0, argv=<optimized out>, envp=<optimized out>)
at /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:11479
Comment 1•5 years ago
This looks like a direct call to the JS Shell function named crash, which works as intended. :)
You might want to run the JS Shell with --fuzzing-safe, which removes these functions from the global.
See:
https://searchfox.org/mozilla-central/rev/e0eb861a187f0bb6d994228f2e0e49b2c9ee455e/js/src/shell/js.cpp#10971-10976
https://searchfox.org/mozilla-central/rev/e0eb861a187f0bb6d994228f2e0e49b2c9ee455e/js/src/shell/js.cpp#10054-10061
https://searchfox.org/mozilla-central/rev/e0eb861a187f0bb6d994228f2e0e49b2c9ee455e/js/src/shell/js.cpp#9258-9264
https://searchfox.org/mozilla-central/rev/e0eb861a187f0bb6d994228f2e0e49b2c9ee455e/js/src/shell/js.cpp#3777-3804
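Comment 1 shows why this report is fuzzing noise rather than a bug: the innermost frames land in the shell's own `Crash` native, i.e. the testcase asked the shell to abort. The following Python script is an added example (not from the bug, the reporter, or the SpiderMonkey project) of how to automate that check when triaging a directory of fuzzer crashes: it parses a gdb backtrace like the one quoted above, flags a crash whose innermost frames hit a shell testing native in js/src/shell/js.cpp, and builds the --fuzzing-safe rerun command the comment recommends. The set of shell-only natives contains only `Crash`, the one named on this page; `UNRELATED_BACKTRACE` is a constructed sample with hypothetical function names and paths, and the shell binary name and testcase name are taken from the reporter's command line.

```python
"""Added triage helper (example code, not part of this bug or of SpiderMonkey).

Classifies a gdb backtrace from a SpiderMonkey shell crash as either
'shell-builtin' (the testcase invoked a shell-only testing function such as
crash(), whose native is `Crash` in js/src/shell/js.cpp) or 'unclassified'
(needs a real look), and builds the --fuzzing-safe rerun from Comment 1.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt (frames #0-#2) of the backtrace quoted in this report.
SAMPLE_BACKTRACE = """\
#0 MOZ_Crash (aLine=3734, aFilename=<optimized out>, aReason=<optimized out>)
at /root/AFL/compile/gecko-dev/js/src/build_OPT.OBJ/dist/include/mozilla/Assertions.h:332
#1 Crash (cx=0x7ffff6427000, argc=<optimized out>, vp=<optimized out>)
at /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3734
#2 0x0000555555b5ab5d in CallJSNative (cx=0x7ffff6427000,
native=0x5555559734f0 <Crash(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, args=...)
at /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456
"""

# Constructed, hypothetical backtrace (function names and file are made up)
# that does NOT pass through a shell testing native.
UNRELATED_BACKTRACE = """\
#0 0x00005555560a1b2c in js::Example::Method (this=0x0) at /root/AFL/compile/gecko-dev/js/src/vm/Example.cpp:42
#1 0x00005555560a1c00 in js::CallExample (cx=0x7ffff6427000) at /root/AFL/compile/gecko-dev/js/src/vm/Example.cpp:99
"""

SHELL_SOURCE = "js/src/shell/js.cpp"
# Natives behind shell-only testing functions. Only `Crash` (the crash() builtin)
# is named on this page; --fuzzing-safe removes such functions from the global.
SHELL_TESTING_NATIVES = {"Crash"}

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([\w:~<>*&, ]+?)\s*\(")
AT_RE = re.compile(r"\bat\s+(\S+:\d+)\s*$")


@dataclass
class Frame:
    index: int
    function: str
    location: str = ""  # "path:line" from the trailing "at ..." clause


def parse_backtrace(text: str) -> list[Frame]:
    """Parse gdb 'bt' output; continuation lines attach to the previous frame."""
    frames: list[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---Type <return>"):  # gdb pager prompt
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2).strip()))
        if not frames:
            continue  # junk before the first frame
        at = AT_RE.search(line)
        if at:
            frames[-1].location = at.group(1)
    return frames


def classify(frames: list[Frame], depth: int = 3) -> str:
    """'shell-builtin' if one of the innermost `depth` frames is a shell testing
    native defined in js.cpp (i.e. the testcase asked the shell to crash)."""
    for f in frames[:depth]:
        if f.function in SHELL_TESTING_NATIVES and SHELL_SOURCE in f.location:
            return "shell-builtin"
    return "unclassified"


def fuzzing_safe_rerun(shell: str, testcase: str) -> list[str]:
    """Command line to re-run the testcase without shell-only functions."""
    return [shell, "--fuzzing-safe", testcase]


def triage(backtrace: str, shell: str, testcase: str) -> dict:
    """Verdict plus the rerun command when the crash is self-inflicted."""
    frames = parse_backtrace(backtrace)
    verdict = classify(frames)
    return {
        "verdict": verdict,
        "innermost": [f.function for f in frames[:3]],
        "rerun": fuzzing_safe_rerun(shell, testcase) if verdict == "shell-builtin" else None,
    }


if __name__ == "__main__":
    # The reporter's command was `./gecko 000000.txt`; the binary name is theirs.
    print(triage(SAMPLE_BACKTRACE, "./gecko", "000000.txt"))
    print(triage(UNRELATED_BACKTRACE, "./gecko", "000000.txt"))
```

The verdict is a heuristic on the innermost frames only: if `--fuzzing-safe` makes the crash disappear, the input depended on a shell-only function and can be discarded from the crash queue; if it still reproduces, the crash deserves a real investigation.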