WRITE memory access
Categories: Core :: JavaScript Engine, task
People: Reporter: 1422930734, Unassigned
Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments (1 file): 513 bytes, text/javascript
1. version: JavaScript-C72.0a1
2. git commit: 27ded6834ef8b61fa52838acd59fe617bf44c61c
3. command: ./js poc
4. description: Hit MOZ_CRASH(createIsHTMLDDA()) at /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3732
ASAN:DEADLYSIGNAL
==103393==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557eae96de07 bp 0x7ffd74e5a450 sp 0x7ffd74e5a280 T0)
==103393==The signal is caused by a WRITE memory access.
==103393==Hint: address points to the zero page.
#0 0x557eae96de06 in MOZ_Crash(char const*, int, char const*) /root/AFL/compile/gecko-dev/js/src/build_OPT.OBJ/dist/include/mozilla/Assertions.h:332:3
#1 0x557eae96de06 in Crash(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3734
#2 0x557eaed5fdbf in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#3 0x557eaed5fdbf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:548
#4 0x557eaed66240 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:634:8
#5 0x557eafbfc7d5 in js::fun_call(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/JSFunction.cpp:1119:10
#6 0x557eaed5fdbf in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#7 0x557eaed5fdbf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:548
#8 0x557eaed0e08c in js::CallFromStack(JSContext*, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:621:10
#9 0x557eaed0e08c in Interpret(JSContext*, js::RunState&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:3110
#10 0x557eaecf0036 in js::RunScript(JSContext*, js::RunState&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:423:10
#11 0x557eaed6e201 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:810:13
#12 0x557eaed6f533 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:843:10
#13 0x557eaf6930c6 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /root/AFL/compile/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:482:10
#14 0x557eae97cc48 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:899:10
#15 0x557eae978ee5 in Process(JSContext*, char const*, bool, FileKind) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:1459:14
#16 0x557eae8aef88 in ProcessArgs(JSContext*, js::cli::OptionParser*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10234:10
#17 0x557eae8aef88 in Shell(JSContext*, js::cli::OptionParser*, char**) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10828
#18 0x557eae8aef88 in main /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:11479
#19 0x7f6ddfe7682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#20 0x557eae7669e8 in _start (/root/analysis/gecko/js3+0x6649e8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/AFL/compile/gecko-dev/js/src/build_OPT.OBJ/dist/include/mozilla/Assertions.h:332:3 in MOZ_Crash(char const*, int, char const*)
==103393==ABORTING
Comment 1 (5 years ago)
The test case calls crash():

const r = crash.call(this, str);

This behavior is expected. crash isn't exposed to web scripts.
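Triage helper, added here as an example and not part of the bug report or of Mozilla's tooling: a small Python script that reads an ASan report like the one above together with the test case and flags crashes reached through the shell-only crash() builtin as expected, so a fuzzing harness does not queue them as memory-safety findings. The report excerpt and the test-case line are taken from this page; the path js/src/shell/js.cpp, the label strings and the regular expressions are the script's own conventions. The null write ASan reports is how MOZ_Crash deliberately terminates the process in non-debug builds, so the signal type alone says nothing about the underlying cause.

```python
import re

# Location of the SpiderMonkey shell's own source, as seen in the report above.
SHELL_SOURCE = "js/src/shell/js.cpp"

# One symbolised ASan frame: "#N 0xADDR in SYMBOL FILE:LINE[:COL]". Frames without
# a source location (e.g. "_start (binary+0x...)") do not match and are skipped.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+)\s+0x[0-9a-f]+\s+in\s+(?P<symbol>.+?)\s+"
    r"(?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?\s*$"
)

# The test case invokes the shell-only crash() builtin, directly or through
# Function.prototype.call / .apply as in the attachment.
USES_CRASH_RE = re.compile(r"\bcrash\s*(?:\.\s*(?:call|apply)\s*)?\(")

# Excerpt of the ASan report from this bug (trimmed to a few frames).
SAMPLE_REPORT = """\
==103393==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557eae96de07 bp 0x7ffd74e5a450 sp 0x7ffd74e5a280 T0)
==103393==The signal is caused by a WRITE memory access.
==103393==Hint: address points to the zero page.
    #0 0x557eae96de06 in MOZ_Crash(char const*, int, char const*) /root/AFL/compile/gecko-dev/js/src/build_OPT.OBJ/dist/include/mozilla/Assertions.h:332:3
    #1 0x557eae96de06 in Crash(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3734
    #2 0x557eaed5fdbf in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456:13
    #5 0x557eafbfc7d5 in js::fun_call(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/JSFunction.cpp:1119:10
    #14 0x557eae97cc48 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:899:10
    #20 0x557eae7669e8 in _start (/root/analysis/gecko/js3+0x6649e8)
"""

# The line of the test case quoted in Comment 1.
SAMPLE_TESTCASE = "const r = crash.call(this, str);"


def parse_frames(report):
    """Return the symbolised frames of an ASan report, innermost first."""
    frames = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            frames.append({
                "n": int(m.group("n")),
                "symbol": m.group("symbol"),
                "file": m.group("file"),
                "line": int(m.group("line")),
            })
    return frames


def function_name(symbol):
    """'MOZ_Crash(char const*, int, char const*)' -> 'MOZ_Crash'."""
    return symbol.split("(", 1)[0]


def innermost_shell_frame(frames):
    """First frame (closest to the crash) that lives in the shell itself."""
    for f in frames:
        if f["file"].endswith(SHELL_SOURCE):
            return f
    return None


def classify(report, testcase):
    """Label a crash: 'expected-shell-crash' when MOZ_Crash was reached from the
    shell's Crash() native and the test case calls crash(); 'moz-crash-unexplained'
    when MOZ_Crash fired for some other reason (assertion, unreachable code) and
    needs a human; 'investigate' for every other crash site; 'unparsed' if no
    frame could be read."""
    frames = parse_frames(report)
    if not frames:
        return "unparsed"
    if function_name(frames[0]["symbol"]) != "MOZ_Crash":
        return "investigate"
    shell = innermost_shell_frame(frames)
    if (shell is not None and function_name(shell["symbol"]) == "Crash"
            and USES_CRASH_RE.search(testcase)):
        return "expected-shell-crash"
    return "moz-crash-unexplained"


if __name__ == "__main__":
    print(classify(SAMPLE_REPORT, SAMPLE_TESTCASE))
```

The check insists on both signals (the shell's Crash() native on the stack and a crash() call in the input) before discarding a report; a MOZ_Crash reached through any other path is kept for review, since an assertion failure in the engine is exactly what a fuzzer is meant to surface.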