Closed Bug 1731039 Opened 3 months ago Closed 1 month ago

Crash [@ js::UnwrapOneCheckedStatic]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
95 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox92 --- unaffected
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 --- verified

People

(Reporter: decoder, Assigned: sfink)

References

(Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20210915-8a9d97b273e7 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

encodeAsUtf8InBuffer("", "")

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556d86add in js::UnwrapOneCheckedStatic(JSObject*) ()
#1  0x0000555556d86a98 in js::CheckedUnwrapStatic(JSObject*) ()
#2  0x00005555570db5bb in JS::TypedArray<(JS::Scalar::Type)1>::unwrap(JSObject*) ()
#3  0x00005555571ab570 in EncodeAsUtf8InBuffer(JSContext*, unsigned int, JS::Value*) ()
#4  0x0000555556c22e01 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#16 0x0000555556a7afce in main ()
rax	0x0	0
rbx	0x0	0
rcx	0x0	0
rdx	0x0	0
rsi	0x0	0
rdi	0x0	0
rbp	0x7fffffffbe50	140737488338512
rsp	0x7fffffffbe40	140737488338496
r8	0x7fffffffbe68	140737488338536
r9	0x17d5267005b0	26204240348592
r10	0x8	8
r11	0x7dffadb6b	33822530411
r12	0xffff800000000000	-140737488355328
r13	0x7ffff6019000	140737320685568
r14	0x7fffffffbf30	140737488338736
r15	0x7ffff4a5a0a8	140737297883304
rip	0x555556d86add <js::UnwrapOneCheckedStatic(JSObject*)+45>
=> 0x555556d86add <_ZN2js22UnwrapOneCheckedStaticEP8JSObject+45>:	mov    0x8(%rax),%rdi
   0x555556d86ae1 <_ZN2js22UnwrapOneCheckedStaticEP8JSObject+49>:	callq  0x555556ff3940 <_ZN2js29CurrentThreadCanAccessRuntimeEPK9JSRuntime>

Likely an issue with the new shell function, but causing a major amount of crashes, so marking as fuzzblocker.

Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210916125444-fd6f4fa5ed18.
The bug appears to have been introduced in the following build range:

Start: 3005e92c10a384ac7a1a59daf6885bd167e44045 (20210908234928)
End: 31caca93507efbaae11e89b7c2e52b6020a8bf52 (20210908235319)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3005e92c10a384ac7a1a59daf6885bd167e44045&tochange=31caca93507efbaae11e89b7c2e52b6020a8bf52

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]

Steve, could you take a look at this bug, it seems it might have been caused by you push identified in the push log in comment 3.

Flags: needinfo?(sphink)
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Flags: needinfo?(sphink)

:sfink, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(sphink)
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a24fb00bab8e
ArrayBufferOrView subclasses should null-check in unwrap() r=jonco
Flags: needinfo?(sphink)
Regressed by: 1720422
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211022030827-438a6427019c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.