Closed Bug 1751062 Opened 4 years ago Closed 4 years ago

Assertion failure: !isIndex(), at vm/StringType.h:1813

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1750935
Tracking Status
firefox98 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20220119-192e73e7c913 (debug build, run with --fuzzing-safe --no-threads --fast-warmup):

for (let v7 = 0; v7 < 1337; v7++) {
    try {
        // ToUint16(13.37) is 13, so v9 is "\r" followed by the char with code v7 (always 2 units).
        v9 = String.fromCharCode(13.37,v7);
        // padEnd to 4 units appends the first two chars of the pad string: v9 + "53".
        v10 = v9.padEnd(4,"536870912");
        // Evaluate the 4-char string as script; any SyntaxError/ReferenceError is swallowed below.
        v11 = eval(v10);
    } catch(v12) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556c8f57b in JSAtom::asPropertyName() ()
#1  0x0000555556c77552 in Interpret(JSContext*, js::RunState&) ()
#2  0x0000555556c6db7f in js::RunScript(JSContext*, js::RunState&) ()
#3  0x0000555556c84476 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#4  0x0000555556cd8665 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) ()
#5  0x0000555556cd9605 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#6  0x00005555576ccc8c in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#7  0x0000124d48935673 in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rax	0x55555576d6b5	93824994432693
rbx	0x3bc310226f60	65708975353696
rcx	0x5555581eef18	93825039003416
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffa750	140737488332624
rsp	0x7fffffffa730	140737488332592
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffa9d8	140737488333272
r13	0xfff9800000000000	-1829587348619264
r14	0x300998f58	12894965592
r15	0x555558164ad0	93825038437072
rip	0x555556c8f57b <JSAtom::asPropertyName()+267>
=> 0x555556c8f57b <_ZN6JSAtom14asPropertyNameEv+267>:	movl   $0x715,0x0
   0x555556c8f586 <_ZN6JSAtom14asPropertyNameEv+278>:	callq  0x555556b6f1d3 <abort>
Attached file Testcase

The assertion sounds like type confusion so we're going to guess sec-high. Let us know if there are mitigations.

Keywords: sec-high

Took a quick look. This was fixed by the patch in bug 1750935. Fortunately it's Nightly-only.

Arai, this can probably be closed as a duplicate, but it might be good if you took a look at it in case I missed something.

Flags: needinfo?(arai.unmht)

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220119093435-192e73e7c913) but not with tip (mozilla-central 20220119214718-cc33400f0ff8).
The bug appears to have been fixed in the following build range:

Start: 192e73e7c91313c09603efd1650931b917746bf4 (20220119093435)
End: cc33400f0ff80f0eada6c3aa637f37d247a3ff46 (20220119214718)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=192e73e7c91313c09603efd1650931b917746bf4&tochange=cc33400f0ff80f0eada6c3aa637f37d247a3ff46
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Yes, this is the same as bug 1750935.

It's not actual type confusion, given PropertyName is a direct subclass of JSAtom with no extension,
but it fails the restriction on string content.
https://searchfox.org/mozilla-central/rev/5d2b9e940ca09bd1cbc15aa681f69424cde8904c/js/src/vm/StringType.h#1327-1331

So this could cause misbehavior, but won't cause a UAF or a random address dereference or something along those lines, as other type confusions do.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(arai.unmht)
Resolution: --- → DUPLICATE
Group: javascript-core-security
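The following is an added illustration of the distinction drawn in the comment above; it is a model, not SpiderMonkey code, and the names Atom, PropertyName, Obj, isIndexString and the lookup helpers are hypothetical. It assumes an "index" is a canonical decimal string (digits only, no leading zeros except "0") with a value below 2^32-1, which approximates the check linked above but is not copied from it. The point it shows: because the subclass adds no members, a downcast that violates the content invariant reads no memory beyond the base object; a debug build aborts in asPropertyName(), while a release build (assertion compiled out) silently takes the named-property path and returns a wrong but bounded answer.

```cpp
// Added illustration, not SpiderMonkey code: an atom type with a content
// property (is the string an array index?) and a subclass that adds no
// members but carries the invariant "never an index".
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <map>
#include <optional>
#include <string>
#include <vector>

// Approximation of the "index" rule used by this model: a canonical decimal
// string (digits only, no leading zeros except "0") whose value is below
// 2^32-1. Assumption for the model, not the engine's actual check.
bool isIndexString(const std::string& s, uint32_t* out) {
    if (s.empty() || s.size() > 10) return false;
    if (s.size() > 1 && s[0] == '0') return false;
    uint64_t v = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        v = v * 10 + static_cast<unsigned>(c - '0');
    }
    if (v >= std::numeric_limits<uint32_t>::max()) return false;
    *out = static_cast<uint32_t>(v);
    return true;
}

struct PropertyName;

struct Atom {
    std::string chars;
    bool isIndex() const { uint32_t i; return isIndexString(chars, &i); }
    // Debug-only content invariant, like the assertion in the report.
    PropertyName& asPropertyName();
};

// Same layout as Atom: no extra members, so the downcast below reads nothing
// beyond the Atom itself.
struct PropertyName : Atom {};

PropertyName& Atom::asPropertyName() {
    assert(!isIndex());
    return static_cast<PropertyName&>(*this);
}

// Toy object with the two storages an engine keeps apart (hypothetical).
struct Obj {
    std::vector<int> elements;         // keys "0", "1", ... live here
    std::map<std::string, int> named;  // every other key lives here
};

// Correct dispatch: index-like keys go to element storage, others to named.
std::optional<int> get(Obj& o, const Atom& key) {
    uint32_t idx;
    if (isIndexString(key.chars, &idx)) {
        if (idx < o.elements.size()) return o.elements[idx];
        return std::nullopt;
    }
    auto it = o.named.find(key.chars);
    if (it == o.named.end()) return std::nullopt;
    return it->second;
}

// The path the report hits: a caller has already decided the key is a
// PropertyName, so only named storage is searched.
std::optional<int> getNamed(Obj& o, const PropertyName& name) {
    auto it = o.named.find(name.chars);
    if (it == o.named.end()) return std::nullopt;
    return it->second;
}

// Models a release build: the assertion is gone and the cast still "works".
// Every read stays inside the two containers; only the answer is wrong.
std::optional<int> getViaUncheckedName(Obj& o, Atom& key) {
    return getNamed(o, static_cast<const PropertyName&>(key));
}

int main() {
    Obj o;
    o.elements = {10, 20, 30};
    o.named["foo"] = 7;
    Atom one{"1"};
    Atom foo{"foo"};
    std::printf("get(\"1\") = %d\n", get(o, one).value_or(-1));    // 20
    std::printf("get(\"foo\") = %d\n", get(o, foo).value_or(-1));  // 7
    std::printf("unchecked name lookup of \"1\" found: %d\n",
                static_cast<int>(getViaUncheckedName(o, one).has_value()));  // 0
    return 0;
}
```

Calling one.asPropertyName() in this model aborts under assert, exactly the failure mode in the backtrace; the misbehaviour a release build would show is the wrong lookup result from getViaUncheckedName, not an out-of-bounds access.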