Closed Bug 1813744 Opened 1 year ago Closed 1 year ago

MOZ_CRASH(invalid UTF-8 string: ReportInvalidCharacter) at vm/CharacterEncoding.cpp:302

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

RESOLVED FIXED
111 Branch
Tracking Status
firefox111 --- fixed

People

(Reporter: lukas.bernhard, Assigned: arai)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Steps to reproduce:

The attached sample crashes the js-shell on commit fb1e6d6e5735dcf12d96fde70351aca305961b53 when invoked via the command line obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js.
Bisecting the issue points to commit 0216ea137eabafbb8e9fe7992298edd5c18b4836, related to bug 1782166.

const v8 = InternalError();
// The file name becomes a single non-ASCII code unit (ToUint16 of the argument).
v8.fileName = String.fromCharCode(3823486100);
// disassemble() embeds the file name in its output, which the shell then treats as UTF-8 (see the backtrace below).
evaluate("this.disassemble();", v8);

#0  0x000055555791a4a8 in InflateUTF8ToUTF16<(OnUTF8Error)3, JS::ConstUTF8CharsZ::validate(unsigned long)::$_1>(JSContext*,
JS::UTF8Chars, JS::ConstUTF8CharsZ::validate(unsigned long)::$_1) (cx=0x0, src=..., dst=...)
    at js/src/vm/CharacterEncoding.cpp:302
#1  0x000055555791a2c4 in JS::ConstUTF8CharsZ::validate (this=0x7fffffff6ca8, aLength=1082)
    at js/src/vm/CharacterEncoding.cpp:580
#2  0x000055555755e969 in JS::ConstUTF8CharsZ::ConstUTF8CharsZ (this=0x7fffffff6ca8,
    aBytes=0x7ffff74c3800 "\n{\n  \"file\": \"\224\",\n  \"lineno\": 1,\n  \"column\": 12,\n  \"immutableFlags\": [\n  ]\n}\
nloc   line  op\n----- ----  --\nmain:\n00000:   1  GlobalThis", ' ' <repeats 18 times>, "# this\n00001:   1  Dup", ' ' <rep
eats 25 times>..., aLength=1082)
    at obj-x86_64-pc-linux-gnu/dist/include/js/CharacterEncoding.h:148
#3  0x00005555574fe623 in DisassembleToString (cx=0x7ffff742f100, argc=0, vp=0x7ffff4cfc130)
    at js/src/shell/js.cpp:3269
#4  0x00005555576f209e in CallJSNative (cx=0x7ffff742f100,
    native=0x5555574fe500 <DisassembleToString(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call,
    args=...) at js/src/vm/Interpreter.cpp:459
#5  0x00005555576f18dd in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=..., construct=js::NO_CONSTRUCT,
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:547
#6  0x00005555576f2c71 in InternalCall (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:614
#7  0x00005555576f2a35 in js::CallFromStack (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:619
#8  0x00005555576e3759 in Interpret (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:3362
#9  0x00005555576d5830 in js::RunScript (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:431
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Not sure what we'd like to do about this; seems unlikely to be a big issue though. Arai, thoughts?

Severity: -- → S3
Flags: needinfo?(arai.unmht)
Priority: -- → P3

This is a JS shell-only function and doesn't affect Firefox.
I'll make it use lossy conversion.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)
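For readers who want to see the two conversion strategies side by side, the following is an added, stand-alone C++ example; it is not SpiderMonkey code and does not use the JS::ConstUTF8CharsZ API from the backtrace. The constructed sample string models the disassembly text shown in frame #2, where the "file" field carries a lone 0x94 byte (octal \224), a UTF-8 continuation byte with no lead byte. The function names (wellFormedSequenceLength, isValidUTF8, toUTF8Lossy) are hypothetical. Strict validation rejects the sample, which is the condition that the shell's validate() turned into a MOZ_CRASH; the lossy path replaces the offending byte with U+FFFD and always yields well-formed output, which is the approach the fix takes for the shell's disassemble function.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Length of the well-formed UTF-8 sequence starting at src[i], or 0 if the
// bytes there are ill-formed (lone continuation byte, overlong encoding,
// encoded surrogate, code point above U+10FFFF, or truncated sequence).
// Byte ranges follow Unicode's Table 3-7 "Well-Formed UTF-8 Byte Sequences".
static size_t wellFormedSequenceLength(const std::string& src, size_t i) {
    unsigned char b0 = static_cast<unsigned char>(src[i]);
    if (b0 < 0x80) return 1;                        // ASCII
    size_t len;
    unsigned char minSecond = 0x80, maxSecond = 0xBF;
    if (b0 >= 0xC2 && b0 <= 0xDF)      { len = 2; }
    else if (b0 == 0xE0)               { len = 3; minSecond = 0xA0; }  // no overlongs
    else if (b0 >= 0xE1 && b0 <= 0xEC) { len = 3; }
    else if (b0 == 0xED)               { len = 3; maxSecond = 0x9F; }  // no surrogates
    else if (b0 >= 0xEE && b0 <= 0xEF) { len = 3; }
    else if (b0 == 0xF0)               { len = 4; minSecond = 0x90; }  // no overlongs
    else if (b0 >= 0xF1 && b0 <= 0xF3) { len = 4; }
    else if (b0 == 0xF4)               { len = 4; maxSecond = 0x8F; }  // <= U+10FFFF
    else return 0;  // 0x80..0xBF (continuation), 0xC0/0xC1, 0xF5..0xFF never lead
    if (i + len > src.size()) return 0;             // truncated at end of input
    unsigned char b1 = static_cast<unsigned char>(src[i + 1]);
    if (b1 < minSecond || b1 > maxSecond) return 0;
    for (size_t k = 2; k < len; k++) {
        unsigned char bk = static_cast<unsigned char>(src[i + k]);
        if (bk < 0x80 || bk > 0xBF) return 0;
    }
    return len;
}

// Strict check: the analogue of a validate() that refuses ill-formed input.
// Asserting on this result is what turned the odd file name into a crash.
bool isValidUTF8(const std::string& src) {
    for (size_t i = 0; i < src.size();) {
        size_t n = wellFormedSequenceLength(src, i);
        if (n == 0) return false;
        i += n;
    }
    return true;
}

struct LossyResult {
    std::string text;   // always well-formed UTF-8
    size_t replaced;    // number of bytes substituted with U+FFFD
};

// Lossy conversion: well-formed sequences are copied through and every
// ill-formed byte is replaced by U+FFFD (EF BF BD). This is the simplest
// replacement policy; Unicode's recommended practice replaces each maximal
// ill-formed subpart with a single U+FFFD, so a truncated 3-byte sequence
// yields one marker there but one marker per byte here.
LossyResult toUTF8Lossy(const std::string& src) {
    LossyResult out{std::string(), 0};
    out.text.reserve(src.size());
    for (size_t i = 0; i < src.size();) {
        size_t n = wellFormedSequenceLength(src, i);
        if (n == 0) {
            out.text.append("\xEF\xBF\xBD");
            out.replaced++;
            i += 1;
        } else {
            out.text.append(src, i, n);
            i += n;
        }
    }
    return out;
}

// Constructed sample modelled on the disassembly text in the backtrace: the
// "file" field carries a lone 0x94 byte (octal \224), a continuation byte
// with no lead byte before it.
const std::string kCrashingDisassembly =
    "\n{\n  \"file\": \"\x94\",\n  \"lineno\": 1,\n  \"column\": 12\n}\n";

int main() {
    std::printf("strict validation accepts sample: %s\n",
                isValidUTF8(kCrashingDisassembly) ? "yes" : "no");
    LossyResult r = toUTF8Lossy(kCrashingDisassembly);
    std::printf("lossy conversion replaced %zu byte(s); result valid: %s\n",
                r.replaced, isValidUTF8(r.text) ? "yes" : "no");
    return 0;
}
```

The strict path is the right choice when the bytes are under the caller's control and an ill-formed string indicates a logic error worth catching in debug builds; the lossy path is the right choice for a diagnostic function that merely has to display whatever text was handed to it, which is why the shell-only disassemble output was switched to it.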
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/beba3efda45f
Use lossy conversion in shell disassemble function. r=mgaudet

Backed out for causing SM bustages on disassemble-filename.js

  • Backout link
  • Push with failures
  • Failure Log
  • Failure line: TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/basic/disassemble-filename.js | :2:1 ReferenceError: disassemble is not defined (code 3, args "") [0.0 s

Failure log 2: https://treeherder.mozilla.org/logviewer?job_id=405219419&repo=autoland

Flags: needinfo?(arai.unmht)
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/8eb056b0a1dc
Use lossy conversion in shell disassemble function. r=mgaudet
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
Flags: needinfo?(arai.unmht)