MOZ_CRASH(invalid UTF-8 string: ReportInvalidCharacter) at vm/CharacterEncoding.cpp:302


Steps to reproduce:

The attached sample crashes the js-shell on commit fb1e6d6e5735dcf12d96fde70351aca305961b53 when invoked via the command line obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js
Bisecting the issue points to commit 0216ea137eabafbb8e9fe7992298edd5c18b4836, related to bug 1782166.

const v8 = InternalError();
v8.fileName = String.fromCharCode(3823486100);
evaluate("this.disassemble();", v8);

#0  0x000055555791a4a8 in InflateUTF8ToUTF16<(OnUTF8Error)3, JS::ConstUTF8CharsZ::validate(unsigned long)::$_1>(JSContext*,
JS::UTF8Chars, JS::ConstUTF8CharsZ::validate(unsigned long)::$_1) (cx=0x0, src=..., dst=...)
    at js/src/vm/CharacterEncoding.cpp:302
#1  0x000055555791a2c4 in JS::ConstUTF8CharsZ::validate (this=0x7fffffff6ca8, aLength=1082)
    at js/src/vm/CharacterEncoding.cpp:580
#2  0x000055555755e969 in JS::ConstUTF8CharsZ::ConstUTF8CharsZ (this=0x7fffffff6ca8,
    aBytes=0x7ffff74c3800 "\n{\n  \"file\": \"\224\",\n  \"lineno\": 1,\n  \"column\": 12,\n  \"immutableFlags\": [\n  ]\n}\nloc   line  op\n----- ----  --\nmain:\n00000:   1  GlobalThis", ' ' <repeats 18 times>, "# this\n00001:   1  Dup", ' ' <repeats 25 times>..., aLength=1082)
    at obj-x86_64-pc-linux-gnu/dist/include/js/CharacterEncoding.h:148
#3  0x00005555574fe623 in DisassembleToString (cx=0x7ffff742f100, argc=0, vp=0x7ffff4cfc130)
    at js/src/shell/js.cpp:3269
#4  0x00005555576f209e in CallJSNative (cx=0x7ffff742f100,
    native=0x5555574fe500 <DisassembleToString(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call,
    args=...) at js/src/vm/Interpreter.cpp:459
#5  0x00005555576f18dd in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=..., construct=js::NO_CONSTRUCT,
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:547
#6  0x00005555576f2c71 in InternalCall (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:614
#7  0x00005555576f2a35 in js::CallFromStack (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:619
#8  0x00005555576e3759 in Interpret (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:3362
#9  0x00005555576d5830 in js::RunScript (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:431
Not sure what we'd like to do about this; seems unlikely to be a big issue tho. Arai, thoughts?

This is a JS shell-only function and doesn't affect Firefox.
I'll make it use lossy conversion.
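
An added example, not code from this bug or from SpiderMonkey, showing the two behaviours discussed in this thread on the bytes quoted in the backtrace: a strict validator standing in for ConstUTF8CharsZ::validate, which stops at the stray 0x94 byte in the "file" field, and the lossy conversion the fix adopts, which replaces that byte with U+FFFD instead of aborting. The disassembly text is constructed from the backtrace; utf8SeqLen, firstInvalidUtf8 and utf8Lossy are hypothetical names.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed input: the start of the disassemble() output quoted in the
// backtrace, with the single non-UTF-8 byte 0x94 as the file name.
static const std::string kDisassembly =
    "\n{\n  \"file\": \"\x94\",\n  \"lineno\": 1,\n  \"column\": 12\n}\n";

// Length of the well-formed UTF-8 sequence starting at s[i], or 0 if the bytes
// there are invalid (bare continuation byte, overlong form, surrogate, code
// point above U+10FFFF, or a sequence truncated by the end of the buffer).
static size_t utf8SeqLen(const std::string& s, size_t i) {
  const unsigned char* p = (const unsigned char*)s.data() + i;
  unsigned char c = p[0];
  unsigned char lo = 0x80, hi = 0xBF;  // allowed range of the second byte
  size_t n;
  if (c < 0x80) return 1;
  else if (c >= 0xC2 && c <= 0xDF) n = 2;
  else if (c >= 0xE0 && c <= 0xEF) { n = 3; if (c == 0xE0) lo = 0xA0; if (c == 0xED) hi = 0x9F; }
  else if (c >= 0xF0 && c <= 0xF4) { n = 4; if (c == 0xF0) lo = 0x90; if (c == 0xF4) hi = 0x8F; }
  else return 0;
  if (n > s.size() - i) return 0;
  if (p[1] < lo || p[1] > hi) return 0;
  for (size_t k = 2; k < n; ++k)
    if (p[k] < 0x80 || p[k] > 0xBF) return 0;
  return n;
}

// Strict check, the pre-fix behaviour: byte offset of the first invalid
// sequence (where the shell hit MOZ_CRASH), or -1 if the buffer is valid.
long firstInvalidUtf8(const std::string& s) {
  for (size_t i = 0; i < s.size();) {
    size_t n = utf8SeqLen(s, i);
    if (n == 0) return (long)i;
    i += n;
  }
  return -1;
}

// Lossy conversion, the approach of the fix: each invalid byte becomes
// U+FFFD (EF BF BD), so the result is always well-formed UTF-8.
std::string utf8Lossy(const std::string& s) {
  std::string out;
  for (size_t i = 0; i < s.size();) {
    size_t n = utf8SeqLen(s, i);
    if (n == 0) { out += "\xEF\xBF\xBD"; i += 1; }
    else { out.append(s, i, n); i += n; }
  }
  return out;
}

int main() {
  std::cout << "first invalid byte at offset " << firstInvalidUtf8(kDisassembly) << "\n";
  std::cout << utf8Lossy(kDisassembly);  // the lossy output validates cleanly
}
```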

Pushed by
Use lossy conversion in shell disassemble function. r=mgaudet

Backed out for causing SM bustages on disassemble-filename.js

  • Backout link
  • Push with failures
  • Failure Log
  TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/basic/disassemble-filename.js | :2:1 ReferenceError: disassemble is not defined (code 3, args "") [0.0 s

Failure log 2:

Flags: needinfo?(arai.unmht)
Pushed by
Use lossy conversion in shell disassemble function. r=mgaudet
