UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55776a4f2cfb bp 0x7fff055b53c0 sp 0x7fff055b5370 T3813876)
Categories: Core :: JavaScript Engine, defect
People: Reporter: wh0tlif3, Unassigned
Keywords: reporter-external
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
PoC

function main() {
  // v0 simply returns its first argument.
  function v0(v1, v2) {
    return v1;
  }
  // v3 is a bound wrapper around v0. Constructing it with v3 itself as
  // the first argument makes the constructor return the callee object,
  // which is exactly what the assertion below (rval != callee) rejects.
  const v3 = v0.bind();
  const v4 = new v3(v3);
  gc(); // JS shell helper: force a garbage collection
}
main();
Assertion failure: args.rval() != ObjectValue(callee), at /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:492
#01: ???[/home/uuu/gecko-dev.updated/obj-fuzzbuild/dist/bin/js +0x196fcea]
#02: ???[/home/uuu/gecko-dev.updated/obj-fuzzbuild/dist/bin/js +0x195adf7]
#03: ???[/home/uuu/gecko-dev.updated/obj-fuzzbuild/dist/bin/js +0x194bb6f]
#04: ???[/home/uuu/gecko-dev.updated/obj-fuzzbuild/dist/bin/js +0x193ec45]
#05: ???[/home/uuu/gecko-dev.updated/obj-fuzzbuild/dist/bin/js +0x195c392]
#06: ???[/home/uuu/gecko-dev.updated/obj-fuzzbuild/dist/bin/js +0x195ca41]
#07: ???[/home/uuu/gecko-dev.updated/obj-fuzzbuild/dist/bin/js +0x1b097d6]
#07: ???[/home/uuu/js2 +0x1b097d6]
#08: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/uuu/js2 +0x1b09ab0]
#09: ???[/home/uuu/js2 +0x1874fe0]
#10: ???[/home/uuu/js2 +0x1874485]
#11: ???[/home/uuu/js2 +0x183602f]
#12: ???[/home/uuu/js2 +0x182fb6a]
#13: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x24083]
#14: ???[/home/uuu/js2 +0x17fc5e9]
#15: ??? (???:???)
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3813876==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55776a4f2cfb bp 0x7fff055b53c0 sp 0x7fff055b5370 T3813876)
==3813876==The signal is caused by a WRITE memory access.
==3813876==Hint: address points to the zero page.
#0 0x55776a4f2cfb in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:490:3
#1 0x55776a4dddf6 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:694:10
#2 0x55776a4ceb6e in js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:722:10
#3 0x55776a4ceb6e in Interpret(JSContext*, js::RunState&) /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:3347:16
#4 0x55776a4c1c44 in js::RunScript(JSContext*, js::RunState&) /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:431:13
#5 0x55776a4df391 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:812:13
#6 0x55776a4dfa40 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:844:10
#7 0x55776a68c7d5 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/uuu/gecko-dev.updated/js/src/vm/CompilationAndEvaluation.cpp:472:10
#8 0x55776a68caaf in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/uuu/gecko-dev.updated/js/src/vm/CompilationAndEvaluation.cpp:496:10
#9 0x55776a3f7fdf in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/uuu/gecko-dev.updated/js/src/shell/js.cpp:1088:10
#10 0x55776a3f7484 in Process(JSContext*, char const*, bool, FileKind) /home/uuu/gecko-dev.updated/js/src/shell/js.cpp
#11 0x55776a3b902e in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/uuu/gecko-dev.updated/js/src/shell/js.cpp:10567:10
#12 0x55776a3b902e in Shell(JSContext*, js::cli::OptionParser*) /home/uuu/gecko-dev.updated/js/src/shell/js.cpp:10791:12
#13 0x55776a3b2b69 in main /home/uuu/gecko-dev.updated/js/src/shell/js.cpp:11217:12
#14 0x7f8be01d6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#15 0x55776a37f5e8 in _start (/home/uuu/js2+0x17fc5e8) (BuildId: 81744ff225d32cf9904eb171e7b91aa9)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/uuu/gecko-dev.updated/js/src/vm/Interpreter.cpp:490:3 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)
==3813876==ABORTING
Comment 2•2 years ago
Thanks for the bug report! This is a bogus assertion and a duplicate of bug 1819651.
Comment 3•2 years ago
Thanks for the report. Unfortunately, we are not going to award a bounty for this bug.
As per our bug bounty guidelines, this was filed as a duplicate and we did find it with our own fuzzers.