Bug 1823208 (Closed) - MOZ_CRASH(invalid UTF-8 string: ReportInvalidCharacter) at vm/CharacterEncoding.cpp:323
Opened 3 years ago; closed 3 years ago
Categories: Core :: JavaScript Engine, defect, P3
Status: RESOLVED FIXED
Target Milestone: 113 Branch

| Tracking | Status |
|---|---|
| firefox113 | fixed |

People: Reporter: lukas.bernhard, Assigned: arai
References: Blocks 1 open bug
Attachments: 1 file
Steps to reproduce:
On git commit 5b59e4aeae621e45feacc7e9e4125a8ea7bebb9d the attached sample hits a MOZ_CRASH in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --baseline-warmup-threshold=10 --fuzzing-safe crash.js.
Bisecting did not identify a recent regressor.
const v0 = `
this.getBacktrace(this);
const v3 = \`
("14").constructor.fromCharCode(-1000000.0);
\`;
eval(v3);
`;
const v11 = eval(v0);
const o13 = {
...this,
};
o13.fileName = v11;
o13.evaluate(v0, o13);
#0 InflateUTF8ToUTF16<(OnUTF8Error)3, JS::ConstUTF8CharsZ::validate(unsigned long)::$_1>(JSContext*, JS::UTF8Chars, JS::ConstUTF8CharsZ::validate(unsigned long)::$_1) (src=..., cx=<optimized out>, dst=...)
at js/src/vm/CharacterEncoding.cpp:323
#1 JS::ConstUTF8CharsZ::validate (this=<optimized out>, aLength=<optimized out>)
at js/src/vm/CharacterEncoding.cpp:580
#2 0x00005555575af0e9 in JS::ConstUTF8CharsZ::ConstUTF8CharsZ (this=0x7fffffffc9b0,
aBytes=0x7ffff7417100 "0 <TOP LEVEL> [\"\300\":2:9]\n1 <TOP LEVEL> [\"crash_2023_03_18_2.js\":13:4]\n",
aLength=93824994850247) at obj-x86_64-pc-linux-gnu/dist/include/js/CharacterEncoding.h:148
#3 GetBacktrace (cx=cx@entry=0x7ffff7435c00, argc=<optimized out>, vp=<optimized out>)
at js/src/builtin/TestingFunctions.cpp:5683
#4 0x0000555556ec46f4 in CallJSNative (cx=cx@entry=0x7ffff7435c00,
native=native@entry=0x5555575ae9a0 <GetBacktrace(JSContext*, unsigned int, JS::Value*)>,
reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:459
#5 0x0000555556ec3abe in js::InternalCallOrConstruct (cx=0x7ffff7435c00,
cx@entry=0x555558909af0 <Interpret(JSContext*, js::RunState&)::addresses>, args=...,
construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call, reason@entry=4294967282)
at js/src/vm/Interpreter.cpp:553
#6 0x0000555556ec5826 in InternalCall (cx=0x7ffff79f8a00 <_IO_stdfile_2_lock>, args=..., reason=1497934704)
at js/src/vm/Interpreter.cpp:620
#7 0x0000555556eb71ba in js::CallFromStack (cx=0x7ffff79f8a00 <_IO_stdfile_2_lock>, cx@entry=0xffff800000000000, args=...,
reason=<optimized out>) at js/src/vm/Interpreter.cpp:625
#8 Interpret (cx=0x7ffff79f8a00 <_IO_stdfile_2_lock>, cx@entry=0x7ffff7435c00, state=...)
at js/src/vm/Interpreter.cpp:3368
#9 0x0000555556eaa135 in js::RunScript (cx=cx@entry=0x7ffff7435c00, state=...)
at js/src/vm/Interpreter.cpp:431
#10 0x0000555556ec7882 in js::ExecuteKernel (cx=cx@entry=0x7ffff7435c00, script=script@entry=...,
envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., result=...)
at js/src/vm/Interpreter.cpp:818
#11 0x0000555556ec7f31 in js::Execute (cx=cx@entry=0x7ffff7435c00, script=script@entry=..., envChain=..., rval=rval@entry=...)
at js/src/vm/Interpreter.cpp:850
#12 0x0000555557075c46 in ExecuteScript (cx=cx@entry=0x7ffff7435c00, envChain=..., script=..., rval=rval@entry=...)
at js/src/vm/CompilationAndEvaluation.cpp:472
#13 0x000055555707593c in JS_ExecuteScript (cx=0x7ffff7435c00, scriptArg=scriptArg@entry=..., rval=rval@entry=...)
at js/src/vm/CompilationAndEvaluation.cpp:489
#14 0x0000555556db4160 in Evaluate (cx=0x7ffff79f8a00 <_IO_stdfile_2_lock>, cx@entry=0x7ffff7435c00, argc=<optimized out>,
vp=<optimized out>) at js/src/shell/js.cpp:2503
#15 0x0000555556ec46f4 in CallJSNative (cx=cx@entry=0x7ffff7435c00,
native=native@entry=0x555556db2c10 <Evaluate(JSContext*, unsigned int, JS::Value*)>,
reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:459
#16 0x0000555556ec3abe in js::InternalCallOrConstruct (cx=0x7ffff7435c00,
cx@entry=0x555558909af0 <Interpret(JSContext*, js::RunState&)::addresses>, args=...,
construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call, reason@entry=4294967286)
at js/src/vm/Interpreter.cpp:553
#17 0x0000555556ec5826 in InternalCall (cx=0x7ffff79f8a00 <_IO_stdfile_2_lock>, args=..., reason=1497934704)
at js/src/vm/Interpreter.cpp:620
Comment 1 • 3 years ago
If you could take a look Arai!
Severity: -- → S3
Flags: needinfo?(arai.unmht)
Priority: -- → P3
Updated • 3 years ago (Assignee)
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Comment 2 • 3 years ago (Assignee)
This is related to bug 1492090.
Currently the filename handling still uses latin-1 or raw data, but some part expects UTF-8, and the assertion fails because of an invalid sequence passed to code that expects UTF-8.
This will ultimately be fixed by bug 1492090, but we can perform lossy conversion here to fix this specific issue.
Flags: needinfo?(arai.unmht)
See Also: → 1492090
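The following is an added illustration of the mechanism comment 2 describes; it is example code written for this page, not SpiderMonkey's InflateUTF8ToUTF16 or ConstUTF8CharsZ::validate. The backtrace shows the aBytes argument carrying a fileName that is the single byte \300 (0xC0), which can never start a valid UTF-8 sequence. The decoder below feeds a constructed copy of those bytes through a strict path, which rejects the input the way the validating path did (and which the engine turned into MOZ_CRASH), and through a lossy path, which substitutes U+FFFD for each bad sequence and keeps going, the approach the fix takes. All names (Utf8Mode, DecodeResult, decodeUtf8, kBacktraceBytes) and the sample bytes are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical names for this stand-alone example (not SpiderMonkey APIs).
enum class Utf8Mode { Strict, Lossy };

struct DecodeResult {
  bool ok;              // false only in Strict mode, on the first bad sequence
  std::u32string text;  // decoded code points (U+FFFD substituted in Lossy mode)
  size_t replacements;  // number of U+FFFD substitutions made
};

// Decodes `bytes` as UTF-8. Strict mode stops at the first invalid sequence;
// Lossy mode replaces a bad lead byte, a truncated sequence, an overlong form,
// an out-of-range value or a surrogate with U+FFFD and resynchronises on the
// next byte that was not already examined.
DecodeResult decodeUtf8(const std::string& bytes, Utf8Mode mode) {
  DecodeResult r{true, {}, 0};
  const unsigned char* p = reinterpret_cast<const unsigned char*>(bytes.data());
  const size_t n = bytes.size();
  size_t i = 0;
  while (i < n) {
    const unsigned char b = p[i];
    if (b < 0x80) {  // ASCII fast path
      r.text.push_back(b);
      ++i;
      continue;
    }
    size_t len = 0;      // expected sequence length; 0 means b cannot lead a sequence
    char32_t cp = 0;
    char32_t minCp = 0;  // smallest code point a sequence of this length may encode
    if (b >= 0xC2 && b <= 0xDF)      { len = 2; cp = b & 0x1F; minCp = 0x80; }
    else if (b >= 0xE0 && b <= 0xEF) { len = 3; cp = b & 0x0F; minCp = 0x800; }
    else if (b >= 0xF0 && b <= 0xF4) { len = 4; cp = b & 0x07; minCp = 0x10000; }
    // 0x80..0xBF (stray continuation), 0xC0/0xC1 (always overlong) and 0xF5..0xFF
    // keep len == 0. The bug's filename byte 0xC0 lands here.

    bool valid = len != 0;
    size_t consumed = 1;  // lead byte plus the continuation bytes accepted so far
    for (; valid && consumed < len; ++consumed) {
      if (i + consumed >= n || (p[i + consumed] & 0xC0) != 0x80) { valid = false; break; }
      cp = (cp << 6) | (p[i + consumed] & 0x3F);
    }
    if (valid && (cp < minCp || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))) {
      valid = false;  // overlong, beyond U+10FFFF, or a surrogate
    }

    if (!valid) {
      if (mode == Utf8Mode::Strict) { r.ok = false; return r; }
      r.text.push_back(0xFFFD);
      ++r.replacements;
      i += consumed;  // skip only what was examined, then resynchronise
      continue;
    }
    r.text.push_back(cp);
    i += len;
  }
  return r;
}

// Constructed sample modelled on the aBytes string in the bug's backtrace: the
// first frame's fileName is the lone byte 0xC0 (\300), the second is ASCII.
const std::string kBacktraceBytes =
    "0 <TOP LEVEL> [\"\xC0\":2:9]\n"
    "1 <TOP LEVEL> [\"crash_2023_03_18_2.js\":13:4]\n";

int main() {
  DecodeResult strict = decodeUtf8(kBacktraceBytes, Utf8Mode::Strict);
  DecodeResult lossy = decodeUtf8(kBacktraceBytes, Utf8Mode::Lossy);
  std::printf("strict: ok=%d\nlossy:  ok=%d replacements=%zu code points=%zu\n",
              strict.ok, lossy.ok, lossy.replacements, lossy.text.size());
  return 0;
}
```

The strict decoder refuses the whole backtrace because of one byte in a filename, which is the situation the assertion at CharacterEncoding.cpp:323 caught; the lossy decoder yields the same 0-based line/column information with U+FFFD in place of the 0xC0 byte, so a testing function such as getBacktrace can still return a usable string while the proper fix (consistent UTF-8 filename handling under bug 1492090) is pending.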
Comment 3 • 3 years ago (Assignee)
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/3835571dee6a
Use lossy conversion in getBacktrace testing function. r=jandem
Comment 5 • 3 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox113:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch