Closed Bug 1845671 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(JSON.stringify mismatch between fast and slow paths) at /js/src/builtin/JSON.cpp:1702

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1847369
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox116 --- unaffected
firefox117 --- fixed
firefox118 --- fixed

People

(Reporter: decoder, Assigned: sfink)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision 20230727-de3fd99966b1 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

a = [];
// Install an accessor pair on Array.prototype at index '0'
Object.defineProperty(Array.prototype, '0', {
    get() {
        return 0;
    },
    set() {}
});
a.push(1);
JSON.stringify(a); // hits the MOZ_CRASH in a debug build

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x57d86599 in js::Stringify(JSContext*, JS::MutableHandle<JS::Value>, JSObject*, JS::Value const&, js::StringBuffer&, js::StringifyBehavior) ()
#1  0x57d89a57 in json_stringify(JSContext*, unsigned int, JS::Value*) ()
#2  0x57ce96e4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#15 0x57b4dc18 in main ()
eax	0x568238e2	1451374818
ebx	0x5955fe00	1498807808
ecx	0x59561a1c	1498815004
edx	0xf7bb2cc7	-138728249
esi	0xff877650	-7899568
edi	0xf691a100	-158228224
ebp	0xff877608	4287067656
esp	0xff877320	4287066912
eip	0x57d86599 <js::Stringify(JSContext*, JS::MutableHandle<JS::Value>, JSObject*, JS::Value const&, js::StringBuffer&, js::StringifyBehavior)+12233>
=> 0x57d86599 <_ZN2js9StringifyEP9JSContextN2JS13MutableHandleINS2_5ValueEEEP8JSObjectRKS4_RNS_12StringBufferENS_17StringifyBehaviorE+12233>:	movl   $0x6a6,0x0
   0x57d865a3 <_ZN2js9StringifyEP9JSContextN2JS13MutableHandleINS2_5ValueEEEP8JSObjectRKS4_RNS_12StringBufferENS_17StringifyBehaviorE+12243>:	call   0x57be3323 <abort>

Marking s-s until triaged as the test triggers spidey sense.

Attached file Testcase
Flags: needinfo?(sphink)

Unable to reproduce bug 1845671 using build mozilla-central 20230727034425-de3fd99966b1. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Severity: -- → S2
Priority: -- → P1
Regressed by: 1837410

Set release status flags based on info from the regressing bug 1837410

Assignee: nobody → sphink
Status: NEW → ASSIGNED

(In reply to Bugmon [:jkratzer for issues] from comment #3)

Unable to reproduce bug 1845671 using build mozilla-central 20230727034425-de3fd99966b1. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

I'm guessing bugmon must not be using a DEBUG build, because this should reproduce 100% reliably there with any runtime flags. But that seems surprising; aren't a lot of bugs going to be DEBUG-only, eg if they're crashing with MOZ_ASSERT?

Flags: needinfo?(sphink) → needinfo?(jkratzer)

I will probably land bug 1847369, which nerfs what the fast path allows and thus fixes a superset of the problems, including the one in this bug. (I will wait for review to be sure, though.)

Does this need to be a sec bug?

Flags: needinfo?(sphink)
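The fast-path/slow-path disagreement that the MOZ_CRASH above checks for, as an added illustration that is not code from this bug or from SpiderMonkey: a reference array serializer with the spec's Get() semantics, a naive own-elements fast path, the differential check, and a guard that routes arrays with indexed accessors on their prototype chain to the slow path. It generalizes beyond the bug's dense-array testcase to a holey array with an index getter on an intermediate prototype, and makes no claim about SpiderMonkey's exact fast-path logic; all function names are assumptions.

```javascript
// Added example, not code from the bug or SpiderMonkey: a spec-style "slow path"
// array serializer, a naive own-elements "fast path", the differential check a
// debug build's MOZ_CRASH performs, and a guard that keeps the fast path safe.
function serializeValue(v) {
  if (v === null) return "null";
  if (typeof v === "number") return Number.isFinite(v) ? String(v) : "null";
  if (typeof v === "string" || typeof v === "boolean") return JSON.stringify(v);
  return "null"; // undefined, functions and symbols become null inside arrays
}
// Slow path: arr[i] is the spec's Get(arr, ToString(i)), so a hole at index i
// is looked up on the prototype chain and may invoke an accessor there.
function slowStringifyArray(arr) {
  const parts = [];
  for (let i = 0; i < arr.length; i++) parts.push(serializeValue(arr[i]));
  return "[" + parts.join(",") + "]";
}
// Fast path: reads own elements only and treats holes as undefined, never
// consulting the prototype chain. Wrong once a prototype has an indexed accessor.
function fastStringifyArray(arr) {
  const parts = [];
  for (let i = 0; i < arr.length; i++) {
    const own = Object.prototype.hasOwnProperty.call(arr, i);
    parts.push(serializeValue(own ? arr[i] : undefined));
  }
  return "[" + parts.join(",") + "]";
}
// Guard: the fast path is valid only if no prototype defines an array-index key.
function fastPathAllowed(arr) {
  const isIndex = (k) => String(k >>> 0) === k && (k >>> 0) !== 0xffffffff;
  for (let p = Object.getPrototypeOf(arr); p !== null; p = Object.getPrototypeOf(p)) {
    if (Object.getOwnPropertyNames(p).some(isIndex)) return false;
  }
  return true;
}
// Differential check in the spirit of the MOZ_CRASH: any disagreement is an error.
function differentialStringify(arr) {
  const fast = fastStringifyArray(arr), slow = slowStringifyArray(arr);
  if (fast !== slow) throw new Error("fast/slow mismatch: " + fast + " vs " + slow);
  return slow;
}
// Hardened entry point: take the fast path only when the guard allows it.
function safeStringifyArray(arr) {
  return fastPathAllowed(arr) ? fastStringifyArray(arr) : slowStringifyArray(arr);
}
// Constructed input: index-0 getter on an intermediate prototype (global Array.prototype untouched).
function holeyArrayWithIndexGetter() {
  const proto = Object.create(Array.prototype, { 0: { get() { return 0; } } });
  return Object.setPrototypeOf([, 1], proto); // hole at 0, own element at 1
}
```

For the constructed input the two paths return "[0,1]" and "[null,1]", which is exactly the kind of divergence the debug assertion turns into a crash; the guard sends that array down the slow path.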

(In reply to Steve Fink [:sfink] [:s:] from comment #6)

(In reply to Bugmon [:jkratzer for issues] from comment #3)

Unable to reproduce bug 1845671 using build mozilla-central 20230727034425-de3fd99966b1. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

I'm guessing bugmon must not be using a DEBUG build, because this should reproduce 100% reliably there with any runtime flags. But that seems surprising; aren't a lot of bugs going to be DEBUG-only, eg if they're crashing with MOZ_ASSERT?

This was an issue with 32-bit builds. It should be fixed now.

Flags: needinfo?(jkratzer)
Keywords: bugmon

Testcase crashes using the initial build (mozilla-central 20230727034425-de3fd99966b1) but not with tip (mozilla-central 20230816034343-b6d00af33f9f.)

The bug appears to have been fixed in the following build range:

Start: 16838b515ded4549918a4ebf3e3fa8a0b427e1f4 (20230811213712)
End: 2be0ee236a5cef53847ab52c806c55bfd6b4ae6b (20230812091525)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=16838b515ded4549918a4ebf3e3fa8a0b427e1f4&tochange=2be0ee236a5cef53847ab52c806c55bfd6b4ae6b

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Attachment #9347237 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1847369
Flags: needinfo?(sphink)
Resolution: --- → DUPLICATE
Group: javascript-core-security → core-security-release
Group: core-security-release