Closed Bug 1845715 Opened 2 years ago Closed 2 years ago

js::NativeObject::sharedShape (this=0x0) at src/vm/NativeObject.h:650

Categories: Core :: JavaScript Engine, defect, P1

Tracking: RESOLVED FIXED, 118 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox115 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- fixed

People: Reporter: lukas.bernhard, Assigned: jonco

References: Blocks 1 open bug, Regression

Details: Keywords: regression

Attachments: 2 files

Steps to reproduce:

On git commit 50588a0b728b365afdd298debd35e8302efe7850 the attached sample crashes with a NULL-deref when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --baseline-warmup-threshold=10 --ion-warmup-threshold=100 --fuzzing-safe --gc-zeal=22,76 crash.js.
The crash is quite flaky, hence reducing the testcase further failed.

#0  js::NativeObject::sharedShape (this=0x0) at js/src/vm/NativeObject.h:650
#1  0x00005555570e9da8 in js::NewDenseFullyAllocatedArrayWithTemplate (cx=cx@entry=0x7ffff602e100, length=2,
    templateObject=0x0) at js/src/builtin/Array.cpp:5278
#2  0x0000555557045d42 in js::CreateRegExpMatchResult (cx=cx@entry=0x7ffff602e100, re=re@entry=...,
    input=input@entry=..., matches=..., rval=...) at js/src/builtin/RegExp.cpp:142
#3  0x00005555570558fc in RegExpBuiltinExecMatchRaw<false> (cx=0x7ffff602e100, regexp=..., input=...,
    lastIndex=<optimized out>, maybeMatches=0x0, output=...)
    at js/src/builtin/RegExp.cpp:1333
#4  js::RegExpBuiltinExec (cx=cx@entry=0x7ffff602e100, regexp=regexp@entry=..., string=string@entry=...,
    forTest=false, rval=...) at js/src/builtin/RegExp.cpp:1850
#5  0x0000555557600420 in intrinsic_RegExpBuiltinExec<false> (cx=cx@entry=0x7ffff602e100, argc=2, vp=<optimized out>)
    at js/src/vm/SelfHosting.cpp:1324
#6  0x0000555557080b17 in CallJSNative (cx=cx@entry=0x7ffff602e100,
    native=native@entry=0x5555576001d0 <intrinsic_RegExpBuiltinExec<false>(JSContext*, unsigned int, JS::Value*)>,
    reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:486
#7  0x000055555707fdbb in js::InternalCallOrConstruct (cx=0x7ffff602e100, args=...,
    construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:580
#8  0x0000555557081c56 in InternalCall (cx=0x555558fa9b38, args=..., reason=1460577325)
    at js/src/vm/Interpreter.cpp:647
#9  0x0000555557096a33 in js::CallFromStack (cx=0x555558fa9b38, args=..., reason=<optimized out>)
    at js/src/vm/Interpreter.cpp:652
#10 js::Interpret (cx=0x555558fa9b38, state=...) at js/src/vm/Interpreter.cpp:3395
#11 0x000055555707f32b in MaybeEnterInterpreterTrampoline (cx=0x555558fa9b38, cx@entry=0x7ffff602e100, state=...)
    at js/src/vm/Interpreter.cpp:400
#12 0x000055555707f01a in js::RunScript (cx=cx@entry=0x7ffff602e100, state=...)
    at js/src/vm/Interpreter.cpp:458
#13 0x000055555707fce8 in js::InternalCallOrConstruct (cx=0x7ffff602e100, args=..., 
    construct=construct@entry=js::NO_CONSTRUCT, reason=<optimized out>)
    at js/src/vm/Interpreter.cpp:612
#14 0x0000555557081c56 in InternalCall (cx=0x555558fa9b38, cx@entry=0x7ffff602e100, args=..., reason=1460577325, 
    reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:647
#15 0x0000555557081e43 in js::Call (cx=0x7ffff602e100, fval=fval@entry=..., thisv=thisv@entry=..., args=..., 
    rval=..., reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:679
#16 0x00005555572daaab in js::Call (cx=0x555558fa9b38, fval=..., thisObj=<optimized out>, rval=...)
    at js/src/vm/Interpreter.h:109
#17 0x00005555573ebc5c in MaybeCallMethod (cx=cx@entry=0x7ffff602e100, obj=obj@entry=..., id=id@entry=..., vp=...)
    at js/src/vm/JSObject.cpp:2319
#18 0x00005555573ead1f in JS::OrdinaryToPrimitive (cx=cx@entry=0x7ffff602e100, obj=obj@entry=..., 
    hint=hint@entry=JSTYPE_NUMBER, vp=...) at js/src/vm/JSObject.cpp:2418
#19 0x00005555579165ee in date_toPrimitive (cx=cx@entry=0x7ffff602e100, argc=<optimized out>, vp=<optimized out>)
    at js/src/jsdate.cpp:3364
#20 0x0000555557080b17 in CallJSNative (cx=cx@entry=0x7ffff602e100, 
    native=native@entry=0x555557916440 <date_toPrimitive(JSContext*, unsigned int, JS::Value*)>, 
#21 0x000055555707fdbb in js::InternalCallOrConstruct (cx=0x7ffff602e100, args=...,
    construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:580
#22 0x0000555557081c56 in InternalCall (cx=0x555558fa9b38, cx@entry=0x7ffff602e100, args=..., reason=1460577325,
    reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:647
#23 0x0000555557081e43 in js::Call (cx=cx@entry=0x7ffff602e100, fval=fval@entry=..., thisv=thisv@entry=..., args=...,
    rval=..., reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:679
#24 0x000055555714a28e in js::Call (cx=0x7ffff602e100, fval=..., thisv=..., arg0=..., rval=...)
    at js/src/vm/Interpreter.h:116
#25 0x00005555573ec56b in js::ToPrimitiveSlow (cx=0x555558fa9b38, preferredType=preferredType@entry=JSTYPE_NUMBER,
    vp=vp@entry=...) at js/src/vm/JSObject.cpp:2468
#26 0x0000555557926758 in js::ToPrimitive (cx=0x555558fa9b38, cx@entry=0x7ffff602e168, preferredType=JSTYPE_NUMBER,
    vp=..., vp@entry=...) at js/src/vm/JSObject.h:763
#27 js::ToNumberSlow (cx=0x555558fa9b38, cx@entry=0x7ffff602e100, v_=..., out=out@entry=0x7fffffdfebe0)
    at js/src/jsnum.cpp:2009
#28 0x0000555557606cef in js::ToInteger (cx=0x7ffff602e100, v=..., dp=0x7fffffdfebe0)
    at js/src/jsnum.h:350
#29 intrinsic_ToInteger (cx=0x7ffff602e100, argc=<optimized out>, vp=<optimized out>)
    at js/src/vm/SelfHosting.cpp:219
Attached file crash.js
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

Jon, is this related to your CreateRegExpMatchResult changes?

Flags: needinfo?(jcoppeard)

(In reply to Jan de Mooij [:jandem] from comment #2)
That change probably caused fuzzing to find it, but it's a pre-existing issue.

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Keywords: regression
Regressed by: 1519483

Is this just a null deref? Can we unhide this then? Thanks.

Flags: needinfo?(jcoppeard)

Removing s-s for null deref.

Group: javascript-core-security
Flags: needinfo?(jcoppeard)

Set release status flags based on info from the regressing bug 1519483

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a96e1b6f1449 Check for failure when getting RegExp match result template r=iain
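The backtrace shows NewDenseFullyAllocatedArrayWithTemplate receiving templateObject=0x0 and reading its shape, and the landed fix checks for failure when the template is obtained. The block below is an added, self-contained C++ model of that failure mode and of the checked fix, written for this page; it is not SpiderMonkey code and not the actual patch. Every name in it (Context, NativeObject, Shape, failAfter, pendingOOM, createMatchResultUnchecked, createMatchResultChecked, checkedSucceeds) is a hypothetical stand-in, and the allocation-failure counter is a stand-in for the OOM and --gc-zeal conditions the reproducer relies on.

```cpp
// Added illustration (not SpiderMonkey code): a fallible template-object
// lookup and a caller that forgets to check it, beside the checked version.
// Every name below (Context, NativeObject, Shape, failAfter, ...) is a
// hypothetical stand-in chosen for this example.
#include <cstdio>
#include <memory>
#include <vector>

struct Shape {
  unsigned slotSpan;
};

// Stand-in for a native object: carries a shape pointer, like the real
// js::NativeObject::sharedShape() accessor that faulted with this == 0x0.
struct NativeObject {
  Shape* shape_ = nullptr;
  Shape* sharedShape() const { return shape_; }
};

// A context whose allocations can fail. failAfter models an OOM or a GC-zeal
// mode that makes the Nth allocation fail; -1 means allocations never fail.
struct Context {
  Shape arrayShape{2};
  std::vector<std::unique_ptr<NativeObject>> heap;
  int failAfter;
  int allocs = 0;
  bool pendingOOM = false;
  NativeObject* matchResultTemplate = nullptr;

  explicit Context(int failAfter) : failAfter(failAfter) {}

  NativeObject* allocObject() {
    int idx = allocs++;
    if (failAfter >= 0 && idx >= failAfter) {
      pendingOOM = true;  // the engine would report OOM on the context here
      return nullptr;
    }
    heap.push_back(std::make_unique<NativeObject>());
    heap.back()->shape_ = &arrayShape;
    return heap.back().get();
  }

  // Lazily creates the cached template. Returns nullptr if creation failed;
  // an unchecked nullptr here is what the backtrace shows arriving as
  // templateObject=0x0.
  NativeObject* getOrCreateMatchResultTemplate() {
    if (!matchResultTemplate) matchResultTemplate = allocObject();
    return matchResultTemplate;
  }
};

// Stand-in for the array constructor: it assumes a non-null template and
// reads its shape unconditionally.
NativeObject* newArrayWithTemplate(Context& cx, NativeObject* templateObject) {
  Shape* shape = templateObject->sharedShape();  // null deref if templateObject == nullptr
  NativeObject* arr = cx.allocObject();
  if (!arr) return nullptr;
  arr->shape_ = shape;
  return arr;
}

// Before: the fallible lookup is used without a check. With a context that
// fails at allocation 0 this dereferences null, so never call it that way.
bool createMatchResultUnchecked(Context& cx, NativeObject** out) {
  NativeObject* templ = cx.getOrCreateMatchResultTemplate();
  *out = newArrayWithTemplate(cx, templ);
  return *out != nullptr;
}

// After: the shape of the fix, check the lookup and propagate failure so the
// caller sees false with an OOM pending on the context.
bool createMatchResultChecked(Context& cx, NativeObject** out) {
  NativeObject* templ = cx.getOrCreateMatchResultTemplate();
  if (!templ) {
    *out = nullptr;
    return false;
  }
  *out = newArrayWithTemplate(cx, templ);
  return *out != nullptr;
}

// Exercises the checked path under a given failure point; reports whether a
// usable result came back and whether the context recorded an OOM.
bool checkedSucceeds(int failAfter, bool* pendingOOM) {
  Context cx(failAfter);
  NativeObject* result = nullptr;
  bool ok = createMatchResultChecked(cx, &result);
  if (pendingOOM) *pendingOOM = cx.pendingOOM;
  return ok && result != nullptr && result->sharedShape()->slotSpan == 2;
}

int main() {
  bool oom = false;
  std::printf("never fails:          %s\n", checkedSucceeds(-1, &oom) ? "ok" : "fail");
  std::printf("template alloc fails: %s (oom=%d)\n", checkedSucceeds(0, &oom) ? "ok" : "fail", oom);
  std::printf("array alloc fails:    %s (oom=%d)\n", checkedSucceeds(1, &oom) ? "ok" : "fail", oom);
  return 0;
}
```

The point of the model is the second failure site: checking the template is necessary but the array allocation after it is fallible too, so the checked path returns false in both cases and the caller, not the array constructor, decides what to do with a pending OOM. A --gc-zeal run like the one in the reproducer is what turns an ordinarily unreachable allocation failure into a reproducible one.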

Severity: -- → S3
Priority: -- → P1
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch