Closed Bug 1848417 Opened 9 months ago Closed 3 months ago

Assertion failure: line != 0, at vm/Modules.cpp:861

Categories

(Core :: JavaScript Engine, defect, P3)

defect

Tracking


RESOLVED FIXED
124 Branch
Tracking Status
firefox124 --- fixed

People

(Reporter: lukas.bernhard, Assigned: arai)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Steps to reproduce:

On git commit 77dd6aa3810610949a5ff925e24de2f8c11377fd the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

function main() {
    // Compile and register a module "a" that exports nothing, so that "b" has a target to import from.
    const o2 = {
        "module": true,
    };
    registerModule("a", instantiateModuleStencilXDR(compileToStencilXDR(true, o2)));
    // Module "b" imports a binding that "a" does not export, so linking takes the resolution-error path.
    let v10 = "import { a as i0 } from 'a';";
    const o17 = {
        "module": true,
    };
    // A non-numeric lineNumber option: it is coerced to 0, which the error path later asserts against.
    o17.lineNumber = {};
    moduleLink(registerModule("b", instantiateModuleStencilXDR(compileToStencilXDR(v10, o17))));
}
main();

#0  0x0000555557b0be1e in ThrowResolutionError (cx=0x7ffff662e100, module=..., 
    resolution=..., isDirectImport=true, name=..., line=0, column=9)
    at js/src/vm/Modules.cpp:861
#1  0x0000555557b0b7e3 in js::ModuleInitializeEnvironment (cx=0x7ffff662e100, module=...)
    at js/src/vm/Modules.cpp:992
#2  0x0000555557b0cf54 in InnerModuleLinking (cx=0x7ffff662e100, module=..., stack=..., 
    index=2, indexOut=0x7fffffffa1d0) at js/src/vm/Modules.cpp:1192
#3  0x0000555557b067c0 in js::ModuleLink (cx=0x7ffff662e100, module=...)
    at js/src/vm/Modules.cpp:1073
#4  0x000055555759124c in ModuleLink (cx=0x7ffff662e100, argc=1, vp=0x7ffff54e3138)
    at js/src/shell/js.cpp:5333
#5  0x000055555777d6fc in CallJSNative (cx=0x7ffff662e100, 
    native=0x555557591020 <ModuleLink(JSContext*, unsigned int, JS::Value*)>, 
    reason=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:486
#6  0x0000555557754593 in js::InternalCallOrConstruct (cx=0x7ffff662e100, args=..., 
    construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:580
#7  0x0000555557754d19 in InternalCall (cx=0x7ffff662e100, args=..., 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:647
#8  0x0000555557754b53 in js::CallFromStack (cx=0x7ffff662e100, args=..., 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:652
#9  0x0000555557763208 in js::Interpret (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:3395
#10 0x0000555557753f6f in MaybeEnterInterpreterTrampoline (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:400
#11 0x0000555557753c31 in js::RunScript (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:458
#12 0x0000555557756161 in js::ExecuteKernel (cx=0x7ffff662e100, script=..., 
    envChainArg=..., evalInFrame=..., result=...)
    at js/src/vm/Interpreter.cpp:845
#13 0x00005555577564d4 in js::Execute (cx=0x7ffff662e100, script=..., envChain=..., 
    rval=...) at js/src/vm/Interpreter.cpp:877
#14 0x00005555579179ff in ExecuteScript (cx=0x7ffff662e100, envChain=..., script=..., 
    rval=...) at js/src/vm/CompilationAndEvaluation.cpp:493
#15 0x0000555557917b25 in JS_ExecuteScript (cx=0x7ffff662e100, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:517
#16 0x00005555575ad9df in RunFile (cx=0x7ffff662e100, 
    filename=0x7ffff66979e0 "../gecko-fuzzilli/modifiedStuff/crash_2023_08_11_2.js", 
    file=0x7ffff7669020, compileMethod=CompileUtf8::DontInflate, compileOnly=false, 
    fullParse=false) at js/src/shell/js.cpp:1099
#17 0x00005555575ad27c in Process (cx=0x7ffff662e100, 
    filename=0x7ffff66979e0 "../gecko-fuzzilli/modifiedStuff/crash_2023_08_11_2.js", 
    forceTTY=false, kind=FileScript) at js/src/shell/js.cpp:1679
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

The line number set by o17.lineNumber = {} is interpreted as 0, and it's compiling a module with a line number starting at 0.
There should be an assertion in the early step of the compilation API, and the JS shell testing function should also check the same and throw an error.
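
To make the coercion described in the comment above concrete, here is an added example that is not code from the bug report or from SpiderMonkey: a hypothetical option reader that converts lineNumber with ToUint32 semantics (so {} becomes 0), beside a validating reader that rejects the option at the API boundary, in the spirit of the check added to the testing functions. All function names are assumed for the illustration.

```javascript
// Added example (not from the bug or from SpiderMonkey). Models how a lenient
// option reader turns `lineNumber: {}` into line 0, and how a validating reader
// rejects it before the value reaches the compiler. Names are hypothetical.

// ToUint32 as specified by ECMAScript: ToNumber, then modulo 2^32.
// `{}` -> ToNumber -> NaN -> 0, which is exactly how the line number became 0.
function toUint32(value) {
  return Number(value) >>> 0;
}

// Lenient reader: mirrors the behaviour the bug describes. Any non-numeric
// lineNumber silently collapses to 0, although module line numbers start at 1.
function readOptionsLenient(opts) {
  return {
    isModule: Boolean(opts.module),
    lineNumber: "lineNumber" in opts ? toUint32(opts.lineNumber) : 1,
  };
}

// Validating reader: reject the option at the API boundary instead of relying
// on an assertion deep inside module linking (vm/Modules.cpp in the report).
function readOptionsStrict(opts) {
  const out = { isModule: Boolean(opts.module), lineNumber: 1 };
  if ("lineNumber" in opts) {
    const raw = opts.lineNumber;
    if (typeof raw !== "number" || !Number.isInteger(raw)) {
      throw new TypeError("lineNumber must be an integer, got " + typeof raw);
    }
    if (raw < 1 || raw > 0xffffffff) {
      throw new RangeError("lineNumber must be in 1..2^32-1, got " + raw);
    }
    out.lineNumber = raw;
  }
  return out;
}

// The reporter's option object: `lineNumber = {}` on a module compile.
const o17 = { module: true };
o17.lineNumber = {};

console.log(readOptionsLenient(o17).lineNumber); // 0: the value that trips the assertion
try {
  readOptionsStrict(o17);
} catch (e) {
  console.log(e.name + ": " + e.message);
}
```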

Blocks: sm-frontend
Severity: -- → N/A
Priority: -- → P3
Severity: N/A → S4
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/72bee4a73a34
Assert line number of module script at compile-time, with validation in testing functions. r=allstarschh
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch