Closed Bug 1856646 Opened 10 months ago Closed 10 months ago

Spidermonkey: SEGV ./include/mozilla/Assertions.h:281:3 in MOZ_Crash()

Categories

(Core :: JavaScript Engine, defect)

defect


RESOLVED WONTFIX

People

(Reporter: baksmali404, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.40

Steps to reproduce:

version:master

$ git clone https://github.com/mozilla/gecko-dev
$ cd gecko-dev
$ git show
commit b0d28aecd58cbd2db00974db2ef8456856169fb4 (HEAD -> master, origin/master, origin/HEAD)
Author: Masayuki Nakano <masayuki@d-toybox.com>
Date:   Thu Sep 28 01:46:41 2023 +0000

Reproduce

./build_asan/dist/bin/js pocfile.js

pocfile.js

// Fuzzer-generated reproducer for the SpiderMonkey shell. The crash depends on
// the exact statement order below, so the code is left as found and only
// annotated. Rough shape: turn on allocation-site tracking for this global via
// the Debugger API, then recurse until the engine reports over-recursion; the
// error object created for that report triggers SavedStacks metadata capture,
// which fails inside an OOM-unsafe region and aborts the process (see the
// stack trace under "Actual results").

// `d` is never defined in this script, so the call throws and the catch body
// runs. `f4` is declared but never invoked.
try {
    d();
} catch(e3) {
    function f4(a5, a6) {
        return a;
    }
}
// NOTE(review): newGlobal is a js-shell builtin and Debugger is a privileged
// API, so as written this presumably needs the shell rather than web content
// — verify before treating it as remotely reachable.
const v8 = this.newGlobal();
const v9 = v8.Debugger;
// Array of the new global, reused as the options argument to newGlobal below;
// its `sameZoneAs` option is set to the other global's Debugger constructor.
const v10 = [v8,v8,v8,v8,v8];
v10.sameZoneAs = v9;
// Plain constructor; its only role here is to produce an ordinary object (v17).
function F11(a13, a14, a15, ...a16) {
    if (!new.target) { throw 'must be called with new'; }
}
const v17 = new F11(v9, this, v9, v10);
const t15 = this.newGlobal(v10).Debugger;
// Debugger(v17).memory yields a Debugger.Memory object (debuggee presumably
// v17's global, i.e. this one). Assigning a truthy value to
// trackingAllocationSites enables allocation-site tracking; per the crash
// stack that is what installs the SavedStacks metadata builder
// (JS::Realm::setNewObjectMetadata -> SavedStacks::MetadataBuilder::build).
const t16 = t15(v17).memory;
t16.trackingAllocationSites = v17;
// `c` is never defined either, so this catch body runs too.
try {
    c.m();
} catch(e25) {
    const v26 = [1,12,1024,-7,-54603,3,9];
    // f27 is both the descriptor object passed to Object.defineProperties and
    // the getter of its own enumerable property, so reading that property
    // (ObjectDefineProperties -> GetProperty -> CallGetter in the trace)
    // re-enters f27: unbounded recursion.
    function f27(a28) {
        return Object.defineProperties(v26, f27);
    }
    Object.defineProperty(f27, -1974432208, { enumerable: true, get: f27, set: f27 });
    // Recurses until JSContext::onOverRecursed fires. Reporting that error
    // creates an ErrorObject; with allocation-site tracking enabled the
    // metadata builder attempts to capture the already-exhausted stack inside
    // an AutoEnterOOMUnsafeRegion and MOZ_CRASHes instead of throwing.
    f27();
}
// Original fuzzer-run output (different checkout than the ASan run under
// "Actual results", hence the differing JSContext.cpp line numbers).
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Hit MOZ_CRASH([unhandlable oom] SavedStacksMetadataBuilder) at /home/user/gecko-dev/js/src/vm/JSContext.cpp:1302
// #01: js::AutoEnterOOMUnsafeRegion::crash(char const*)[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c526cd]
// #02: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1e4d616]
// #03: JS::Realm::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>)[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1d7cf4d]
// #04: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1979c51]
// #05: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c9476c]
// #06: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1ba3e92]
// #07: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x215dce0]
// #08: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1ba8e59]
// #09: JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...)[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x212e2e7]
// #10: JSContext::onOverRecursed()[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c5c2a2]
// #11: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x19b2b67]
// #12: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x19b20ce]
// #13: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x19b3fa2]
// #14: ???[/home/user/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2746867]
// #15: ??? (???:???)
// STDOUT:
// 
// ARGS: /home/user/gecko-dev/obj-fuzzbuild/dist/bin/js --baseline-warmup-threshold=10 --ion-warmup-threshold=100 --ion-check-range-analysis --ion-extra-checks --fuzzing-safe --disable-oom-functions --reprl
// EXECUTION TIME: 91ms
// Not reached: the process has already aborted inside f27() above.
gc();

Actual results:

ASan report. Note that the SEGV is the deliberate null-page write performed by MOZ_Crash after MOZ_CRASH([unhandlable oom]) fires (frames #0/#1, "WRITE memory access", "address points to the zero page"); it is a controlled abort, not a memory-safety finding.

Hit MOZ_CRASH([unhandlable oom] SavedStacksMetadataBuilder) at /home/user/fuzz/gecko-dev/js/src/vm/JSContext.cpp:1257
#01: js::AutoEnterOOMUnsafeRegion::crash_impl(char const*)[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x336b328]
#02: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x3778abf]
#03: JS::Realm::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>)[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x372ca8d]
#04: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d57ced]
#05: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x340d5d4]
#06: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x31e1766]
#07: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x3d8fb59]
#08: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x31ec976]
#09: JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...)[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x3d39523]
#10: JSContext::onOverRecursed()[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x332e1e3]
#11: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x59c84be]
#12: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d923a6]
#13: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d94393]
#14: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d96f4e]
#15: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d99b2d]
#16: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x3542dc7]
#17: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x35445cd]
#18: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2f9fb66]
#19: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2fd63bf]
#20: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1100489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55ff1bfeb34d bp 0x7ffc30e04ed0 sp 0x7ffc30e049e0 T0)
==1100489==The signal is caused by a WRITE memory access.
==1100489==Hint: address points to the zero page.
    #0 0x55ff1bfeb34d in MOZ_Crash(char const*, int, char const*) /home/user/fuzz/gecko-dev/build_asan/dist/include/mozilla/Assertions.h:281:3
    #1 0x55ff1bfeb34d in js::AutoEnterOOMUnsafeRegion::crash_impl(char const*) /home/user/fuzz/gecko-dev/js/src/vm/JSContext.cpp:1257:3
    #2 0x55ff1c3f8abe in js::AutoEnterOOMUnsafeRegion::crash(char const*) /home/user/fuzz/gecko-dev/build_asan/dist/include/js/Utility.h:309:58
    #3 0x55ff1c3f8abe in js::SavedStacks::MetadataBuilder::build(JSContext*, JS::Handle<JSObject*>, js::AutoEnterOOMUnsafeRegion&) const /home/user/fuzz/gecko-dev/js/src/vm/SavedStacks.cpp
    #4 0x55ff1c3aca8c in JS::Realm::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>) /home/user/fuzz/gecko-dev/js/src/vm/Realm.cpp:380:39
    #5 0x55ff1b9d7cec in js::NativeObject* js::SetNewObjectMetadata<js::NativeObject>(JSContext*, js::NativeObject*) /home/user/fuzz/gecko-dev/js/src/vm/JSObject-inl.h:198:18
    #6 0x55ff1c08d5d3 in NewObject(JSContext*, JSClass const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind, js::EnumFlags<js::ObjectFlag>) /home/user/fuzz/gecko-dev/js/src/vm/JSObject.cpp:762:23
    #7 0x55ff1be61765 in js::NativeObject* js::NewObjectWithGivenTaggedProto<(js::NewObjectKind)0>(JSContext*, JSClass const*, JS::Handle<js::TaggedProto>, js::EnumFlags<js::ObjectFlag>) /home/user/fuzz/gecko-dev/js/src/vm/JSObject-inl.h:369:10
    #8 0x55ff1be61765 in js::NewObjectWithGivenProto(JSContext*, JSClass const*, JS::Handle<JSObject*>) /home/user/fuzz/gecko-dev/js/src/vm/JSObject-inl.h:395:10
    #9 0x55ff1be61765 in js::ErrorObject::create(JSContext*, JSExnType, JS::Handle<JSObject*>, JS::Handle<JSString*>, unsigned int, unsigned int, JS::ColumnNumberOneOrigin, mozilla::UniquePtr<JSErrorReport, JS::DeletePolicy<JSErrorReport> >, JS::Handle<JSString*>, JS::Handle<mozilla::Maybe<JS::Value> >, JS::Handle<JSObject*>) /home/user/fuzz/gecko-dev/js/src/vm/ErrorObject.cpp:549:21
    #10 0x55ff1ca0fb58 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) /home/user/fuzz/gecko-dev/js/src/jsexn.cpp:356:7
    #11 0x55ff1be6c975 in ReportError(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) /home/user/fuzz/gecko-dev/js/src/vm/ErrorReporting.cpp:173:10
    #12 0x55ff1be6c975 in js::ReportErrorNumberVA(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) /home/user/fuzz/gecko-dev/js/src/vm/ErrorReporting.cpp:487:8
    #13 0x55ff1c9b9522 in JS_ReportErrorNumberASCIIVA(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, __va_list_tag*) /home/user/fuzz/gecko-dev/js/src/jsapi.cpp:3688:3
    #14 0x55ff1c9b9522 in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) /home/user/fuzz/gecko-dev/js/src/jsapi.cpp:3678:3
    #15 0x55ff1bfae1e2 in JSContext::onOverRecursed() /home/user/fuzz/gecko-dev/js/src/vm/JSContext.cpp:323:3
    #16 0x55ff1e6484bd in js::AutoCheckRecursionLimit::check(JSContext*) const /home/user/fuzz/gecko-dev/build_asan/dist/include/js/friend/StackLimits.h:216:5
    #17 0x55ff1e6484bd in EnterJit(JSContext*, js::RunState&, unsigned char*) /home/user/fuzz/gecko-dev/js/src/jit/Jit.cpp:36:18
    #18 0x55ff1e6484bd in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/jit/Jit.cpp:213:10
    #19 0x55ff1ba123a5 in js::RunScript(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:448:32
    #20 0x55ff1ba14392 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:612:13
    #21 0x55ff1ba16f4d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:679:8
    #22 0x55ff1ba19b2c in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:801:10
    #23 0x55ff1c1c2dc6 in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/NativeObject.cpp:2068:12
    #24 0x55ff1c1c2dc6 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::PropertyInfoBase<unsigned int>, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) /home/user/fuzz/gecko-dev/js/src/vm/NativeObject.cpp:2096:12
    #25 0x55ff1c1c45cc in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) /home/user/fuzz/gecko-dev/js/src/vm/NativeObject.cpp:2244:14
    #26 0x55ff1bc1fb65 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/ObjectOperations-inl.h:131:10
    #27 0x55ff1bc1fb65 in ObjectDefineProperties(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) /home/user/fuzz/gecko-dev/js/src/builtin/Object.cpp:1262:12
    #28 0x55ff1bc563be in obj_defineProperties(JSContext*, unsigned int, JS::Value*) /home/user/fuzz/gecko-dev/js/src/builtin/Object.cpp:2121:8
    #29 0x1abb5e23c6e5  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzz/gecko-dev/build_asan/dist/include/mozilla/Assertions.h:281:3 in MOZ_Crash(char const*, int, char const*)
==1100489==ABORTING

Expected results:

No crash: unbounded recursion in script should surface as an ordinary, catchable "too much recursion" error. The actual result was the SEGV/MOZ_CRASH shown above.

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine

Unfortunately, this bug isn't particularly actionable: it is a resource-exhaustion issue — native stack exhaustion, since the crash is reached from JSContext::onOverRecursed while the over-recursion error is being reported — where the failure happens to land inside an AutoEnterOOMUnsafeRegion, which marks a region of code where an allocation failing is fatal because there is no code to handle that case. The outcome is a deterministic abort (denial of service) rather than memory corruption.

Thank you for the bug, but I'm going to close this as Wontfix simply because I don't think we're going to change the allocation behaviour here unless we see this happening in non-recursive user code.

Status: UNCONFIRMED → RESOLVED
Closed: 10 months ago
Resolution: --- → WONTFIX