Closed Bug 1856649 Opened 8 months ago Closed 8 months ago

Spidermonkey: SEGV in js/src/vm/JSObject.h:649:3 in js::ArrayBufferViewObject* JSObject::maybeUnwrapAs<js::ArrayBufferViewObject>()

Categories

(Core :: JavaScript Engine, defect)

defect


RESOLVED DUPLICATE of bug 1854929

People

(Reporter: baksmali404, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.40

Steps to reproduce:

version: master (HEAD commit shown below)

$ git clone https://github.com/mozilla/gecko-dev
$ cd gecko-dev
$ git show
commit b0d28aecd58cbd2db00974db2ef8456856169fb4 (HEAD -> master, origin/master, origin/HEAD)
Author: Masayuki Nakano <masayuki@d-toybox.com>
Date:   Thu Sep 28 01:46:41 2023 +0000

Reproduce

./dist/bin/js pocfile.js

pocfile.js

// Fuzzer-generated reproducer for the crash reported above. The global
// object is routed into the js shell's ensureNonInline() testing function
// through a Proxy `get` trap (frames #0-#13 of the ASan report below).
function f1(a2, a3) {
    // Runs as the proxy's `get` trap (ScriptedProxyHandler::get in the
    // trace), so a2 is the proxy target -- the global object passed as
    // `this` to `new Proxy` below -- not an ArrayBuffer or typed array.
    // ensureNonInline is a shell-only testing function
    // (TestingFunctions.cpp); given a non-buffer/non-view object it reaches
    // JSObject::maybeUnwrapAs<ArrayBufferViewObject>() at JSObject.h:649,
    // where MOZ_CRASH("Invalid object. Dead wrapper?") fires.
    a2.ensureNonInline(a2);
    return f1;
}
// BigInt64Array serves only as the proxy handler object here; installing
// a `get` property on it makes f1 the handler's get trap.
BigInt64Array.get = f1;
// Target: the top-level global object. Handler: BigInt64Array (see above).
const v7 = new Proxy(this, BigInt64Array);
// Any property read on the proxy invokes the get trap; the crash occurs
// inside that trap, so createShapeSnapshot itself is presumably never called
// and its arguments do not matter for the reproduction.
v7.createShapeSnapshot(v7, BigInt64Array, BigInt64Array, Proxy);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Hit MOZ_CRASH(Invalid object. Dead wrapper?) at /home/user/fuzz/gecko-dev/js/src/vm/JSObject.h:649
// #01: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1de5aaf]
// #02: JS::EnsureNonInlineArrayBufferOrView(JSContext*, JSObject*)[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1de74b9]
// #03: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x23d5223]
// #04: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c7ab67]
// #05: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c79e08]
// #06: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c90abb]
// #07: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c7906a]
// #08: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c79d35]
// #09: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c7bf09]
// #10: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x251b062]
// #11: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x250c342]
// #12: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x250bf65]
// #13: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1bd582b]
// #14: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1cada00]
// #15: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c8b66d]
// #16: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c7906a]
// #17: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c7dec2]
// #18: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c7e62d]
// #19: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1e60ada]
// #20: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1e60db0]
// #21: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b666f8]
// #22: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b604a9]
// #23: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
// #24: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
// #25: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b2a679]
// #26: ??? (???:???)
// STDOUT:
// 
// ARGS: /home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js --baseline-warmup-threshold=10 --ion-warmup-threshold=100 --ion-check-range-analysis --ion-extra-checks --fuzzing-safe --disable-oom-functions --reprl
// EXECUTION TIME: 14ms
// Appears not to be reached when the crash reproduces: both traces above
// end inside the get trap, before control returns to top level.
gc();

Actual results:

ASan report:

==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_scanf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_sscanf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_fscanf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_vscanf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_vsscanf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_vfscanf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc99_printf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_strtoimax'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_strtoumax'
==1118131==Registered root region at 0x7f6389101ab0 of size 112
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f6389101ab0 of size 112
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept 'pthread_mutexattr_getrobust_np'
==1118131==Registered root region at 0x7f6388f01310 of size 80
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f6388f01310 of size 80
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept 'xdr_quad_t'
==1118131==Registered root region at 0x7f6388f01310 of size 80
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f6388f01310 of size 80
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept 'xdr_u_quad_t'
==1118131==Registered root region at 0x7f6388f01310 of size 80
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f6388f01310 of size 80
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept 'xdr_destroy'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_strtol'
==1118131==Registered root region at 0x7f63897016e0 of size 96
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f63897016e0 of size 96
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__isoc23_strtoll'
==1118131==Registered root region at 0x7f6389101ab0 of size 112
==1118131==Registered root region at 0x7f63893007a0 of size 32
==1118131==Unregistered root region at 0x7f6389101ab0 of size 112
==1118131==Unregistered root region at 0x7f63893007a0 of size 32
==1118131==AddressSanitizer: failed to intercept '__cxa_rethrow_primary_exception'
==1118131==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem    ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap  ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow  ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem     ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
thread_local_quarantine_size_kb=1024K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==1118131==Installed the sigaction for signal 11
==1118131==Installed the sigaction for signal 7
==1118131==Installed the sigaction for signal 8
==1118131==Installed the sigaction for signal 4
==1118131==T0: stack [0x7ffdaea72000,0x7ffdaf272000) size 0x800000; local=0x7ffdaf270354
==1118131==AddressSanitizer Init done
==1118131==T1: stack [0x7f6386800000,0x7f6386ffedc0) size 0x7fedc0; local=0x7f6386ffecb4
==1118131==T1 TSDDtor
==1118131==T1 exited
==1118131==T7: stack [0x7f6385c06000,0x7f6385e02dc0) size 0x1fcdc0; local=0x7f6385e02cb4
==1118131==T6: stack [0x7f6385e05000,0x7f6386001dc0) size 0x1fcdc0; local=0x7f6386001cb4
==1118131==T3: stack [0x7f6386402000,0x7f63865fedc0) size 0x1fcdc0; local=0x7f63865fecb4
==1118131==T5: stack [0x7f6386004000,0x7f6386200dc0) size 0x1fcdc0; local=0x7f6386200cb4
==1118131==T4: stack [0x7f6386203000,0x7f63863ffdc0) size 0x1fcdc0; local=0x7f63863ffcb4
==1118131==T2: stack [0x7f6386601000,0x7f63867fddc0) size 0x1fcdc0; local=0x7f63867fdcb4
Hit MOZ_CRASH(Invalid object. Dead wrapper?) at /home/user/fuzz/gecko-dev/js/src/vm/JSObject.h:649
#01: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x30b70e9]
#02: JS::EnsureNonInlineArrayBufferOrView(JSContext*, JSObject*)[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x30673bc]
#03: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x3bd04ca]
#04: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2df94bf]
#05: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d94567]
#06: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2dbf373]
#07: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d932af]
#08: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d923d7]
#09: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d94393]
#10: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d96f4e]
#11: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x3e51681]
#12: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x3e6ebc8]
#13: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x3e3397e]
#14: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2c1c63a]
#15: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2ded3f2]
#16: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2db0389]
#17: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d932af]
#18: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d923d7]
#19: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d9a9b8]
#20: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2d9b52f]
#21: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x31423ec]
#22: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x31429c8]
#23: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2ba8d41]
#24: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2ba6e89]
#25: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2afe855]
#26: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x2af21ab]
#27: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
#28: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
#29: ???[/home/user/fuzz/gecko-dev/build_asan/dist/bin/js +0x29f7749]
#30: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1118131==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5567c5e2a116 bp 0x7ffdaf2685d0 sp 0x7ffdaf2685b0 T0)
==1118131==The signal is caused by a WRITE memory access.
==1118131==Hint: address points to the zero page.
    #0 0x5567c5e2a116 in js::ArrayBufferViewObject* JSObject::maybeUnwrapAs<js::ArrayBufferViewObject>() /home/user/fuzz/gecko-dev/js/src/vm/JSObject.h:649:3
    #1 0x5567c5dda3bb in JS::EnsureNonInlineArrayBufferOrView(JSContext*, JSObject*) /home/user/fuzz/gecko-dev/js/src/vm/ArrayBufferViewObject.cpp:380:21
    #2 0x5567c69434c9 in EnsureNonInline(JSContext*, unsigned int, JS::Value*) /home/user/fuzz/gecko-dev/js/src/builtin/TestingFunctions.cpp:5686:8
    #3 0x5567c5b6c4be in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:486:13
    #4 0x5567c5b07566 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:580:12
    #5 0x5567c5b32372 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:652:10
    #6 0x5567c5b32372 in js::Interpret(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:3396:16
    #7 0x5567c5b062ae in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:400:10
    #8 0x5567c5b053d6 in js::RunScript(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:458:13
    #9 0x5567c5b07392 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:612:13
    #10 0x5567c5b09f4d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:679:8
    #11 0x5567c6bc4680 in js::ScriptedProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const /home/user/fuzz/gecko-dev/js/src/proxy/ScriptedProxyHandler.cpp:1152:10
    #12 0x5567c6be1bc7 in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/proxy/Proxy.cpp:526:19
    #13 0x5567c6ba697d in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/proxy/Proxy.cpp:534:10
    #14 0x5567c598f639 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/ObjectOperations-inl.h:124:10
    #15 0x5567c5b603f1 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:4788:10
    #16 0x5567c5b23388 in GetPropertyOperation(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:245:10
    #17 0x5567c5b23388 in js::Interpret(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:3051:12
    #18 0x5567c5b062ae in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:400:10
    #19 0x5567c5b053d6 in js::RunScript(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:458:13
    #20 0x5567c5b0d9b7 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:845:13
    #21 0x5567c5b0e52e in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:877:10
    #22 0x5567c5eb53eb in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:494:10
    #23 0x5567c5eb59c7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/user/fuzz/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:518:10
    #24 0x5567c591bd40 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:1217:10
    #25 0x5567c5919e88 in Process(JSContext*, char const*, bool, FileKind) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp
    #26 0x5567c5871854 in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:10874:10
    #27 0x5567c5871854 in Shell(JSContext*, js::cli::OptionParser*) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:11136:12
    #28 0x5567c58651aa in main /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:11544:12
    #29 0x7f6389c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x7f6389c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #31 0x5567c576a748 in _start (/home/user/fuzz/gecko-dev/build_asan/dist/bin/js+0x29f7748) (BuildId: 20aa5237808bfe587005c363369aaac4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzz/gecko-dev/js/src/vm/JSObject.h:649:3 in js::ArrayBufferViewObject* JSObject::maybeUnwrapAs<js::ArrayBufferViewObject>()
==1118131==ABORTING

Expected results:

SEGV or crash

This looks like bug 1854929.

Status: UNCONFIRMED → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1854929
Resolution: --- → DUPLICATE

Thanks for the bug report though! We're always happy to see people are fuzzing SpiderMonkey.
