Closed Bug 1868095 Opened 6 months ago Closed 6 months ago

Assertion failure: linear.ownsMallocedChars(), at js/src/vm/StringType.cpp:109

Categories

(Core :: JavaScript Engine, defect)

Tracking

RESOLVED DUPLICATE of bug 1866817

People

(Reporter: baksmali404, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.40

Steps to reproduce:

version: master

$ git clone https://github.com/mozilla/gecko-dev
$ cd gecko-dev
$ git show
commit 6eb2ebcafb1b4a8576eb513e6cd2c61e3f3ae6dc (HEAD -> master, origin/master, origin/HEAD)
Author: Masayuki Nakano <masayuki@d-toybox.com>
Date:   Mon Nov 27 01:46:42 2023 +0000

Reproduce

./dist/bin/js pocfile.js

pocfile.js

function f0(a1, a2, a3) {
    return a3;
}
this.byteSize(f0.toSource(f0, f0, f0, f0, f0));
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: linear.ownsMallocedChars(), at /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109
// #01: JSString::sizeOfExcludingThis(unsigned long (*)(void const*))[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x224ffae]
// #02: JS::ubi::Concrete<JSString>::size(unsigned long (*)(void const*)) const[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2250979]
// #03: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2400c03]
// #04: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c95227]
// #05: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c944c8]
// #06: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1cab24a]
// #07: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c9372a]
// #08: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c98582]
// #09: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c98ced]
// #10: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1e7b95a]
// #11: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1e7bc30]
// #12: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b7f4e8]
// #13: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b79259]
// #14: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
// #15: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
// #16: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b43429]
// #17: ??? (???:???)
// STDOUT:
// 
// ARGS: /home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js --baseline-warmup-threshold=10 --ion-warmup-threshold=100 --ion-check-range-analysis --ion-extra-checks --fuzzing-safe --disable-oom-functions --reprl
// EXECUTION TIME: 13ms
gc();

Actual results:

ASan report

Assertion failure: linear.ownsMallocedChars(), at /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109
#01: JSString::sizeOfExcludingThis(unsigned long (*)(void const*))[./js +0x3946fe8]
#02: JS::ubi::Concrete<JSString>::size(unsigned long (*)(void const*)) const[./js +0x39471dc]
#03: ???[./js +0x3c6c895]
#04: ???[./js +0x2e3df2f]
#05: ???[./js +0x2dd61c7]
#06: ???[./js +0x2e01610]
#07: ???[./js +0x2dd4ee5]
#08: ???[./js +0x2dd4007]
#09: ???[./js +0x2ddc7b8]
#10: ???[./js +0x2ddd35f]
#11: ???[./js +0x3196afc]
#12: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[./js +0x31970d8]
#13: ???[./js +0x2be74a1]
#14: ???[./js +0x2be54f9]
#15: ???[./js +0x2b3af05]
#16: ???[./js +0x2b2e649]
#17: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
#18: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
#19: ???[./js +0x2a333f9]
#20: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1663497==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55e714dae01d bp 0x7ffca8da4e90 sp 0x7ffca8da4e00 T0)
==1663497==The signal is caused by a WRITE memory access.
==1663497==Hint: address points to the zero page.
    #0 0x55e714dae01d in JSString::sizeOfExcludingThis(unsigned long (*)(void const*)) /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109:3
    #1 0x55e714dae1db in JS::ubi::Concrete<JSString>::size(unsigned long (*)(void const*)) const /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:129:15
    #2 0x55e7150d3894 in JS::ubi::Node::size(unsigned long (*)(void const*)) const /home/user/fuzz/gecko-dev/build_asan/dist/include/js/UbiNode.h:817:25
    #3 0x55e7150d3894 in ByteSize(JSContext*, unsigned int, JS::Value*) /home/user/fuzz/gecko-dev/js/src/builtin/TestingFunctions.cpp:6928:43
    #4 0x55e7142a4f2e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:472:13
    #5 0x55e71423d1c6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:566:12
    #6 0x55e71426860f in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:638:10
    #7 0x55e71426860f in js::Interpret(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:3053:16
    #8 0x55e71423bee4 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:386:10
    #9 0x55e71423b006 in js::RunScript(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:444:13
    #10 0x55e7142437b7 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:831:13
    #11 0x55e71424435e in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:863:10
    #12 0x55e7145fdafb in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:494:10
    #13 0x55e7145fe0d7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/user/fuzz/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:518:10
    #14 0x55e71404e4a0 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:1218:10
    #15 0x55e71404c4f8 in Process(JSContext*, char const*, bool, FileKind) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp
    #16 0x55e713fa1f04 in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:10873:10
    #17 0x55e713fa1f04 in Shell(JSContext*, js::cli::OptionParser*) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:11135:12
    #18 0x55e713f95648 in main /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:11543:12
    #19 0x7f8a34629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7f8a34629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #21 0x55e713e9a3f8 in _start (/home/user/fuzz/gecko-dev/build_asan/dist/bin/js+0x2a333f8) (BuildId: 71ae8a975b60af99419302f850c277ca)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109:3 in JSString::sizeOfExcludingThis(unsigned long (*)(void const*))
==1663497==ABORTING

Expected results:

SEGV or crash

byteSize is a testing-only function, so I'm not sure how much of a security issue it is. That being said, if there's a bug with a memory reporter in JS, that could potentially happen in the browser because we automatically collect memory reports occasionally. Although if this is an issue specifically with Ubi, then that can only be reached through our debugger. I'm also not sure how much of an issue this specific assertion is.

Group: core-security → javascript-core-security
Summary: Spidermonkey: SEGV /js/src/vm/StringType.cpp:109:3 in JSString::sizeOfExcludingThis(unsigned long (*)(void const*)) → Assertion failure: linear.ownsMallocedChars(), at /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109
Summary: Assertion failure: linear.ownsMallocedChars(), at /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109 → Assertion failure: linear.ownsMallocedChars(), at js/src/vm/StringType.cpp:109

This was fixed in Bug 1866817.

Status: UNCONFIRMED → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1866817
Resolution: --- → DUPLICATE
Group: javascript-core-security