Closed
Bug 1868095
Opened 6 months ago
Closed 6 months ago
Assertion failure: linear.ownsMallocedChars(), at js/src/vm/StringType.cpp:109
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 1866817
People
(Reporter: baksmali404, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.40
Steps to reproduce:
version: master
$ git clone https://github.com/mozilla/gecko-dev
$ cd gecko-dev
$ git show
commit 6eb2ebcafb1b4a8576eb513e6cd2c61e3f3ae6dc (HEAD -> master, origin/master, origin/HEAD)
Author: Masayuki Nakano <masayuki@d-toybox.com>
Date: Mon Nov 27 01:46:42 2023 +0000
Reproduce
./dist/bin/js pocfile.js
pocfile.js
function f0(a1, a2, a3) {
return a3;
}
this.byteSize(f0.toSource(f0, f0, f0, f0, f0));
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: linear.ownsMallocedChars(), at /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109
// #01: JSString::sizeOfExcludingThis(unsigned long (*)(void const*))[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x224ffae]
// #02: JS::ubi::Concrete<JSString>::size(unsigned long (*)(void const*)) const[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2250979]
// #03: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2400c03]
// #04: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c95227]
// #05: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c944c8]
// #06: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1cab24a]
// #07: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c9372a]
// #08: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c98582]
// #09: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1c98ced]
// #10: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1e7b95a]
// #11: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1e7bc30]
// #12: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b7f4e8]
// #13: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b79259]
// #14: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
// #15: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
// #16: ???[/home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1b43429]
// #17: ??? (???:???)
// STDOUT:
//
// ARGS: /home/user/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js --baseline-warmup-threshold=10 --ion-warmup-threshold=100 --ion-check-range-analysis --ion-extra-checks --fuzzing-safe --disable-oom-functions --reprl
// EXECUTION TIME: 13ms
gc();
Actual results:
ASan report
Assertion failure: linear.ownsMallocedChars(), at /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109
#01: JSString::sizeOfExcludingThis(unsigned long (*)(void const*))[./js +0x3946fe8]
#02: JS::ubi::Concrete<JSString>::size(unsigned long (*)(void const*)) const[./js +0x39471dc]
#03: ???[./js +0x3c6c895]
#04: ???[./js +0x2e3df2f]
#05: ???[./js +0x2dd61c7]
#06: ???[./js +0x2e01610]
#07: ???[./js +0x2dd4ee5]
#08: ???[./js +0x2dd4007]
#09: ???[./js +0x2ddc7b8]
#10: ???[./js +0x2ddd35f]
#11: ???[./js +0x3196afc]
#12: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[./js +0x31970d8]
#13: ???[./js +0x2be74a1]
#14: ???[./js +0x2be54f9]
#15: ???[./js +0x2b3af05]
#16: ???[./js +0x2b2e649]
#17: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
#18: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
#19: ???[./js +0x2a333f9]
#20: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1663497==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55e714dae01d bp 0x7ffca8da4e90 sp 0x7ffca8da4e00 T0)
==1663497==The signal is caused by a WRITE memory access.
==1663497==Hint: address points to the zero page.
#0 0x55e714dae01d in JSString::sizeOfExcludingThis(unsigned long (*)(void const*)) /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109:3
#1 0x55e714dae1db in JS::ubi::Concrete<JSString>::size(unsigned long (*)(void const*)) const /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:129:15
#2 0x55e7150d3894 in JS::ubi::Node::size(unsigned long (*)(void const*)) const /home/user/fuzz/gecko-dev/build_asan/dist/include/js/UbiNode.h:817:25
#3 0x55e7150d3894 in ByteSize(JSContext*, unsigned int, JS::Value*) /home/user/fuzz/gecko-dev/js/src/builtin/TestingFunctions.cpp:6928:43
#4 0x55e7142a4f2e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:472:13
#5 0x55e71423d1c6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:566:12
#6 0x55e71426860f in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:638:10
#7 0x55e71426860f in js::Interpret(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:3053:16
#8 0x55e71423bee4 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:386:10
#9 0x55e71423b006 in js::RunScript(JSContext*, js::RunState&) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:444:13
#10 0x55e7142437b7 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:831:13
#11 0x55e71424435e in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:863:10
#12 0x55e7145fdafb in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/user/fuzz/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:494:10
#13 0x55e7145fe0d7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/user/fuzz/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:518:10
#14 0x55e71404e4a0 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:1218:10
#15 0x55e71404c4f8 in Process(JSContext*, char const*, bool, FileKind) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp
#16 0x55e713fa1f04 in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:10873:10
#17 0x55e713fa1f04 in Shell(JSContext*, js::cli::OptionParser*) /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:11135:12
#18 0x55e713f95648 in main /home/user/fuzz/gecko-dev/js/src/shell/js.cpp:11543:12
#19 0x7f8a34629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#20 0x7f8a34629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#21 0x55e713e9a3f8 in _start (/home/user/fuzz/gecko-dev/build_asan/dist/bin/js+0x2a333f8) (BuildId: 71ae8a975b60af99419302f850c277ca)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109:3 in JSString::sizeOfExcludingThis(unsigned long (*)(void const*))
==1663497==ABORTING
Expected results:
SEGV or crash
Comment 1•6 months ago
byteSize is a testing-only function, so I'm not sure how much of a security issue it is. That being said, if there's a bug with a memory reporter in JS, that could potentially happen in the browser because we automatically collect memory reports occasionally. Although if this is an issue specifically with Ubi, then that can only be reached through our debugger. I'm also not sure how much of an issue this specific assertion is.
Group: core-security → javascript-core-security
Summary: Spidermonkey: SEGV /js/src/vm/StringType.cpp:109:3 in JSString::sizeOfExcludingThis(unsigned long (*)(void const*)) → Assertion failure: linear.ownsMallocedChars(), at /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109
Updated•6 months ago
Summary: Assertion failure: linear.ownsMallocedChars(), at /home/user/fuzz/gecko-dev/js/src/vm/StringType.cpp:109 → Assertion failure: linear.ownsMallocedChars(), at js/src/vm/StringType.cpp:109
Comment 2•6 months ago
This was fixed in Bug 1866817.
Status: UNCONFIRMED → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1866817
Resolution: --- → DUPLICATE
Updated•6 months ago
Group: javascript-core-security