Spidermonkey: SEGV at /js/src/shell/js.cpp:3946:5 in Crash(JSContext*, unsigned int, JS::Value*)
Categories: Core :: JavaScript Engine, defect
People: Reporter: baksmali404, Unassigned
Attachments (1 file): 58.34 KB, text/javascript
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0
Steps to reproduce:
version:master
$ git clone https://github.com/mozilla/gecko-dev
$ cd gecko-dev
$ git show
commit 7bf069df3a2b9f10ebd400e3366910337b75121a (HEAD -> master, origin/master, origin/HEAD)
Author: Emilio Cobos Álvarez <emilio@crisal.io>
Date: Wed Jan 17 21:49:34 2024 +0000
Bug 1840762 - Don't throttle postMessage for pdf.js. r=smaug
This should be safe to uplift.
Differential Revision: https://phabricator.services.mozilla.com/D198829
Reproduce:
./dist/bin/js pocfile.js
pocfile.js: segv_js_3945.js
Actual results:
asan report
Hit MOZ_CRASH(forced crash) at /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:3946
#01: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2c041a3]
#02: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e74e9f]
#03: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e07759]
#04: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e0a469]
#05: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x3432163]
#06: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e74e9f]
#07: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e07759]
#08: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e33e31]
#09: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e0655d]
#10: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e05677]
#11: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x2e07585]
#12: ???[/home/gandalf/fuzz/gecko-dev/build_asan/dist/bin/js +0x4e05bd7]
#13: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==67128==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x562efb5d61d8 bp 0x7ffc70182fd0 sp 0x7ffc70182e40 T0)
==67128==The signal is caused by a WRITE memory access.
==67128==Hint: address points to the zero page.
LLVMSymbolizer: error reading file: No such file or directory
#0 0x562efb5d61d8 in Crash(JSContext*, unsigned int, JS::Value*) /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:3946:5
#1 0x562efb846e9e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:479:13
#2 0x562efb7d9758 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:573:12
#3 0x562efb7dc468 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:672:8
#4 0x562efbe04162 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /home/gandalf/fuzz/gecko-dev/js/src/vm/JSFunction.cpp:1102:10
#5 0x562efb846e9e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:479:13
#6 0x562efb7d9758 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:573:12
#7 0x562efb805e30 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:645:10
#8 0x562efb805e30 in js::Interpret(JSContext*, js::RunState&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:3060:16
#9 0x562efb7d855c in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:393:10
#10 0x562efb7d7676 in js::RunScript(JSContext*, js::RunState&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:451:13
#11 0x562efb7d9584 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:605:13
#12 0x562efd7d7bd6 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/gandalf/fuzz/gecko-dev/js/src/jit/BaselineIC.cpp:1659:10
#13 0x28fd5f7ee7be ([anon:js-executable-memory]+0xb7be)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:3946:5 in Crash(JSContext*, unsigned int, JS::Value*)
==67128==ABORTING
Expected results:
SEGV or crash
Credit:
Gandalf4a of PKU-Changsha Institute for Computing and Digital Economy
Updated•1 year ago
Comment 1•1 year ago
Thank you for reporting this.
This is crashing in the crash() testing function, a builtin function that always triggers a crash when called, so this crash is safe and expected. To fuzz the SpiderMonkey shell you should pass the --fuzzing-safe flag to disable these fuzzing-unsafe functions.
Comment 2
When I compile spider, it says: "mozbuild.configure.options.InvalidOptionError: Unknown option: --fuzzing-safe". How do I use this flag?
Comment 3•1 year ago
(In reply to gandalf4a from comment #2)
When I compile spider, it says: "mozbuild.configure.options.InvalidOptionError: Unknown option: --fuzzing-safe". How do I use this flag?
It's a shell flag so you use it like this:
./dist/bin/js --fuzzing-safe pocfile.js
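A small triage helper that applies the diagnosis from comment 1 and the re-run from comment 3, added here as an example and not code from the bug report or from mozilla-central: it marks an ASan report whose top frame is the crash() builtin as expected, and re-runs a PoC under --fuzzing-safe, where that builtin is not available. The JS_SHELL variable and the default shell path are assumptions.

```shell
#!/bin/sh
# Added triage helper; not code from the bug report or from the SpiderMonkey tree.
# The crash() testing builtin always aborts via MOZ_CRASH("forced crash"), so a
# report whose top frame is Crash(JSContext*, unsigned int, JS::Value*) is an
# expected fuzzing-unsafe-function hit rather than a memory-safety bug.

# Print "forced-crash" (exit 0) when the report is the crash() builtin firing,
# otherwise print "needs-triage" (exit 1).
classify_report() {
  if grep -qF 'MOZ_CRASH(forced crash)' "$1" ||
     grep -F ' in Crash(JSContext*, unsigned int, JS::Value*)' "$1" | grep -q '#0 '; then
    echo forced-crash
    return 0
  fi
  echo needs-triage
  return 1
}

# Re-run a PoC with --fuzzing-safe (the flag from comment 3): the shell then
# omits fuzzing-unsafe builtins such as crash(), so a crash that still
# reproduces deserves a closer look. JS_SHELL and its default are assumptions.
rerun_fuzzing_safe() {
  "${JS_SHELL:-./dist/bin/js}" --fuzzing-safe "$1"
}

# Constructed excerpt of the report in this bug (first two frames only),
# written to the given path so the classifier can be exercised offline.
write_sample_report() {
  cat > "$1" <<'EOF'
Hit MOZ_CRASH(forced crash) at /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:3946
==67128==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    #0 0x562efb5d61d8 in Crash(JSContext*, unsigned int, JS::Value*) /home/gandalf/fuzz/gecko-dev/js/src/shell/js.cpp:3946:5
    #1 0x562efb846e9e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/gandalf/fuzz/gecko-dev/js/src/vm/Interpreter.cpp:479:13
EOF
}

sample=$(mktemp)
write_sample_report "$sample"
classify_report "$sample"      # forced-crash
rm -f "$sample"
```

Run `rerun_fuzzing_safe segv_js_3945.js` from the build directory to confirm the PoC no longer crashes once crash() is disabled.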