Closed Bug 1879783 Opened 1 year ago Closed 1 year ago

AddressSanitizer: SEGV on unknown address 0x000000000001 or Assertion failure: maxLength <= ArrayBufferObject::ByteLengthLimit, at vm/SharedArrayObject.cpp:65

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- unaffected
firefox123 --- unaffected
firefox124 --- fixed

People

(Reporter: gkw, Assigned: anba)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
new SharedArrayBuffer(0, {
    "maxByteLength": 9999999999
})
==44456==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x55f9e6561776 bp 0x7ffec470e950 sp 0x7ffec470e940 T0)
==44456==The signal is caused by a WRITE memory access.
==44456==Hint: address points to the zero page.
    #0 0x55f9e6561776 in js::SharedArrayRawBuffer::Allocate(bool, unsigned long, unsigned long) /home/skymainubu/trees/mozilla-central/js/src/vm/SharedArrayObject.cpp:65:3
    #1 0x55f9e65649f6 in js::SharedArrayBufferObject::NewGrowable(JSContext*, unsigned long, unsigned long, JS::Handle<JSObject*>) /home/skymainubu/trees/mozilla-central/js/src/vm/SharedArrayObject.cpp:527:18
    #2 0x55f9e65649f6 in js::SharedArrayBufferObject::class_constructor(JSContext*, unsigned int, JS::Value*) /home/skymainubu/trees/mozilla-central/js/src/vm/SharedArrayObject.cpp:482:20
    #3 0x55f9e5e07e61 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:480:13
    #4 0x55f9e5e07e61 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:496:8
    #5 0x55f9e5e07e61 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:702:14
    #6 0x55f9e5e2e0bf in js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:749:10
    #7 0x55f9e5e2e0bf in js::Interpret(JSContext*, js::RunState&) /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:3046:16
    #8 0x55f9e5e03edb in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:394:10
    #9 0x55f9e5e03edb in js::RunScript(JSContext*, js::RunState&) /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:452:13
    #10 0x55f9e5e0982e in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:839:13
    #11 0x55f9e60cea18 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/skymainubu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:494:10
    #12 0x55f9e60cee3f in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/skymainubu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:518:10
    #13 0x55f9e5bcd688 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/skymainubu/trees/mozilla-central/js/src/shell/js.cpp:1206:10
    #14 0x55f9e5bcc3be in Process(JSContext*, char const*, bool, FileKind) /home/skymainubu/trees/mozilla-central/js/src/shell/js.cpp
    #15 0x55f9e5b536b9 in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/skymainubu/trees/mozilla-central/js/src/shell/js.cpp:10886:10
    #16 0x55f9e5b536b9 in Shell(JSContext*, js::cli::OptionParser*) /home/skymainubu/trees/mozilla-central/js/src/shell/js.cpp:11148:12
    #17 0x55f9e5b42c19 in main /home/skymainubu/trees/mozilla-central/js/src/shell/js.cpp:11624:12
    #18 0x7f40cf933d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7f40cf933e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #20 0x55f9e5a51a94 in _start (/home/skymainubu/shell-cache/js-64-asan-linux-x86_64-13676fc9b0cd/js-64-asan-linux-x86_64-13676fc9b0cd+0x2684a94) (BuildId: 2d654e975e55fa8800322859753905f1)

AddressSanitizer can not provide additional info.

Run with --fuzzing-safe --no-threads --no-baseline --no-ion --enable-arraybuffer-resizable, compile with AR=ar sh ../configure --enable-address-sanitizer --enable-undefined-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --without-sysroot --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 13676fc9b0cd.

Setting s-s to be safe.

Flags: sec-bounty?
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/bcb108625dff
user:        André Bargull
date:        Mon Jan 29 10:44:32 2024 +0000
summary:     Bug 1842773 - Part 32: Allow constructing growable SharedArrayBuffers. r=sfink

Andre, is bug 1842773 a likely regressor?

Flags: needinfo?(andrebargull)
Regressed by: 1842773

Set release status flags based on info from the regressing bug 1842773

Not security-sensitive, because we hit a release assertion, so we crash safely. Furthermore the pref for the code is currently still off by default.

Flags: needinfo?(andrebargull)

Drive-by change:

  • Update spec step comments to match current draft.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Group: core-security
Severity: -- → S3
Priority: -- → P2
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/334e4d00a684 Add missing check for maxByteLength not exceeding the byte length limit. r=sfink
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
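The fix landed above adds the check that the reporter's testcase was missing: a growable SharedArrayBuffer's maxByteLength must be validated against the engine's byte length limit before any allocation happens, so an oversized request ends in a RangeError rather than a release assertion. The script below is an added example, not code from this bug, the reporter, or SpiderMonkey. It probes how the host engine handles maxByteLength on growable SharedArrayBuffers, separating the cases the spec itself rejects (ToIndex out of range, byteLength above maxByteLength) from the reporter's 9999999999, where the spec leaves the outcome to the engine's own limit. It assumes an engine that ships growable SharedArrayBuffers (Node.js 20 or later with V8; a SpiderMonkey shell needs --enable-arraybuffer-resizable as in the reporter's command line); on older engines every probe reports 'unsupported'. All function and constant names are this example's own.

```javascript
'use strict';

// Added example, not code from the bug report or from SpiderMonkey.
// Probes how the host engine treats maxByteLength on growable
// SharedArrayBuffers. Assumes Node.js 20+ (V8); engines without the
// feature make every probe below return 'unsupported'.

// True when the engine honours the { maxByteLength } option. Engines without
// the feature ignore the second argument and hand back a fixed-length buffer,
// whose `growable` accessor is undefined rather than true.
function growableSabSupported() {
  try {
    return new SharedArrayBuffer(0, { maxByteLength: 16 }).growable === true;
  } catch (e) {
    return false;
  }
}

// Report what the constructor does for one (byteLength, maxByteLength) pair:
// 'ok', the name of the thrown error class, 'inconsistent' if the accessors
// disagree with the arguments, or 'unsupported'.
function probeConstruct(byteLength, maxByteLength) {
  if (!growableSabSupported()) return 'unsupported';
  try {
    const sab = new SharedArrayBuffer(byteLength, { maxByteLength });
    if (sab.byteLength !== byteLength || sab.maxByteLength !== maxByteLength) {
      return 'inconsistent';
    }
    return 'ok';
  } catch (e) {
    return e instanceof Error ? e.constructor.name : 'non-error-throw';
  }
}

// Build a growable buffer with the given cap, grow it once, and report the
// resulting byteLength or the thrown error's name. Growing past the cap
// must throw RangeError.
function probeGrow(maxByteLength, newByteLength) {
  if (!growableSabSupported()) return 'unsupported';
  const sab = new SharedArrayBuffer(0, { maxByteLength });
  try {
    sab.grow(newByteLength);
    return sab.byteLength;
  } catch (e) {
    return e instanceof Error ? e.constructor.name : 'non-error-throw';
  }
}

// Inputs the spec itself rejects with RangeError, independent of how much
// memory the engine is willing to reserve: ToIndex rejects values outside
// [0, 2^53-1], and AllocateSharedArrayBuffer rejects byteLength > maxByteLength.
const SPEC_RANGE_ERROR_CASES = {
  'maxByteLength above 2^53-1': [0, 2 ** 53],
  'negative maxByteLength': [0, -1],
  'byteLength above maxByteLength': [8, 4],
};

function runSpecCases() {
  const results = {};
  for (const [name, [len, max]] of Object.entries(SPEC_RANGE_ERROR_CASES)) {
    results[name] = probeConstruct(len, max);
  }
  return results;
}

// The reporter's value. It is below 2^53-1, so the spec leaves the outcome
// to the engine's own byte length limit: a buffer or a RangeError is
// acceptable, an assertion failure is not.
const REPORTER_MAX_BYTE_LENGTH = 9999999999;

function report() {
  return {
    supported: growableSabSupported(),
    spec: runSpecCases(),
    reporterTestcase: probeConstruct(0, REPORTER_MAX_BYTE_LENGTH),
    growWithinMax: probeGrow(16, 8),
    growPastMax: probeGrow(16, 32),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Run it against a build before and after the fix (or against different engines) and compare the `reporterTestcase` entry: the spec cases must always come back as RangeError, while the reporter's value may legitimately produce either a buffer or a RangeError depending on the engine's limit and available address space.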

> Furthermore the pref for the code is currently still off by default.

So that's "disabled", not "unaffected" then?

Flags: sec-bounty? → sec-bounty-

(In reply to Daniel Veditz [:dveditz] from comment #7)

> > Furthermore the pref for the code is currently still off by default.

> So that's "disabled", not "unaffected" then?

Yes.

