1885401 - JSString::dumpCharsNoQuote stack exhaustion

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[lukas.bernhard]

Steps to reproduce:

On git commit 04f7743d94691fa24212fb43099f9d84c3bfc890 the attached sample exhausts the stack and hence crashes the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

let v0 = "s";
for (let i2 = 0; i2 < 250000; ++i2) {
    v0 += "a\n";
}
this.dumpValue(v0);

#0  0x00005555578fb5e8 in js::gc::HeaderWord::get (
    this=<error reading variable: Cannot access memory at address 0x7fffff7feff8>)
    at js/src/gc/Cell.h:104
#1  0x0000555557901ed5 in js::gc::CellWithLengthAndFlags::headerFlagsField (this=0x91a5dd3aac0)
    at js/src/gc/Cell.h:639
#2  0x0000555557901eb5 in JSString::flags (this=0x91a5dd3aac0) at js/src/vm/StringType.h:206
#3  0x0000555557901dc5 in JSString::isLinear (this=0x91a5dd3aac0) at js/src/vm/StringType.h:550
#4  0x000055555806408a in JSString::dumpCharsNoQuote (this=0x91a5dd3aac0, out=...)
    at js/src/vm/StringType.cpp:560
#5  0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3aad8, out=...)
    at js/src/vm/StringType.cpp:571
#6  0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3aaf0, out=...)
    at js/src/vm/StringType.cpp:571
#7  0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3ab08, out=...)
    at js/src/vm/StringType.cpp:571
#8  0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3ab20, out=...)
    at js/src/vm/StringType.cpp:571
#9  0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3ab38, out=...)
    at js/src/vm/StringType.cpp:571
#10 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3ab50, out=...)
    at js/src/vm/StringType.cpp:571
#11 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3ab68, out=...)
    at js/src/vm/StringType.cpp:571
#12 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3ab80, out=...)
    at js/src/vm/StringType.cpp:571
#13 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3ab98, out=...)
    at js/src/vm/StringType.cpp:571
#14 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3abb0, out=...)
    at js/src/vm/StringType.cpp:571
#15 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3abc8, out=...)
    at js/src/vm/StringType.cpp:571
#16 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3abe0, out=...)
    at js/src/vm/StringType.cpp:571
#17 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3abf8, out=...)
    at js/src/vm/StringType.cpp:571
#18 0x000055555806418d in JSString::dumpCharsNoQuote (this=0x91a5dd3ac10, out=...)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8d7916c07be5
user:        Tooru Fujisawa
date:        Wed Jan 31 08:54:47 2024 +0000
summary:     Bug 1783397 - Part 14: Add dumpValue testing funtion. r=mgaudet

Arai-san, is bug 1783397 a likely regressor?

Comment 2

[Tooru Fujisawa [:arai]]

Attachment: Bug 1885401 - Hide value/object/string dump functions from fuzzing. r?mgaudet!

Comment 3

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/68a52b9ecf54
Hide value/object/string dump functions from fuzzing. r=mgaudet

Comment 4

[Sandor Molnar[:smolnar]]

Backed out for causing build bustages @ js/src/builtin/TestingFunctions.cpp

Backout link: https://hg.mozilla.org/integration/autoland/rev/176d9ef5e59c4ad4a55076d0bf8ae828405a07cc

Push with failures

Failure log -> /builds/worker/checkouts/gecko/js/src/builtin/TestingFunctions.cpp:10419:44: error: use of undeclared identifier 'DumpStringRepresentation'

Comment 5

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/9e4513cdec3e
Hide value/object/string dump functions from fuzzing. r=mgaudet

Comment 6

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/9e4513cdec3e