Open Bug 1904899 Opened 12 days ago Updated 12 days ago

SEGV in WasmDumpIon src/js/src/builtin/TestingFunctions.cpp:2114:18

Categories: Core :: JavaScript: WebAssembly, defect

Status: UNCONFIRMED

People: Reporter: nils.bars, Assigned: jpages

References: Blocks 1 open bug

Attachments (1 file): bug.js (168 bytes, application/x-javascript)

Steps to reproduce:

Check out commit 9fcc11127fbfbdc88cbf37489dac90542e141c77 and invoke the js shell as follows:

js --fuzzing-safe --fast-warmup --gc-zeal=14,162 <test-case>

Actual results:

==260949==The signal is caused by a READ memory access.
    #0 0x555557aff940 in void mozilla::detail::VectorImpl<unsigned char, 0ul, js::SystemAllocPolicy, true>::new_<unsigned char const&>(unsigned char*, unsigned char const&) /reproducebuild/dist/include/mozilla/Vector.h:251:12
    #1 0x555557aff940 in void mozilla::detail::VectorImpl<unsigned char, 0ul, js::SystemAllocPolicy, true>::copyConstruct<unsigned char>(unsigned char*, unsigned char const*, unsigned char const*) /reproducebuild/dist/include/mozilla/Vector.h:284:7
    #2 0x555557aff940 in void mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::internalAppend<unsigned char>(unsigned char const*, unsigned long) /reproducebuild/dist/include/mozilla/Vector.h:1443:3
    #3 0x555557aff6ad in bool mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned char const*) /reproducebuild/dist/include/mozilla/Vector.h:1433:3
    #4 0x555557ad89b6 in bool mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned long) /reproducebuild/dist/include/mozilla/Vector.h:1516:10
    #5 0x555557ad89b6 in js::wasm::ShareableBytes::append(unsigned char const*, unsigned long) /js/src/wasm/WasmShareable.h:70:18
    #6 0x555557ad89b6 in WasmDumpIon(JSContext*, unsigned int, JS::Value*) /js/src/builtin/TestingFunctions.cpp:2114:18
    #7 0x5555572aea7e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:487:13
    #8 0x5555572adcdf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:581:12
    #9 0x5555572c4291 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:653:10
    #10 0x5555572c4291 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3291:16
    #11 0x5555572acce1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:459:13
    #12 0x5555572b1ec1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:846:13
    #13 0x5555572b26cc in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:878:10
    #14 0x5555574fb2f9 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /js/src/vm/CompilationAndEvaluation.cpp:494:10
    #15 0x5555574fb577 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /js/src/vm/CompilationAndEvaluation.cpp:518:10
    #16 0x5555571ec80e in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /js/src/shell/js.cpp:1194:10
    #17 0x5555571ebb75 in Process(JSContext*, char const*, bool, FileKind) /js/src/shell/js.cpp
    #18 0x5555571a641e in ProcessArgs(JSContext*, js::cli::OptionParser*) /js/src/shell/js.cpp:11255:10
    #19 0x5555571a641e in Shell(JSContext*, js::cli::OptionParser*) /js/src/shell/js.cpp:11507:12
    #20 0x55555719e421 in main /js/src/shell/js.cpp:12033:12
    #21 0x7ffff7a44d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x7ffff7a44e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x5555571680c8 in _start (/reproducebuild/dist/bin/js+0x1c140c8) (BuildId: c8a19ddcb250c15fe6cf6c98455e1cdf)
Blocks: 1903968
Component: Untriaged → JavaScript: WebAssembly
Product: Firefox → Core

WasmDumpIon is now fuzzing-unsafe, so this is not a security issue.

Assignee: nobody → jpages