SEGV gecko-dev/js/src/builtin/TestingFunctions.cpp:1933:5 in DisassembleBaselineICs(JSContext*, unsigned int, JS::Value*)
Categories: Core :: JavaScript Engine, defect
People: Reporter: ddme, Unassigned
Keywords: reporter-external; Whiteboard: [client-bounty-form]
Attachments: 1 file (6.38 KB, text/plain)
Working on 22a0993169acd84ab8d574fefddcb4da04b77c91, built with:
ac_add_options --enable-application=js
ac_add_options --enable-optimize
ac_add_options --enable-debug
ac_add_options --disable-shared-js
ac_add_options --enable-js-fuzzilli
ac_add_options --enable-fuzzing
ac_add_options --enable-gczeal
and run with --ion-eager.
POC:
class C1 {
  ["XN"];
}
const v3 = -String;
gczeal(14);
x = [v3,v3,v3];
const v10 = new Uint8Array();
Array.prototype.push.call(x, v10);
function f16() {
  try {
    y.toString();
  } catch(e19) {
  }
  for (const v23 of [null,0]) {
    function f24() {
      const v25 = this;
      v25.disblic(f24);
      class C27 {
      }
      const v28 = C27.bind();
      try { v28(v25, v23); } catch (e) {}
      return v28;
    }
    f24();
  }
  return String;
}
Array.prototype.some.call(x, f16);
gc();
The other one:
gczeal(14);
new Uint8Array();
for (const v7 of [null]) {
  function f8() {
    const v9 = this;
    v9.disblic(f8);
    class C11 {
    }
    const v12 = new C11();
    v12.__proto__;
    return f8;
  }
  const t12 = f8();
  t12();
}
gc();
Comment 2•1 month ago
This is unlikely to qualify for a bug bounty if the problem is in the testing functions. The js shell is handy for testing, but not technically covered by the bug bounty program -- the bugs have to exist in Firefox itself. Make sure you're using the fuzzing-safe arguments, which turn off a lot of the extra functionality so the environment is closer to what a web page sees in Firefox. For help, check in the #fuzzing room on our Matrix server: https://chat.mozilla.org
Hi, I have tested that it still triggers with --ion-eager --fuzzing-safe.
Comment 4•1 month ago
This is a duplicate of bug 1937430. The reported failing build (22a0993169acd84ab8d574fefddcb4da04b77c91) does not contain the fix. (It looks like it landed later in the day on the 20th).
I reproduced the crashes on an older build, and verified that both testcases pass in an up-to-date build.