Bug 1961072 (Open, status NEW)
Opened 3 months ago
Updated 3 months ago
Stack overflow in ExpressionDecompiler::decompilePC() when decompiling a super long expression
Categories: Core :: JavaScript Engine, defect, P3
People: Reporter: beads.75.chirpy, Unassigned
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [client-bounty-form]
ExpressionDecompiler::decompilePC() is written as a recursive function, and the recursion depth is controlled by the attacker-controlled JS code. This means that the attacker can cause a stack overflow by constructing an expression with a long chain of operations and then get SpiderMonkey to decompile it. For example, consider this one-liner test case:
eval("(" + "0".repeat(100000).split("").join("+") + ")()");
Here we construct a piece of JavaScript with a long chain of operations and then get it to emit an exception, which would cause the decompiler to run to construct the error message (e.g. TypeError: ((0 + 0) + 0) is not a function), and we will trigger a stack overflow.
js(2649,0x20848c840) malloc: nano zone abandoned due to inability to reserve vm space.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2649==ERROR: AddressSanitizer: stack-overflow on address 0x00016e827fe0 (pc 0x000101316924 bp 0x00016e828210 sp 0x00016e827f90 T0)
#0 0x000101316924 in js::StringPrinter::put(char const*, unsigned long)+0x4 (js:arm64+0x10053a924)
#1 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#2 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#3 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#4 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#5 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#6 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#7 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#8 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#9 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#10 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#11 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#12 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#13 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#14 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#15 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#16 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#17 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#18 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#19 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#20 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#21 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#22 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#23 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#24 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#25 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#26 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#27 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#28 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#29 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#30 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#31 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#32 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#33 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#34 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#35 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#36 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#37 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#38 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#39 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#40 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#41 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#42 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#43 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#44 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#45 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#46 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#47 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#48 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#49 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#50 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#51 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#52 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#53 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#54 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#55 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#56 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#57 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#58 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#59 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#60 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#61 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#62 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#63 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#64 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#65 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#66 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#67 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#68 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#69 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#70 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#71 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#72 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#73 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#74 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#75 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#76 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#77 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#78 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#79 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#80 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#81 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#82 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#83 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#84 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#85 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#86 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#87 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#88 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#89 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#90 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#91 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#92 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#93 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#94 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#95 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#96 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#97 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#98 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#99 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#100 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#101 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#102 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#103 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#104 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#105 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#106 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#107 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#108 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#109 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#110 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#111 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#112 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#113 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#114 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#115 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#116 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#117 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#118 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#119 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#120 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#121 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#122 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#123 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#124 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#125 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#126 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#127 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#128 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#129 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#130 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#131 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#132 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#133 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#134 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#135 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#136 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#137 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#138 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#139 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#140 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#141 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#142 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#143 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#144 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#145 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#146 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#147 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#148 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#149 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#150 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#151 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#152 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#153 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#154 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#155 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#156 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#157 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#158 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#159 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#160 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#161 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#162 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#163 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#164 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#165 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#166 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#167 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#168 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#169 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#170 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#171 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#172 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#173 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#174 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#175 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#176 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#177 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#178 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#179 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#180 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#181 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#182 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#183 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#184 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#185 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#186 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#187 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#188 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#189 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#190 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#191 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#192 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#193 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#194 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#195 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#196 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#197 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#198 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#199 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#200 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#201 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#202 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#203 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#204 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#205 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#206 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#207 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#208 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#209 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#210 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#211 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#212 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#213 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#214 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#215 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#216 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#217 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#218 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#219 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#220 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#221 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#222 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#223 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#224 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#225 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#226 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#227 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#228 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#229 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#230 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#231 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#232 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#233 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#234 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#235 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#236 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#237 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#238 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#239 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#240 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#241 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#242 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#243 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#244 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#245 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#246 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#247 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#248 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#249 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#250 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#251 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#252 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#253 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
#254 0x000101083fb0 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)+0x75c (js:arm64+0x1002a7fb0)
SUMMARY: AddressSanitizer: stack-overflow (js:arm64+0x10053a924) in js::StringPrinter::put(char const*, unsigned long)+0x4
==2649==ABORTING
Flags: sec-bounty?
Group: firefox-core-security → core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk
Updated•3 months ago
Group: core-security → javascript-core-security
Comment 1•3 months ago
A stack overflow from infinite recursion doesn't need to be a security bug.
Group: javascript-core-security
Updated•3 months ago
Updated•3 months ago
Status: UNCONFIRMED → NEW
Has STR: --- → yes
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-