Bug 690650

TI: Crash [@ js_InternalInterpret] or "Assertion failure: codeArray[offset],"

RESOLVED FIXED

Get help with this page

Status

()

Product:

▸

Core

Component:

▸

JavaScript Engine

Importance:

critical

Status:

RESOLVED FIXED

Reported:

6 years ago

Modified:

5 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 2 bugs, {assertion, crash, testcase})

Version:

Trunk

Target:

---

Platform:

x86

Mac OS X

Keywords:

assertion, crash, testcase

Points:

---

Blocks:

jsfunfuzz, infer-regress, 630996

Dependency tree / graph

Bug Flags:

decoder

in-testsuite

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos] js-triage-needed)

Attachments

(3 attachments)

testcase 6 years ago Gary Kwong [:gkw] [:nth10sd] 192.13 KB, text/plain		Details
stack 6 years ago Gary Kwong [:gkw] [:nth10sd] 2.81 KB, text/plain		Details
patch 6 years ago Brian Hackett (:bhackett) 764 bytes, patch	dvander : review+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd]

(Reporter)

Description

•

6 years ago

Created attachment 563647 [details]
testcase

The attached testcase asserts js debug shell on JM changeset 44ef245b8706 and m-c changeset db9e99d537f2 with -m, -a and -n at Assertion failure: codeArray[offset], and crashes js opt shell at js_InternalInterpret

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

Since it seems to be a null deref, assuming sg:dos and locking s-s to be safe.

Gary Kwong [:gkw] [:nth10sd]

(Reporter)

Comment 1

•

6 years ago

Created attachment 563650 [details]
stack

Brian Hackett (:bhackett)

(Assignee)

Comment 2

•

6 years ago

Created attachment 565103 [details] [diff] [review]
patch

Use of GET_JUMP_OFFSET which did not watch for JOF_JUMPX opcodes.  No other suspicious uses of GET_JUMP_OFFSET in analysis/compilation code, though I'd kind of like to kill GET_JUMP_OFFSET / GET_JUMP_OFFSETX completely and use a common function to compute offsets for both.

Assignee: general → bhackett1024

Attachment #565103 - Flags: review?(dvander)

David Anderson [:dvander]

Updated

•

6 years ago

Attachment #565103 - Flags: review?(dvander) → review+

Brian Hackett (:bhackett)

(Assignee)

Comment 3

•

6 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/cfda40f4a5c8

Christian Holler (:decoder)

Comment 4

•

6 years ago

https://hg.mozilla.org/mozilla-central/rev/cfda40f4a5c8

Status: NEW → RESOLVED

Last Resolved: 6 years ago

Resolution: --- → FIXED

David Mandelin [:dmandelin]

Updated

•

6 years ago

Group: core-security

Christian Holler (:decoder)

Comment 5

•

5 years ago

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

TI: Crash [@ js_InternalInterpret] or "Assertion failure: codeArray[offset],"

Status

()

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 2 bugs, {assertion, crash, testcase})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos] js-triage-needed)

Security

(public)

User Story

Attachments

(3 attachments)

Description

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Updated

Comment 5