
IonMonkey: Crash [@ js::SkipSpace] with use-after-free

Status: RESOLVED DUPLICATE of bug 759312
Product: Core
Component: JavaScript Engine
Severity: major

People: Reporter decoder; Unassigned

Tracking: Blocks 2 bugs
Keywords: crash, testcase
Version: Other Branch
Platform: x86 Linux
Bug Flags: in-testsuite-
Firefox Tracking Flags: Not tracked

Whiteboard: [jsbugmon:update]

Description (Reporter, 5 years ago)
The following testcase crashes on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m):


var lfcode = new Array();
lfcode.push("function complex(aReal, aImag) {\n\
  this.i = aImag;\n\
  this.square = function() {\n\
    return new complex(this.r * this.r - this.i * this.i, 2 * this.r * this.i);\n\
  }\n\
  this.dist = function() {}\n\
  this.add = function(aComplex) {\n\
    return new complex(this.r + aComplex.r, this.i + aComplex.i);\n\
  }\n\
}\n\
function mandelbrotValueOO (aC, aIterMax) {\n\
  let Z = new complex(0.0, 0.0);\n\
  for (var iter = 0; iter < aIterMax; iter++) {\n\
    Z = Z.square().add(aC);\n\
  }\n\
}\n\
const height = 60;\n\
const max_iters = 50;\n\
for (let img_y = 0; img_y < height; img_y++) {\n\
  let C = new complex(-2 + new (function  () {\n\
    this.reports = [];\n\
  } ) * 3,typeof 1.5 + (img_y / height) * 3);\n\
  var res = mandelbrotValueOO(C, max_iters);\n\
  gczeal(2);\n\
}\n\
");
while (true) {
  var file = lfcode.shift(); if (file == undefined) { break; }
  loadFile(file);
}
function loadFile(lfVarx) {
  if (lfVarx.substr(-3) != ".js") {
    evaluate(lfVarx);
  }
}
Comment 1 (Reporter, 5 years ago)
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x08175cdd in js::SkipSpace (s=0xdadadada, end=0xf6363634) at js/src/jsstrinlines.h:100
100         while (s < end && unicode::IsSpace(*s))
(gdb) bt
#0  0x08175cdd in js::SkipSpace (s=0xdadadada, end=0xf6363634) at js/src/jsstrinlines.h:100
#1  0x08179e4d in js::StringToNumberType<double> (cx=0x87dcca8, str=0xf770f930, result=0xffffb400) at js/src/jsnuminlines.h:54
#2  0x08178f26 in js::ToNumberSlow (cx=0x87dcca8, v=..., out=0xffffb400) at js/src/jsnum.cpp:1220
#3  0x0806b2eb in JS::ToNumber (cx=0x87dcca8, v=..., out=0xffffb400) at js/src/jsapi.h:2387
#4  0x08149b74 in js::MulOperation (cx=0x87dcca8, lhs=..., rhs=..., res=0xf79ce220) at js/src/jsinterpinlines.h:635
#5  0x081577a6 in js::Interpret (cx=0x87dcca8, entryFrame=0xf79ce0f0, interpMode=js::JSINTERP_NORMAL) at js/src/jsinterp.cpp:2229
#6  0x0814c38d in js::RunScript (cx=0x87dcca8, script=0xf7706448, fp=0xf79ce0f0) at js/src/jsinterp.cpp:285
#7  0x0814cfef in js::ExecuteKernel (cx=0x87dcca8, script=0xf7706448, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0xf79ce0b8)
    at js/src/jsinterp.cpp:485
#8  0x0814d27b in js::Execute (cx=0x87dcca8, script=0xf7706448, scopeChainArg=..., rval=0xf79ce0b8) at js/src/jsinterp.cpp:527
(gdb) x /i $pc
=> 0x8175cdd <js::SkipSpace(jschar const*, jschar const*)+87>:  movzwl (%eax),%eax
(gdb) info reg eax
eax            0xdadadada       -623191334
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 759312
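The crashing frame above dereferences s=0xdadadada, a pointer whose every byte is the fill value that freed memory receives, which is what makes this a use-after-free rather than a plain bad read. As an added triage example (not from the bug report), the script below parses a gdb backtrace like the one above and flags pointer arguments filled with a freed-memory poison byte; 0xDA is SpiderMonkey's JS_FREE_PATTERN, and 0xE5 is assumed here to be the byte Firefox's jemalloc writes over freed heap blocks.

```python
import re

# Single-byte fill patterns that mark freed memory in SpiderMonkey / Firefox builds.
# 0xDA is SpiderMonkey's JS_FREE_PATTERN (debug builds poison freed GC cells with it);
# 0xE5 is the byte Firefox's jemalloc writes over freed heap blocks (assumed here).
FREED_MEMORY_POISON = {
    0xDA: "JS_FREE_PATTERN: freed GC cell",
    0xE5: "jemalloc free poison",
}

# gdb 'bt' frame: "#0  0x08175cdd in js::SkipSpace (s=0xdadadada, end=0xf6363634) at ..."
FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\S+) \((?P<args>.*)\)")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")


def poison_byte(value, width=4):
    """Return the fill byte if 'value' is a pointer made of one repeated byte, else None."""
    b = value & 0xFF
    if value == int.from_bytes(bytes([b]) * width, "little"):
        return b
    return None


def classify_backtrace(bt_text, width=4):
    """Parse gdb backtrace text; return (frame, function, arg, hex, reason) per poisoned pointer."""
    findings = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        for name, hexval in ARG_RE.findall(m.group("args")):
            b = poison_byte(int(hexval, 16), width)
            if b in FREED_MEMORY_POISON:
                findings.append((int(m.group("n")), m.group("func"), name, hexval,
                                 FREED_MEMORY_POISON[b]))
    return findings


def likely_use_after_free(bt_text, width=4):
    """True when the crashing frame (#0) received a pointer that carries a free poison."""
    return any(frame == 0 for frame, *_ in classify_backtrace(bt_text, width))


# Excerpt of the backtrace from this report (32-bit build, so 4-byte pointers).
SAMPLE_BT = """\
#0  0x08175cdd in js::SkipSpace (s=0xdadadada, end=0xf6363634) at js/src/jsstrinlines.h:100
#1  0x08179e4d in js::StringToNumberType<double> (cx=0x87dcca8, str=0xf770f930, result=0xffffb400) at js/src/jsnuminlines.h:54
#7  0x0814cfef in js::ExecuteKernel (cx=0x87dcca8, script=0xf7706448, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0xf79ce0b8)
"""

if __name__ == "__main__":
    for hit in classify_backtrace(SAMPLE_BT):
        print("frame #%d %s: %s=%s looks like %s" % hit)
    print("likely use-after-free:", likely_use_after_free(SAMPLE_BT))
```

On a 64-bit build pass width=8 so that only full 8-byte fills are treated as poison.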
Updated (Reporter, 5 years ago)
Group: core-security
Comment 3 (Reporter, 5 years ago)
A testcase for this bug was already added in the original bug (bug 759312).
Flags: in-testsuite-