IonMonkey: Crash [@ QuoteString]

RESOLVED DUPLICATE of bug 779390

Status

major
6 years ago
6 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Other Branch
x86_64
Linux
crash, testcase
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:ignore][ion:p1:fx18][sg:dupe 779390], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 631692 [details]
Testcase for shell

The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
(Reporter)

Comment 1

6 years ago
Valgrind shows:

==27586== Invalid read of size 2
==27586==    at 0x581B1F: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:951)
==27586==    by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586==    by 0x5F171F: js_ValueToSource(JSContext*, JS::Value const&) (jsstr.cpp:3274)
==27586==    by 0x42EC50: JS_ValueToSource (jsapi.cpp:514)
==27586==    by 0x40B877: ToSource(JSContext*, JS::Value*, JSAutoByteString*) (js.cpp:1214)
==27586==    by 0x40BA76: AssertEq(JSContext*, unsigned int, JS::Value*) (js.cpp:1245)
==27586==    by 0x403829C: ???
==27586==    by 0xC71223F: ???
==27586==    by 0x7FEFFD257: ???
==27586==    by 0x43F: ???
==27586==  Address 0xc7fffff is not stack'd, malloc'd or (recently) free'd
==27586== 
==27586== Invalid read of size 2
==27586==    at 0x581B31: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:953)
==27586==    by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586==    by 0x5F171F: js_ValueToSource(JSContext*, JS::Value const&) (jsstr.cpp:3274)
==27586==    by 0x42EC50: JS_ValueToSource (jsapi.cpp:514)
==27586==    by 0x40B877: ToSource(JSContext*, JS::Value*, JSAutoByteString*) (js.cpp:1214)
==27586==    by 0x40BA76: AssertEq(JSContext*, unsigned int, JS::Value*) (js.cpp:1245)
==27586==    by 0x403829C: ???
==27586==    by 0xC71223F: ???
==27586==    by 0x7FEFFD257: ???
==27586==    by 0x43F: ???
==27586==  Address 0xc800047 is 7 bytes inside a block of size 32 free'd
==27586==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==27586==    by 0x403C14: js_free (Utility.h:169)
==27586==    by 0x403C4E: js::Foreground::free_(void*) (Utility.h:588)
==27586==    by 0x41B48F: JSRuntime::free_(void*) (jscntxt.h:880)
==27586==    by 0x41B4E3: JSContext::free_(void*) (jscntxt.h:1320)
==27586==    by 0x581A40: js::Sprint(js::Sprinter*, char const*, ...) (jsopcode.cpp:914)
==27586==    by 0x581D27: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:986)
==27586==    by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586==    by 0x5F171F: js_ValueToSource(JSContext*, JS::Value const&) (jsstr.cpp:3274)
==27586==    by 0x42EC50: JS_ValueToSource (jsapi.cpp:514)
==27586==    by 0x40B877: ToSource(JSContext*, JS::Value*, JSAutoByteString*) (js.cpp:1214)
==27586==    by 0x40BA76: AssertEq(JSContext*, unsigned int, JS::Value*) (js.cpp:1245)
Not sure if this is exploitable... is it just a bug local to QuoteString, and so always interpreting the unclean data as strings?
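Triage aid for the memcheck output above, added here as an example; it is not part of the bug report or of SpiderMonkey. It splits memcheck text into one record per "Invalid read/write" error, keeps the faulting stack and (when present) the free stack, classifies each access from the wording of the "Address ... is" line, and reports the frame the two stacks have in common, which for the second error is QuoteString itself. The sample input is a constructed excerpt of the log in this comment (frame addresses and names copied verbatim); the classification rules are assumptions based on memcheck's usual phrasing.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: an excerpt of the memcheck output quoted in comment 1,
# trimmed to the lines the parser needs (frame addresses and names copied verbatim).
SAMPLE_LOG = """\
==27586== Invalid read of size 2
==27586==    at 0x581B1F: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:951)
==27586==    by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586==    by 0x5F171F: js_ValueToSource(JSContext*, JS::Value const&) (jsstr.cpp:3274)
==27586==    by 0x403829C: ???
==27586==  Address 0xc7fffff is not stack'd, malloc'd or (recently) free'd
==27586==
==27586== Invalid read of size 2
==27586==    at 0x581B31: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:953)
==27586==    by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586==  Address 0xc800047 is 7 bytes inside a block of size 32 free'd
==27586==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==27586==    by 0x403C14: js_free (Utility.h:169)
==27586==    by 0x581A40: js::Sprint(js::Sprinter*, char const*, ...) (jsopcode.cpp:914)
==27586==    by 0x581D27: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:986)
"""

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")           # strips the "==pid== " prefix
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (.*)$")
ADDR_RE = re.compile(r"^\s*Address (0x[0-9A-Fa-f]+) is (.*)$")


@dataclass
class Frame:
    func: str
    location: Optional[str]   # "file:line", or None for "???" frames


@dataclass
class MemError:
    kind: str                 # "read" or "write"
    size: int                 # access width in bytes
    stack: List[Frame] = field(default_factory=list)       # where the access happened
    address: Optional[str] = None
    addr_desc: str = ""       # memcheck's description of the address
    free_stack: List[Frame] = field(default_factory=list)  # where the block was freed

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.stack[0] if self.stack else None

    @property
    def category(self) -> str:
        # Assumed heuristics keyed on memcheck's address descriptions.
        d = self.addr_desc
        if "inside a block" in d and "free'd" in d:
            return "use-after-free"
        if "not stack'd, malloc'd or (recently) free'd" in d:
            return "wild-pointer"
        if ("after a block" in d or "before a block" in d) and "alloc'd" in d:
            return "heap-out-of-bounds"
        return "unknown"

    def common_frame(self) -> Optional[Frame]:
        """First free-stack frame whose function is also on the faulting stack,
        i.e. the caller that both freed the block and is on the path that touched it."""
        faulting = {f.func for f in self.stack}
        for f in self.free_stack:
            if f.func in faulting:
                return f
        return None


def parse_frame(body: str) -> Optional[Frame]:
    m = FRAME_RE.match(body)
    if not m:
        return None
    text = m.group(1).strip()
    func, location = text, None
    # The source location is the last parenthesised group; the function text
    # may itself contain parentheses (C++ signatures), so split on the last " (".
    if text.endswith(")"):
        cut = text.rfind(" (")
        if cut != -1:
            func, location = text[:cut], text[cut + 2:-1]
    return Frame(func, location)


def parse_memcheck(text: str) -> List[MemError]:
    errors: List[MemError] = []
    cur: Optional[MemError] = None
    in_free_stack = False
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue
        body = m.group(1)
        em = ERROR_RE.match(body.strip())
        if em:
            cur = MemError(em.group(1), int(em.group(2)))
            errors.append(cur)
            in_free_stack = False
            continue
        if cur is None:
            continue
        am = ADDR_RE.match(body)
        if am:
            cur.address, cur.addr_desc = am.group(1), am.group(2)
            in_free_stack = True          # frames after this line describe the free
            continue
        fr = parse_frame(body)
        if fr is not None:
            (cur.free_stack if in_free_stack else cur.stack).append(fr)
        elif not body.strip():
            cur = None                    # blank "==pid==" line ends the record
    return errors


def summarize(err: MemError) -> str:
    top = err.top_frame
    where = "?" if top is None else (f"{top.func} ({top.location})" if top.location else top.func)
    line = f"{err.category}: invalid {err.kind} of {err.size} byte(s) at {err.address} in {where}"
    shared = err.common_frame()
    if shared is not None:
        line += f"; block freed via {shared.func} ({shared.location})"
    return line


if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE_LOG):
        print(summarize(e))
```

The two records come out differently: the first read targets an address memcheck cannot attribute to any allocation (a wild pointer), while the second lands inside a block freed from within the same QuoteString call. Keeping that distinction in the fuzzing queue is what lets a crash like this one be matched against an existing bug rather than re-triaged from scratch.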
Can't reproduce locally. Fixed by Bug 762936?
(Reporter)

Comment 4

6 years ago
The bot would have mentioned that, but trying to get explicit confirmation.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,reconfirm]
(Reporter)

Comment 5

6 years ago
I forgot that the bot cannot cope with archived testcases yet. But I found an easier testcase on tip now (rev 7ab88528503e, options as in comment 0):

gcPreserveCode();
gczeal(2);
var obj = {
    1: 1,
    2.5: 2.5,
    1073741822: 1073741822,
    1073741823: 1073741823,
    1073741824: 1073741824,
};
for (var s in obj) {
  var n = obj[s];
  assertEq(JSON.stringify(obj, [n]), '{"' + s + '":' + n + '}', "Failed (" + n + ")");
  assertEq(JSON.stringify(obj, [s, ]), '{"' + s + '":' + n + '}', "Failed (" + s + "', " + n + ")");
  assertEq(JSON.stringify(obj, [n, s]), '{"' + s + '":' + n + '}', "Failed (" + n + ", '" + s + "')" );
}
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:ignore]
decoder, I can't seem to reproduce the test case in comment #5 on tip or the given cset.
(Reporter)

Comment 7

6 years ago
Just tried this again and it reproduced for me (rev b02a7b214e49):

$ /srv/repos/ionmonkey/js/src/debug64/js --ion -n -m --ion-eager test.js 
Segmentation fault

What configure options did you use and did you try linux 64 bit?
Whiteboard: [jsbugmon:ignore] → [jsbugmon:ignore] js-triage-needed
This is another one I still can't reproduce, either on the given cset or tip, using either test case. --enable-valgrind and valgrind shows no errors either.
Whiteboard: [jsbugmon:ignore] js-triage-needed → [jsbugmon:ignore][ion:p1:fx18]

Updated

6 years ago
Assignee: general → kvijayan

Updated

6 years ago
Assignee: kvijayan → general
Sweet, I can reproduce this on the given cset on the fuzzing box. It doesn't repro on tip and hg bisect claims it was bug 779390, which is very believable.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 779390
Group: core-security
Whiteboard: [jsbugmon:ignore][ion:p1:fx18] → [jsbugmon:ignore][ion:p1:fx18][sg:dupe 779390]
(Reporter)

Comment 10

6 years ago
A testcase for this bug was already added in the original bug (bug 779390).
Flags: in-testsuite-