Closed
Bug 974359
Opened 10 years ago
Closed 10 years ago
Crash [@ nextLazyInnerFunction] or Crash [@ numFreeVariables]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, sec-moderate, testcase)
Attachments
(1 file)
2.89 KB,
application/zip
The attached testcase crashes on mozilla-central revision bf0e76f2a7d4 (threadsafe build, run with --fuzzing-safe --thread-count=2 --ion-eager).
Reporter
Comment 1•10 years ago
Jason and I discussed this already yesterday, here's some more crash information:

1) It only reproduces in a threadsafe optimized 64 bit build for me (--disable-debug --enable-optimize --enable-valgrind --enable-gczeal --enable-threadsafe).

2) It takes a variable amount of time to crash (I assume there is some thread scheduling issue that introduces the non-determinism here).

3) Crash trace:

Program received signal SIGSEGV, Segmentation fault.
nextLazyInnerFunction (this=0x7fffffffb768) at js/src/frontend/FullParseHandler.h:583
583         return lazyOuterFunction()->innerFunctions()[lazyInnerFunctionIndex++];
(gdb) bt
#0  nextLazyInnerFunction (this=0x7fffffffb768) at js/src/frontend/FullParseHandler.h:583
#1  js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition (this=0x7fffffffb110, funName=0x0, pn_=0x7fffffffa140, kind=<optimized out>, pbodyProcessed=0x7fffffffa15f) at js/src/frontend/Parser.cpp:1832
#2  0x0000000000430985 in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=0x7fffffffb110, funName=0x0, start=..., type=js::frontend::Normal, kind=js::frontend::Expression, generatorKind=js::NotGenerator) at js/src/frontend/Parser.cpp:1960
#3  0x0000000000430d66 in js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:2421
#4  0x0000000000432348 in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=0x7fffffffb110, tt=js::frontend::TOK_FUNCTION) at js/src/frontend/Parser.cpp:7001
#5  0x00000000004326fd in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=0x7fffffffb110, tt=<optimized out>, allowCallSyntax=true) at js/src/frontend/Parser.cpp:6497
#6  0x0000000000432d34 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:5749
#7  0x000000000043326a in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:5409
#8  0x0000000000433546 in condExpr1 (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:5461
#9  js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:5587
#10 0x00000000004360f2 in js::frontend::Parser<js::frontend::FullParseHandler>::variables (this=0x7fffffffb110, kind=js::frontend::PNK_VAR, psimple=0x0, blockObj=<optimized out>, varContext=js::frontend::HoistVars) at js/src/frontend/Parser.cpp:3516
#11 0x0000000000436bae in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=0x7fffffffb110, canHaveDirectives=true) at js/src/frontend/Parser.cpp:5192
#12 0x0000000000437356 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:2592
#13 0x0000000000438498 in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=0x7fffffffb110, kind=js::frontend::Statement, type=js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1065
#14 0x000000000043873f in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric (this=0x7fffffffb110, pn=0x15ee0a0, fun=(JSFunction * const) 0x7ffff5c61140 [object Function <unnamed>], type=<optimized out>, kind=js::frontend::Statement, newDirectives=<optimized out>) at js/src/frontend/Parser.cpp:2312
#15 0x0000000000423caa in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction (this=0x7fffffffb110, fun=(JSFunction * const) 0x7ffff5c61140 [object Function <unnamed>], staticLevel=<optimized out>, strict=<optimized out>, generatorKind=<optimized out>) at js/src/frontend/Parser.cpp:2241
#16 0x000000000047b77f in js::frontend::CompileLazyFunction (cx=0x15c58f0, lazy=0x7ffff5c54080, chars=0x1606ef2 u"() { /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */\n/* This Source Code Form is subject to the terms of the Mozilla Public\n * file, You can obtain one at http://mozilla."..., length=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:457
#17 0x00000000006919c9 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x15c58f0, fun=(JSFunction * const) 0x7ffff5c61140 [object Function <unnamed>]) at js/src/jsfun.cpp:1217
#18 0x00000000007a4b20 in getOrCreateScript (cx=0x15c58f0, this=<optimized out>) at js/src/jsfun.h:302
#19 getOrCreateScript (cx=0x15c58f0, this=<optimized out>) at js/src/vm/Interpreter.cpp:440
#20 js::Invoke (cx=0x15c58f0, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:478
#21 0x00000000007a54eb in js::Invoke (cx=0x15c58f0, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:532
#22 0x000000000054eb23 in js::jit::DoCallFallback (cx=0x15c58f0, frame=<optimized out>, stub=0x161d530, argc=0, vp=0x7fffffffc410, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:8103
#23 0x00007ffff7e52f12 in ?? ()
warning: (Internal error: pc 0x0 in read in psymtab, but not in symtab.)
#24 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x41f675 <js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition(JS::Handle<js::PropertyName*>, js::frontend::ParseNode**, js::frontend::FunctionSyntaxKind, bool*)+133>: mov (%rax,%rdx,8),%r13
(gdb) info reg rax rdx r13
rax            0x0      0
rdx            0x0      0
r13            0x7fffffffa250   140737488331344

Marked this one s-s because the test involves gc and I'm not sure that might make it exploitable somehow.
Flags: needinfo?(jorendorff)
Reporter
Comment 2•10 years ago
Before reduction, this also crashed [@ numFreeVariables]:

#0  numFreeVariables (this=<optimized out>) at js/src/jsscript.h:1730
#1  js::frontend::Parser<js::frontend::FullParseHandler>::addFreeVariablesFromLazyFunction (this=0x7fffcd675c20, fun=<optimized out>, pc=0x7fffcd6752e0) at js/src/frontend/Parser.cpp:1877
#2  0x000000000041f710 in js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition (this=0x7fffcd675c20, funName=..., pn_=0x7fffcd674c60, kind=<optimized out>, pbodyProcessed=0x7fffcd674c7f) at js/src/frontend/Parser.cpp:1839
#3  0x00000000004364e5 in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=<optimized out>, funName=0x0, start=..., type=js::frontend::Normal, kind=js::frontend::Expression, generatorKind=js::NotGenerator) at js/src/frontend/Parser.cpp:1960
#4  0x00000000004368c6 in js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr (this=0x7fffcd675c20) at js/src/frontend/Parser.cpp:2421
#5  0x0000000000437ea8 in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=0x7fffcd675c20, tt=js::frontend::TOK_FUNCTION) at js/src/frontend/Parser.cpp:7001
#6  0x000000000043825d in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=0x7fffcd675c20, tt=<optimized out>, allowCallSyntax=true) at js/src/frontend/Parser.cpp:6497
#7  0x0000000000438894 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=0x7fffcd675c20) at js/src/frontend/Parser.cpp:5749

rsi            0xd71    3441
rip            0x42c8ed <js::frontend::Parser<js::frontend::FullParseHandler>::addFreeVariablesFromLazyFunction(JSFunction*, js::frontend::ParseContext<js::frontend::FullParseHandler>*)+29>
=> 0x42c8ed <js::frontend::Parser<js::frontend::FullParseHandler>::addFreeVariablesFromLazyFunction(JSFunction*, js::frontend::ParseContext<js::frontend::FullParseHandler>*)+29>: mov 0x28(%rsi),%r9
Crash Signature: [@ nextLazyInnerFunction] → [@ nextLazyInnerFunction] [@ numFreeVariables]
Summary: Crash [@ nextLazyInnerFunction] → Crash [@ nextLazyInnerFunction] or Crash [@ numFreeVariables]
Comment 3•10 years ago
The first crash looks like null deref. Is there any evidence this might be worse?
Comment 4•10 years ago
I think I've seen this stack before in other hard-to-reproduce bugs:

Bug 953336 - Assertion failure: lazyInnerFunctionIndex < lazyOuterFunction()->numInnerFunctions(), at frontend/FullParseHandler.h
Bug 942496

Please fix this asap, I think this will help with other intermittent bugs too!
Reporter
Comment 5•10 years ago
(In reply to Daniel Veditz [:dveditz] from comment #3)
> The first crash looks like null deref. Is there any evidence this might be
> worse?

Yes, the second one is not a null-deref and from the same test (just less reduced). Also it involves GC, so it's likely more than a simple null-deref.
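As an added triage aid (not part of this bug or of SpiderMonkey), the script below takes the `x /i $pc` and `info reg` output quoted in comments 1 and 2, resolves the faulting instruction's effective address from its AT&T memory operand, and separates a true null dereference (zero base register, as in the nextLazyInnerFunction crash) from a small non-null value being used as a pointer (as in the numFreeVariables crash). The gdb excerpts are constructed from the traces above, and the 0x10000 cutoff is an assumption based on Linux's default vm.mmap_min_addr.

```python
import re

# Constructed gdb excerpts modelled on the two crashes in this bug: the
# faulting instruction from `x /i $pc` plus the registers from `info reg`.
TRACE_NEXT_LAZY = """\
=> 0x41f675 <checkFunctionDefinition(...)+133>: mov (%rax,%rdx,8),%r13
rax            0x0      0
rdx            0x0      0
r13            0x7fffffffa250   140737488331344
"""
TRACE_NUM_FREE = """\
=> 0x42c8ed <addFreeVariablesFromLazyFunction(...)+29>: mov 0x28(%rsi),%r9
rsi            0xd71    3441
"""

MMAP_MIN_ADDR = 0x10000  # assumption: Linux default vm.mmap_min_addr, nothing mapped below
MASK64 = (1 << 64) - 1
# AT&T memory operand: disp(base,index,scale); every part is optional.
MEM_RE = re.compile(r"(-?0x[0-9a-f]+|-?\d+)?\((?:%(\w+))?(?:,%(\w+)(?:,(\d+))?)?\)")
REG_RE = re.compile(r"^(\w+)\s+(0x[0-9a-f]+)", re.M)

def parse_regs(text):
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}

def effective_address(insn, regs):
    """Return (base register value, effective address) of the memory operand, or None."""
    m = MEM_RE.search(insn)
    if not m:
        return None
    disp = int(m.group(1), 0) if m.group(1) else 0
    base = regs.get(m.group(2), 0) if m.group(2) else 0
    index = regs.get(m.group(3), 0) if m.group(3) else 0
    scale = int(m.group(4)) if m.group(4) else 1
    return base, (disp + base + index * scale) & MASK64

def classify(text):
    """Classify the faulting access in a gdb excerpt as (effective address, label)."""
    insn_line = next(l for l in text.splitlines() if l.startswith("=>"))
    insn = insn_line.rsplit(">:", 1)[1]  # rsplit: C++ symbols themselves contain '>::'
    res = effective_address(insn, parse_regs(text))
    if res is None:
        return None, "no-memory-operand"
    base, ea = res
    if base == 0 and ea < MMAP_MIN_ADDR:
        return ea, "null-deref"            # null base plus at most a small offset
    if ea < MMAP_MIN_ADDR:
        return ea, "small-nonnull-pointer"  # a non-pointer value is being dereferenced
    return ea, "wild-pointer"
```

A "small-nonnull-pointer" result, like the 0xd71 in %rsi here, means the faulting value is not a missing null check but a corrupted or misinterpreted word, which is why such a crash deserves deeper triage than a plain null dereference.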
Updated•10 years ago
Keywords: sec-moderate
Comment 6•10 years ago
I don't seem to see this anymore, resolving WFM.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: core-security → core-security-release
Updated•7 years ago
Group: core-security-release