This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker. Please note that they apply a 90-day disclose timeline to all bugs: /mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --ion-eager /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-42.js [Environment] ASAN_OPTIONS = redzone=512:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1 Assertion failure: result.unwrapErr() == AbortReason::Error, at mozilla-central/js/src/jit/IonBuilder.cpp:3813 AddressSanitizer:DEADLYSIGNAL ================================================================= ==14162==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000f94ab7 bp 0x7fffdc8c9e80 sp 0x7fffdc8c97a0 T0) ==14162==The signal is caused by a WRITE memory access. ==14162==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0xf94ab6 in js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*) mozilla-central/js/src/jit/IonBuilder.cpp:3844:13 #1 0xf99d53 in js::jit::IonBuilder::inlineSingleCall(js::jit::CallInfo&, JSObject*) mozilla-central/js/src/jit/IonBuilder.cpp:4337:12 #2 0xf9a767 in js::jit::IonBuilder::inlineCallsite(mozilla::Vector<js::jit::InliningTarget, 4ul, js::jit::JitAllocPolicy> const&, js::jit::CallInfo&) mozilla-central/js/src/jit/IonBuilder.cpp:4391:16 #3 0xf6456e in js::jit::IonBuilder::jsop_call(unsigned int, bool, bool) mozilla-central/js/src/jit/IonBuilder.cpp:5397:5 #4 0xf3370a in js::jit::IonBuilder::inspectOpcode(JSOp) mozilla-central/js/src/jit/IonBuilder.cpp:2063:9 #5 0xf31e9d in js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) mozilla-central/js/src/jit/IonBuilder.cpp:1564:9 #6 0xf2668d in js::jit::IonBuilder::traverseBytecode() mozilla-central/js/src/jit/IonBuilder.cpp:1481:9 #7 0xf116d4 in js::jit::IonBuilder::build() mozilla-central/js/src/jit/IonBuilder.cpp:864:5 #8 0xf0c04b in js::jit::AnalyzeNewScriptDefiniteProperties(JSContext*, JS::Handle<JSFunction*>, js::ObjectGroup*, JS::Handle<js::PlainObject*>, mozilla::Vector<js::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*) mozilla-central/js/src/jit/IonAnalysis.cpp:4233:45 #9 0x23a77d3 in js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool) mozilla-central/js/src/vm/TypeInference.cpp:3846:10 #10 0xefa3dd in js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, unsigned char*, bool, js::jit::OptimizationLevel) mozilla-central/js/src/jit/Ion.cpp:2193:46 #11 0xefa3dd in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) mozilla-central/js/src/jit/Ion.cpp:2443 #12 0xefcfe5 in BaselineCanEnterAtEntry(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*) mozilla-central/js/src/jit/Ion.cpp:2559:27 #13 0xefcfe5 in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) mozilla-central/js/src/jit/Ion.cpp:2681 #12 0x3102f6c1e010 (<unknown module>) #13 0x3102f6c19c05 (<unknown module>) #14 0x10e95e0 in EnterJit(JSContext*, js::RunState&, unsigned char*) mozilla-central/js/src/jit/Jit.cpp:99:9 #15 0x10e95e0 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) mozilla-central/js/src/jit/Jit.cpp:162 #16 0x87c933 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:408:34 #17 0x8b2fc0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:495:15 #18 0xbe1a6b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:2551:14 #18 0x3102f6c2635a (<unknown module>) #19 0x621000508e8f (<unknown module>) #20 0x3102f6c19dae (<unknown module>) #19 0x10e95e0 in EnterJit(JSContext*, js::RunState&, unsigned char*) mozilla-central/js/src/jit/Jit.cpp:99:9 #20 0x10e95e0 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) mozilla-central/js/src/jit/Jit.cpp:162 #21 0x87c933 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:408:34 #22 0x8b2fc0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:495:15 #23 0xbe1a6b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:2551:14 #25 0x3102f6c2635a (<unknown module>) #26 0x6210003716ff (<unknown module>) #27 0x3102f6c5b000 (<unknown module>)

Can you take this one?

As soon as I am done with Bug 1412653.

Independently of the error reporting, tracking where the error was emitted gave the following stack, which surprised me! Apparently we run the parser in order to know if content of a function can be inlined during the analysis. Thread 1 received signal SIGSEGV, Segmentation fault. 0x00000000007fb066 in js::jit::IonBuilder::inlineScriptedCall (this=0x7fff993e6670, callInfo=..., target=0x7f978eeb3d00) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:3813 3813 MOZ_ASSERT(result.unwrapErr() == AbortReason::Error); (rr) bt #0 js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::statementList (this=0x7fff993e3470, yieldHandling=js::frontend::YieldIsName) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/Parser.cpp:4112 #1 0x0000000000522283 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::functionBody (this=0x7fff993e3470, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::Statement, type=js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::StatementListBody) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/Parser.cpp:2699 #2 0x0000000000516380 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody (this=0x7fff993e3470, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, pn=0x46205b0, kind=js::frontend::Statement, parameterListEnd=..., isStandaloneFunction=false) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/Parser.cpp:3757 #3 0x0000000000504fac in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneLazyFunction (this=0x7fff993e3470, fun=..., toStringStart=870, strict=false, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::SyncFunction) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/Parser.cpp:3649 #4 0x0000000000ce6c24 in js::frontend::CompileLazyFunction (cx=0x454b570, lazy=..., chars=0x486469e u"() {\n };\n return {\n areEqual: function areEqual() {\n validate( message);\n },\n areNotEqual: function areNotEqual() {\n } };\n}();\nclass __c_19 {\n constructor() {\n this.foo = 'Si"..., length=8) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/BytecodeCompiler.cpp:689 #5 0x0000000000ba7476 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x454b570, fun=...) at /home/nicolas/mozilla/alternate-dev/js/src/jsfun.cpp:1601 #6 0x0000000000439774 in JSFunction::getOrCreateScript (cx=0x454b570, fun=...) at /home/nicolas/mozilla/alternate-dev/js/src/jsfun.h:450 #7 0x00000000007e8935 in js::jit::IonBuilder::canInlineTarget (this=0x7fff993e4de0, target=0x7f978eeb3cc0, callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:428 #8 0x00000000007fbd15 in js::jit::IonBuilder::makeInliningDecision (this=0x7fff993e4de0, targetArg=0x7f978eeb3cc0, callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:4018 #9 0x00000000007fcb9b in js::jit::IonBuilder::inlineCallsite (this=0x7fff993e4de0, targets=..., callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:4363 #10 0x0000000000802764 in js::jit::IonBuilder::jsop_call (this=0x7fff993e4de0, argc=1, constructing=false, ignoresReturnValue=true) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:5397 #11 0x00000000007f1479 in js::jit::IonBuilder::inspectOpcode (this=0x7fff993e4de0, op=JSOP_CALL_IGNORES_RV) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:2063 #12 0x00000000007ee85f in js::jit::IonBuilder::visitBlock (this=0x7fff993e4de0, cfgblock=0x4873410, mblock=0x4901b48) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1564 #13 0x00000000007ede31 in js::jit::IonBuilder::traverseBytecode (this=0x7fff993e4de0) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1481 #14 0x00000000007ebc5f in js::jit::IonBuilder::buildInline (this=0x7fff993e4de0, callerBuilder=0x7fff993e6670, callerResumePoint=0x4901930, callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1028 #15 0x00000000007faf9c in js::jit::IonBuilder::inlineScriptedCall (this=0x7fff993e6670, callInfo=..., target=0x7f978eeb3d00) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:3809 #16 0x00000000007fca2a in js::jit::IonBuilder::inlineSingleCall (this=0x7fff993e6670, callInfo=..., targetArg=0x7f978eeb3d00) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:4337 #17 0x00000000007fcd34 in js::jit::IonBuilder::inlineCallsite (this=0x7fff993e6670, targets=..., callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:4391 #18 0x0000000000802764 in js::jit::IonBuilder::jsop_call (this=0x7fff993e6670, argc=0, constructing=false, ignoresReturnValue=true) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:5397 #19 0x00000000007f1479 in js::jit::IonBuilder::inspectOpcode (this=0x7fff993e6670, op=JSOP_CALL_IGNORES_RV) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:2063 #20 0x00000000007ee85f in js::jit::IonBuilder::visitBlock (this=0x7fff993e6670, cfgblock=0x48732f0, mblock=0x4900ec0) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1564 #21 0x00000000007ede31 in js::jit::IonBuilder::traverseBytecode (this=0x7fff993e6670) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1481 #22 0x00000000007ea9c7 in js::jit::IonBuilder::build (this=0x7fff993e6670) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:864 #23 0x00000000007e4cc4 in js::jit::AnalyzeNewScriptDefiniteProperties (cx=0x454b570, fun=..., group=0x7f978eeba5b0, baseobj=..., initializerList=0x7fff993e6e30) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonAnalysis.cpp:4233 #24 0x0000000000f28d59 in js::TypeNewScript::maybeAnalyze (this=0x48bba20, cx=0x454b570, group=0x7f978eeba5b0, regenerate=0x0, force=true) at /home/nicolas/mozilla/alternate-dev/js/src/vm/TypeInference.cpp:3846 #25 0x00000000007d291e in js::jit::IonCompile (cx=0x454b570, script=0x7f978ee92d08, baselineFrame=0x7fff993e74b8, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at /home/nicolas/mozilla/alternate-dev/js/src/jit/Ion.cpp:2216 #26 0x00000000007d36d9 in js::jit::Compile (cx=0x454b570, script=..., osrFrame=0x7fff993e74b8, osrPc=0x0, forceRecompile=false) at /home/nicolas/mozilla/alternate-dev/js/src/jit/Ion.cpp:2466 #27 0x00000000007d3d65 in BaselineCanEnterAtEntry (cx=0x454b570, script=..., frame=0x7fff993e74b8) at /home/nicolas/mozilla/alternate-dev/js/src/jit/Ion.cpp:2582 #28 0x00000000007d43ef in js::jit::IonCompileScriptForBaseline (cx=0x454b570, frame=0x7fff993e74b8, pc=0x48bbb98 "T") at /home/nicolas/mozilla/alternate-dev/js/src/jit/Ion.cpp:2704 #29 0x000017b05c6f5811 in ?? () #30 0x0000000000000000 in ?? ()

InliningDecision_Error is always used to forward the error value coming from inlining decision. In the future, We would have to add a new InliningDecision_Alloc if we were to add an allocation failure case, which does not carry an exception.

Comment on attachment 8928949 [details] [diff] [review] InliningDecision_Error is always reported with a pending exception, use AbortReason_Error instead of _Alloc. Review of attachment 8928949 [details] [diff] [review]: ----------------------------------------------------------------- Good find.

I do not think this assertion will cause any issue, at the moment these are only over-recurse or OOM exceptions which are being reported today. The wrapping function will not even consider the AbortReason::Alloc vs AbortReason::Error values, and just forward if there is a pending exception: https://searchfox.org/mozilla-central/source/js/src/jit/IonAnalysis.cpp#4236-4237 If these were to happen in other code path, then in the worst case these might cause MOZ_CRASH, which are not exploitable. Safe to open and to ride the train from my point of view.

Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/e6be8071c22b InliningDecision_Error is always reported with a pending exception, use AbortReason_Error instead of _Alloc. r=jandem

Won't fix for 58, let it ride the train.