Closed Bug 1419280 Opened 7 years ago Closed 5 years ago

UBSan: invalid shift in [@ big2_prologTok]

Categories

(Core :: XML, defect, P2)

59 Branch
defect

Tracking


RESOLVED DUPLICATE of bug 1374012
Tracking Status
firefox59 --- affected
firefox60 --- affected
firefox61 --- affected
firefox62 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

Attached file testcase.html (deleted)
This was found with a Firefox build built with -fsanitize=shift.

/parser/expat/lib/xmltok_impl.c:1143:5: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
    #0 0x7ff931e96148 in big2_prologTok /parser/expat/lib/xmltok_impl.c:1143:5
    #1 0x7ff931e362d3 in prologProcessor /parser/expat/lib/xmlparse.c:3811:13
    #2 0x7ff931e2fa24 in MOZ_XML_Parse /parser/expat/lib/xmlparse.c:1530:17
    #3 0x7ff92b458821 in nsExpatDriver::ParseBuffer(char16_t const*, unsigned int, bool, unsigned int*) /parser/htmlparser/nsExpatDriver.cpp:887:16
    #4 0x7ff92b4590db in nsExpatDriver::ConsumeToken(nsScanner&, bool&) /parser/htmlparser/nsExpatDriver.cpp:985:5
    #5 0x7ff92b460d7c in nsParser::Tokenize(bool) /parser/htmlparser/nsParser.cpp:1539:30
    #6 0x7ff92b45e5d5 in nsParser::ResumeParse(bool, bool, bool) /parser/htmlparser/nsParser.cpp:1056:41
    #7 0x7ff92b461f28 in nsParser::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /parser/htmlparser/nsParser.cpp:1437:12
    #8 0x7ff92c4a2cea in mozilla::dom::DOMParser::ParseFromStream(nsIInputStream*, char const*, int, char const*, nsIDOMDocument**) /dom/base/DOMParser.cpp:287:20
    #9 0x7ff92c4a1cb6 in mozilla::dom::DOMParser::ParseFromString(nsTSubstring<char16_t> const&, char const*, nsIDOMDocument**) /dom/base/DOMParser.cpp:123:10
    #10 0x7ff92c4a199e in mozilla::dom::DOMParser::ParseFromString(nsTSubstring<char16_t> const&, mozilla::dom::SupportedType, mozilla::ErrorResult&) /dom/base/DOMParser.cpp:63:8
    #11 0x7ff92dac840d in mozilla::dom::DOMParserBinding::parseFromString(JSContext*, JS::Handle<JSObject*>, mozilla::dom::DOMParser*, JSJitMethodCallArgs const&) /objdir-ff-ubsan/dom/bindings/DOMParserBinding.cpp:75:49
    #12 0x7ff92e0ebea6 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3040:13
    #13 0x7ff934d5ddd7 in CallJSNative /js/src/jscntxtinlines.h:291:15
    #14 0x7ff934d5ddd7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:473
    #15 0x7ff934d5ed40 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:522:12
    #16 0x7ff934d4b81b in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3098:18
    #17 0x7ff934d32917 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:423:12
    #18 0x7ff934d607e3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /js/src/vm/Interpreter.cpp:706:15
    #19 0x7ff934d60cc9 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /js/src/vm/Interpreter.cpp:738:12
    #20 0x7ff935762a98 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /js/src/jsapi.cpp:4692:12
    #21 0x7ff935763332 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /js/src/jsapi.cpp:4711:12
    #22 0x7ff935762ebf in JS_ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /js/src/jsapi.cpp:4732:12
    #23 0x7ff92c78d1c4 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /dom/base/nsJSUtils.cpp:266:8
    #24 0x7ff92fd656e2 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /dom/script/ScriptLoader.cpp:2272:25
    #25 0x7ff92fd61fdf in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /dom/script/ScriptLoader.cpp:1914:10
    #26 0x7ff92fd51215 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /dom/script/ScriptLoader.cpp:1615:10
    #27 0x7ff92fd4f74b in mozilla::dom::ScriptElement::MaybeProcessScript() /dom/script/ScriptElement.cpp:147:18
    #28 0x7ff92b510a96 in nsIScriptElement::AttemptToExecute() /objdir-ff-ubsan/dist/include/nsIScriptElement.h:226:18
    #29 0x7ff92b4f4d21 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /parser/html/nsHtml5TreeOpExecutor.cpp:735:22
    #30 0x7ff92b4f0e10 in nsHtml5TreeOpExecutor::RunFlushLoop() /parser/html/nsHtml5TreeOpExecutor.cpp:539:7
    #31 0x7ff92b514301 in nsHtml5ExecutorFlusher::Run() /parser/html/nsHtml5StreamParser.cpp:130:20
    #32 0x7ff928f5cdb9 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1037:14
    #33 0x7ff928f95ed1 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:513:10
    #34 0x7ff92a0c7e31 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21
    #35 0x7ff929f49d50 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3
    #36 0x7ff92fed70a4 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:159:27
    #37 0x7ff9348268d9 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:288:30
    #38 0x7ff9349edafb in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4685:22
    #39 0x7ff9349ef95c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4847:8
    #40 0x7ff9349f0651 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4942:21
    #41 0x518238 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:231:22
    #42 0x517aba in main /browser/app/nsBrowserApp.cpp:304:16
    #43 0x7ff95de3b1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #44 0x420589 in _start (firefox+0x420589)
Flags: in-testsuite?
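As an added example, not expat's code and not the upstream fix pulled in by bug 1374012: a minimal big-endian UTF-16 name scanner over an expat-style bitmap of 32-bit words, showing the `1 << n` shape that UBSan reports for n == 31 and the unsigned form that stays defined. The bitmap contents, the sample buffer and every function name here are constructed for this illustration.

```c
/* Added example (not expat's or Firefox's code): an expat-style naming
 * bitmap indexed as word = c >> 5, bit = c & 0x1F. With a signed 'int'
 * literal, bit 31 is reached by 1 << 31, which overflows 'int' and is
 * undefined behaviour; -fsanitize=shift reports exactly that. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define BITMAP_WORDS 8   /* 8 x 32 bits covers code units 0x00..0xFF */

/* Constructed bitmap of "name characters": A-Z, a-z and '_' (0x5F).
 * Built lazily so callers need no separate init step. */
static uint32_t name_bitmap[BITMAP_WORDS];

static void ensure_bitmap(void) {
    static bool ready = false;
    if (ready) return;
    for (unsigned c = 'A'; c <= 'Z'; c++) name_bitmap[c >> 5] |= 1u << (c & 0x1F);
    for (unsigned c = 'a'; c <= 'z'; c++) name_bitmap[c >> 5] |= 1u << (c & 0x1F);
    name_bitmap['_' >> 5] |= 1u << ('_' & 0x1F);   /* '_' & 0x1F == 31 */
    ready = true;
}

/* The reported shape: signed literal 1. For any c with (c & 0x1F) == 31,
 * e.g. '_', this evaluates 1 << 31 on a 32-bit int, which is UB. Kept
 * only as the "before" form; do not call it with such values. */
bool is_name_char_unsafe(unsigned c) {
    ensure_bitmap();
    return (name_bitmap[c >> 5] & (1 << (c & 0x1F))) != 0;
}

/* Hardened lookup: unsigned literal, so shifts 0..31 are all defined,
 * and out-of-range code units are rejected before indexing the table. */
bool is_name_char(unsigned c) {
    ensure_bitmap();
    if (c >= BITMAP_WORDS * 32) return false;
    return (name_bitmap[c >> 5] & (1u << (c & 0x1F))) != 0;
}

/* Count the leading name characters of a big-endian UTF-16 buffer, the
 * way a prolog tokenizer consumes a name; 'len' is in bytes. */
size_t name_prefix_len(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {      /* 2 bytes per unit */
        unsigned c = ((unsigned)buf[i] << 8) | buf[i + 1];
        if (!is_name_char(c)) break;
        n++;
    }
    return n;
}
```

Note that '_' is an ordinary XML name character whose low five bits are all set, so a name beginning with '_' is enough to make the signed form shift by 31; the unsigned literal removes the undefined case without changing which characters match.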
Looks like Eric's out until Dec 5. Peter, can you take a look, please?
Flags: needinfo?(peterv)
Priority: -- → P2

Bug 1374012 pulled in a fix from upstream.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(peterv)
Resolution: --- → DUPLICATE