Closed Bug 1817437 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(JS::Value has illegal type: 0xfffa80000000000a)

Categories: Core :: JavaScript Engine (defect)

RESOLVED DUPLICATE of bug 1816311

Reporter: lukas.bernhard (Unassigned)

References: Blocks 1 open bug

Attachment: crash.js (deleted), application/x-javascript

Steps to reproduce:

On commit df2a7bff8fa01ebc6292e68ce7e3c7b7cf8fc33c the attached sample crashes with an assert when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js. While there is a call to the debugger API in the sample, I'm not sure whether this is the root cause, hence flagging as s-s.

#0  0x0000555557dbf63e in MOZ_Crash (
    aFilename=0x555555a1115d "js/src/vm/Value.cpp", aLine=40, 
    aReason=0x55555a470880 <sPrintfCrashReason> "JS::Value has illegal type: 0xfffa80000000000a")
    at obj-x86_64-pc-linux-gnu/dist/include/mozilla/Assertions.h:261
#1  js::ReportBadValueTypeAndCrash (value=...) at js/src/vm/Value.cpp:39
#2  0x000055555756d360 in js::TypeOfValue (v=...) at js/src/vm/Interpreter.cpp:943
#3  0x0000555557586f99 in js::TypeOfOperation (v=..., rt=0x7ffff7423000)
    at js/src/vm/Interpreter-inl.h:528
#4  0x0000555557556ccf in Interpret (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:2951
#5  0x000055555754ce90 in js::RunScript (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:431
#6  0x000055555756be7c in js::ExecuteKernel (cx=0x7ffff742f100, script=..., envChainArg=..., evalInFrame=..., 
    result=...) at js/src/vm/Interpreter.cpp:812
#7  0x00005555575d8785 in EvalKernel (cx=0x7ffff742f100, v=..., evalType=DIRECT_EVAL, caller=..., env=..., 
    pc=0x7ffff74176c5 "w\001", vp=...) at js/src/builtin/Eval.cpp:353
#8  0x00005555575d8b9d in js::DirectEval (cx=0x7ffff742f100, v=..., vp=...)
    at js/src/builtin/Eval.cpp:380
#9  0x0000555557559f96 in Interpret (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:3247
#10 0x000055555754ce90 in js::RunScript (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:431
#11 0x000055555756be7c in js::ExecuteKernel (cx=0x7ffff742f100, script=..., envChainArg=..., evalInFrame=..., 
    result=...) at js/src/vm/Interpreter.cpp:812
#12 0x0000555558082e43 in EvaluateInEnv (cx=0x7ffff742f100, env=..., frame=..., chars=..., evalOptions=..., 
    rval=...) at js/src/debugger/Frame.cpp:1000
#13 0x0000555558082591 in js::DebuggerGenericEval (cx=0x7ffff742f100, chars=..., bindings=..., options=..., 
    dbg=0x7ffff4c07200, envArg=..., iter=0x7fffffff9d90)
    at js/src/debugger/Frame.cpp:1086
#14 0x00005555580830a5 in js::DebuggerFrame::eval (cx=0x7ffff742f100, frame=..., chars=..., bindings=..., 
    options=...) at js/src/debugger/Frame.cpp:1105
#15 0x00005555580862bf in js::DebuggerFrame::CallData::evalMethod (this=0x7fffffffa258)
    at js/src/debugger/Frame.cpp:1846
#16 0x00005555580ad5d3 in js::DebuggerFrame::CallData::ToNative<&js::DebuggerFrame::CallData::evalMethod> (
    cx=0x7ffff742f100, argc=1, vp=0x7fffffffa730) at js/src/debugger/Frame.cpp:1302
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

I see findPath in the test case. I'll see if this is fixed by the patch I have for that for another bug...

Flags: needinfo?(jdemooij)

This is fixed by the patch for bug 1816311. We're returning a MagicValue(JS_UNINITIALIZED_LEXICAL) to JS and TypeOfValue doesn't like that.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1816311
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Group: javascript-core-security
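The hex in the crash message can be read back into the engine's own terms, which is a quick way to check a triage claim like the one in comment 2 before a patch is even applied. The decoder below is an added example by the editor, not Mozilla code; the tag shift (47), the tag base 0x1FFF0, the JSValueType codes and the JSWhyMagic ordering are assumptions copied from js/public/Value.h as it stood in early 2023, so re-check them against the tree you are debugging. Applied to 0xfffa80000000000a it yields a magic value whose payload is JS_UNINITIALIZED_LEXICAL, which is exactly what comment 2 says leaked to script; the "script_visible" flag marks the types that JS code may legitimately observe, anything else reaching TypeOfValue ends in ReportBadValueTypeAndCrash.

```python
"""Decode a 64-bit punboxed SpiderMonkey JS::Value (x86-64 layout).

Added example, not Mozilla code. Layout constants are an assumption taken
from js/public/Value.h (early 2023): anything numerically <= 0x1FFF0 << 47
is a raw IEEE-754 double; otherwise the top 17 bits are 0x1FFF0 | type
and the low 47 bits are the payload.
"""
import struct

JSVAL_TAG_SHIFT = 47
JSVAL_TAG_MAX_DOUBLE = 0x1FFF0
PAYLOAD_MASK = (1 << JSVAL_TAG_SHIFT) - 1

# JSValueType codes (assumed). 0x00 = double is recognised before the tag
# is looked at, so it is not listed here.
JSVAL_TYPES = {
    0x01: "int32", 0x02: "boolean", 0x03: "undefined", 0x04: "null",
    0x05: "magic", 0x06: "string", 0x07: "symbol",
    0x08: "private_gcthing", 0x09: "bigint", 0x0c: "object",
}

# JSWhyMagic in declaration order (assumed); a magic value's payload is
# its index in this enum.
JS_WHY_MAGIC = [
    "JS_ELEMENTS_HOLE", "JS_NO_ITER_VALUE", "JS_GENERATOR_CLOSING",
    "JS_ARG_POISON", "JS_SERIALIZE_NO_NODE", "JS_IS_CONSTRUCTING",
    "JS_HASH_KEY_EMPTY", "JS_ION_ERROR", "JS_ION_BAILOUT",
    "JS_OPTIMIZED_OUT", "JS_UNINITIALIZED_LEXICAL", "JS_MISSING_ARGUMENTS",
    "JS_GENERIC_MAGIC",
]

# Types that script may observe. A value of any other type reaching
# TypeOfValue is an engine bug and is what ReportBadValueTypeAndCrash reports.
SCRIPT_VISIBLE = {"double", "int32", "boolean", "undefined", "null",
                  "string", "symbol", "bigint", "object"}


def decode_value(bits):
    """Describe the boxed value `bits` (unsigned 64-bit int) as a dict."""
    bits &= (1 << 64) - 1
    if bits <= (JSVAL_TAG_MAX_DOUBLE << JSVAL_TAG_SHIFT):
        info = {"type": "double",
                "value": struct.unpack("<d", struct.pack("<Q", bits))[0]}
    else:
        type_code = (bits >> JSVAL_TAG_SHIFT) - JSVAL_TAG_MAX_DOUBLE
        payload = bits & PAYLOAD_MASK
        info = {"type": JSVAL_TYPES.get(type_code, "illegal(0x%x)" % type_code),
                "payload": payload}
        if info["type"] == "int32":
            info["value"] = struct.unpack(
                "<i", struct.pack("<I", payload & 0xFFFFFFFF))[0]
        elif info["type"] == "boolean":
            info["value"] = bool(payload & 1)
        elif info["type"] == "magic":
            why = payload & 0xFFFFFFFF
            info["why"] = (JS_WHY_MAGIC[why] if why < len(JS_WHY_MAGIC)
                           else "unknown(%d)" % why)
        elif info["type"] in ("string", "symbol", "bigint", "object",
                              "private_gcthing"):
            info["pointer"] = payload
    info["script_visible"] = info["type"] in SCRIPT_VISIBLE
    return info


def describe(bits):
    """One-line summary suitable for pasting into a triage comment."""
    info = decode_value(bits)
    parts = ["0x%016x: %s" % (bits & ((1 << 64) - 1), info["type"])]
    if "why" in info:
        parts.append(info["why"])
    if "value" in info:
        parts.append(repr(info["value"]))
    if "pointer" in info:
        parts.append("ptr=0x%x" % info["pointer"])
    if not info["script_visible"]:
        parts.append("(not script-visible: TypeOfValue would MOZ_CRASH)")
    return " ".join(parts)


if __name__ == "__main__":
    # The value from this bug's crash message.
    print(describe(0xfffa80000000000a))
    # Constructed legal values for comparison (not from the bug).
    print(describe(0xfff9800000000000))  # undefined
    print(describe(0xfff880000000002a))  # int32 42
    print(describe(0x4045000000000000))  # double 42.0
```

Run it as a script to see the bug's value next to a few ordinary ones; for a different crash, paste the hex from the MOZ_CRASH line into describe(). If the decoder reports a type that should be script-visible but the engine still crashed, the layout assumptions above no longer match your tree and Value.h is the first thing to re-read.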