Possible Fuzz-blocker at MOZ_CRASH([unhandlable oom] SavedStacksMetadataBuilder) on js::AutoEnterOOMUnsafeRegion::crash
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
People
(Reporter: 0x4248, Unassigned)
References
(Blocks 2 open bugs)
Details
Attachments
(2 files)
Steps to reproduce:
https://github.com/mozilla/gecko-dev
commit b5d4c2d
./js poc.js
class C0 {
get b() {
new ArrayBuffer(ArrayBuffer);
}
}
function F5() {
if (!new.target) { throw 'hi'; }
}
const v7 = new F5();
function F8(a10, a11) {
if (!new.target) { throw 'hi'; }
}
const v12 = new F8("iterator", v7);
v12.sameZoneAs = v7;
const v16 = this.newGlobal(v12).Debugger;
const t15 = v16(this).memory;
t15.trackingAllocationSites = "iterator";
const v19 = new C0();
function f21() {
v19.b;
return v16;
}
ArrayBuffer[Symbol.toPrimitive] = f21;
new ArrayBuffer(ArrayBuffer);
Actual results:
Hit MOZ_CRASH([unhandlable oom] SavedStacksMetadataBuilder) at /media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/js/src/vm/JSContext.cpp:1305
#01: js::AutoEnterOOMUnsafeRegion::crash(char const*)[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x30d012b]
#02: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x34e53a8]
#03: JS::Realm::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>)[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x3498548]
#04: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x2a8c3d7]
#05: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x316d37c]
#06: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x2f23ea0]
#07: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x3b0c3e3]
#08: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x2f2e26b]
#09: JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* ()(void, unsigned int), void*, unsigned int, ...)[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x3ab14fc]
#10: JSContext::onOverRecursed()[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x3090165]
#11: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x2ac91ea]
#12: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x2acb051]
#13: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x2acdbb9]
#14: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x2d16367]
#15: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x3192f6a]
#16: js::ToNumberSlow(JSContext*, JS::Handle<JS::Value>, double*)[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x3b896e2]
#17: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x3b8c0f8]
#18: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x3b8bf0f]
#19: ???[/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js +0x2d94f40]
#20: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
==13179==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5574c7d80150 bp 0x7ffe08566e10 sp 0x7ffe08566900 T0)
==13179==The signal is caused by a WRITE memory access.
==13179==Hint: address points to the zero page.
#0 0x5574c7d80150 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x30d0150) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#1 0x5574c81953a7 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x34e53a7) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#2 0x5574c8148547 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x3498547) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#3 0x5574c773c3d6 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x2a8c3d6) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#4 0x5574c7e1d37b (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x316d37b) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#5 0x5574c7bd3e9f (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x2f23e9f) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#6 0x5574c87bc3e2 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x3b0c3e2) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#7 0x5574c7bde26a (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x2f2e26a) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#8 0x5574c87614fb (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x3ab14fb) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#9 0x5574c7d40164 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x3090164) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#10 0x5574c77791e9 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x2ac91e9) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#11 0x5574c777b050 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x2acb050) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#12 0x5574c777dbb8 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x2acdbb8) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#13 0x5574c79c6366 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x2d16366) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#14 0x5574c7e42f69 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x3192f69) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#15 0x5574c88396e1 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x3b896e1) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#16 0x5574c883c0f7 (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x3b8c0f7) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#17 0x5574c883bf0e (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x3b8bf0e) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#18 0x5574c7a44f3f (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x2d94f3f) (BuildId: e3649afecc6cfcd19cadcce44482459c)
#19 0x127dfc9a08f5 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/media/x4248/e2235291-bb75-496b-a6a8-ad13a607cef0/x4248/gecko-dev/objdir-ff-asan/dist/bin/js+0x30d0150) (BuildId: e3649afecc6cfcd19cadcce44482459c)
==13179==ABORTING
Expected results:
It should execute without triggering a crash.
|
Reporter | |
Comment 1•1 year ago
|
||
Sorry for the mess. I should have used backticks.
|
||
Comment 2•1 year ago
|
||
Thanks for the report. OOM crashes like this are safe and not security issues.
|
||
Comment 3•1 year ago
|
||
Not sure if there is any value in keeping this bug around.
I doubt we are going to look into this OOM issue unless this becomes a fuzz-blocker (very high volume while fuzzing) or this becomes a large crashing location for our users (crash-stats).
Usually we recommend to ignore bugs with [unhandlable oom] as a crash message, unless one specific location is preventing fuzzers from reporting any useful crashes.
이준성 is this crash highly frequent?
Otherwise we would just close this bug.
|
|
Reporter | |
Comment 4•1 year ago
|
||
Thank you for the clarification. This guidance is immensely helpful in guiding my approach to fuzzing.
I've indeed encountered similar stack traces across different instances, but I must admit, I'm not entirely certain how to assess the frequency of the crash.
I've attached the stack trace information from those varied cases.
|
|
||
Comment 5•1 year ago
|
||
A fuzz-blocker might be qualified as a kind of bug which appears so much that we fear that other bugs might be hidden behind.
I noticed MOZ_CRASH([unhandlable oom] SavedStacksMetadataBuilder) appears 172 times on the 179 js::AutoEnterOOMUnsafeRegion::crash reports.
Maybe we should investigate this one, and how to reduce it.
Decoder, do you happen to have an over-proportion of MOZ_CRASH([unhandlable oom] SavedStacksMetadataBuilder) as well?
|
||
Comment 6•1 year ago
|
||
(In reply to Nicolas B. Pierron [:nbp] from comment #5)
A fuzz-blocker might be qualified as a kind of bug which appears so much that we fear that other bugs might be hidden behind.
I noticedMOZ_CRASH([unhandlable oom] SavedStacksMetadataBuilder)appears 172 times on the 179js::AutoEnterOOMUnsafeRegion::crashreports.Maybe we should investigate this one, and how to reduce it.
Decoder, do you happen to have an over-proportion of
MOZ_CRASH([unhandlable oom] SavedStacksMetadataBuilder)as well?
We do not have statistics on these, because we throw away every result with "unhandlable oom" right away.
|
|
Reporter | |
Updated•1 year ago
|
Description
•