1854929 - Crash [@ JS::EnsureNonInlineArrayBufferOrView] or Hit MOZ_CRASH(Invalid object. Dead wrapper?) at vm/JSObject.h:649

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20230924-fada0a57f99d (opt build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

ensureNonInline({})

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x56743159 in JS::EnsureNonInlineArrayBufferOrView(JSContext*, JSObject*) ()
#1  0x568048e6 in EnsureNonInline(JSContext*, unsigned int, JS::Value*) ()
#2  0x56c7b7b8 in js::Interpret(JSContext*, js::RunState&) ()
#3  0x57032aab in js::RunScript(JSContext*, js::RunState&) ()
#4  0x570331e9 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#5  0x5706c1aa in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#6  0x5706c2bc in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#7  0x57007fb4 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) ()
#8  0x57007c63 in Process(JSContext*, char const*, bool, FileKind) ()
#9  0x56fdab66 in main ()
eax	0x5758fc67	1465449575
ebx	0x589eaff4	1486794740
ecx	0x589eeec4	1486810820
edx	0xf6a19c00	-157180928
esi	0x589aec38	1486548024
edi	0xf3000530	-218102480
ebp	0xfff169f8	4294011384
esp	0xfff169c0	4294011328
eip	0x56743159 <JS::EnsureNonInlineArrayBufferOrView(JSContext*, JSObject*)+313>
=> 0x56743159 <_ZN2JS32EnsureNonInlineArrayBufferOrViewEP9JSContextP8JSObject+313>:	movl   $0x289,0x0
   0x56743163 <_ZN2JS32EnsureNonInlineArrayBufferOrViewEP9JSContextP8JSObject+323>:	call   0x566be550 <abort>

Likely a shell-only issue with this new helper function, but a fuzzblocker.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230925135702-6729368858f0.
Unable to bisect testcase (Unable to launch the start build!):

Start: 7e4f996f753738a94e3a069fe4f8d834082e1636 (20220926093803)
End: fada0a57f99d5b5fc87e6e746df5d5b55781f57d (20230924092410)
BuildFlags: BuildFlags(asan=None, tsan=None, debug=True, fuzzing=None, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:willyelm, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Comment 7

[Steven DeTar [:sdetar]]

I moving this to S2 since this is a fuzz blocker.

Comment 8

[Steven DeTar [:sdetar]]

Since moving this S2, I clearing Will's NI.

Comment 9

[Steve Fink [:sfink] [:s:]]

Attachment: Bug 1854929 - JS::EnsureNonInlineArrayBufferOrView should not crash if given wrong type

Comment 10

[Steve Fink [:sfink] [:s:]]

This was just an unnecessary assert. Sorry for taking so long to check it out.

Comment 11

[Pulsebot]

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/acc80e42ffb0
JS::EnsureNonInlineArrayBufferOrView should not crash if given wrong type r=spidermonkey-reviewers,mgaudet

Comment 12

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/acc80e42ffb0

Comment 13

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20231005035341-c5b63a02d719.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.