Christian Holler (:decoder) Reporter
	Description • 6 years ago

The following testcase crashes on mozilla-central revision f903cbfa3c01 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

stackTest(function() {
  eval(`var g = newGlobal();
    recomputeWrappers(this, g);
  `);
});


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555cc11a5 in js::RemapWrapper (cx=<optimized out>, cx@entry=0x7ffff5f16000, wobjArg=<optimized out>, wobjArg@entry=0x7ffff4d98340, newTargetArg=<optimized out>) at js/src/proxy/CrossCompartmentWrapper.cpp:663
#0  0x0000555555cc11a5 in js::RemapWrapper (cx=<optimized out>, cx@entry=0x7ffff5f16000, wobjArg=<optimized out>, wobjArg@entry=0x7ffff4d98340, newTargetArg=<optimized out>) at js/src/proxy/CrossCompartmentWrapper.cpp:663
#1  0x0000555555cc35f5 in js::RecomputeWrappers (cx=0x7ffff5f16000, sourceFilter=..., targetFilter=...) at js/src/proxy/CrossCompartmentWrapper.cpp:746
#2  0x000055555566225f in RecomputeWrappers (cx=0x7ffff5f16000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:6172
#3  0x00005555557e9bb5 in CallJSNative (cx=0x7ffff5f16000, native=0x555555662180 <RecomputeWrappers(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:461
[...]
#34 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10975
rax	0x0	0
rbx	0x7fffffffb4f0	140737488336112
rcx	0x7ffff6c212dd	140737333301981
rdx	0x0	0
rsi	0x7ffff6ef0770	140737336248176
rdi	0x7ffff6eef540	140737336243520
rbp	0x7fffffffb550	140737488336208
rsp	0x7fffffffb3d0	140737488335824
r8	0x7ffff6ef0770	140737336248176
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b977a0	140737332737952
r12	0x7ffff5f16000	140737319624704
r13	0x7fffffffb430	140737488335920
r14	0x7fffffffb450	140737488335952
r15	0x7fffffffb470	140737488335984
rip	0x555555cc11a5 <js::RemapWrapper(JSContext*, JSObject*, JSObject*)+1685>
=> 0x555555cc11a5 <js::RemapWrapper(JSContext*, JSObject*, JSObject*)+1685>:	movl   $0x0,0x0
   0x555555cc11b0 <js::RemapWrapper(JSContext*, JSObject*, JSObject*)+1696>:	ud2

	Fuzzing Team
	Comment 1 • 6 years ago

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/343c194c1a08
user:        Jan de Mooij
date:        Wed Sep 19 11:42:45 2018 +0200
summary:     Bug 1492406 - Add a recomputeWrappers function to the JS shell for js::RecomputeWrappers. r=jonco

This iteration took 287.473 seconds to run.

	Jan de Mooij [:jandem] Assignee
	Comment 2 • 6 years ago

Ugh, this is just a MOZ_CRASH that needs to be made more fuzzing-friendly now that this code is reachable in the shell.

	Jan de Mooij [:jandem] Assignee
	Comment 4 • 6 years ago

Depends on D9253

	Jan de Mooij [:jandem] Assignee
	Comment 5 • 6 years ago

Depends on D9254

	Jan de Mooij [:jandem] Assignee
	Comment 6 • 6 years ago

Bah, there's some code in the tree or a (GTK?) header that #defines None because I can't use that in an enum class in js/public/Utility.h Renaming None to Nothing fixes it...

	Pulsebot
	Comment 7 • 6 years ago

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/271d76b2997b
part 1 - Change JSObject::swap return type from bool to void (it always returned true). r=jonco
https://hg.mozilla.org/integration/autoland/rev/9697472e6ab7
part 2 - Unify OOM testing state variables for different kinds to make AutoEnterOOMUnsafeRegion work for stack checks. r=jonco
https://hg.mozilla.org/integration/autoland/rev/72ce1b22eee8
part 3 - Use AutoEnterOOMUnsafeRegion in js::RemapWrapper. r=jonco

	Cosmin Sabou [:CosminS]
	Comment 8 • 6 years ago
bugherder

https://hg.mozilla.org/mozilla-central/rev/271d76b2997b
https://hg.mozilla.org/mozilla-central/rev/9697472e6ab7
https://hg.mozilla.org/mozilla-central/rev/72ce1b22eee8

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)
	Comment 9 • 6 years ago

It would be nice to land this on mozilla-beta as well to reduce fuzzing noise for the recomputeWrappers function.

	Jan de Mooij [:jandem] Assignee
	Comment 10 • 6 years ago

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> It would be nice to land this on mozilla-beta as well to reduce fuzzing
> noise for the recomputeWrappers function.

Are we actually fuzzing beta?

Part 2 here is pretty big so if this is really an issue I'd prefer just marking the recomputeWrappers shell function as fuzzing-unsafe on beta instead of uplifting this.

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)
	Comment 11 • 6 years ago

Marking it fuzzing-unsafe on beta works for me.

And yes, I'm fuzzing beta occasionally too. Thanks!

	Jon Coppeard (:jonco)
	Comment 13 • 6 years ago

Comment on attachment 9020797 [details] [diff] [review]
Mark the recomputeWrappers shell function as fuzzing-unsafe on beta

Review of attachment 9020797 [details] [diff] [review]:
-----------------------------------------------------------------

WFM.

	Jan de Mooij [:jandem] Assignee
	Comment 14 • 6 years ago
uplift

Pushed this with a=NPOTB.

https://hg.mozilla.org/releases/mozilla-beta/rev/74b78f02330749197bbd4009fe20705490b6a86f